You don't need a red team

September 26, 2025 | Leonidas Tsaousis

Covert red teams are overrated. There is much more to gain through collaboration of attack and defense.

Around eight out of 10 requests for red-team exercises that we get are eventually diverted into other types of engagements. There are a few occasions where a red team is indeed the best fit or is mandated by regulators. However, in most cases, we quickly find that the client is either not ready, can’t really afford it, or simply doesn’t understand it. What if I told you there’s a better way to improve your security posture: one that costs less, covers more ground, and educates your people in the process?

One collaborative methodology for threat-driven, offensive security exercises could resemble what we call “attack path mapping.” First, a set of starting points and business-critical objectives are decided. Then, the operators identify and technically validate as many paths as possible, that an attacker would likely take to achieve them. But crucially, they do so in full view of the blue team and by formally consulting the organization’s subject matter experts (SMEs). Here’s why this is (usually) a better solution.

The constraints: time, breadth, and stealth

Myth: Unlike a pen test, a red team will stress-test the security of your entire organization.

Reality: A red team will document only the path of least resistance to every objective set.

Imagine a large enterprise with a diverse attack surface including multiple clouds, continuous integration/continuous deployment (CI/CD) pipelines, overlapping identity planes, and multiplatform endpoints. A report with no findings — neither weaknesses nor strengths — about some of these areas doesn’t necessarily mean they were robust. It most likely means they were not traversed, as more reliable avenues were found to achieve the objectives. Whatever the case, as a stakeholder reading it, your questions about their resilience remain unanswered… Achieving broad coverage in a single assessment would take time, and time costs, so working within these boundaries requires relaxing another constraint: stealth.

Your experts on center stage

Let’s consider this real-world case: Network and security architects of a Critical Infrastructure provider designed the operational technology (OT) environment and segregated it from the IT environment. They also documented the connection points between the two and the key risks posed to those critical assets. Come assessment time, wouldn’t it be better if testers could tap into this expertise, instead of attempting to reinvent the wheel? We have found that scheduling a series of rapid threat modeling-style sessions with these experts and keeping them looped in throughout the engagement speeds up internal reconnaissance, allowing operators to understand the landscape (and attack paths present) faster. Of course, hands-on enumeration follows as usual, but the communications channel remains open and active.

Challenges in the clouds

Red teaming cloud-native estates presents more complications. Cloud identity and access control technologies such as Entra ID and AWS IAM were built aware of their predecessors’ inherent weaknesses. Gone are the days when any user could retrieve password hashes of service accounts “as a feature.” Nowadays, finding impactful paths requires some collaboration. This could take the form of granting testers “see everything” permissions to enable analysis with tools like RoadRecon or IAMGraph. And traversing these paths also requires some prior coordination: In case of a de-chain, the “standard” user provided for initial access will likely have no exploitable cloud permissions whatsoever. How about we define more interesting starting points, such as a compromised DevOps engineer or a malicious network engineer from a third-party contractor? Your SMEs will know exactly what their overprivileged contractor account looks like — trust me, it keeps them up at night.

Isn’t that a purple team?

I know what you’re thinking: “We’ve already invented this, it’s called a purple team.” I say, call it what you want, as long as you separate it from the granular, test-case driven kind, that’s fully automated with tools such as Atomic Red Team. And that’s because that form compromises realism heavily by focusing on the endpoints and barely touching the crown jewels deep within the network. Don’t get me wrong, I’ve conducted dozens of such exercises, and I can testify that it’s the best method available to assess an organization’s detection capability — it solves a different problem. Sure, executing isolated test cases for hundreds of Tactics, Techniques, and Procedures (TTPs) will make for punchy stats and fancy performance graphs. But they aren’t really addressing your worst security nightmares.

Still want that red team?

It’s 2025 and a lot of water has flowed under the bridge for the security community to acknowledge that provisions are not “cheating”. Taking this one step further, my thesis was that an alternative framework altogether is needed for large-scale adversarial simulation engagements. I hope that having read this you will also agree, that the collaborative methodology I’ve outlined offers a better value proposition overall. So, the next time you’re out in the market seeking an offensive security challenge, I invite you to ask yourself: Will a red team really solve your problem?

By Leo Tsaousis, Senior Security Consultant and Attack Path Mapping lead, Reversec

NIS2 must-knows for Digital Service Providers

The NIS2 Directive aims to strengthen and harmonize cybersecurity across the EU. For private-sector organizations, it removes the old distinction between Digital Service Providers and Operators of Essential Services.

Entities are now classified as “essential” or “important” based on factors such as size, sector, and societal impact. This new classification reflects each entity’s role in maintaining the resilience of critical infrastructure and services.

Here’s the key update you might have missed:

While NIS2 generally avoids sector-specific requirements, it requires the European Commission to adopt implementing acts that set out specific requirements for certain digital services. In October 2024, the European Commission published an implementing act that:

Focuses on incident reporting (Article 23)
Includes a 28-page Annex detailing mandatory cybersecurity risk-management measures (Article 21)

The act provides much more precision on how NIS2 compliance must be achieved. This leaves less room for interpretation and sets a higher bar for compliance.

Why this matters to Digital Service Providers

The implementing act introduces a sector-specific prescriptive layer within NIS2’s risk-based framework. Unlike the directive, it is directly applicable in all EU Member States – no national transposition required. The new rules for Digital Service Providers are already in force. With NIS2 now transposed in several Member States, this is the perfect time to reassess your compliance posture.

Ready to take the next step?

Compliance starts with clarity. We can help you answer three critical questions:

✅ Where are you now?
✅ How far are you from compliance?
✅ What do you need to do to get there?

Once the path is clear, we work with you to turn plans into action. We support your organization in implementing the roadmap and driving the changes needed to meet NIS2 requirements with confidence.

Don’t wait until compliance becomes a risk. Schedule a call with our experts and find out where you stand!

The Cyber Resilience Act (CRA) is about to change European product security

November 19, 2025 | Andrea Barisani

The Cyber Resilience Act (CRA) is a new EU regulation designed to strengthen security standards for European products with digital elements. With mandatory requirements for design, development, maintenance, and lifecycle management, the CRA aims to make secure products easier to identify.

Although the regulation entered into force in December 2024, it won’t be fully applicable until 11 December 2027. So what should organizations be preparing for? Andrea Barisani, Principal Consultant and head of Reversec’s Hardware Security team, breaks down the implications.

Why the Cyber Resilience Act matters

The Cyber Resilience Act is a significant development in the EU’s cybersecurity regulation. It brings into scope any product with digital elements that can directly or indirectly connect to other devices or networks, reinforcing the idea that anything digital must be secure.

Like any regulation, some parts of the CRA leave room for interpretation and may be implemented with varying levels of quality. Other parts are more specific, such as the requirement to support vulnerability handling for at least five years.

The CRA should be approached in the same way as security standards or regulations like NIS2 or PCI DSS. It forces organizations to document their processes, take action, and align those actions with a broader standard.

The CRA provides helpful structure, but structure alone doesn’t guarantee security. A device can meet every compliance requirement and still have blind spots. Likewise, something that falls short on paper could still be well protected. This is why technical expertise and compliance knowledge should go hand in hand.

Mobile phone
Cyber Resilience Act
Procuct Security — The Cyber Resilience Act applies to any product with digital elements. Products will carry the CE marking to signal CRA compliance.

What it demands

At the heart of the Cyber Resilience Act is an obligation to release products without known exploitable vulnerabilities that might impact security. This requirement is supported by assessing cybersecurity risks and applying suitable harmonized standards, common specifications, or recognized standards.

