Our methodology
Most security tools spit out a list of vulnerabilities and leave you to make sense of it. We do the opposite: we sit down with your environment, follow every request, document every layer, and hand you a prioritised plan you can act on tomorrow.
The goal is not a longer vulnerability list — it is a sharper understanding of where you are exposed, why it matters, and what to do first. That is the difference between scanning and assessing.
We start by mapping what you actually run: systems, accounts, perimeters, integrations. You cannot defend what you cannot see.
Edge, application, network, backend, data. Each layer gets its own analysis — not a single perimeter scan.
A written Security Score with red/orange/green priorities and concrete next steps. Yours to keep, share, act on.
Domain 1 — Access Control & Identities
Every breach starts with an account. We audit identity end-to-end: people, privileges, SSO, offboarding, and emergency access.
Multi-factor authentication enforced everywhere, with an authenticator-app fallback.
Separate admin accounts with full audit logging on escalations.
Offline-stored emergency account so a directory-service outage doesn't lock you out.
SSO on primary tools, with SAML/OIDC wiring still pending on secondary apps.
Team-wide password manager with per-department vaults and joiner-leaver flow.
Documented offboarding script for every system — no orphaned access.
Domain 2 — Data Protection & Backup Strategy
We audit the whole protection lifecycle: what is encrypted, what is backed up, how often it is tested, and how fast you can come back.
Daily backups paired with a quarterly sandbox restore test and a timed recovery.
Disk encryption on every laptop and platform-managed keys across storage and databases.
Current, signed policy with active information-protection labels in use.
Documented Recovery Time and Recovery Point Objectives per system.
Quarterly cadence with runbooks, named owner, and dated audit evidence.
Written DR plan with priorities, dependencies, and a yearly walkthrough.
The backup cycle we run with you
Automated daily snapshots, encrypted in transit and at rest.
Quarterly restore to a sandbox — no excuses, no exceptions.
Real recovery against a real RTO — measured in hours, not promises.
Data integrity check + sign-off, archived as evidence for auditors.
Backup is not an event, it is a loop — the only step that matters is restore.
Domain 3 — Infrastructure & Network Security
Internet-facing edges, office WiFi, VLAN boundaries, patch cadence. We follow the request from the open internet through your perimeter into the workloads.
We map the real topology — public IPs, WAF rules, VLANs and ingress — then check every hop against its expected configuration.
Edge security with rate limiting and bot management on public domains.
WPA3-Enterprise with directory-backed authentication — not a shared WPA2 password.
Separate VLANs for Staff, IoT and Guest — no flat office LAN.
OS and app updates inside 30 days, with documented exceptions.
Outbound DNS filtering and a reviewed firewall ruleset.
Identity-aware access on internal services, no implicit network trust.
Domain 4 — Incident Response & Continuity
An incident response plan is a muscle, not a document. We check the plan, the drill cadence, the external contacts, and the post-incident loop.
Current IR plan with roles, escalation paths, and a clear communication tree.
What we check: Version, last review date, ownership and storage location — and whether the people named in it still work for you.
Twice-yearly tabletop drills with rotating scenarios so the team knows the playbook.
What we check: Date of last drill, scenarios run, lessons captured, and changes pushed back into the plan.
CERT, insurer, legal counsel and forensics with 24/7 numbers in the IR plan.
What we check: Every contact tested for currency and pre-approved scope so you are not negotiating during a crisis.
Pre-drafted holding statements for staff, customers, regulators and press — legal-reviewed.
What we check: Templates for each audience, signed-off escalation thresholds and a single source of truth for status updates.
Structured post-mortem within 14 days, with action items tracked to closure.
What we check: Blameless template, action register and a calendar reminder to re-check controls 90 days after the incident.
Domain 5 — Compliance & Third-Party Risk
GDPR registers, processing inventories, data subject access, vendor reviews. We audit the records and the third-party risk surface — and leave you with a register that is actually current.
Email-platform filtering with safe-link, attachment and anti-phishing policies tuned to your domains.
Up-to-date register with every activity, lawful basis, retention term and owner.
Documented Data Subject Access Request process with owner, SLA and templates.
Risk-based assessment for every supplier with access to production or personal data.
PIA for every new system or supplier touching personal data, archived with the register.
Compliance evidence in one searchable place — policies, sign-offs, drill logs, reviews.
The deliverable
Every finding from the five domains above lands in one written report, scored on a three-tier system you can act on without a translator. This is what stays in your hands after we leave.
Access control, data protection, infrastructure, incident response, compliance — each one with status, finding and evidence.
For every gap: priority, owner, effort estimate and a concrete next action — not a vague 'review and improve'.
Architecture diagrams included in the report, marked up with healthy/at-risk/critical so the picture matches the prose.
Your Security Score
You don't get a stack of paper full of jargon. You get a Score: for every item it is immediately clear what is working and what needs attention.
Critical vulnerability — immediate action required. We fix it during the day where possible.
Needs attention — plan this within 30 days. We give you the steps.
All good — this part is properly handled. Confirmed in writing.
On average we find 8–12 issues per assessment. Whatever we find, we fix — same day if possible.
Optional — same-day quick wins
If we have time after the full assessment, we apply the changes that take minutes — not weeks — so you go to bed safer than you woke up.
Turn on bot management and browser integrity checks, and raise the security level for the paths that need it. Five minutes, real impact.
Put proper limits on the contact form, login and password reset. Cuts off the easiest abuse vectors before they start.
Revoke former employees, old admin accounts and unused API keys we found under Domain 1. The cheapest win in the report.
Drop in HSTS, X-Frame-Options, baseline CSP. Done in one config change at the edge, kept forever.
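As an added illustration of what "baseline headers at the edge" means in practice (this is example code, not Korur's tooling), the script below grades a captured set of response headers against that baseline in the same red/orange/green tiers as the Security Score; the one-year HSTS floor and the CSP rules are this example's own assumptions, and the two header sets are constructed samples.

```python
# Added example (not Korur's tooling): grade captured response headers against the edge
# baseline (HSTS, X-Frame-Options, CSP) using the Security Score's red/orange/green tiers.
import re

def parse_csp(value):
    # Split "a b; c d" into {"a": ["b"], "c": ["d"]}, lower-cased for comparison
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().lower().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def grade_hsts(value):
    m = re.search(r"max-age=(\d+)", value or "", re.I)
    if not m:
        return "red", "Strict-Transport-Security missing or without max-age"
    if int(m.group(1)) < 31536000:  # one-year floor is this example's assumption
        return "orange", f"max-age {m.group(1)} is below one year"
    if "includesubdomains" not in value.lower():
        return "orange", "includeSubDomains not set"
    return "green", "HSTS enforced for a year including subdomains"

def grade_xfo(value):
    ok = value is not None and value.strip().upper() in ("DENY", "SAMEORIGIN")
    return ("green", "framing restricted") if ok else ("red", "X-Frame-Options missing or weak")

def grade_csp(value):
    if value is None:
        return "red", "Content-Security-Policy missing"
    policy = parse_csp(value)
    script = policy.get("script-src", policy.get("default-src", []))
    if not script:
        return "orange", "no script-src or default-src directive"
    if "'unsafe-inline'" in script or "*" in script:
        return "orange", "script sources allow inline or wildcard"
    return "green", "script sources restricted"

CHECKS = {"Strict-Transport-Security": grade_hsts, "X-Frame-Options": grade_xfo,
          "Content-Security-Policy": grade_csp}

def assess_headers(headers):
    # Header names are matched case-insensitively; returns {header: (colour, note)}
    h = {k.lower(): v for k, v in headers.items()}
    return {name: fn(h.get(name.lower())) for name, fn in CHECKS.items()}

# Constructed samples: an un-hardened response, and the same app after the baseline
BEFORE = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
AFTER = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
         "X-Frame-Options": "DENY",
         "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example"}
```

Running `assess_headers(BEFORE)` flags HSTS as orange and the other two as red, while `assess_headers(AFTER)` returns green for all three, which is the before/after evidence the report records for this quick win.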
Honest caveat: Quick wins only happen if the full assessment finishes with time to spare. We will never trade depth for fixes — a thorough audit is the deliverable, the fixes are the bonus.
Why Korur differs
Plenty of tools will sell you a scan. Very few people will sit at your office for a day and explain what they found. Here is the difference.
You see exactly what we do at every level — no black box, no proprietary mystery. The methodology is the deliverable.
Inventory, edge, application, network, backend, data, integrations. Most scans cover one layer; we cover the path.
When a problem is solvable in minutes, we solve it before we move on. You leave with results, not just a list.
Through our partnership service the Security Score stays live — you see your posture change as you act on the recommendations.
Everything we find lands in a document your auditor, your CTO and your future hires can read. The knowledge does not leave with us.
Ready when you are
One full day. On site. Fixed price. You walk away with a Security Score report and — if there is time — a stack of improvements already deployed.