What we are

Padstone is a boutique security consultancy built around a simple idea: the people who scope your engagement should be the people doing the work.

We are deliberately small. Not because we haven’t grown, but because size is not the goal — quality is. Every engagement is staffed with senior practitioners who have spent careers at the intersection of technical security and regulatory compliance. There are no account managers between you and the work. No juniors learning on your budget. No handoffs.

What we trade in is depth. The kind that comes from having implemented eBPF runtime security and navigated DORA audits in the same career. From having built Kubernetes threat models and sat across from SOC 2 examiners. From understanding that security and compliance are engineering problems, not documentation exercises.

What we are not

A large firm. A staff augmentation provider. The lowest-cost path to a compliance certificate.

We don’t run discovery calls that lead to proposals that lead to statements of work that lead to kickoffs six weeks from now. If there’s a fit, it becomes clear quickly.

We’re all for recycling — just not when it comes to deliverables. Those are made to order, not assembled with search and replace.

Why Padstone

A padstone is one of the oldest structural elements in construction: the stone that distributes the load of a bearing beam into the wall beneath it. Foundational, invisible when things work, catastrophically important when it’s missing.

Most security programs are ornamental. They sit above the structure rather than being part of it. Padstone exists to build the load-bearing kind.

Our approach

Engineering over theater. Security controls should be hard to get wrong, not hard to maintain. Automation, declarative infrastructure, and observability over manual processes and checklists.

Compliance as code. Regulatory requirements — SOC 2, DORA, ISO/IEC 27001, NIST standards — belong in your development pipeline and your daily operations. Continuous validation and automated evidence collection as a byproduct of how you work, not a quarterly fire drill.

Quantitative risk. Red/yellow/green heat maps don’t inform investment decisions. FAIR-based analysis that speaks in financial terms does.

Right-sized. Enterprise security programs at SMB scale create overhead without proportional protection. The right amount of security is proportionate to your actual risk profile, not someone else’s compliance template.

Founding credentials

Padstone was founded by a practitioner with 20+ years in cybersecurity across multiple continents — spanning cloud-native security architecture, complex regulatory compliance, and everything in between.

  • Cloud-native security: Kubernetes, Falco, eBPF, OpenTofu, OpenTelemetry
  • Compliance frameworks: SOC 2, ISO/IEC 27001, DORA, NIS2, NIST standards (CSF, SP 800 series), PCI DSS
  • AI security: Google SAIF, NIST AI 100-1 / 600-1, ISO/IEC 23894
  • Quantitative risk: FAIR methodology and the Open FAIR standard
  • Financial services security across US and EU regulatory environments

These are the standards every Padstone engagement is held to.

What we’re building toward

Resilient systems. Not secure-looking systems — actually resilient ones.

In complex systems, failures rarely come from a single component breaking in isolation. They emerge from inadequate control of the interactions between components — from gaps in the control structure that nobody designed intentionally, and nobody noticed until something went wrong. Security is no different. You don’t achieve it by hardening each part in isolation. You achieve it by understanding the system as a whole and designing the control structure correctly.

And because some failures are inevitable, resilience also means your systems constrain the consequences when controls fail — not just preventing bad outcomes, but limiting blast radius, enabling recovery, and learning from what breaks.

That’s how we think about every engagement: understand the system, design the controls structurally, constrain the blast radius, and build for recovery as well as prevention. Compliance is a property of how you operate, not a ritual you perform before audits.

Good fit

We work well with organisations that are navigating a first serious compliance requirement and want to do it properly; that have an engineering team and want security integrated into how they build; that have been through a compliance process and ended up with paperwork but not security; or that need senior technical expertise on a fractional basis without the overhead of a large firm.

Get in touch — no sales cycle, just a conversation.