Case Studies

Results that speak for themselves. (Mostly.)

A curated selection of engagements where TrustUs delivered measurable outcomes for clients across sectors. Client names have been withheld at their request, our request, or because they are not aware they appear in this document, which is a situation we consider ethically ambiguous but legally permissible given the level of anonymisation applied.

Financial Services · Penetration Testing · Incident Response
Major Regional Bank — Infrastructure Security Overhaul
Client identity withheld. They are very glad about this. We understand why.
Vulnerabilities Found: 47
Fixed So Far (ongoing): 3
Classified Critical: 12

The Challenge

The client's security team had not conducted a formal penetration test in three years, during which time they had acquired two new subsidiaries, migrated half their infrastructure to the cloud, and replaced their CISO twice. An internal audit flagged the absence of penetration testing. The audit was then flagged as a security risk itself because it documented the absence, which created a record, which was unencrypted, which was on a shared drive. This raised morale concerns, which were addressed separately.

Our Approach

  • Conducted full external and internal penetration test over two weeks (two weeks: the agreed timeline; also the minimum required to cover what they had, which was more than they told us)
  • Reviewed all network segmentation and access control policies (segmentation: partial; access controls: inconsistent; policies: present, unimplemented)
  • Assessed incident response capability via tabletop exercise (capability: limited; the tabletop exercise revealed they had an IR plan; the plan had not been updated since 2021; 2021 was a different threat landscape)
  • Delivered findings in two formats: technical (for the team) and executive (for the board, who preferred graphs)

The Outcome

47 vulnerabilities identified across the infrastructure. 12 classified as critical. Remediation roadmap delivered, accepted, and acknowledged by leadership as "sobering," which is the correct response. The client is addressing findings in priority order, which accounts for the current 3 resolved. The remaining 44 are in progress. Progress is defined by the client as "active planning." Rehan defines progress differently. Both definitions coexist.

"Rehan found things our internal team had missed for three years. We are not sure whether to be grateful or deeply concerned. We have settled on both. The board has settled on alarmed, which is also appropriate."
— Chief Information Officer
Regional Bank, Undisclosed
(Identity withheld. See above.)

Technology · Zero Trust · Compliance
Series B Technology Startup — Pre-IPO Security Programme
Acquired 4 months after engagement. Coincidence is possible. We prefer not to speculate on causation.
Compliance Score Achieved: 94%
From Engagement to Acquisition: 4 months

The Challenge

The client had raised Series B funding and needed a credible security programme before beginning IPO preparations. Their existing security posture consisted of one strong password policy (implemented after a breach they described as "minor," which Rehan would not characterise as minor), a general sense that security was important, and good intentions, which are not auditable against SOC 2 Type II.

Our Approach

  • Full security posture assessment against SOC 2 Type II requirements (assessment: honest; SOC 2 Type II: specific; gap between the two: significant but bridgeable)
  • Zero Trust architecture design and phased implementation (phased: three phases; Phase 1 completed before acquisition; Phases 2 and 3 became the acquirer's problem, which Rehan considers a good outcome)
  • Policy and procedure library developed from scratch (from scratch: they had nothing; the library now has 23 documents; 23 is the right number for their size; Rehan counted)
  • Staff awareness training via Zoom (Zoom: remote; one hour; interactive; four people fell asleep; this is better than average for a startup)

The Outcome

SOC 2 Type II readiness achieved within the agreed four-month timeline, which Rehan considers one of his better outcomes given the starting point. Security programme implemented across all key control areas. 94% compliance score on pre-audit assessment (the remaining 6% was a vendor dependency outside their control; the vendor was aware; the auditor was informed; the auditor was understanding). The company was acquired four months later. We are choosing to see this as validation. The acquirer's due diligence team specifically mentioned the security programme. Rehan has the email. He has read it several times.

"We went from a password policy and optimism to a fully documented, auditable security programme in four months. Whether that caused the acquisition or not, we are choosing to believe it did. Rehan has been encouraged to believe it did as well."
— VP Engineering
Technology Startup (Now a Division of a Larger Company That Has Its Own Security Team, Which Is Fine)

Government Adjacent · Threat Intelligence · SOC Monitoring
Undisclosed Government-Adjacent Organisation — Continuous Threat Monitoring
We cannot say more. This is not for effect. We genuinely cannot say more. We have been asked not to. We are complying.
Security Events Processed: 1.2M
Incidents Publicly Disclosed: 0
Years Ongoing (still): 2+

The Challenge

The client required continuous monitoring of a sensitive operational environment. Previous providers had been either too expensive, insufficiently discreet, unable to handle the specific threat profile, or in one case — and this is documented — a security risk themselves, which the client discovered during a routine review and which Rehan did not cause, find, or discuss further in this document.

