Threat Notes
Technical writing from the team
Short, practical notes on topics we encounter in real engagements. No vendor content, no press releases, no SEO filler.
How to run a NIS2 gap analysis without hiring a Big Four firm
A structured walkthrough of Article 21 requirements and the questions your IT team should be asking before your first external audit.
Read note →
What to include in a web application pentest scope — and what to leave out
Scoping mistakes that waste budget, delay delivery, and produce reports that don't reflect actual risk.
Read note →
Why phishing simulations fail and what to do instead
Click rates are a poor proxy for security awareness. What the data actually shows and how to design training that changes behaviour.
Read note →
ISO 27001 vs NIS2 — what overlaps and what doesn't
If you're already ISO 27001 certified, how much work does NIS2 actually add? A practical comparison for IT managers who need to answer this question.
Read note →
Insider threat training that doesn't make staff feel like suspects
Most insider threat programmes create resentment without improving security. What the research shows about making these programmes actually work.
Read note →