Three lanes. One engagement model. No surprises on the invoice.
We work with compliance-sensitive enterprises and the vendors who sell to them. Pick a lane below; pick an engagement shape further down.
Cloud cost & FinOps strategy
When to call us
You are about to make a multi-year cloud commitment and the internal numbers do not agree. Your incumbent hosting provider will not share invoices. A board paper is due in three weeks. You are a SaaS vendor pricing a multi-installation deal. Your CSP renewal is up and the partner-margin question has nobody to defend it.
What we deliver
A board-grade cost assessment anchored on cloud-economics, observability, and DevOps literature — Storment & Fuller, Majors, Nygard, Forsgren et al. — plus first-party Azure / AWS / GCP tier-selection and DR-cost guidance for the database engines in scope.
Typical deliverables: four-category cost taxonomy (fixed overhead, competence, variable, per-server), multi-scenario reserved-instance and CSP-margin modelling, triangulated baseline against incumbent spend, sensitivity analysis on staffing posture, working cost-model spreadsheet you keep.
For media-heavy platforms (video, audio, telemetry-at-volume) we have experience with codec-driven storage cost engineering — the right answer typically lives across CPU, RAM, storage, bandwidth, quality, and resilience trade-offs simultaneously, not in any one of them. Codec choice alone can move per-session storage cost by an order of magnitude before any tier strategy is applied. Region-of-interest encoding (prioritising face / hand / focal area at the same total bitrate) and adaptive recording (full fidelity for high-information segments, compact derived data for low-information stretches) are the next two levers worth modelling explicitly when the storage line dominates the unit economics.
What we do not deliver
We do not write Terraform. We do not migrate workloads. We do not sell you a product or a partner relationship. We deliver the document the decision-maker reads.
Recent example
A multi-installation industrial software vendor needed to know what to charge an enterprise customer for a cloud-managed deployment. The incumbent hosting baseline was unavailable. We built a triangulated baseline from public cloud list pricing and typical partner-margin bands, modelled three pricing scenarios across two staffing postures, and delivered a per-installation pricing playbook plus an enterprise-side calculator the customer could populate themselves. Read full case study →
Cyber resilience & NFR advisory
When to call us
Your enterprise customer just sent you their NFR catalog and you have ninety days to respond. NIS2 transposition has started touching your operating perimeter and the in-house team is missing one specific area. You are drafting the NFR catalog itself for an upcoming procurement and want it audit-defensible.
What we deliver
Structured NFR compliance responses against enterprise procurement matrices. We work across the standard domains — cyber security, data architecture, technical architecture, business continuity. Each response carries a compliance status (compliant / partial / non-compliant / desirable), justification, evidence trail, action required, and cost-impact estimate.
Around the register itself we add a deep-dive for items that do not fit a row, a source-verification log linking each justification to underlying meetings or documents, and a consolidated cost-impact summary that surfaces renegotiation triggers up front rather than mid-procurement.
We work with Azure-native security stacks (Entra ID, Key Vault, Defender, Purview, Sentinel) but the methodology is platform-agnostic.
For regulated-sector engagements we have experience with the domain-specific overlays — for healthcare: GDPR Article 9 special-category data handling, EHDS interoperability via HL7 FHIR R4, NIS2 essential-entity classification, MDR / EN 62304 / ISO 14971 readiness for software-as-medical-device adjacencies, ISO 27001 + 27799 ISMS scoping, and the relevant national transpositions (Germany: Gematik TI, BSIG-neu, BSI C5; Netherlands: NEN 7510, NCSC-NL guidelines; Croatia: HZZO, AZOP, eZdravlje). The engagement structure stays the same; the regulatory anchor changes.
On the audit-readiness and testing side we have experience aligning evidence packs against ISO/IEC 27001 (and 27002), ENISA guidance, OWASP (ASVS, MASVS, Top 10 2025), OSSTMM, and the NIS2 risk-management measures catalogue — for buyers whose procurement asks for a specific framework reference. GDPR / national-DPA equivalents (AVG in NL, AZOP in HR, BfDI in DE) anchor the privacy side of the same workpack. We deliver readiness reviews, evidence packs, and remediation plans; formal certification or accredited audit is left to bodies that hold the relevant accreditation.
What we do not deliver
We do not conduct penetration tests or security audits. We do not sit on your CSIRT. We do not write your ISO 27001 policies from scratch.
