What we've actually shipped.
Client names withheld by request. Each study below documents the problem we walked into, the operational constraint that shaped the approach, and the before/after metrics the engagement moved. We don't publish case studies our clients haven't reviewed.
MLSE-tier venue, zero-trust redesign for event week
A flagship Canadian venue runs simultaneous concerts, broadcast feeds, and corporate offices over the same physical network. Pre-engagement, every tier could see every other tier. Post-engagement: segmented networks, identity-first access, AV systems that don't become an attack surface for the venue.
- Network segmentation: before, flat L2 across all tiers; after, a VLAN per tier (crew, attendee, broadcast, corporate)
- AV control plane exposure: before, reachable from attendee Wi-Fi; after, isolated in its own VRF with no reachability from the attendee tier
Registered charity, exposed surface to A+ headers in 6 weeks
A Canadian charity that handles donor data engaged us after a board-level concern about a competitor's recent breach. Six weeks later: A+ Mozilla Observatory grade, MFA across the entire staff, donor PII encrypted in transit and at rest, and board-ready PIPEDA documentation in their hands.
- Mozilla Observatory grade: before, F (no CSP, no HSTS); after, A+ (strict CSP, HSTS preload)
- MFA coverage across staff: before, 18%; after, 100%
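As an added illustration (not the engagement's tooling), the check below distinguishes the "before" header state (no CSP, no HSTS) from the "after" state (strict CSP, HSTS preload) using constructed sample headers; the thresholds it applies are assumptions, not the Observatory's exact scoring.

```python
"""Assess response headers for the two controls the case study moved:
HSTS with preload and a strict Content-Security-Policy.
Thresholds below are assumptions chosen to mirror common hardening guidance."""
from typing import Dict, List

# Constructed sample header sets for the before/after states (not real captures).
BEFORE_HEADERS: Dict[str, str] = {"Server": "nginx", "Content-Type": "text/html"}
AFTER_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'none'; script-src 'self'; style-src 'self'; "
                                "img-src 'self'; frame-ancestors 'none'"),
}

def hsts_findings(headers: Dict[str, str]) -> List[str]:
    """Return weaknesses in the HSTS header (empty list means preload-ready)."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        directives[name.lower()] = arg.strip()
    findings = []
    age = directives.get("max-age", "0")
    if not age.isdigit() or int(age) < 31536000:  # preload list requires >= 1 year
        findings.append("HSTS max-age below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    if "preload" not in directives:
        findings.append("HSTS not preload-eligible")
    return findings

def csp_findings(headers: Dict[str, str]) -> List[str]:
    """Return weaknesses in the CSP: missing policy, permissive sources, no framing control."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("content-security-policy")
    if value is None:
        return ["CSP header missing"]
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    findings = []
    if "default-src" not in directives:
        findings.append("CSP has no default-src fallback")
    for name, sources in directives.items():
        if name.endswith("-src") and set(sources) & {"'unsafe-inline'", "'unsafe-eval'", "*"}:
            findings.append(f"CSP {name} permits unsafe sources")
    if "frame-ancestors" not in directives:
        findings.append("CSP lacks frame-ancestors (clickjacking)")
    return findings

def assess(headers: Dict[str, str]) -> List[str]:
    """Combined finding list; an empty list is the hardened 'after' state."""
    return hsts_findings(headers) + csp_findings(headers)
```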
Want one of these for your work?
Every engagement starts with a 30-minute posture call. Free, no commitment.