Use cases

Most IT problems
look different
on the surface.

Underneath, they're usually the same three or four situations. Here's what they look like β€” and what happens when you actually fix them.

Tender & procurement
120 people Β· Amsterdam

"We keep losing tenders β€” and it's not our pitch."

A sustainability consultancy winning every room they walked into. Then the procurement security annex would land and the silence would start. No MDM. No documented access controls. Nothing to put in the box.

Enterprise sales
60 people Β· B2B SaaS

"A deal just died in security review. Six months of pipeline, gone."

Six months into the sales cycle. Legal had signed off. Then procurement sent a 180-question security questionnaire with a five-day deadline. The answers were split across Slack, two ex-employees, and one engineer's memory.

IT ownership
80 people Β· Series A

"Our IT person quit on a Friday. Three engineers were starting Monday."

One person had owned everything β€” devices, SaaS provisioning, new joiner setup. Two weeks notice, then gone. Nobody knew which systems existed, who had access to what, or how to get the new hires set up.

Investor due diligence
45 people Β· Healthtech

"Our lead investor asked about our IT security posture. We had no answer."

The Series B term sheet came through on a Tuesday. By Thursday, the technical due diligence list had landed β€” and halfway down was a section on IT security controls. The founding team looked at each other.

Tender & procurement

"We keep losing tenders β€” and it's not our pitch."

Sustainability consultancy Β· 120 people Β· Amsterdam

They were winning every room they walked into. Sharp pitch, credible team, genuine sustainability expertise that enterprise clients actually wanted. But somewhere between the final presentation and the purchase order, they kept losing. Not on price. Not on capability. On a four-page security annex that came attached to every procurement process β€” and that they had absolutely nothing to put in.

The Baseline Posture Audit made it concrete: 120 people across unmanaged devices, SaaS tools provisioned by whoever needed them that week, and no single record of who had access to what. No identity provider, no MDM, no offboarding process, no documented controls. Not a security crisis β€” just a company that had grown fast without anyone ever owning IT.

Device fleet enrolled and managed. Identity centralised with SSO and phishing-resistant MFA. Offboarding automated so access revocation happens in minutes, not months. An access matrix built and documented. And a compliance checklist β€” mapped directly to the security annexes they kept facing β€” that could be completed in an afternoon instead of left blank with an apology.

Eight weeks from audit to ready. They submitted their first fully completed security annex on day one of the next RFP window. The checklist is now standard practice for every tender they bid on. The configurations exist, they're documented, and they hold up when a procurement team actually checks.

"We went from leaving the security annex blank to submitting it on day one of the RFP window."
Enterprise sales

"A deal just died in security review. Six months of pipeline, gone."

B2B SaaS Β· 60 people Β· Selling into financial services

Six months of careful sales work. A champion inside the account, budget approved, legal moving. Then procurement sent a 180-question security questionnaire with a five-day response window. The answers were scattered across three Slack channels, two people who had already left the company, and one engineer who half-remembered what was set up two years ago. The deal didn't die β€” but it came within a week of it.

No centralised identity provider. Devices unmanaged. No documentation of who could access which systems or how access was removed when someone left. The questionnaire wasn't unreasonable β€” the controls just didn't exist yet, and the ones that did weren't written down anywhere that could be shown to a bank's security team.

Identity stack consolidated. Device fleet enrolled with encryption enforced. An access control matrix built from scratch. A security questionnaire response template created β€” mapped to the controls that were now actually in place and provable. Every claim in it backed by an audit log or a policy document, not a verbal assurance.

The deal that nearly died closed. The next security questionnaire β€” from a different enterprise prospect six months later β€” was answered in three days. Deal closed on schedule. The enterprise sales cycle that used to end in a nine-month stall now moves at the pace the product deserves.

"The next questionnaire took three days to respond to, not three months to survive."
IT ownership

"Our IT person quit on a Friday. Three engineers were starting Monday."

Deeptech startup Β· 80 people Β· Series A Β· Amsterdam

One person had owned everything. Device procurement, SaaS provisioning, new joiner setup, the IT helpdesk inbox β€” all of it lived in one head. They gave two weeks notice and then they were gone. No handover document. No list of what systems existed. Three engineers were due to start the following Monday. Nobody knew how to get them set up.

40+ SaaS applications, most provisioned by whoever needed them fastest. Twelve former employees with active accounts β€” some going back eighteen months. No identity provider tying it together. Devices managed through a mix of a spreadsheet and institutional memory. None of this was negligence. It was what happens when a company grows 4x in two years without anyone owning the infrastructure layer.

Full access audit and triage. All twelve ghost accounts closed. Identity provider implemented with SSO across every major tool. Device fleet enrolled. Lifecycle automation connected to HR β€” so provisioning and de-provisioning are triggered by the same workflow that handles contracts and start dates, not a Slack message to someone's personal inbox.

The three Monday starters were set up and fully provisioned before 9am on day one. Offboarding now takes eight minutes and leaves a complete audit trail. And the company has documentation of what exists, who owns it, and what happens when someone joins or leaves β€” for the first time in its history.

"The next hire was set up and ready before 9am on their first day. Offboarding now takes eight minutes."
Investor due diligence

"Our lead investor asked about our IT security posture. We had no answer."

Healthtech Β· 45 people Β· Pre–Series B Β· Amsterdam

The term sheet came through on a Tuesday. By Thursday, the lead investor had sent a technical due diligence list. Halfway down was a section on IT security controls β€” device management, access governance, incident response, encryption standards. The founding team looked at each other. Nobody had a clear, documented answer for a single item.

Unmanaged devices with no encryption enforcement or proof. No formal access governance β€” people had admin rights in tools they'd forgotten they had. No audit trail for onboarding or offboarding. Good intentions, zero documentation. The security controls that existed were real β€” they just weren't organised, verifiable, or presentable to an investor's technical team.

The Baseline Posture Audit gave them a precise gap map β€” what existed, what was missing, what needed to be built. Six weeks of implementation: devices enrolled, encryption enforced and provable, access governance formalised, audit logs structured, and a full evidence pack assembled β€” built to answer the exact questions an investor or auditor would ask.

The due diligence pack went back to the investor with every control documented, demonstrable, and independently verifiable. No scrambling, no "we'll follow up on that one." Series B closed on schedule. The IT infrastructure that used to be the company's hidden risk is now a documented strength.

"Every control was documented and demonstrable. No 'we'll follow up on that one.'"
Your situation

Recognise any of these?

Most of the companies we work with aren't in a crisis. They're in the quiet phase just before one β€” and they know it. A 60-minute call is enough to tell you whether that's where you are.

Book a IT maturity assessment β†’