Architect · The keystone
Most security programs are assembled: a control added to clear a finding, a tool bought to satisfy a clause, and no one ever decided what the whole was meant to be. The target-state architecture is the keystone. We design the security architecture your organisation should have, in reusable patterns mapped to every framework you answer to, so everything downstream is faster to build, cheaper to evidence, and easier to defend.
Scope agreed in writing before any work. No obligation.
What you are commissioning
The flagship engagement of the Architect track backs this page. Scope is sized in a short scoping conversation and agreed in writing before any work begins.
Architect trackTypically 4–8 weeks
Decide what good looks like before a single control is built.
Best for organisations building or rebuilding the program deliberately.
Includes
Deliverables
The method
The target state is expressed as reusable, proven patterns across cloud, identity, and Zero Trust (NIST SP 800-207), so your engineers build against a reference rather than reinventing a design for each system. Patterns are how good architecture scales without the architect in the room.
Controls are designed into the architecture rather than wrapped around it afterward, so security is a property of how systems are built, not a layer that slows them down. That is the difference between a program that holds and one perpetually catching up.
The architecture is mapped to each standard you answer to, so a single control set evidences ISO 27001, SOC 2, and NIST CSF at once. Get this right and you stop paying for the same control three times under three different audits.
The decisions are written down as reference designs and diagrams your team can build to and defend, not carried in one architect's head. The output is an asset you own, not a dependency on us.
You are standing up or rebuilding security and refuse to do it tool by tool. You want the destination designed first, by someone who has built it before, so the build has something to aim at.
Your team can execute; what they lack is the scarce, senior design work, the reference architecture and the patterns, that you cannot justify hiring for permanently.
A merger, a migration, or years of accretion have left an architecture no one designed. You need a coherent target state and a path from the mess you have to the model you want.
Why it is the keystone
Get the design right and the build is faster, the evidence is cheaper, and the audit is calmer. Get it wrong and every downstream phase pays for it.
The architecture is the spec the Build track delivers against
The control mapping is what makes compliance a by-product, not a project
With the blueprint in hand, you can build with us, a partner, or your own team
Questions
A target-state design across the domains that matter to you, cloud, identity, network, and data, expressed in reusable patterns, with Secure by Design patterns your engineers can build against, reference diagrams, and the design mapped to your frameworks. It is a blueprint, precise enough to build from and defensible to an assessor.
No. The design is yours either way. Many clients take the blueprint and build with their own team or a delivery partner; others continue with us into Build. The architecture stands alone and commits you to nothing.
The roadmap sequences what to do and when; the architecture decides what the end state is. They are complementary, and the roadmap is far more useful once the target state it sequences toward actually exists. Many engagements pair the two.
No. The architecture is designed for your needs and is independent of any vendor, our own platform included. Tooling is matched to the design afterward, never the other way around. We recommend Alvor where it fits and say so plainly when it does not.
Typically four to eight weeks, depending on the breadth of the estate and the number of frameworks in scope. It is scoped in writing after a short scoping conversation, before any work begins.
One conversation, then the scope and the price in writing. Your enquiry arrives already marked for target-state architecture.