Cyber security advisory
Alvor Advisory is a specialist practice for security architecture, management, and compliance. We assess, architect, build, and operate, taking on as much or as little as you need, from a one-off review to a fully managed service.
A virtual CISO, security architecture, and hands-on engineering, sized to you and ready in weeks, not years.
Scope and price agreed in writing before any work. No obligation.
Why architecture-led
A control added to clear a finding, a tool bought to satisfy a clause, and no one ever decided what good actually looks like. We design the target state first, then build and run to it, so the program holds together and holds up. One control set, designed once, evidences every standard you answer to at the same time.
The evidence is a by-product of the design, not a scramble the week before the assessor arrives.
The decisions are written down, not carried in one person's head.
You can stand the posture up to your board, a regulator, or a customer's security team.
The obligation
Customers, regulators, and boards now expect demonstrable security, not intent. Whichever standard applies to you, it expects evidence on a schedule. We make meeting it the natural output of a well-designed program rather than an annual emergency.
ISO 27001
The international baseline for an information security management system, and increasingly a condition of doing business with larger customers.
SOC 2
The report your customers ask for before they trust you with their data, assessed against the criteria you scope: the mandatory Security criteria, then Availability, Confidentiality, Processing Integrity, and Privacy as your commitments require.
NIST CSF 2.0
The common language for security posture and maturity, and the spine most board and regulator conversations now hang on, with governance now a function in its own right.
ISO 42001 · NIST AI RMF
As AI lands in your products and your teams' hands, customers and regulators are starting to ask the question they once asked of security: show us how you govern it.
DORA · NIS2
Binding for financial entities and essential services operating in Europe, with management accountability and incident-reporting clocks written into the statute.
HIPAA · GDPR · PCI DSS
Where you handle health, personal, or cardholder data, the obligation is statutory and the penalties for failure are real.
Working to a regional or sector regime, such as the Essential Eight, APRA CPS 234 and CPS 230, SOCI or IRAP in Australia, DORA or NIS2 in the EU and UK, or NIST SP 800-171 and CMMC in the US defence supply chain? We map the engagement to it directly. Region-specific guidance is published separately.
How we work
We assess where you stand, design the target state, stand it up, and run it. Each track is a full practice in its own right, with a dedicated page and named services behind it, and you decide how far it goes.
Every boundary is a decision you control: continue with us, bring it in-house, or pause. Nothing commits you to the next track.
The practice
Alvor Advisory is the consulting arm of Alvor, the security and compliance platform company. The practice is new, and that is deliberate: we started it the way we tell clients to start a program, design first. No legacy methodology, no junior bench to keep busy, no pyramid to feed.
A senior practitioner scopes your engagement, designs the work, directs the hands-on delivery, and signs off the validation. Engineers build under that direction, never as a separate delivery organisation. Everyone holds the certifications relevant to their line of work: CISSP, ISO 27001 Lead Auditor and Lead Implementer, cloud security, and offensive security credentials.
We run our own security program on the platform we sell. Alvor's ISO 27001 and SOC 2 certifications are in progress with independent assessors, and we publish the attestations the day they are issued: the same separation of builder and judge we recommend to you.
Advice is paid for in fees, never steered by licences. Tooling is selected against your architecture, independent of any single vendor, our own platform included. We recommend Alvor where it is the right answer and say so plainly when it is not.
We take you to assessor-ready and stop. The certificate or attestation is issued by an independent body, by design: we build the posture, your assessor judges it. That separation is what makes the result count.
Global, with a named senior lead on every engagement. We work in the international standards and map directly to regional regimes, from the Essential Eight and APRA to DORA and NIS2.
Every engagement runs under a master services agreement and mutual NDA, with professional indemnity and cyber liability cover in place. Engagement data and evidence are segregated per client, and sub-processors are disclosed under NDA.
