Application Security · Poland & CEE

Security built in, not bolted on.

An annual pentest no longer satisfies DORA, NIS2 or the CRA. We help regulated organizations build security into how software ships, consistently across every team and entity, and provable to an auditor. We do it through training, verification and hands-on advisory. Practitioner-led, standards-based, and proven inside banking and fintech.

50+ companies in regulated sectors · Thousands of engineers trained · Ready for DORA · NIS2 · CRA
Trusted by teams in banking, fintech & regulated software
BGK
BNP Paribas
Bank Millennium
Circle K
XTB
GPW
PayPo
Autopay
Orange
Comarch
Symfonia
7N
Spyrosoft
The Software House
Relativity
Pracuj.pl
Nowa Era
BIK
What we believe

Three convictions behind how we work.

Earned over years of hands-on application-security practice: our own work, inside engineering teams, and across dozens of organizations. It's why our engagements outlast the audit that triggered them.

01 / THREAT MODELING

Security is decided before the first line of code.

We teach threat modeling where the decisions are actually made: at feature kickoff, not once a year before an audit. The method is matched to the system, the organization and the team's maturity.

02 / DEVSECOPS

The pipeline enforces secure defaults, not good intentions.

Manual security gates lose to deadline pressure. We wire controls straight into the pipeline: tests, scans and policies that run on every build. Security stops being a step to remember and becomes the default.

03 / SECURITY CHAMPIONS

Champions dissolve the AppSec bottleneck.

Modeling and automation don't scale without people who understand them. We build and sustain a network of Security Champions in every team, so ownership returns to where the code is written, and modeling and automation both stay alive.

What we do

Three ways we make security stick.

One specialism: the security of how software is built. We don't start with a big contract: each path runs from a single expert session to running your security function, and you take the next step only once the last one paid off. Enter where your maturity fits, then scale across the group.

Training

Engineers who understand why, not just what. Secure decisions then happen in the pull request, not after the pentest.

Threat Modeling · Offensive Web App Testing · DevSecOps automation · Expert sessions
From a single expert session to multi-week transformation programs.

Verification

Measure before you change. An objective read of where your process stands, on a recognized scale, defensible to an auditor.

SDLC maturity audit · Security testing · Architecture review · Compliance gap analysis
From a fixed-scope quick assessment to a tailored deep dive. Every report ends with priorities.

Advisory

Design, implement, oversee. We don't replace your team: we set the process up to run without us. And when you need it, we take the security leadership seat ourselves.

Practice implementation · Secure SDLC · Security Champions · Fractional CISO
From fixing one problem to running your whole security function.
Why now

Regulation moved the deadline up.

Three EU regimes turn “secure by design” from best practice into a requirement, and auditors now ask for evidence, not assurances. We help you produce that evidence the way auditors expect, across every entity in the group.

DORA

Operational resilience for financial entities: ICT risk, testing, and third-party oversight under regulatory scrutiny.

NIS2

Wider scope, stricter duties, board-level accountability for cybersecurity across essential and important entities.

CRA

The Cyber Resilience Act puts security obligations directly on products with digital elements: SBOM, SDLC, vulnerability handling.

Proof

Proof over promises.

Our programs at work inside regulated organizations. We report what actually changed in how teams build, not an invented “−73% in vulnerabilities”. The quotes come from the people who drove the change.

Case 01 · FinTech · DORA

DevSecOps run by Security Champions

XTB · Polish fintech, proprietary investment platform

“We are completely different people now — the Security Champions and me. We know how to act and what to do next.”

— Łukasz Jagielski
Engineering Team Leader, XTB

DevSecOps
Case 02 · Banking · KNF

Threat modeling across a bank

BNP Paribas Bank Polska · hundreds of delivery teams

“The Security Champion is a central role for us. Without it, controlling and managing this process would be extremely hard.”

— Filip Brandt
Security Architect, BNP Paribas Bank Polska

Threat Modeling
The team

Real people behind the brand.

In security, the strongest trust signals are objective and verifiable: CVEs and years of hands-on practice in real organizations.

Andrzej Dyjak

Founder · Managing Partner

20+ years of hands-on security practice: his own research, inside engineering teams, and across dozens of organizations. Hundreds of projects delivered, thousands of engineers trained, security programs built with the biggest names in the region.

CVEs: Apple · Google · Adobe · Oracle
Threat Modeling · Automation · Governance
OWASP SAMM · ASVS · WSTG
Krzysztof Korozej

Co-founder · Managing Partner

Rafał Goliszewski

Co-founder · Managing Partner

Spoken at
CONFidence
The Hack Summit
Advanced Threat Summit
OWASP
SEMAFOR
4Developers
WeAreDevelopers
Code Europe
Boiling Frogs
SecOps Polska
Standards, not a “proprietary methodology”

We work on recognized, industry standards.

No “Bezpieczny Kod methodology” in a black box. We implement the frameworks auditors already expect (NIST SSDF, OWASP SAMM, ASVS), applied by people with years of hands-on practice. In regulated sectors, that transparency is a strength, not a weakness.

SDLC maturity: OWASP SAMM · DSOMM · NIST SSDF
Verification: OWASP Top 10 · ASVS · WSTG
Threat modeling: STRIDE · TRIM · LINDDUN · DREAD
EU regulation: DORA · NIS2 · CRA
US standards: SOC 2 · PCI DSS · HIPAA
Management systems: ISO 27001 · ISO/IEC 42001
Next step

Ready to take the next step?

A 30-minute diagnostic call with our expert. Not a salesperson, no slide deck, no NDA to start. The fastest way to sanity-check the next step, whether that's one team or rolling security out across the group.