Capridiem Consultancy Services
Practice · 9 disciplines

How we operationalise security.

Nine tightly-scoped services - offensive, defensive, governance, response, and regulated-industry compliance - wrapped in one opinionated lifecycle when you need them stitched together. We don't sell hours; we sell defensible posture you can show an auditor, a board, or a regulator.


01 · Flagship

Web & API Vulnerability Assessment & Penetration Testing

OWASP-, MITRE ATLAS- and NIST-aligned; manual depth amplified by in-house tooling.

OWASP Top 10 · API Top 10 · MITRE ATLAS · NIST AI RMF

Manual VAPT is the engine; tooling is the lever. We cover OWASP Top 10, API Security Top 10, GraphQL/gRPC quirks, MITRE ATLAS for AI surfaces, and NIST AI RMF for compliance pinning. Every finding ships with reproduction, business-impact framing, and remediation engineering - not just CVSS.

Security testing capabilities
  • Web & API Security Testing: OWASP Top 10, API Security Top 10, manual & automated VAPT with proprietary tooling
  • AI / LLM Red-Teaming: Prompt injection, jailbreak, RAG poisoning, MCP-server abuse - MITRE ATLAS aligned
  • Agentic & Autonomous Systems: Tool-use abuse, memory poisoning, lethal-trifecta detection across multi-agent stacks
  • Workflow & Business-Logic: Multi-step attack-chain replay across n8n, custom orchestrators, and CI/CD pipelines
  • Compliance & Threat Modeling: MITRE ATLAS, NIST AI RMF, OWASP LLM Top 10, AVATAR taxonomy mapping

02

Information Security Management System (ISMS) Consulting

ISO/IEC 27001-aligned implementation, audit & certification support.

ISO 27001 · ISO 27701 · Internal Audit · Annex A

Every ISMS we deliver is built to actually pass certification - risk register, policy library, internal-audit playbook, evidence packs, and an ongoing improvement engine. We do the heavy lifting on Annex A controls, then operate alongside your team until cert day and beyond.

  • Risk Assessment & Treatment: Annex A control mapping, quantified risk register, treatment plans aligned to ISO 27001:2022
  • Policy & Documentation: Policy library, Statement of Applicability, ROPA, IS manual - built to pass certification
  • Internal Audit Program: Auditor training, audit calendar, evidence packs, nonconformity tracking and closure
  • Certification Support: Stage-1 & Stage-2 readiness, auditor liaison, gap-closure sprints through cert day
  • Continuous Improvement: Management review cadence, KPIs, corrective-action engine for surveillance audits

03

Privacy Management Consulting

DPDP Act, GDPR, HIPAA - operationalised.

DPDP · GDPR · HIPAA · DPIA · ROPA

Privacy programs that survive a regulator visit. DPIA, ROPA, data-subject request workflows, vendor due-diligence, and ongoing governance - calibrated to your jurisdiction (India DPDP, EU GDPR, US HIPAA) and your data's sensitivity tier.

  • Privacy Program Design: DPIA, ROPA, lawful-basis mapping, cross-border transfer impact assessments
  • Data Subject Rights: Request intake, identity verification, fulfilment SLAs, documented refusal grounds
  • Vendor & Sub-processor Diligence: DPA templates, transfer-impact reviews, processor onboarding gates
  • Breach Response & Notification: 72-hour DPDP/GDPR clock, regulator-ready templates, stakeholder communication playbooks
  • Jurisdictional Calibration: India DPDP, EU GDPR, US HIPAA, sector overlays (PCI, RBI, IRDAI)

04

Security Operations Center (SOC) Monitoring

Design, deployment, and continuous tuning of detection & response.

SIEM · EDR · Detection Engineering · IR Playbooks

From SIEM selection to playbook authoring to 24×7 eyes on glass - we stand up SOCs that actually catch the things you bought them to catch. Tuning is continuous: every IR teaches the SIEM something new.

  • SIEM Selection & Deployment: Vendor-neutral evaluation, log-source onboarding, parser and normalisation tuning
  • Detection Engineering: MITRE ATT&CK coverage, custom rules, false-positive reduction loops
  • Incident Response Playbooks: Tier-1 to Tier-3 runbooks, escalation matrices, evidence-preservation procedures
  • Threat Hunting: Hypothesis-driven sweeps, threat-intel integration, dwell-time and MTTD metrics
  • 24×7 Monitoring & Tuning: Eyes-on-glass coverage, weekly tuning rituals, IR feedback into detection logic

05

Virtual Information Security Office (VISO)

Fractional CISO leadership for growth-stage and resource-constrained teams.

Strategy · Board Reporting · Vendor Risk · Audit Prep

A senior CISO at a fraction of the cost. We sit on your leadership team for strategy, board reporting, vendor risk, and audit readiness - embedded enough to be accountable, fractional enough to make economic sense.

  • Strategic Security Roadmap: 12-24 month plan, budget defense, board-aligned priorities and quarterly milestones
  • Board & Leadership Reporting: Executive risk dashboards, regulator narratives, quarterly governance briefings
  • Vendor & Third-Party Risk: Tiered scoring, contract security clauses, reassessment cadence and exit planning
  • Audit & Certification Readiness: Pre-audit gap closure, evidence curation, auditor playbacks across frameworks
  • Incident & Crisis Leadership: Tabletop facilitation, breach response governance, post-incident lessons-learned

06

Cloud & DevSecOps Security

CSPM, Kubernetes, IaC, and software supply chain - security baked into the pipeline.

CSPM · Kubernetes · IaC Scanning · SBOM · SLSA

Cloud is where the breach happens now. We posture-assess across AWS, Azure, and GCP; harden Kubernetes against runtime exploitation; scan IaC and containers in CI; and operationalise SBOMs and SLSA provenance for software supply-chain integrity. The deliverable isn't a PDF - it's a signed pipeline you can actually trust.