The CRA’s requirements for regular updates, vulnerability fixes, a clear reporting policy and public disclosure are essential for transparency and accountability. If a vulnerability is discovered, there must be a public framework for reporting it.

“These are all things that I would expect companies to have even without the regulation,” Andrea Barisani says. “The regulation captures fairly well what we expect a manufacturer to have and to provide for their clients.”

Covered and excluded products

The CRA applies to any product with digital elements (PDEs). That includes any product that can interface with a network or other software, with a few exceptions such as medical devices, cars and aviation, which are already covered by existing rules. Open-source software is also exempt, but only in a narrow sense. If a developer integrates an open-source library into a product, they are still responsible for its security.

CE marking as a signal of compliance

Many products in the European Economic Area carry the CE marking to signal high health, safety and environmental standards. Manufacturers, importers and distributors follow CE requirements to enable unrestricted trade in the EEA and provide a consistent level of protection for consumers. Under the CRA, the CE marking will also indicate cybersecurity compliance. This extension will add new weight to an already pervasive label.

Implementation

The CRA requires manufacturers to address cybersecurity throughout the entire product lifecycle — from planning and production to maintenance. Risks must be documented and any exploited vulnerabilities or incidents reported. Manufacturers are also expected to provide clear and understandable instructions for their products.

“My washing machine is digitally connected. But companies making washing machines don’t necessarily have a strong background in pushing updates.”

Vulnerability handling

Companies must effectively support vulnerability handling for no less than five years, unless the lifetime of the product is less than five years, in which case the support period should cover that lifetime. If the product is reasonably expected to be in use for longer than five years, manufacturers should ensure longer support periods. This is a major change that places more responsibility on the manufacturers of digitally enabled products.

Security by design

Many of the CRA’s requirements can be effectively met through security by design, not by adding them later. The regulation explicitly mentions that products must be designed and developed in accordance with the requirements of the CRA. Andrea predicts that all manufacturers will eventually realize that implementing protections early is the most cost-effective approach.

Third-party accountability

Understanding what goes into a product has always been a challenge, but the CRA makes it an obligation. This is a welcome change, as security gaps often stem from a lack of visibility. Companies may include hardware, software, or firmware that isn’t directly under their control, overlooking its security implications.

Most products include code that isn’t owned by the developer. Even internal ecosystems are complex, with many teams and moving parts. The CRA forces orchestration of all these elements and holds manufacturers accountable for the final product’s security, regardless of its components.

Many suppliers will also be subject to the CRA, creating a waterfall effect that improves security outcomes for sub-components of end-user products. These suppliers will have a responsibility to manage their own security and communicate vulnerabilities, which will increase accountability throughout the supply chain.

Update requirements

Some products are better suited for remote updates than others. The ability to update a product exposes it to a larger attack surface, meaning that a poorly added mechanism can create new vulnerabilities. Updates are essential for security, but they must be handled with great care. The task requires significant effort and infrastructure, which makes this one of the most challenging aspects of CRA implementation.

“My washing machine has Wi-Fi — it’s digitally connected. That means this product is probably going to fall under regulation. But companies making washing machines don’t necessarily have a strong background in pushing updates.”

For effective implementation, the mechanism should be engineered into the product from day one. Good security consulting can offer valuable input during testing and early design, so that updating can be integrated more organically and at a lower cost.

“I don’t think that from January 1st, 2028, we’ll suddenly have everyone caught up and the ones who didn’t will be fined immediately.”

Industry readiness

The CRA will come into full effect in December 2027, but Andrea expects a slow start to EU-wide compliance. “I don’t think that from January 1st, 2028, we’ll suddenly have everyone caught up and the ones who didn’t will be fined immediately.”

Security isn’t binary, so meeting the requirements won’t necessarily guarantee strong protection. Features like update mechanisms or user authentication can be implemented in many ways, with varying levels of robustness. The industry should gradually move from checkbox compliance to meaningful adoption.

Given the complexity of today’s product ecosystems, it’s hard to say whether manufacturers are ahead or behind on CRA compliance. Some are well-positioned because they’ve been applying security principles for years. The landscape resembles what we’ve seen with NIS2: highly fragmented.

Andrea has worked with some clients for over two decades. For them, CRA compliance is largely a matter of making sure existing practices are documented in a way that aligns with the regulation’s structure. Other clients will need pinpointed advice to close specific gaps.

For companies starting from scratch, reaching CRA compliance within a few years can feel daunting, but it makes financial sense. The cost of overlooking the requirements will only increase from here.

Commercial impact as a driver of security

Regardless of the regulation’s specifics, the underlying challenges remain the same. The hope is that stronger incentives will drive better practices, raise awareness and improve outcomes, lifting the overall maturity level of the products we rely on.

Security also carries commercial weight. If a product is successful and widely used, companies become more sensitive to security risks, knowing that any failure could have business consequences. Successful products tend to mature in security, setting a market expectation.

Consumers are more informed now than they were two decades ago, and security can influence buying decisions. This logic applies to purely digital products as well. However, newer players often overlook these aspects while focusing on getting their product to market.

Strategic implications

The CRA can be seen as a catalyst for improving supply chain security. Many of its requirements directly affect how supply chains are managed, calling for intermediate checks and tighter oversight to maintain integrity. Over time, companies may find better ways to reuse components rather than reinventing the wheel. Supply chain security principles could even inspire cross-company collaboration or funding and sponsoring of open-source projects that become critical to the security of the final product.

Will it spur innovation?

Whether the CRA stifles or stimulates innovation is a matter of perspective. There’s plenty of room for innovation in how CRA requirements are fulfilled, especially when aiming to do it effectively, reliably and in a way that can be repeated. At the same time, regulations can cause stagnation, as some companies may hesitate to develop products if they’re unsure how to meet the requirements. But the CRA itself doesn’t inherently pose a risk to innovation.

Impact on open source

Non-commercial open-source software is exempt from the CRA, simply because it’s not feasible to impose requirements on it. Regardless of this, the CRA requirements still apply to products containing exempted code. This could lead to more investment in securing crucial open-source software.

Manufacturers who choose to incorporate third-party code are responsible for ensuring that the final product adheres to their own standards. Trusting an open-source product doesn’t shift that responsibility.

Small vs. big teams

The CRA has been criticized for potentially favoring larger companies, as smaller businesses and solo developers may struggle to comply when redistributing open-source software. However, size doesn’t always mean better security.

Smaller companies struggle with security, and larger ones often do too. Their scale can make them less agile, which creates additional challenges for security. A well-engineered product can be very secure regardless of the size of the team responsible for it. What matters is having a team that fits the product’s context and understands good engineering practices.

Impact on security testing

Some of our long-time clients are already heavily aligned with the CRA, having worked with us to implement security frameworks like ISO/IEC 62443. Others are engaging with Reversec for the first time, prompted by the CRA and its new requirements. These organizations are facing a complex journey, but they’re motivated to improve security regardless of regulations. That mindset makes a difference.

The new regulation brings a difference in testing scope. In earlier projects, Andrea’s team might have tested a narrow subcomponent, such as an individual chip essential for maintaining security. The CRA advises companies to build security into every process that touches a product before it’s on the market.

Alignment with security standards

While the CRA does not point to any specific standards, many of the requirements closely align with well-known standards like IEC 62443. This alignment will help to push many manufacturers and developers into established security best practices, and also ease the journey towards future certification, if desired.

Cyber Resilience Act — The CRA will fully apply in December 2027. We can support you in getting ahead of the regulatory implementation date.

Early implementation pays off

Secure design and development make compliance with the CRA easier. The earlier security is integrated into the design process, the more effective and less expensive it becomes. In development calls with clients, a simple suggestion at the early stage has prevented months of complex fixes, future problems, and saved hundreds of thousands of euros. Sometimes that’s all it takes: one design choice at the beginning.

