Cybersecurity

Security work that tells the business what to fix first.

Citual helps founders, SaaS teams, SMEs, and digital businesses reduce cyber risk with practical evidence, clear remediation priorities, and security decisions that match business context.

Delivery map

What we clarify before execution

Scoped
1. Map assets, access, cloud exposure, critical workflows, and customer data risk.
2. Test and review controls using evidence, not assumptions.
3. Prioritise fixes by business impact, exploitability, effort, and compliance pressure.

Service coverage

Security coverage that fits real teams

The work is designed around practical execution. You get enough detail for engineers to fix issues and enough clarity for leaders to make decisions.

How we work

Evidence first, remediation second

The point is not to produce a long document and disappear. We map the operating reality, show the evidence, and turn it into a sequence your team can execute.

01. Scope the systems, users, data, providers, and compliance expectations that matter.
02. Collect evidence from application flows, cloud access, IAM, logs, policies, and exposed interfaces.
03. Score findings by impact, likelihood, exploitability, business importance, and fix effort.
04. Review the remediation roadmap with technical and business owners, then validate critical fixes.

What the buyer sees

What security buyers should receive

Each engagement should leave the business with fewer unknowns, better prioritisation, and enough documentation to act without confusion.

Executive summary and technical findings.

Risk-ranked remediation plan.

Evidence screenshots and reproduction notes.

Control and policy gaps.

Retest or validation record.

Residual risk and ownership notes.

Decision layer

Aligned with recognised security thinking

The page structure and delivery model are informed by widely used frameworks such as NIST CSF for risk management and OWASP WSTG for web application testing. Citual turns those ideas into practical work suitable for smaller and mid-size teams.

Governance is included, not treated as paperwork after the technical work.
Testing is scoped and authorised, with clear evidence and remediation guidance.
Cloud and IAM are treated as part of the business attack surface, not separate infrastructure noise.

Research-backed thinking

NIST Cybersecurity Framework

NIST CSF 2.0 frames cybersecurity risk through outcomes and functions including Govern, Identify, Protect, Detect, Respond, and Recover.

OWASP Web Security Testing Guide

OWASP WSTG provides a broad testing reference for web applications, APIs, identity, authorization, session handling, and input validation.

Evidence-ready reporting

Every finding should be understandable by the person funding the fix and actionable by the person implementing it.

Next step

Start with a focused assessment.

We will clarify scope, evidence, effort, and priority before recommending a larger implementation.
