Capabilities — full catalogue
Every level of the problem
Intelligence fails when it arrives at the wrong altitude — indicators in the boardroom, geopolitics in the SOC. The bureau produces at four levels, plus casework, and each deliverable is written for the person who has to act on it. Everything below runs under retainer; casework is also taken on mandate.
Strategic
“Where is the danger moving, and what does it cost us?”
Threat landscape assessment
Your sector’s adversary picture, twelve months out: who is industrialising, what access is being traded, which business models are under attack.
Geopolitical-cyber watch
Sensitive zones under standing watch — Middle East, Caucasus, Central Asia, Eastern Europe. When state pressure turns into cyber campaigns, we call the shift before it reaches your infrastructure.
M&A and investment due diligence
The target’s real security history: undisclosed compromises, leaked credentials, standing adversary interest, toxic dependencies. Before signature, not after integration.
Supply-chain intelligence
Your most critical suppliers, watched like your own perimeter — because access to you is traded under their name.
Board briefing programme
A standing rhythm in front of the board: the threat picture in business terms, on the record, questions answered live.
Operational
“Who is coming, and are we ready for them specifically?”
Adversary tracking
Named-actor dossiers: infrastructure, tooling, targeting patterns and the people behind them. Maintained continuously, not compiled after you ask.
Campaign early warning
Standing coverage of energy, finance, defence and public institutions. When a campaign turns toward your sector, you hear it from us first.
Incident intelligence & attribution
While the intrusion is live: who this is, what they take next, what they want. Attribution you can act on before the ransom note.
Ransomware crew intelligence
When extortion lands: which crew this is, whether they honour deals, what they did to the last ten victims, how those negotiations ended.
Insider recruitment watch
Adversaries recruit insiders openly — forums, Telegram, professional networks. We watch the offers made against your sector and your name.
Executive exposure
The digital footprint of your leadership — what a motivated adversary can reach today, and how to shrink it this week.
Tactical
“What do we look for, this week, in our environment?”
TTP dossiers & detection support
Actor playbooks translated to your stack: behaviours, not hashes. Sigma and YARA where they help — and told plainly where they will not.
Hunt packages
Hypothesis-driven hunts built from live campaign knowledge: where to look, what would prove it, what to do on a hit.
Adversary emulation intelligence
Your red and purple teams, armed with how the adversary actually behaved last month — not a framework’s museum version.
CTI capability transfer
We build your internal cell and make ourselves less necessary: intelligence requirements, collection plan, workflows, analyst training.
Technical
“What does this artefact mean, and what is it connected to?”
Attack-surface watch
Your perimeter as the adversary maps it — exposed services, forgotten assets, supplier weak points. Reported when it changes, not once a quarter.
Leak & credential monitoring
Stealer logs, combo lists, broker chatter. What surfaced, where it circulates, and whether someone is actively working it.
Dark-web & market surveillance
Standing presence where access is sold and data is fenced: markets, forums, closed channels. When your name appears, you know the same day.
Infrastructure intelligence
Not a feed. Pivot maps around live campaigns: what the infrastructure connects to, what it is likely to become, confidence stated.
Malware & implant analysis
Reverse engineering on demand: capability, command-and-control, targeting logic — and whether it was built for you.
Brand & fraud infrastructure
Phishing kits, typosquats, cloned portals and fake apps trading on your name — found, documented, prepared for takedown.
Special bureau
“Casework beyond the watches — documented to courtroom standard.”
OSINT investigations
Digital footprint, corporate interests, hidden connections — mapped from open and semi-open sources, documented to a standard that holds up in court.
Crypto-asset tracing
From a wallet address toward the person behind it: cross-chain attribution, illicit-flow tracing, correlated identities and pseudonyms.
Counter-intelligence & OPSEC
The discipline of deciding what an adversary must not learn about you — then making it true. Designed and tested against state actors, organised crime and commercial spyware.
Special-bureau casework is accepted for identified clients only, within applicable law, and documented to evidentiary standard. If a mandate should not be taken, we say so before it starts.