Start preparing for the Cyber Resilience Act now

Companies with a solid security posture will find CRA compliance relatively straightforward. Those struggling to meet the requirements may benefit from following established frameworks like IEC 62443. The best path forward is to start improving organically. Whether that happens internally or with support from third parties like Reversec depends on the situation.

Our consulting services are designed to help your organization meet CRA requirements and build real security into your products. We can support you in getting ahead of the regulatory implementation date, making sure you’re integrating resilience in your system and meeting compliance requirements.

Mainframe security deep dive: From attack paths to best practices

August 7, 2025 | James Boorman

Mainframe systems often sit at the heart of an organization’s infrastructure, silently powering critical operations behind the scenes. Yet despite their centrality, they are frequently under-tested or misunderstood. This stems not just from their legacy nature but from a skills gap and a tendency to treat them as untouchable black boxes. In this article, we take a deep dive into Mainframe security testing and best practices with our Security Consultant & Global Mainframe Lead, James Boorman.

Intro to mainframes

When it comes to mainframes, there’s a fair amount of confusion, even within technical teams. Strictly speaking, it refers to systems like IBM Z/OS, Unisys ClearPath, or certain Fujitsu models. Then there are others, like HPE NonStop, which aren’t technically mainframes but behave similarly enough that many professionals lump them in. So whether you’re calling it a mainframe or a mid-range system with mainframe DNA, the security challenges, operational behaviours, and strategic importance remain largely the same.

These applications are built up over time, often older than the people maintaining them, and are highly interconnected to comply with strict regulatory demands. What appears simple on the surface involves numerous systems working together to review customer information, verify transactions, and manage accounts.

Common attack paths in mainframe environments

Mainframes might seem like fortress-grade systems, but attackers know where to look. Most vulnerabilities stem from access control misconfigurations, making privilege escalation and unintended data exposure real concerns. Let’s break down the most common and practical attack paths.

Most vulnerabilities stem from access control misconfigurations.

Surrogate chaining

One of the standout techniques is surrogate chaining, where an attacker abuses job submission permissions to run code under higher-privileged user IDs. If User A can act as User B, and User B can act as User C, then User A effectively gains access to User C’s privileges, even without direct rights. These chains grow in complexity and can be exploited if not carefully managed, especially in large systems with sprawling permission structures.

Application breakouts

In online applications, attackers often look for a way to break out of the app’s restricted environment. By triggering errors or manipulating inputs, they aim to infiltrate the underlying command environment, such as the CICS region, thereby gaining broader control than intended. From here, it’s about probing what access is possible at the platform level, even if they entered with a low-privilege account.

Network-based entry points

Network-based attack paths exist but are less common in real-world testing. Gaining entry without credentials or direct access is tough, given that most controls live inside the mainframe. Still, misconfigured services or stolen credentials via phishing can open doors, and these shouldn’t be overlooked.

Permission hopping via shared jobs or datasets

Mainframe security often revolves around resource protection and access assignments. If an attacker can alter a job that runs under another user’s credentials, they inherit that user’s access. Misconfigured datasets, improperly secured USS (Unix System Services), and over-permissioned profiles can make these jumps surprisingly easy.

The bottom line? Mainframe security is less about flashy exploits and more about navigating complex webs of access. System owners must stay vigilant, regularly review permission hierarchies, and test not just individual applications, but how they connect across the environment. Because with thousands of users and highly interconnected apps, one weak link is all it takes.

Mainframe security testing: platform vs. application

Security testing for mainframes typically happens on two levels:

Platform-level reviews: These are broad assessments, similar to a build review. They target the overall platform, checking subsystems and mainframe-specific controls. However, these massive systems with potentially hundreds of applications and thousands or tens of thousands of databases and tables, going deep isn’t practical. Understanding why each person has access to every given table would take mind-numbingly long. Instead, the assessment focuses on the wider, more global configuration of the operating system and its subsystems, identifying systemic misconfigurations and weaknesses at the cost of specificity.

Application-level reviews: These are more focused and context-rich. Testers examine specific apps, like a payment review tool, along with the data it uses, who can access it, and how it behaves. This approach is typically suitable for assurance-driven compliance and provides insight into the security posture of the specific application and its resources. However, since mainframe applications rarely exist in isolation, this method misses both the wider solution and bigger system picture – especially when applications rely heavily on each other.

The gap? Strategic middle-ground assessments. These look at clusters of related applications, say, 40 systems that make up a payment engine, to understand how data flows between them, where interdependencies lie, and how attackers might move laterally. It’s a space where purple teaming or attack path mapping can add real value, combining offensive and defensive testing to simulate realistic threats across complex environments.

Why mainframes need holistic security testing

The reality of mainframe testing

Mainframe security testing isn’t commonly practiced; it’s a niche skill set, and few professionals specialize in it. In many cases, organizations claim to test mainframes but restrict those efforts to unauthenticated network scanning. When services don’t respond or appear hardened, teams often walk away satisfied. The result? Superficial assessments that miss deeper, systemic vulnerabilities.

Organizations claim to test mainframes but restrict those efforts to unauthenticated network scanning.

Why a combined platform + application approach matters

The organizations that truly engage in effective mainframe testing take a more holistic approach. Rather than treating the system as a monolith, they separate platform-level configuration and application-level security. This dual perspective provides:

Broad insight into how infrastructure-wide settings affect individual components.
Granular visibility into application-specific risks, such as poorly configured authentication or insecure data storage.
Coverage of legacy weaknesses, which often arise from outdated assumptions about how the systems work.

Testing both dimensions helps uncover attack paths that stem from decades-old code and documentation gaps, things that traditional audits would miss.

Testing frequency: Compliance vs. proactivity

Security testing cycles vary widely. Some enterprises only test mainframes to meet compliance thresholds, annually or once every few years, depending on system criticality. Others take a more proactive stance, building regular mainframe testing into their operational security roadmap.

Yet some organizations still neglect to perform routine, comprehensive mainframe testing. These systems, perceived as inaccessible, legacy-bound, or simply misunderstood, may not always be included in modern testing pipelines. The truth is, their complexity and obscurity increase risk, not reduce it.

Common misconceptions & hidden risks

One recurring theme in mainframe testing is the prevalence of assumptions:

“The application passwords are encrypted” until closer inspection reveals they’re stored in plaintext.
“Application IDs can only be used by one user” until a tester successfully impersonates another user.
“No one can access this system” until someone tries… and succeeds.

These myths persist because documentation is missing, incomplete, or lost to time. Knowledge silos and shrinking subject matter expertise compound the problem.

Mainframe security: Best practices that make a difference

Despite their age, complexity, and niche status, mainframes continue to power critical infrastructure across industries. Their enduring presence doesn’t mean they’re impervious, but it does mean they require a tailored approach to security. Here’s what organizations should prioritize when safeguarding these systems.

1. Follow vendor guidance, and actually apply it

Leading vendors, such as IBM, provide extensive best-practice documentation for securing their platforms and subsystems. These resources offer practical architecture guidelines and proven security configurations. However, these recommendations are too often overlooked or partially implemented. The first security win is simply making sure they’re properly followed.

2. Perform regular, context-aware security testing

Mainframes shouldn’t be tested once every few years just to tick a compliance box. Security assessments must be recurring and adapted to each organization’s setup. Testing should span:

Platform-wide evaluations to assess overall configuration and access control
Application-level reviews that uncover business logic flaws and interface risks
Strategic security audits tailored to the organization’s architecture and threat landscape

No two mainframe environments are identical, even if they run similar software. Testing must reflect how each system is uniquely deployed and configured.