Recent example
A tier-1 European energy operator's procurement NFR matrix carried roughly fifty line items across cyber security and data architecture domains. We produced the response register, deep-dive sheet, and source-verification log linking each justification to a meeting or email. Read full case study →
AI integration for established systems
When to call us
You have working systems and you want to connect modern frontier models to them — not replace them. Your data-residency requirements rule out hosted LLM APIs. Your knowledge base is too large to paste into a prompt and too sensitive to upload to a third party. Your engineering team has shipped a chatbot and now leadership wants to know is this actually working?
What we deliver
- MCP control layers wrapping existing internal applications, exposing them as tools to LLM agents.
- RAG over enterprise knowledge bases — chunking strategy, retrieval tuning, evaluation harness, and an honest answer to is RAG the right call here at all?
- On-premises LLM infrastructure — model selection (Llama family, Mistral, others), serving stack (Ollama / vLLM), GPU sizing, observability.
- LLM-assisted legacy modernisation — using frontier models to accelerate code understanding, dependency mapping, and migration planning on systems your team has been told to just rewrite.
- AI training for engineers and managers — what these systems are, what they are not, and how to evaluate them empirically.
- Self-hosted speech-to-text and ASR pipelines — Whisper-family deployment (faster-whisper / CTranslate2 runtime, INT8 quantisation), speaker diarization with word-level timestamps, GPU sizing for batch inference, multi-language. For high-volume scenarios where per-minute cloud ASR pricing breaks the unit economics, or where audio cannot leave the perimeter.
- Edge-side neural audio enhancement — DNN-based noise cancellation and dereverberation running on the client device before media reaches the server. Combined with self-hosted ASR above, the entire speech pipeline can run within the operator perimeter — zero per-minute cloud cost, zero audio leaving the network boundary.
What we do not deliver
We do not train foundation models. We do not sell you AI strategy without a working artifact. We will not ship an AI feature where the right answer is a SQL query.
Three engagement shapes you can actually approve.
Discovery Sprint
1–2 weeks · fixed fee
Scoped problem, structured deliverable, decision-ready output.
Rapid PoC
2–4 weeks · fixed fee
Working demonstration plus an evidence-based go/no-go.
Fractional CTO
Monthly retainer
A senior architect on call. Sounding-board for the in-house team, RFP due diligence, second-opinion reviews. For when the team is strong but missing one specific area of depth.
We take one to two new engagements per quarter. The first thirty minutes is always free, with no pitch and no slide deck.
A Discovery Sprint, day by day.
The shorter cousin of the Rapid PoC. One to two weeks, single deliverable, no working artifact — pure decision support. Used when the question is concrete and a working PoC would be overkill.
A Rapid PoC, week by week.
A typical 4-week Rapid PoC engagement. Stages overlap deliberately — by mid-week-2 we already have enough of the map drawn to start the analysis.
Other shapes we have run when the engagement called for it.
SQL Server · PostgreSQL · Oracle rescue
Slow databases are rarely fixed by adding hardware alone. Stored-procedure archaeology, execution-plan analysis, indexing strategy, locking / blocking / deadlock investigation, high-ingestion telemetry data design, read-replica and sharding architecture review. Typical output: a ranked list of bottlenecks with safe remediation steps and before/after benchmarks.
VB6 · Classic ASP · WebForms · old SQL
For business-critical applications where the logic lives in old code, stored procedures, and undocumented integrations. Strangler-Fig sequencing, dependency mapping, business-rules-hidden-in-SQL inventory, target-architecture proposal, risk-and-cost estimate. Combines naturally with the AI lane (LLM-assisted code understanding) and the database lane above.
Interim team-lead or functional manager
For situations where the gap is operational rather than analytical — interim team-lead or functional-management coverage for ITIL-organised or ASL / BiSL-organised functional-management departments. Time-boxed, fixed-fee monthly retainer, with a written handover plan from day one.
LIMS, lab-automation, vendor integration
Hands-on experience with Laboratory Information Management Systems (LIMS), instrument-integration design (ASTM E1394, HL7), and business-process-management systems that sit alongside them. Most often as part of a healthcare or industrial-IoT engagement; rarely as a standalone mandate.
We do not sell hours. We sell decisions.
Thirty minutes is on us — no pitch, no slides. We will tell you on the call whether we can help.