From the blog

A decade on, it remains the most practical starting point for any MSP serious about building a security practice — and the most underused commercial lever available.

A pen test is only as useful as the scope it's given. We walk through the most common scoping mistakes and how to avoid a report nobody acts on.

Most incidents aren't a technical failure — they're a response failure. A minimal but practical playbook for the decisions you need to have made before the phone rings at 2am.

How we built an automated enrichment pipeline using Splunk, TheHive and Cortex — cutting alert-to-notification time to under 60 seconds, with a structured 10-task audit trail on every qualifying case.

NIST's post-quantum signature standards are 52–267× larger than Ed25519. Benchmarked at 4.3M transactions/day, the bandwidth cost difference between Ed25519 and ML-DSA-65 is over £450 per year — and that's before compute.

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, secure cookies, server header suppression. Six headers. Six classes of attack mitigated. Most applications are missing at least three of them.

From Azure Key Vault to automated expiry alerts in Hudu — a practical framework for managing cryptographic keys across the full lifecycle, built from real MSP experience.

A worked example following NIST SP 800-30: Apache 2.4.57 on a production server, four CVEs including a Critical SSRF, and a prioritised remediation plan grounded in real context — not just CVSS scores.