3. Configure the security subsystem correctly

Mainframes use internal security subsystems to enforce access controls and define privilege boundaries. Misconfigurations here can undermine the entire platform. Organizations should:

Audit subsystem roles, groups, and policies regularly
Enforce least privilege across users and services
Ensure segregation between test and production environments

Mainframes’ enduring presence doesn’t mean they’re impervious, but it does mean they require a tailored approach to security.

4. Lock down network access with firewalls & segmentation

Production mainframes should be isolated from internal networks wherever possible. Strict firewalling and zone segregation prevent lateral movement and unauthorized access. Air-gapped designs or tightly controlled access pathways are ideal for critical workloads.

5. Monitor & audit with intelligence

Basic logging isn’t enough. Security teams should implement intelligent monitoring, with alerts tied to behavioural anomalies. For example:

A Db2 table accessed at odd hours
Unexpected admin login from a new source
Privilege escalation attempts outside approved workflows

Correlating these events across logs can surface hidden attack paths or misconfigurations.

6. Modernize authentication & access management

Many mainframes still rely on legacy password practices, think eight-character passwords with low complexity. But modern solution integrations do exist and should be adopted:

Enable multi-factor authentication (MFA)
Use privileged access management tools
Implement just-in-time access for high-privilege accounts
Rotate sensitive credentials on schedule or per-use

Security maturity here is uneven across organizations; modernization is low-effort with high payoff.

7. Encrypt sensitive data at rest

A surprising number of legacy systems still store sensitive data in plain text. It’s essential to apply modern encryption standards wherever sensitive data resides:

Within databases and application tables
In archival or regulatory storage
Across communication channels (avoid legacy SSL/TLS versions)

Data at rest encryption protects against insider threats and improperly scoped access.

Industry-specific mainframe security practices

Mainframes are versatile systems, deeply embedded across sectors like finance, healthcare, aviation, insurance, and government. Even in the same industry, they’re configured and deployed very differently. While general security principles apply, certain industry contexts require more tailored approaches and awareness of regulatory frameworks.

Financial institutions: More than just compliance

In banking and finance, mainframes often handle core transaction processing and customer data. These systems may fall under compliance mandates such as PCI DSS when dealing with cardholder data. While PCI DSS provides a checklist-style framework for testing and encryption requirements, organizations shouldn’t default to minimum effort:

Don’t just “tick the box.” Treat PCI DSS as a baseline, not a ceiling.
Customize testing to reflect actual platform risk, not just what regulators expect.
Ensure sensitive data like identifiers, credentials, and financial records are encrypted at rest and in transit.

It’s easy for legacy systems to be excluded from modern compliance pipelines simply because they’re “hard to test.” But complexity isn’t an excuse; it’s a red flag.

Aviation: Legacy systems that still fly

Airlines are known to rely heavily on mainframes for reservations, departure control, and crew scheduling. Despite their dependence, these systems are often considered untouchable. Though testing access might be challenging, aviation operators should prioritize:

Network segregation of operational systems from passenger-facing applications
Monitoring of batch jobs and scheduling access to detect potential abuse
Updating authentication mechanisms across reservation platforms integrated with legacy backends

While not bound by PCI DSS across the board, aviation companies still handle sensitive data, such as passport numbers, personal information, and payment details, and must adhere to international privacy laws and standards.

Cross-industry takeaway: Avoid minimum viable testing

Whether regulated or not, every industry faces this decision: do we do what’s required, or what’s responsible? The best practice is simple but vital, don’t settle for the bare minimum. Legacy systems are just as critical as flashy new apps, often more so. Their opacity, age, and integration with newer platforms make them uniquely valuable and uniquely vulnerable.

Organizations should:

Treat mainframes as active components of modern architecture
Test regularly and purposefully, beyond compliance thresholds
Integrate mainframe security into enterprise-wide strategies

How Reversec can help

Our mainframe security assessment provides a holistic view of your applications, ensuring end-to-end coverage that includes applications, network presence, operating system controls, and other interactions within the wider environment. This comprehensive approach enables you to apply layered security controls and significantly reduce your attack surface.

Blending scarce mainframe security skills with modern testing techniques, we tailor each assessment to your specific needs, providing maximum coverage and assurance. Our team also draws from industry-specific experience gained through work with finance, aviation, healthcare, and government clients.

Mainframe Security

Reversec’s four-month ISO 27001 journey
— and what you can learn from it

October 20, 2025 | Ondrej Doubek, Torbjörn Johansson

As a cybersecurity consultancy, we regularly support clients with ISO 27001 readiness and internal audits. So when we split from WithSecure and launched as an independent company in 2025, certification for this foundational security framework became a top priority. In this article, Lead Implementer Torbjörn Johansson and internal auditor Ondrej Doubek share their accounts of how a newly formed cybersecurity company achieved ISO 27001 certification in just four months — and why a sub-year timeline is achievable for others.

The significance of ISO 27001

ISO 27001 provides a structured, systematic and mature approach to managing security across the organization, from executive leadership to operational procedures. Certification for the standard is granted through an audit by an independent third party.

Across Europe and in most regions outside the United States, it is the most widely adopted security standard. While demanding, it offers clear guidance and a well-defined structure that makes implementation manageable. Achieving ISO certification demonstrates that an organization has the right controls in place and treats security as a serious, ongoing responsibility.

Motivation

From the beginning, ISO certification was a clear requirement for Reversec. Prior to launching our company, we operated under WithSecure, where the standard was already in place. Once we became independent, clients expected us to maintain the same level of maturity, posture and evidence-based security practices.

Our decision was also shaped by ISO 27001’s strong position in Europe and its recognition as a credible way to demonstrate alignment with several EU regulations, including the increasingly relevant NIS2 Directive.

Timeline: Kickoff to certification

The preparations typically begin by defining the scope of what you want certified. Our project started in early February 2025, with the goal of achieving certification quickly to minimize the transition gap between WithSecure Consulting and Reversec. This helped reassure customers that continuity would be maintained.

Torbjörn Johansson led the implementation of our Information Security Management System (ISMS) while also serving as CISO, a role he continues to hold today. His background in information security and experience running ISO 27001 projects for clients gave us a solid foundation to build on.

‘To keep the process on track, management made it clear that ISO 27001 certification was a mandatory initiative. At the start of the project, Executive Vice President Scott Reininga, who was expected to become CEO, sent a message to the entire organization: “We’re doing this. Make yourself available and be prepared to contribute.” That message set the tone.

For internal follow-up, Torbjörn provided weekly updates to the project’s steering group. At the same time, members of the group were also managing Reversec’s broader transition, rolling out ERP, CRM, HR and finance systems. Despite the parallel efforts, Torbjörn consistently received the support he needed.

Stage 1 – Documentation review

Within two months, we were ready for Stage 1 of the initial audit, which took place on 12 April. This stage involves a review of required documentation by the external auditor to confirm that the minimum documentation exists and aligns with the company’s scope and ambitions. Our external auditor was DNV, a leading assurance and risk management firm.

In late April, we brought in Ondrej Doubek, a certified ISO 27001 Implementer and Auditor, to conduct the internal audit. His role was to assess the ISMS for any gaps or deficiencies. To maintain independence, Ondrej had not been involved in creating the ISMS.

Following Ondrej’s two-week assessment, the team began preparing for the next stage of the external audit. Identified issues were addressed over the course of about ten days, leading up to the next stage of the initial audit.

Stage 2 – Certification audit

The certification audit was focused on how well Reversec’s processes and procedures were functioning. External auditors examined our organization and evaluated how we had adopted the ISMS. This stage included extensive interviews across the company and took place over four days, from 16 to 19 June.