  • Cloud Security Posture (CSPM): AWS / Azure / GCP misconfiguration sweep, IAM drift, public-bucket detection, CIS benchmark alignment
  • Kubernetes & Container Hardening: RBAC review, admission controllers (OPA / Kyverno), CIS benchmarks, runtime detection (Falco)
  • IaC & Pipeline Security: Terraform / CloudFormation / Pulumi scanning, secrets-in-code, GitHub Actions & GitLab CI hardening
  • Supply Chain & SBOM: SBOM generation (CycloneDX / SPDX), SLSA level uplift, dependency provenance, signed artifacts (Cosign / Sigstore)
  • Container & Image Security: Base-image hygiene, vulnerability gates, registry scanning, runtime drift detection across multi-cluster fleets

07

Red Team & Adversary Simulation

Goal-driven kill-chain emulation, purple-team uplift, real-world TTPs.

MITRE ATT&CK · Purple Team · Adversary Emulation · TIBER-EU · Assumed Breach

Where VAPT stops at coverage, red team starts at intent. We emulate documented adversaries end-to-end - initial access through impact - and pair it with purple-team tabletop and detection-rule co-authoring, so your SOC walks away sharper than it started.

  • Goal-Based Red Team: Defined-objective engagements - crown-jewel access, fraud paths, board-level scenarios - with full kill-chain documentation
  • Adversary Emulation: MITRE ATT&CK and CTI-driven TTP replay: APT41, FIN11, Lazarus, ransomware affiliate behaviours
  • Purple Team & Detection Uplift: Side-by-side with your SOC: rule co-authoring, detection coverage matrix, dwell-time reduction loops
  • Assumed-Breach & Insider: Workstation-as-foothold scenarios, lateral movement, privilege escalation, data-exfil paths
  • TIBER-EU & CBEST Aligned: Threat-led penetration testing for regulated financial entities, intel-driven scenarios, regulator-ready reports

08

Digital Forensics & Incident Response (DFIR)

Retainer-grade incident response, breach forensics, and litigation-ready evidence.

IR Retainer · Forensic Imaging · Malware RE · Chain of Custody · 72-Hour Clock

When the alarm goes off, you want the people who already know your network on the line. Our DFIR retainers cover triage, forensic acquisition, malware reverse-engineering, and root-cause reporting - with chain-of-custody good enough for a courtroom and a 72-hour clock that respects DPDP, GDPR, RBI, and IRDAI notification windows.

  • Incident Response Retainer: Pre-engaged hours, defined SLAs, tabletop drills, runbook custodianship - ready before the breach, not after
  • Forensic Acquisition & Triage: Endpoint, server, cloud, and mobile imaging - chain-of-custody preservation, memory capture, timeline reconstruction
  • Malware Reverse Engineering: Static + dynamic analysis, IOC extraction, family attribution, custom YARA rules for ongoing detection
  • Compromise Assessment: Hypothesis-driven hunt across persistence, lateral movement, and exfil channels - when 'are we already breached?' needs an answer
  • Litigation & Regulatory Support: Expert-witness reports, evidence packs, DPDP / GDPR / IRDAI / RBI notification kits ready inside the 72-hour window

09

GxP Compliance as a Service (GCaaS)

End-to-end GxP, CSV/CSA, 21 CFR Part 11, ISO 13485 & medical-device cybersecurity - delivered as a service.

GAMP 5 · 21 CFR Part 11 · ALCOA+ · ISO 13485 · ISO 14971 · IEC 62304 · FDA Cybersecurity

GxP Compliance as a Service (GCaaS) delivers end-to-end compliance support across computerised systems, software, and medical devices, aligning with global regulatory expectations and quality standards. We cover Computerised System Validation (CSV/CSA) on ISPE GAMP 5 principles - fit-for-purpose, risk-based validation and lifecycle governance - and operationalise FDA 21 CFR Part 11, ALCOA+ data integrity, and ISO 13485 QMS for trustworthy electronic records and controlled processes. For medical-device software we integrate ISO 14971 risk management, IEC 62304 secure development, and FDA cybersecurity guidance for secure-by-design and post-market resilience. The result: faster delivery, lower regulatory risk, and inspection-readiness as a steady state - not a fire drill.

  • Computerised System Validation (CSV/CSA): ISPE GAMP 5 risk-based validation, lifecycle governance, IQ/OQ/PQ protocols, periodic review
  • 21 CFR Part 11 & ALCOA+ Data Integrity: Electronic record/signature controls, audit-trail design, ALCOA+ assessments, gap remediation
  • ISO 13485 QMS Implementation: Quality manual, design controls, CAPA, supplier management, certification readiness
  • Medical-Device Software (IEC 62304): Software safety classification (A/B/C), SDLC alignment, SOUP management, traceability matrix
  • ISO 14971 Risk Management: Risk management file, hazard analysis, risk-benefit analysis, post-market surveillance integration
  • FDA Cybersecurity (Pre/Post-Market): Secure-by-design, threat modelling, SBOM for devices, post-market vulnerability handling, premarket submission support
  • Inspection & Audit Readiness: Mock inspections, evidence binders, regulator-narrative prep, remediation sprints across FDA/EMA/CDSCO

Our approach

Discover · Assess · Establish · Sustain.

  1. Discover - Understand business context, risks, and stakeholder priorities
  2. Assess - Audit existing security & compliance posture against industry frameworks
  3. Establish - Build the information-security & privacy office, policies, and controls
  4. Sustain - Operate, monitor, and continuously improve compliance