TLPR.

Capabilities — full catalogue

Every level of the problem

Intelligence fails when it arrives at the wrong altitude — indicators in the boardroom, geopolitics in the SOC. The bureau produces at four levels, plus casework, and each deliverable is written for the person who has to act on it. Everything below runs under retainer; casework is also taken on mandate.

Strategic

LVL/1

audience — Boards, executive committees, investors

Where is the danger moving, and what does it cost us?

  • Threat landscape assessment

    STR/01

    Your sector’s adversary picture, twelve months out: who is industrialising, what access is being traded, which business models are under attack.

    → deliverable — Annual assessment + quarterly outlooks, briefed in person

  • Geopolitical-cyber watch

    STR/02

    Sensitive zones under standing watch — Middle East, Caucasus, Central Asia, Eastern Europe. When state pressure turns into cyber campaigns, we call the shift before it reaches your infrastructure.

    → deliverable — Monthly outlook + flash notice on threshold events

  • M&A and investment due diligence

    STR/03

    The target’s real security history: undisclosed compromises, leaked credentials, standing adversary interest, toxic dependencies. Before signature, not after integration.

    → deliverable — Due-diligence dossier, delivered under NDA

  • Supply-chain intelligence

    STR/04

    Your most critical suppliers, watched like your own perimeter — because access to you is traded under their name.

    → deliverable — Vendor watchlist + compromise notices

  • Board briefing programme

    STR/05

    A standing rhythm in front of the board: the threat picture in business terms, on the record, questions answered live.

    → deliverable — Quarterly in-person briefing

Operational

LVL/2

audience — CISOs, security directors

Who is coming, and are we ready for them specifically?

  • Adversary tracking

    OPS/01

    Named-actor dossiers: infrastructure, tooling, targeting patterns and the people behind them. Maintained continuously, not compiled after you ask.

    → deliverable — Living dossiers, updated as the actor moves

  • Campaign early warning

    OPS/02

    Standing coverage of energy, finance, defence and public institutions. When a campaign turns toward your sector, you hear it from us first.

    → deliverable — Flash notice, hours from detection

  • Incident intelligence & attribution

    OPS/03

    While the intrusion is live: who this is, what they take next, what they want. Attribution you can act on before the ransom note.

    → deliverable — Attribution assessments during the incident

  • Ransomware crew intelligence

    OPS/04

    When extortion lands: which crew this is, whether they honour deals, what they did to the last ten victims, how those negotiations ended.

    → deliverable — Crew profile + negotiation support brief

  • Insider recruitment watch

    OPS/05

    Adversaries recruit insiders openly — forums, Telegram, professional networks. We watch the offers made against your sector and your name.

    → deliverable — Notification + evidence pack

  • Executive exposure

    OPS/06

    The digital footprint of your leadership — what a motivated adversary can reach today, and how to shrink it this week.

    → deliverable — Exposure dossier + reduction plan

Tactical

LVL/3

audience — SOC managers, detection & hunt teams

What do we look for, this week, in our environment?

  • TTP dossiers & detection support

    TAC/01

    Actor playbooks translated to your stack: behaviours, not hashes. Sigma and YARA where they help — and told plainly where they will not.

    → deliverable — TTP dossier + detection rules

  • Hunt packages

    TAC/02

    Hypothesis-driven hunts built from live campaign knowledge: where to look, what would prove it, what to do on a hit.

    → deliverable — Hunt package per campaign

  • Adversary emulation intelligence

    TAC/03

    Your red and purple teams, armed with how the adversary actually behaved last month — not a framework’s museum version.

    → deliverable — Emulation plan per actor

  • CTI capability transfer

    TAC/04

    We build your internal cell and make ourselves less necessary: intelligence requirements, collection plan, workflows, analyst training.

    → deliverable — Programme + training, fixed scope

Technical

LVL/4

audience — Analysts, responders

What does this artefact mean, and what is it connected to?

  • Attack-surface watch

    TEC/01

    Your perimeter as the adversary maps it — exposed services, forgotten assets, supplier weak points. Reported when it changes, not once a quarter.

    → deliverable — Change notices, continuously

  • Leak & credential monitoring

    TEC/02

    Stealer logs, combo lists, broker chatter. What surfaced, where it circulates, and whether someone is actively working it.

    → deliverable — Verified exposure notices

  • Dark-web & market surveillance

    TEC/03

    Standing presence where access is sold and data is fenced: markets, forums, closed channels. When your name appears, you know the same day.

    → deliverable — Same-day notification + context

  • Infrastructure intelligence

    TEC/04

    Not a feed. Pivot maps around live campaigns: what the infrastructure connects to, what it is likely to become, confidence stated.

    → deliverable — Contextualised indicator sets

  • Malware & implant analysis

    TEC/05

    Reverse engineering on demand: capability, command-and-control, targeting logic — and whether it was built for you.

    → deliverable — Analysis report + extracted indicators

  • Brand & fraud infrastructure

    TEC/06

    Phishing kits, typosquats, cloned portals and fake apps trading on your name — found, documented, prepared for takedown.

    → deliverable — Evidence pack per case

Special bureau

LVL/X

audience — Counsel, law enforcement, recovery teams

Casework beyond the watches — documented to courtroom standard.

  • OSINT investigations

    SPE/01

    Digital footprint, corporate interests, hidden connections — mapped from open and semi-open sources, documented to a standard that holds up in court.

    → deliverable — Investigation dossier, evidentiary grade

  • Crypto-asset tracing

    SPE/02

    From a wallet address toward the person behind it: cross-chain attribution, illicit-flow tracing, correlated identities and pseudonyms.

    → deliverable — Attribution graph + court-grade documentation

  • Counter-intelligence & OPSEC

    SPE/03

    The discipline of deciding what an adversary must not learn about you — then making it true. Designed and tested against state actors, organised crime and commercial spyware.

    → deliverable — OPSEC model + hardening runbooks

Special-bureau casework is accepted for identified clients only, within applicable law, and documented to evidentiary standard. If a mandate should not be taken, we say so before it starts.