The auditors looked for major nonconformities that could delay certification. Reversec had no major nonconformities and one minor (for which we successfully submitted a corrective plan). The auditors also highlighted three opportunities for improvement — suggestions, not misses — which we’ll incorporate into our continuous improvement cycle. This outcome allowed the auditors to proceed with issuing the certification.

Finally, DNV conducted a third-party review of the findings. With no further concerns, the certificate was approved and issued in July.

Scope and audit sizing

Reversec had around 250 employees and three offices in scope. The audit covered our Swedish headquarters, along with sites in Manchester and Singapore. The Singapore office was audited remotely through a video walkthrough.

The total effort for the project amounted to approximately 100 FTE days. This excludes work already underway as part of the broader transition, where additional instructions were provided by the project team to align with relevant requirements.

Typical durations

Three to four months is exceptionally fast for the certification. It requires full commitment, coordination, cybersecurity expertise and a clear understanding of the process from everyone involved.
Six months is a realistic minimum for organizations with a highly engaged team.
Twelve months is a typical timeline for companies starting from scratch or without prior certification.

Roles and responsibilities

The implementation involved staff from Finland, Denmark, Stockholm, Singapore, Manchester and London. Everyone with a stake in security — from executive leadership to administrative staff in Finance — contributed to the project.

Torbjörn Johansson served as the lead implementer of the ISMS.
Ondrej Doubek conducted the internal audit.
The project’s steering group included the operations and transition manager, Nordic consulting manager, and frequently the EVP.
Our Senior Engagement Manager in the UK supported the project by allocating available capacity and bringing in team members who weren’t assigned to client work.
The Singapore office manager facilitated the video for that location.

Inside the internal audit

During his two-week document review, Ondrej Doubek examined and compiled all relevant materials into a structured report, closely following the ISO standard — familiar territory from his work with clients. To maintain objectivity, Ondrej remained at a distance throughout the project until the review phase. “Whenever I thought I could help with writing something, I was told, ‘No, you stay away,’” Ondrej reflects on the process.

The purpose of the internal audit is never to nitpick. It should aim to exceed the thoroughness of the external audit, helping the company prepare for the external audit in a meaningful way. As a cybersecurity company that supports clients with ISO compliance and internal audits, our assessment had to reflect our high ambitions and go well beyond the standard’s minimum requirements.

The process was complicated by the fact that the ISMS was still evolving. Before Ondrej could submit his report, a policy might have changed twice, requiring him to revise his findings. He was effectively auditing a moving target.

Despite these added challenges, the auditor was highly satisfied with the outcome, describing the internal audit as exceptionally thorough and uncompromising.

“Whenever I thought I could help with writing something, I was told, ‘No, you stay away.’”

Why four months was possible

In most organizations, policy creation involves multiple rounds of HR approval. Staff often need time to familiarize themselves with ISO 27001, which slows progress.

Reversec was already fully tuned to the standard. Our staff understood the importance of the certification, trusted the policies, and didn’t need convincing. We also had a large pool of experienced contributors.

Commitment from top management played a central role in our ISO compliance journey. Leadership prioritized certification and allocated the resources to make it happen. When projects lose momentum, it’s often because management isn’t fully engaged.

Given the nature of our business, we had in-house cybersecurity expertise and extensive experience with ISMS implementation. This allowed us to access and adapt a wide range of templates and documentation for internal use. Adjusting policies and procedures from WithSecure’s certified ISMS to suit our needs saved significant time.

We offer this advantage to our clients as well. While no two ISMS’s are identical, we can noticeably accelerate the implementation process by drawing from our extensive library of curated structure templates and example documents.

What we’d do differently

Looking back, we began our certification journey earlier than ideal, while Reversec was still being established as an independent consultancy. At that point, we were still defining our business processes, building our IT environment and setting up core governance. Not a setup we’d recommend to other companies, but it was unavoidable given the circumstances.

“Implementing ISO 27001 while building the company was challenging, but it also had advantages.”

For most organizations, a stronger starting point is when:

The company structure, key processes and stable IT environments are in place.
Leadership roles and responsibilities are well defined.
There is a clear understanding of critical services, data flows, and applications that require protection.
Internal expectations, customer commitments and legal or regulatory obligations are clearly understood.
Security awareness and basic controls are already in place.
Risk management practices are at least partially established.

This foundation allows the ISO 27001 project to focus on improving and formalizing what already exists, rather than designing everything from scratch.

“Implementing ISO 27001 while building the company was challenging, but it also had advantages,” Torbjörn Johansson recalls. “It meant we could embed security and compliance principles directly into the way we operate — not bolt them on later.”

Recommendations for ISO 27001 success

Begin with a gap analysis.
Compare your current state with certification requirements before committing.
Secure management involvement.
Leadership must provide clear direction and maintain momentum.
Design the ISMS to support real security.
Avoid measures that look good on paper but fail in practice.
Ensure competence in information security.
Expertise is essential for risk-based decisions a posture that reflects current threats.
Define a clear scope early.
Outline what is included and what will be certified. This is key to planning resources and costs.
Focus on risk, not just controls.
ISO 27001 is risk-based. Manage and assess risks properly. Management should understand the risks and how they’re addessed.
Leverage existing resources.
Use available tooling, documentation and processes. Teams and SharePoint can support the effort.
Keep documentation practical.
Write policies for people to follow, not just for audits. Avoid overcomplication.
Run awareness and training early.
Staff should understand objectives, what’s being measured and why it matters.
Manage the project efficiently.
Don’t underestimate time and resources.
Use available capacity flexibly.
Reassign tasks when necessary to maintain progress.
Maintain focus without burnout.
Set clear milestones to facilitate hard work. Avoid pushing at an unsustainable pace.

Ondrej Doubek — Reversec can support organizations through every step of the ISO 27001 certification journey.

After certification

The ISMS is called a management system for a reason: Once implemented, it needs to be maintained. Regular activities are expected throughout the year between audits. The standard also calls for continuous improvement, which means the organization must evolve to stay compliant.

Why certification matters

One of the biggest advantages of ISO 27001 certification is client trust. Being able to show that an independent auditor has verified your security posture carries weight.

Certification also helps avoid missed opportunities. Without it, you may not qualify to pitch for certain types of business. This is especially true in the public sector.

Another benefit is regulatory alignment. Across regions and industries, organizations face different regulations but share a growing need to demonstrate compliance. With ISO 27001 in place, you’re well positioned to align with other frameworks and future requirements. For example, the entire ICT risk component of DORA and NIS2 is covered by the ISO standard.

How we can help

We support organizations through every step of the ISO 27001 certification journey — from initial gap analysis to successful certification and ongoing compliance.

Our services include:

Gap analysis & readiness review – Understand where you stand today and what’s needed to meet ISO 27001 requirements.
Implementation support – Develop policies, procedures, and controls aligned with ISO 27001:2022.
Internal audits – Independent audits to verify effectiveness and readiness before certification.
ISMS management – Ongoing support to maintain compliance, either through a virtual CISO or as operational assistance to your in-house CISO.

Whether you’re starting from scratch or strengthening an existing ISMS, we can tailor our involvement to your needs.

A practical guide to PCI DSS compliance

August 18, 2025 | Antti Laatikainen

Despite the rise of digital wallets, contactless transactions, and blockchain-based solutions, the backbone of global payments still relies heavily on traditional credit card technology, and that’s exactly why PCI DSS compliance remains so critical.

PCI DSS (Payment Card Industry Data Security Standard) is developed by major credit card brands—Visa, Mastercard, American Express, Discover and JCB—to ensure that all companies handling payment card account data maintain a secure environment. It applies to any entity that stores, processes or transmits cardholder data. The standard consists of 12 core requirements, each broken down into smaller sub-requirements. The standard is managed by the independent third-party PCI Security Standards Council (PCI SSC).

