Tailored cyber security services
for your business

Why us?

This is a family business, started by 2 brothers, highly skilled and with more than 20 years of experience in the security industry. Reach out and we will tell you more about what we do and how we do things differently.

FORTBRIDGE is a family owned business created by 2 brothers after having worked in the IT security industry for more than 20 years combined.

We are UK based and have worked all over Europe, in countries such as the Netherlands, Switzerland and Italy, and we have delivered critical projects for businesses in various industries: retail, finance & banking, oil, insurance, gambling, market research, social media etc. We have worked in pretty much all types of industries and companies you can imagine, from startups to multi-billion top tech companies from Silicon Valley.

2 brothers
8 services
20 years

After accumulating a wealth of experience in some of the biggest Tech companies, we decided that the next challenge for us would be to start a new company and deliver better services by learning from the shortcomings we observed during our engagements in previous roles. We have either worked for other consultancies or had to hire them in the past. Being on both sides of the fence allowed us to see where the main pain points are.

As we are a small company, we are directly involved in all of our projects and customers’ success is always our main goal.

Our consultants are highly skilled and hold various certifications such as OSCP, CREST and DevSecOps. In the past few years, we have moved into the cloud space as well and we hold certifications from all major cloud vendors: AWS, Azure and GCP. With a background in software development, system administration & low-level development, we can tackle any complex security task you might have for us, while working together with your team where necessary.

Quality of our work & reports is our main focus, but so is speed. After all, we live in an agile world, right?

Want to find out more?

Are you a passionate security professional thinking of joining our team? Please reach out and let’s have a conversation.

Web application security assessments

(Web, Mobile, APIs, microservices)
This is our most in-demand service, together with cloud security. Our team has years of experience in AppSec, conducting hundreds of pentests (black box/white box) for web/mobile/APIs and microservices. This is a very niche skillset and we’re constantly developing & updating our skillset/toolbox, in order to provide the most value for our clients and help them achieve their goals, whilst also raising awareness around application security inside organizations. In simple terms, our methodology consists of tools/automation, together with manual testing and our internal bag of tricks which we’ve hand-picked over the years. The secret sauce lies in the manual testing, of course, and in the complementary skillset which the team has developed whilst working closely together (devsecops) for the past decade for a thorough security analysis.
An important fact to mention here is that we’ve been developers in a previous life, so we understand the developer mindset/constraints very well and we’ve also worked closely with developers/devops engineers in different DevSecOps environments.

Mobile & API assessments

Every web application is accompanied by a mobile application these days, which basically translates to increased attack surface and more risks for a business. Fortbridge provides a dedicated consultant who specializes in Mobile Security (iOS & Android), to help you secure your data and mitigate business risks. As a principle, this is how our team works: every consultant specializes in a certain niche of security, using & developing their skillset in a complementary manner for greater efficiency and for your benefit. Mobile is often a rich source of vulnerabilities in our experience, due to various reasons such as configuration, coding patterns or simply the fact that web/mobile apps are created by different teams, which work independently and implement security controls differently. Generally, our experts have noted that client-side security controls are less understood than server-side security controls, but we help you alleviate risks and we provide high quality reports with actionable items.

Cloud Assessments

We’re really proud to provide our best-of-breed cloud security consultants, who have been involved in various cloud projects wearing either an offensive or a defensive hat, helping companies to migrate their on-prem workload securely to the cloud using different containerization technologies. Cloud providers move very fast and that is why it can be difficult to keep track of all the in/security configuration options that are available. Also, there is a steep learning curve when building applications in the cloud, and what we noticed is that security is often an afterthought and the initial goal is to just get everything working as a POC. Often whilst working on such projects we get a feeling of “everything old is new again”, but with a twist of cloud. Our experts have secured various containerization solutions such as Docker, Kubernetes and ECS, often used for machine learning projects. As a result of our continuous efforts in the cloud security space for the past few years, our experts have obtained security certifications from all major cloud providers: AWS, Azure & GCP. Add to this our offensive security skills developed over years of pentesting and we believe we truly have a top team, with a unique skill set of offensive/defensive security.

DevSecOps

DevSecOps has gained a lot of popularity, benefiting a lot from the success of DevOps. In their quest to become more agile, many companies have adopted this methodology or are in the process of migrating to DevSecOps. However, this methodology is only in its infancy and there are many aspects still widely misunderstood. What are the main pillars of DevSecOps? What tools should you choose? How should you configure them? Our certified DevSecOps consultants will help you implement the CI/CD pipeline with the required tools and provide the next steps you need to implement with your in-house security team. If you have a complex project that spans multiple teams and is budgeted for months/years, you need to have security built in from day 0. Automate reliably as much as possible and eliminate low-hanging fruit early in the SDLC. This is only the first step in the grand scheme of things and it will contribute to long term success by enforcing secure patterns in the SDLC.