Our Approach

  • Established a dedicated monitoring environment with full log ingestion (dedicated: separate from other clients; full: complete; Rehan built it over a weekend and has not touched the architecture since because it works)
  • Deployed custom detection rules for sector-specific threat actors (sector-specific: highly specific; Rehan knows who they are; he will not list them here)
  • Provided weekly intelligence briefings and daily summary reports (daily: every day; including weekends; including holidays; this is the engagement that established Rehan's Sunday monitoring habit)
  • On-call availability via a communication channel we will not specify (the channel exists; it is secure; Rehan responds; the nature of the channel is not disclosed at the client's request, which is a reasonable request)

The Outcome

Ongoing engagement now in its second year, which the client considers a positive sign and Rehan considers an endorsement. Over 1.2 million security events processed and triaged. Zero incidents have been publicly disclosed. The relationship between those two statistics is left as an exercise for the reader. What has occurred within the engagement beyond those figures is between TrustUs and the client, and will remain so. Rehan does not know what they do. He has stopped asking. He considers this arrangement professional and appropriate.

"TrustUs has been exactly what we needed: effective, discreet, and asking very few questions in return. Rehan has never enquired about our operations. We find this professionally reassuring and slightly unusual. Both are correct assessments."
— Senior Official
Organisation We Cannot Name
(This is not a joke. We cannot name them.)

Small Business · Personal Security · General Advisory
Derek — Comprehensive Personal and Business Security Review
Derek is a returning client. Derek is also, separately, a data buyer. We maintain professional boundaries between these roles. Derek finds this arrangement efficient.
Engagements to Date: 11
Primary Payment Method: Gift
Phishing Links Clicked Since Engagement: 0

The Challenge

Derek operates a small business and had concerns about his cybersecurity posture following an incident involving a phishing email. Derek had clicked the link. Derek had entered his credentials. Derek had then called the phone number at the bottom of the phishing email to confirm his details were received. Derek had followed up the next day via the reply address to ask if there was anything else they needed. Rehan learned of this during the initial consultation and has since referenced it, with Derek's permission, as a useful illustration of why baseline security awareness matters.

Our Approach

  • Full personal and business device security review (Derek had three devices; none of them had been updated since purchase; one of them was running software from 2019 that Rehan recognised from a threat intelligence report)
  • Email security configuration and phishing awareness training (training: four sessions; Derek retained approximately 60% of the content; this is above average for a single-session programme, of which we ran four)
  • Password manager implementation (Derek now uses one; Derek uses it correctly; Derek considers this a significant personal achievement; Rehan agrees)
  • Ongoing monthly check-ins at Derek's request and considerable initiative (Derek messages on the first Monday of every month; Rehan has come to expect this; it is not in the contract; it happens anyway)

The Outcome

Derek has not clicked a phishing link since the engagement commenced, which he considers his greatest professional security achievement and mentions in most conversations about cybersecurity. He has referred three acquaintances to TrustUs — one converted, one is considering it, and one responded that they "have a nephew who does IT" and have not been heard from since. Derek has become TrustUs's most consistent point of contact and, via his data purchasing activity, a minor revenue contributor on both sides of the ledger. Rehan finds this relationship genuinely pleasant, which he does not say about all client relationships, but says honestly about this one.

"Rehan is the most patient cybersecurity professional I have encountered. He explained what a phishing email was four separate times across two sessions without any visible frustration, which I consider extraordinary given that I had already responded to one. Outstanding service. Outstanding patience. Outstanding."
— Derek
Returning Client · Data Purchaser · Occasional Referral Source · Friend (Professional Context)

Industries Served

Sector experience. (Genuine. Not inflated. Rehan counted.)

Financial Services (4)
Banks, fintechs, and one insurance firm that was described to us as "fintech-adjacent" and turned out to be a spreadsheet with a website.

Technology (3)
Startups, scale-ups, and one SaaS platform that no longer exists for reasons unrelated to our engagement (we confirmed this; we have the dates).

Government Adjacent (2)
Details: unavailable. Genuinely. Not for effect. We confirmed this statement with the relevant party before publishing.

Retail (1)
Derek's shop, which sells things online, counts as retail under any reasonable classification, and has not been breached since Q3 2024.