PCI DSS demands rigorous protection across every node of the payment flow. The real-world risk isn’t theoretical. Fraudsters don’t need to break into quantum code; they just need to exploit weak links in the chain. Every step in the transaction journey, from the payment terminal at your local store to the issuer of the actual credit card, must function at the highest level of security.

Five practical steps to PCI DSS audit readiness

PCI DSS is mandatory for all parties involved in payment processing. Building a PCI DSS program and running operations accordingly is a responsibility shared by all stakeholders in the payment process. To help you avoid common pitfalls, Antti Laatikainen, our Principal Consultant in Security and Risk Management, has prepared a guide designed to turn compliance theory into practical preparation.

1. Read the standard and stay updated

PCI DSS is not a static document. It evolves frequently and is widely considered the most detailed and demanding commercial security standard. Whether you’re aiming for first-time certification or undergoing recertification, downloading and thoroughly reading the latest version is essential.

Auditors often encounter organizations that have previously been certified but are unaware of significant updates to the standard. Organizations must continuously monitor the evolution of PCI requirements and incorporate changes into their internal controls.

Enroll in up-to-date training programs and maintain internal knowledge. External consultants are helpful, but internal understanding is non-negotiable.

2. Map your systems and networks with precision

PCI DSS doesn’t let you define your scope yourself, like ISO 27001 and many other standards do. Your technical architecture determines what’s in and out of scope. That makes your system and network diagrams the backbone of your compliance efforts.

Some companies leave out “harmless” systems like backup or management servers, thinking they’re irrelevant.

Auditors begin with a close review of how your network is structured, from firewalls and switches to system interactions. Everything needs to be documented down to individual server levels. Whether your infrastructure is physical, cloud-based, or hybrid, accuracy is key.

A common pitfall we see is that some companies leave out “harmless” systems like backup servers, thinking they’re irrelevant. But if those backups bypass firewalls, connect across networks with privileged access or are stored by a third party without PCI DSS certification, they become unintentional vulnerability hotspots. And if they’re not represented on your diagrams, your entire audit may be compromised. Your system and network diagrams should include:

Physical and logical network layers
Internal connectivity between systems
External and semi-trusted access points
Log collection flows and storage points
Authentication systems, IAM setups, and yes, your backup topology
Tooling used by the administrators to manage the environment, such as patching or configuration management systems

3. Map the flow of cardholder data across your systems

Once you’ve mastered the PCI DSS requirements and mapped your environment, the next pillar is understanding cardholder data flows. Defining these flows is the core of PCI DSS scope. It’s the nucleus of your security controls, audit scope, and overall compliance strategy. Start by tracing how credit card data enters your environment. Identify:

Entry points (e.g. payment terminals, web portals, other service providers)
Locations in your infrastructure where transport layer encryption is removed, i.e. TLS Offload
Processing layers and databases (physical or virtual)
Storage mechanisms, including hosted environments
Encryption protocols at rest and in transit

These data flows define what PCI DSS considers in scope. Meaning any system that touches, transmits, or can access cardholder data needs to be covered. Don’t forget the ripple effect; if one server in a subnet processes card data, all servers in that subnet fall within PCI scope. Attackers only need one open door. Beyond systems, evaluate:

Network segments and connected devices
Shared services in cloud accounts
Administrators with cross-environment access
Logging, backup, and patching systems, even if they don’t touch card data directly, they support the security of those that do

This exercise leads to your scope definition, a vital deliverable in PCI preparation and the foundation for every control, test, and security practice that follows.

4. Enforce security hygiene across all technologies

PCI DSS doesn’t ask for innovation; it demands consistency. The security expectations here are plain and universal:

Timely security patches
Strong passwords and access controls
Multi-factor authentication (MFA)
Hardened systems, updated libraries
Centralized logging and monitoring
Well-defined change management and documentation

None of these practices are PCI-exclusive. They’re basic cyber hygiene measures that every organization should implement anyway. But PCI DSS ups the ante: now you must apply them to every system in scope, no skipping legacy tools or fringe infrastructure. Typical stumbling blocks include:

Patching only major OS platforms, but not network hardware
Applying strict access controls in cloud apps, but using shared credentials for firewalls
Overlooking outdated authentication mechanisms for infrequently accessed admin tools

Some companies know these practices are outdated but lack the urgency to act. PCI DSS provides that urgency, turning “nice-to-have” policies into mandatory controls. In fact, many of our clients appreciate this friendly nudge from compliance.

A generic statement like “Provider handles server security” won’t cut it.

5. Define roles and accountability for outsourced partners

Unlike many other frameworks, PCI DSS digs deep into service provider agreements. Why? Because it’s not just business data at stake, it’s the financial safety of individuals. This elevates the ethical bar and legal scrutiny. PCI DSS doesn’t tolerate vague handoffs or assumptions, so a generic statement like “Provider handles server security” won’t cut it. You must spell out:

Exactly which PCI controls the provider is responsible for
How they implement and maintain those controls
Who makes decisions on patching, upgrades, access rights, and security tooling
Whether their practices are up to date with recognized standards

A provider using a “golden image” from 2018 isn’t compliant unless it’s been reviewed and updated. That level of granularity in roles is essential. Think through scenarios like:

Who patches the front-end servers?
Who reviews log data and alerts?
Who manages access to cloud-based PCI systems?

If these aren’t clearly defined and monitored, you remain liable even when outsourcing. Delegation without enforcement is a compliance trap, and when things go wrong, it’s your organization that faces the consequences.

Common PCI DSS audit pitfalls and how to avoid them

Mistake #1: Not keeping up with PCI updates
PCI DSS evolves quietly. And audits often reveal that organizations weren’t aware of new controls like integrity checks for HTTP headers. Missing requirements during an audit leads to delays, scramble fixes, and potential penalties.

Mistake #2: Forgetting recurring tasks
Many PCI controls are scheduled obligations:

Quarterly vulnerability scans
Annual penetration testing
Incident response plan testing
Policy reviews and documentation updates

Skipping just one cycle can undermine your compliance. The rule is simple: Don’t just comply at audit time, live it daily.

Mistake #3: Misunderstanding ISO 27001’s role
ISO 27001 and similar standards lay a solid foundation. They help with policy structure, documentation practices, and patching discipline. But PCI DSS is not cross-compliant. You still need to meet each applicable PCI control in full.

What ISO can do:

Streamline internal workflows
Establish roles and responsibilities
Reinforce cyber hygiene practices

What ISO cannot do:

Replace or substitute PCI-specific requirements
Automatically fulfill PCI audit checkpoints

This concludes the five practical pillars of PCI DSS readiness. Each step builds toward a security posture that’s not just audit-ready, but genuinely resilient.

ISO 27001 and similar standards lay a solid foundation, but PCI DSS is not cross-compliant.

New highlights in PCI DSS 4.0.1: What matters most now

With the release of PCI DSS v4.0.1, the standard sharpened its focus on targeted risk analysis. Gone are the blanket mandates for tasks like scanning for skimmers or reviewing logs on a rigid schedule. Instead, organizations must now justify the frequency of these activities based on threat modeling and internal analysis. That means:

You choose how often to inspect payment terminals for skimmers, train your incident response personnel, or scan your systems for malware
But you must document the rationale behind those choices.
You need to show maturity in understanding threats to critical PCI functions like incident response, network defense, or authentication systems.

This pivot echoes the logic of seasoned cybersecurity teams: security must fit the environment and threat landscape, not just the checkbox list.