Product Assessment

This is also a popular service, mainly focused around security products that customers wish to buy, or have already bought. We focus here on 2 key aspects: benchmarking the product, configuration assessment and pentesting the product itself. When doing benchmarking we basically measure how good the product itself is, compared to other products in the market, or even compared to the vendor’s claims. We help our customers make an educated decision and choose the right tool for their environment. Obviously every new tool that you set up on prem/in the cloud will add to your attack surface; security tools having vulnerabilities is not something unheard of. This is the second aspect of this service, where we basically test the security of the security product itself. A security product with low-hanging fruit is never a good idea and our experts can validate these aspects for you.

Source code review (white box testing)

Although not as popular as black-box testing, this method provides great results for mature companies, but it’s often underrated. The advantage of this technique over black-box is that when doing black-box testing, there is always some guessing involved. Having access to the source code gives our experts full visibility into your application and takes guessing out of the equation, making the whole process more successful and more time efficient in the end. An even better approach is to combine both methodologies, black-box and white-box testing, where this is doable and the standards/compliance policies require it.

Secure by Design (Security Architecture)

Security is at the forefront of any application development these days, which is why many companies are trying to embed a security architect in each business unit. But this is not always feasible or it’s simply not scalable. Fortbridge can help you cover this gap and perform a comprehensive architecture analysis for you, so that you get the major security objectives right from the start, which translates to reduced refactoring costs further down the road. This is even more important nowadays in cloud environments where you have a plethora of services available, but making the right choices can be difficult, due to multiple stakeholders’ requirements, internal standards, compliance etc. We will check your infrastructure design, the cloud services you’d like to use and any design patterns you wish to use, to ensure you build on a solid foundation. From a software perspective we will look at the frameworks in use, defensive coding techniques, threat modelling, software integrations and all other things that can go wrong in a software project, in order of priorities & real risks.

Network Security

To this day there is a misconception that internal networks have a lower risk from a security perspective, simply because they’re not directly accessible to an attacker. While phishing is a well understood method to gain internal access, the last few years have shown us some new and innovative ways to pivot into internal networks from the outside and subsequently conduct attacks on unpatched systems, abusing clear-text credentials, system misconfiguration or insecure defaults. If you’re concerned about how far an attacker can go once inside your network, or perhaps you’re worried about disgruntled employees, then this service provides you assurance for such scenarios. There have been quite a few breaches over the past few years which have been publicly documented and there is always a lesson to be learned here.

Application Security

This is an introductory training in application security, for everyone who wants to learn about OWASP TOP 10 & threat modelling and is designed for young security professionals who want to build a foundation around AppSec. Prerequisites for this training: basic understanding of programming (high level/scripting) languages is recommended.

Secure By Design

This is an introductory training in application security, for everyone who wants to learn about OWASP TOP 10 & threat modelling and is designed for young security professionals who want to build a foundation around AppSec. Prerequisites for this training: basic understanding of programming (high level/scripting) languages is recommended.

Cloud Security

By blending in a security skillset with defensive skillset and working closely in a devsecops manner, we have created this training to prepare your team for the latest challenges in the cloud space. Cloud Security has seen a tremendous growth in popularity over the past few years and it has been one of our main pillars of activity together with application security. Our consultants hold security certifications from all major cloud providers (AWS, Azure, GCP) and are here to upskill your team around cloud security.

Customized training

Do you need a particular type of training tailored for your company because you want to raise the bar even higher? We can set up an exploratory discussion, listen to your specific requirements and create a customized training according to your needs.

I have known Adrian for some time and can honestly say he has been one of the most refreshing security professionals to speak with. His broad range of experience across AppSec, Cloud security, Vulnerability management, and Information risk allows him to act as an SME and mentor to junior professionals simultaneously. A very approachable Cyber professional that has also helped me understand the technical components of IT Security in greater depth.

Farhan Khan

Founding Director
CyberApt

It was a pleasure working with Bogdan. He is a very professional, honest and sociable person. He found high impact vulnerabilities and provided top quality reports to the development teams. He jumped on call with developers and made sure the critical vulnerabilities were fixed on the spot and also held read-outs to developers and executives to make sure all findings are crisp clear. If top quality pentests and trainings are what you are looking for then Bogdan can definitely help you.

Sreenarayan Ashokkumar

Product Security Leader
Capital One

Adrian has ensured security is delivered as part of a key project. Covering pipeline, infrastructure and application security, it has been fantastic to have a single person cover all of these areas, ensuring agility doesn’t mean compromising security. Fantastic to work with and hope to do so again.

Chris Hardstone

Cloud Security Architect
Direct Line Group