FAQ

What makes Cyway different from traditional cybersecurity consultancies?

We combine deep technical engineering expertise with executive-level strategy work. Our methodology links security directly to business priorities, so decisions are justified by risk reduction, ROI, and regulatory impact—not vague maturity scores.

How does Cyway approach AI security differently?

We treat AI as both an innovation accelerator and a new attack surface. Our services enable safe adoption of tools like ChatGPT and Copilot while helping you build secure custom AI systems aligned to OWASP AI Security and NIST AI RMF.

What is the CY360 Effective Security Program?

A structured, NIST CSF 2.0–aligned methodology that creates visibility, prioritizes actions based on business impact, and provides ongoing governance via checkpoints, KPIs, and an integrated ISMS/GRC tool.

How long does onboarding onto CY360 take?

Typically 3–5 weeks depending on stakeholder availability. The onboarding includes interviews, crown jewel validation, risk scenarios, technical spot checks, and full tool setup.

How does the AI Adoption service help organizations?

We identify concrete AI use cases, establish safe usage policies, help integrate AI tools securely, and build custom AI solutions with security, privacy, and governance built in from day one.

What is included in the AI Utilization offering?

Secure usage of ChatGPT, Copilot, Gemini and similar tools, plus data governance, DLP alignment, usage policies, guardrails, monitoring, and team training.

Do you build custom AI models or RAG systems?

Yes. We design and implement secure architectures for LLMs, retrieval-augmented generation, agents, and domain-specific AI systems, including compliance, privacy, and risk controls.

How does Cyway help with AI risk management?

We apply NIST AI RMF and real-world threat models to assess prompt injection, data leakage, model theft, bias, and other AI-specific risks, then define actionable controls and monitoring.

What is External Attack Surface Management / ransomware prevention and how does it work?

A focused assessment that checks your external and underground exposure, identity posture, DMARC status, backup readiness, and Microsoft Cloud configuration to reduce your chance of being shortlisted by ransomware gangs.

How often should an External Attack Surface / ransomware prevention check be run?

Most organizations choose 1–2 runs per year to track exposure changes, implement quick wins, and stay off threat actor radars.

Do you also support deeper ransomware resilience work?

Yes, via additional verifications of your MS Cloud Security settings and your AI settings, as well as hardening processes across the kill chain, such as SecOps topics and IR exercises.

What is included in the Microsoft Cloud Hygiene service?

A security verification of Entra ID, endpoint baselines, ASR, backups, sharing policies, license usage, and Defender/Sentinel posture, plus a prioritized improvement plan.

Do you support advanced Microsoft cloud projects?

Yes. We offer custom Azure governance, Zero Trust architecture, Purview deployments, detection coverage tuning, and SecOps automation.

What does the vCISO service cover?

Strategic cybersecurity leadership, risk management, regulatory alignment (e.g. NIS2, DORA), incident readiness, roadmap design, and executive steering—flexibly delivered T&M.

How is Cyway different from a typical vCISO?

Our vCISOs combine boardroom strategy with deep engineering experience. We can talk to the board in the morning and fix an Entra misconfiguration in the afternoon.

How do the CY360 Analytics services help?

We build insights for C-level visibility—KPIs, dashboards, SecOps metrics, cost optimization models, and data analyses that guide decisions instead of overwhelming with noise.

Is the CY360 platform secure for sensitive data?

Yes. It uses Zero Trust design, Entra-based authentication, strict tenant isolation, encryption in transit and at rest, immutable logs, and Swiss/EU data residency.

Who controls access to our CY360 instance?

You do. Authentication is through your own Microsoft Entra tenant, so MFA, Conditional Access, and access revocation remain under your full control.

Do Cyway services help with regulatory readiness?

Yes. CY360 supports GDPR, nFADP, NIS2, DORA, ISO 27001, and TISAX. Our risk-based approach connects controls to regulatory impact for executive clarity.

Can Cyway help us define cybersecurity KPIs?

Absolutely. We design lean KPI and KRI sets aligned to NIST CSF 2.0 that reflect real risk reduction and executive decision needs rather than complex scorecards.

Do you work with small and mid-sized businesses?

Yes. Our services are designed for SMEs up to mid-market enterprises, providing high-value outcomes without requiring large in-house security teams.

How does pricing work for CY360 services?

Core packages are fixed-price and subscription-based. Custom services are T&M. Pre-commit volume gives discounts, and unused services expire after the defined period.

How are service checkpoints delivered?

Checkpoints are remote or onsite sessions summarizing threat radar, KPI changes, treatment progress, and critical decisions—delivered using the CY360 ISMS/GRC tool.

Can Cyway integrate with our existing security tools?

Yes. We integrate with Microsoft Cloud, SIEM/SOAR platforms, AI systems, and data sources via APIs or log ingestion to support analytics and program visibility.

Do you use AI in your service delivery?

Yes, in a controlled way. Data is pseudonymized or processed under strict agreements, never shared externally, and handled within EU/Swiss compliance boundaries.

How do you ensure executive buy-in during engagements?

We align recommendations with business outcomes—risk, revenue, compliance, and operational resilience—ensuring leadership can make informed decisions quickly.

Can we start with one service and expand later?

Yes. Most customers start with an External Attack Surface / ransomware prevention or AI Adoption check and later expand into Effective Security Program, Cloud Security, or vCISO support.

How does Cyway help reduce security spend?

By prioritizing actions with the highest risk-reduction-per-CHF, eliminating waste, optimizing licenses, and focusing on practical controls rather than theoretical frameworks.