New emphasis: Vulnerability management beyond the OS
Also newly explicit in 4.0.1 is the requirement to include third-party libraries and dependencies in vulnerability management. Even if your servers are patched, your application code may carry outdated modules, and attackers exploit those entry points just as easily. It’s no longer enough to focus on the base infrastructure. Organizations must now:

Track vulnerabilities in all code dependencies
Integrate security scans into CI/CD pipelines
Review all components before releasing updates

This aligns PCI DSS with real-world attacker behavior and promotes a stronger “security-by-design” approach.

How Reversec can help

Looking to meet PCI DSS compliance?
We’re here to help you get ready. Whether you’re building a compliance program from scratch or strengthening an existing one, we offer hands-on implementation support. Our compliance-building services lay the right foundation while our audits validate and assess.

Ready for the audit?
As a Qualified Security Assessor (QSA), we conduct PCI DSS audits with an attacker-first mindset. We treat every audit like a breach assessment digging into firewalls, codebases, and TCP/IP configurations to uncover real-world vulnerabilities. We go beyond paperwork to test the actual systems.

What you get with us:
Our PCI DSS services don’t stop at certification. We leave you with better tooling, smoother developer workflows, and a more robust architecture built for long-term security program. While our audits assess and validate, our compliance-building services help you put the right foundations in place.

Curious about how we work with clients? Watch our Principal Consultant Antti Laatikainen and Engine by Starling’s Deputy CTO Jaco Engelbrecht share their experiences of ensuring Engine ‘s PCI DSS compliance.

Sweden, get ready for NIS2

In January 2026, the Swedish Cybersecurity Act (Cybersäkerhetslagen) is expected to come into effect, aligning national legislation with NIS2, the updated EU-wide cybersecurity regulation.

Reversec has been at the forefront of helping organizations across the Nordics prepare for this shift. Our unique expertise in offensive-driven security and international security frameworks like ISO 27001 and ISO/IEC 62443 has made it easier for organizations to turn complex requirements into effective security programs.

We also heavily contributed to implementing the Finnish NIS2 law, including participating in advisory hearings with the Finnish Parliament, commenting on the draft legislation, and serving as a key member of a working group that formulated implementation guidance for the Finnish industry.

Key requirements of the Swedish Cybersecurity Act

Expanded scope – Now applies to 18 sectors, including ICT, manufacturing, and shipping businesses with at least 50 employees or an annual turnover exceeding €10 million.
Executive accountability – Leadership must undergo cybersecurity training and may be held accountable for non-compliance.
Stricter incident reporting requirements – Significant incidents must be reported within 24 hours of becoming aware, with a formal incident notification submitted within 72 hours.
Enhanced supervision and sanctions – For essential entities, the maximum administrative fine is €10 million or 2% of total worldwide annual turnover from the previous financial year.

How we can help you navigate NIS2

We can support your organization at every stage of your NIS2 and Swedish Cybersecurity Act journey, from current state analysis to implementation. Our consultants will work with you to:

Review your existing compliance status
Collaboratively identify cyber risks across your operations
Build a strategic decision-making framework
Develop a vendor management program
Secure executive approval and guidance
Support implementation and provide training programs

The Swedish Cybersecurity Act is soon expected to come into effect, aligning national legislation with NIS2. Our unique expertise in offensive-driven security and international security frameworks like ISO 27001 and ISO/IEC 62443 has empowered organizations to turn complex requirements into effective security programs. — Our experience in international frameworks like ISO 27001 and ISO/IEC 62443 has helped Nordic organizations prepare for NIS2 compliance.

Real-world compliance stories

We have already assisted critical entities in Sweden, Denmark and Finland in navigating NIS2. These case studies demonstrate how our approach has helped organizations build resilient security programs and close compliance gaps.

1. Assessing a British multinational in Sweden

A British multinational company specializing in electrical test, measurement, and monitoring approached us to conduct a current state analysis of its security posture in relation to NIS2. The client sought a rapid yet intensive assessment to close the gap on NIS2 requirements.

Two of our senior consultants carried out an intensive five-day assessment. The project included stakeholder interviews, document analysis and comprehensive deliverables.

We conducted three structured interviews with stakeholders. Our team also reviewed organizational documents, including business continuity plans, IT policies, network configurations, asset inventories, supplier agreements and emergency response protocols.

We assessed the client’s risk management framework, examining how risks were identified and treated, and whether these processes aligned with NIS’s requirement for systematic risk management. Supply chain security was another priority, where we reviewed vendor assessment processes and analyzed contractual security requirements and monitoring procedures.

Technical security controls were assessed, including encryption implementation and policy, the deployment of multi-factor authentication, as well as asset management and classification frameworks. We also analyzed incident response capabilities, focusing on handling procedures and reporting timelines, and their alignment with NIS2’s strict notification requirements. Finally, we reviewed access control mechanisms, privileged access management, and segregation of duties.

We proposed a three-phased implementation approach:

1 – Foundation

Establish an ISO 27001-aligned Information Security Management System (ISMS )
Integrate with existing ISO 9001 processes
Complete critical vendor security assessments

2 – Control implementation

Deploy a comprehensive risk assessment methodology
Align incident response with NIS2 timelines
Expand MFA coverage across critical systems

3 – Operational maturity

Integrate internal audits with quality management
Establish management review processes
Implement continuous monitoring capabilities

We delivered a comprehensive report with findings, recommendations, and an implementation roadmap. An executive summary highlighted key risks and strategic priorities, while a board presentation was delivered to senior management and the CEO. The report included implementation guidance covering all ten NIS2 requirement areas with step-by-step guidance for each.

The engagement allowed the client to successfully close critical gaps across all identified NIS2 requirements, strengthen its vendor security posture, and improve its incident response capabilities to meet regulatory expectations. The engagement also laid the groundwork for potential ISO 27001 certification. By leveraging its existing ISO 9001 infrastructure, the company could accelerate implementation by 30%.

2. Enabling NIS2 compliance in telecommunications

The Danish branch of a multinational telecommunications company faced significant organizational complexity in its path toward NIS2 compliance. As part of a globally distributed enterprise, implementing a risk-based security program would require substantial investment.

We embedded a senior consultant with the company’s Governance, Risk, and Compliance organization for an eight-month engagement. Acting as a trusted advisor, the consultant provided expert-level cybersecurity input to ensure strategic and tactical alignment with NIS2 requirements and the ISO 27001 standard.

During the engagement, the consultant developed and presented strategic objectives to senior leadership and local regulatory agencies, helping to shape the company’s compliance roadmap. We drew on our broader consulting team to support the creation of policies, the development of procedures, and the building of competencies across operational domains.

The engagement resulted in the implementation of policies and procedures that aligned with both NIS2 and ISO 27001. A strategic project plan was presented to the board, CEO, and senior management, and a formal implementation roadmap was presented to regulators.

By combining dedicated advisory support with dynamic access to domain specialists, we enabled the client to rapidly close its compliance gap and meet its security program objectives.

3. Assessing a Danish electricity grid provider

An electricity grid company approached us for support in meeting the requirements of the NIS2 directive. The client needed a clear understanding of its security posture and a roadmap for improvement. We conducted an evaluation using two well-established frameworks:

The NIST Cybersecurity Framework (CSF)
The Cybersecurity Capability Maturity Model (C2M2) developed by the U.S. Department of Energy

This approach allowed us to assess the client’s alignment with both enterprise and industry security standards.

We delivered a prioritized roadmap that the client used to secure board-level funding to implement the necessary changes. A follow-up assessment revealed significant progress in compliance. The client demonstrated a proactive commitment to protecting its infrastructure and the surrounding society.

