Security designed in, not bolted on.
Threat modelling and hardening are part of how we build — so attackers can't move sideways once they're in, audits aren't a scramble, and you don't have to choose between secure and shippable.
- Threat-modelled
- Audit-ready evidence
- ISO 27001
- Cyber Essentials Plus
Most things that get breached weren't neglected — they were designed without the question being asked. Open trust relationships nobody scoped down. A flat network nobody segmented. An admin account nobody time-bound. Designed-in security is mostly about asking the right questions before the build, not after the incident.
Security is a build-time decision, not a run-time apology.
Build it secure. Prove it.
Threat modelling at the design stage. Hardened baselines at deployment. Evidence captured as we build, not reconstructed for the audit. The pattern that turns compliance from an annual scramble into a by-product of good engineering.
Designed in
Threat modelling
Every design starts with what an attacker would do with it. STRIDE, attack trees, blast-radius analysis — fitted to the system, not the certification.
Secure baseline
Tenants, networks and infrastructure built to a defined hardened baseline — identity, conditional access, network segmentation, logging — same standard every time.
Hardening
CIS-aligned configuration, patching cadence agreed up front, attack surface trimmed at install — not tightened reactively after the first finding.
Least privilege
Identities, service accounts, network paths — scoped to what each one actually needs. Standing admin is the exception, not the default.
Evidenced
Control mapping
Every design decision mapped to a control framework — ISO 27001, Cyber Essentials, NIST, internal — so the audit conversation already has the answers.
Audit pack
Build evidence captured at the point of deployment, not reconstructed weeks later. Configurations, screenshots, change records — the pack you wish you'd had at the last audit.
Cyber Essentials support
Readiness, gap closure, evidence pack and submission. We do the practical work that gets you across the line — for CE and CE Plus.
ISO 27001 support
Risk register, statement of applicability, evidence collection, internal audit — the technical heavy lifting alongside your auditor or consultant.
What designed-in security actually buys you.
Smaller blast radius
When something does go wrong — and eventually something does — segmentation, least privilege and identity scoping limit how far it gets.
Audits that aren't a scramble
Evidence captured at build time. Controls mapped at design time. The audit conversation has the answers before it starts.
Build velocity that doesn't apologise
Done right, secure-by-design speeds delivery up — not down. Decisions made once, baselines reused, fewer last-minute retrofits.
Whether it's a design, a build, or an audit.
Most clients start with a design review or a CE / ISO readiness assessment, then either land the build with us or take the closure plan and run it themselves.
Design review
Independent threat-model and hardening review of an existing or proposed design. Risks named, mitigations recommended, prioritised honestly.
Secure baseline build
Tenant or infrastructure build delivered to our hardened baseline — defined, documented, repeatable, evidenced.
Compliance readiness
Gap analysis against CE, CE Plus or ISO 27001 — practical closure plan, scoped and quoted.
Audit support
Hands during an active audit — evidence collection, control mapping, technical answers to the auditor's questions.
As an IT Manager responsible for multiple sites, I need to be confident that promised solutions work right first time. Having used M-Tech Systems for some years now, they consistently provide me with the confidence and expertise to meet high expectations.
Questions we hear every week.
Is this just Cyber Security with a different name?
Will you certify us for Cyber Essentials or ISO 27001?
Can you review a design we already have?
What does 'secure baseline' mean in practice?
Does this slow projects down?
What about pen-tests?
Tell us what you're trying to do.
Whatever the shape of your team or your stack — multi-site, lean on IT, or somewhere in the middle — we'll listen first, ask the right questions, and tell you honestly how we'd approach it.