4. Securing the digital supply chain of a global motor vehicle manufacturer

A global motor vehicles manufacturer needed to strengthen the security of its digital supply chain to meet the upcoming requirements of the NIS2 directive. As an essential entity, the organization faced heightened regulatory expectations, including the need to apply risk management procedures across hundreds of direct suppliers.

We supported the client in implementing a program plan that aligned its risk management and governance processes with supplier procurement and management procedures. Supply chain security best practices were integrated into the client’s procurement process.

The client can address supply chain risks iteratively, assessing risks with each new contract and renewal. Using this model, we continue to support the client in conducting risk-prioritized assessments of its supplier backlog, helping to close its compliance gaps.

WHITEPAPER

eBook: Shared requirements of ISO 27001, NIS2, DORA, and NYDFS

Download

Why you should choose us

Our experts cut through the complexity of NIS2 with focused services like readiness assessments, risk management and governance design, threat modelling and security assurance. As an offensive-driven consultancy, we approach compliance by thinking like attackers. Our clients don’t just pass audits but build resilience against real-world threats. We offer research-based and practical solutions that go beyond documentation and empower organizations to build security that stands up to scrutiny.

NIS2 is about identifying cybersecurity risks tied to critical business operations. For many industries newly added to its scope, this is easier said than done. We bring extensive hands-on experience in helping organizations meet these requirements in a practical and effective way. We guide the identification of key business and IT processes, systems and the functionalities that empower them.

Through professionally led threat identification and modeling workshops, we enable your risk management teams to gain realistic visibility into the cybersecurity threats and risks affecting your operations, aligned with the Swedish Cybersecurity Act and NIS2 requirements. These workshops also help assess existing controls, evaluate their effectiveness, and plan for any necessary improvements. We have adapted this process, also referred to as business impact analysis, into a NIS2-compliant format.

Ready to reach NIS2 compliance?

NIS2 isn’t about completing checkbox compliance exercises. It’s about identifying and addressing the risks that matter most to your business. Book a free readiness consultation or speak with an advisor to understand what NIS2 and the Swedish Cybersecurity Act mean for your organization. Our experts will help you turn compliance into a key business enabler.

Cybersecurity Current State Assessment

Reversec and ENISA partner to boost Nordic cybersecurity

New partnership enhances cyber defenses across Finland, Sweden, and Denmark

[Stockholm, 25 June 2025] Reversec, a new name in cybersecurity consulting, has been selected as the official partner for the European Union Agency for Cybersecurity (ENISA) in Finland, Sweden, and Denmark. The partnership – worth a minimum of €2.7 million and lasting for three years – marks a major step forward in protecting critical infrastructure and public services across the region.

Cyber threats in Europe are growing rapidly, with a sharp rise in incidents reported over the past year. In response, ENISA launched a new initiative to find trusted, capable partners in each EU country. Reversec stood out for its strong local presence, technical expertise, and ability to work in the native languages of the countries it will serve.

“This collaboration is about more than just delivering services, it’s about raising the bar for what offensive security can achieve,” said Scott Reininga, Executive Vice President at Reversec. “We’re committed to redefining offensive security as a proactive, strategic force. One that not only identifies vulnerabilities but helps build lasting resilience. Working with ENISA gives us a unique opportunity to bring that vision to life where it matters most.”

The partnership will support government agencies, energy providers, telecom companies, and other essential services. Reversec will help these organizations prepare for and respond to cyber threats, comply with new EU regulations, and build long-term resilience.

As cyber threats continue to evolve, the partnership between Reversec and ENISA shows how working together – across borders and sectors – is key to building a safer digital future.

About Reversec

Reversec, a new name in cybersecurity consulting, helps organizations worldwide tackle their most complex cybersecurity challenges.

With a focus on continuous research, practical solutions and knowledge sharing, Reversec’s findings provide the rationale behind informed security decisions.

With over 30 years of experience, Reversec brings together the expertise of renowned companies MWR Infosecurity, F-Secure, WithSecure, Digital Assurance, nSense, and Inverse Path.

Media Contact
Kelly Friend
pr@reversec.com
+44 (0)7880 488357

Whitepaper | NY DFS Part 500 Cybersecurity Enforcement

October 22, 2025 | Richard Suls

A complete analysis of NYCRR Part 500-related penalties in 2024-2025

New York’s Department of Financial Services (DFS) has entered its most aggressive cybersecurity enforcement phase in the regulation’s history. In total, the NY DFS issued $63.3 million in 23 NYCRR Part 500-related penalties in 2024-2025. This whitepaper breaks down the landmark cases from 2024–2025, including actions against GEICO, Travelers, Block, Healthplex, and Genesis Global Trading.

Proactive enforcement has dramatically changed the regulatory landscape from reactive compliance checking to comprehensive risk management oversight. Learn how DFS is reshaping expectations around multi-factor authentication, access controls, incident reporting timelines, board-level oversight, and risk-based supervision. Enforcement now focuses on how security programs operate in practice, not just how they’re documented. Sector-specific vulnerabilities and remediation mandates are also receiving increased attention.

Inside the whitepaper:

Root causes behind each enforcement action
Specific NYCRR Part 500 violations and their implications
What Class A entities should prepare for
How DFS is influencing national cybersecurity standards
What regulators expect from your security program today

Whether your organization operates in insurance, finance, virtual currency, or healthcare, the whitepaper offers practical insight into how New York’s regulators are shaping national baselines, and how your organization should adapt to withstand increased regulatory scrutiny.

WHITEPAPER

NY DFS Part 500 Cybersecurity Enforcement

Download

Table of contents

The constraints: time, breadth, and stealth

Your experts on center stage

Challenges in the clouds

Isn’t that a purple team?

Still want that red team?

Table of contents

Related content

Do you need a red team?

What is purple teaming? Key benefits and how it works

What is Attack Path Mapping

Here’s the key update you might have missed:

Why this matters to Digital Service Providers

Ready to take the next step?

Related content

Sweden, get ready for NIS2

Connecting the dots: Shared requirements of ISO 27001, NIS2, DORA, and NYDFS

Insights into the NIS2 Directive

Table of contents

Why the Cyber Resilience Act matters

What it demands

Covered and excluded products

CE marking as a signal of compliance

Implementation

Vulnerability handling

Security by design

Third-party accountability

Update requirements

Industry readiness

Commercial impact as a driver of security

Strategic implications

Will it spur innovation?

Impact on open source

Small vs. big teams

Impact on security testing

Alignment with security standards

Early implementation pays off

Start preparing for the Cyber Resilience Act now

Table of contents

Related content

Sweden, get ready for NIS2

Connecting the dots: Shared requirements of ISO 27001, NIS2, DORA, and NYDFS

Reversec Foundry

Table of contents

Intro to mainframes

Common attack paths in mainframe environments

Mainframe security testing: platform vs. application

Why mainframes need holistic security testing

The reality of mainframe testing

Why a combined platform + application approach matters

Testing frequency: Compliance vs. proactivity

Common misconceptions & hidden risks

Mainframe security: Best practices that make a difference

Industry-specific mainframe security practices

Financial institutions: More than just compliance

Aviation: Legacy systems that still fly

Cross-industry takeaway: Avoid minimum viable testing

How Reversec can help

Table of contents

Mainframe Security

Table of contents

The significance of ISO 27001

Motivation

Timeline: Kickoff to certification

Stage 1 – Documentation review

Stage 2 – Certification audit

Scope and audit sizing

Typical durations

Roles and responsibilities

Inside the internal audit

Why four months was possible

What we’d do differently

Recommendations for ISO 27001 success

After certification

Why certification matters

How we can help

Table of contents

Related content

Connecting the dots: Shared requirements of ISO 27001, NIS2, DORA, and NYDFS

Shared requirements of ISO 27001, NIS2, DORA, and NYDFS