Proof of method
Eight pages of the standard Security Program Assessment report, redacted: the executive summary, the NIST CSF 2.0 maturity profile, the per-category summaries for Govern, a full control-level assessment with observations and recommendations, the risk-ranked gap register, and the prioritised roadmap. Names, owners, dates, and figures are removed; the method and depth are exactly what you receive.
Download the sample report (PDF · 8 pages). Reproduced from the 31-page deliverable, redacted for publication.
Findings at a glance
4.1 Maturity scorecard
NIST CSF 2.0 · Scale 0–5 · Prepared for
4.2 Gap register (extract)
Rows 14–16 of 27 · prioritised, risk-ranked · columns: Owner · Remediation · Cost
No privileged-access workflow for production
Recovery objectives undefined for core services
Vendor tiering absent above 50 suppliers
Who we work with
Regulated and high-growth organisations, typically 50 to 5,000 people, in the sectors where the obligation is sharpest: software, financial services, health, and critical services.
Founders, CTOs, and COOs writing the first security cheque. We stand up the first program in the right order and carry the leadership as a virtual CISO until you are ready to hire, then hand it over cleanly.
An established function that needs the scarce, intermittent work it cannot justify staffing: a target-state architecture, a unified control set, a build delivered to spec under your direction.
Leadership under pressure to show posture, not intent. We give you the maturity scorecard, the roadmap, and the evidence to stand up in front of a board, a regulator, or a customer's security team.
The moments that bring teams to us
The bridge
The advisory and the platform are two delivery models of the same thing: security architecture, management, and compliance. The advisory does it with people. The platform runs it as software. When the controls are standing, Operate keeps them current on Alvor, so your program maintains its own evidence and your team is not rebuilding the capability by hand. The program and its evidence stay portable: the platform earns the run, it never locks it.
The advisory
Designs the target state and stands it up, with people.
The platform
Runs the program as software, keeping the evidence current.
How we price
Every engagement carries one of four commercial shapes, and whatever the shape, you see the scope and the price in writing before any work begins. Each phase is priced as its own decision, so the cost never runs ahead of the value.
The standardised assessments. One number, agreed in writing before any work, with the scope to match.
Design engagements and estate-dependent assessments. Sized in a short scoping conversation, then priced in writing before you commit.
Build work, delivered to a plan with milestones and a price agreed up front.
The standing services under Operate, sized to you and reviewed on your terms.
A well-designed program costs less than the patchwork it replaces. One control set, evidenced once, removes the audit preparation you currently repeat for every framework, the overlapping tools bought clause by clause, and the readiness project you would otherwise commission elsewhere.
References
We work under mutual non-disclosure with regulated and high-growth organisations. Named, attributed references are available on request. We do not publish anonymous or invented quotes, so this space stays deliberately empty until a client has approved theirs.
Questions
A fixed-fee diagnostic against the framework that applies to you. You receive a maturity scorecard, a prioritised gap register, and a risk-ranked view of your exposure. Scope and price are agreed in writing before any work begins.
The major international standards, including ISO 27001, SOC 2, NIST CSF, HIPAA, GDPR, and PCI DSS. Where a regional regime applies to you, we map the engagement to it directly.
No. Each phase ends in a decision that is yours. You can exit, bring the work in-house, or continue. The assessment stands on its own and commits you to nothing.
Both. After the architecture is designed, the build can be delivered hands-on, alongside a delivery partner, or by directing your own team under architectural oversight.
They are two delivery models of the same thing. The advisory designs and stands up your program with people. The platform runs it as software, so Operate keeps your evidence current on Alvor.
It is architecture-led. We treat designing the target state as the scarce, valuable work, and separate it from the build so the design is decided deliberately. Good architecture makes compliance a by-product rather than a scramble.
The standardised assessments are fixed-fee. Every other engagement is scoped to your organisation and priced in writing before any work begins. Each phase is priced as its own decision, so the cost never runs ahead of the value, and you see the scope and the price before you commit to either.
The architecture work is scarce and intermittent, so you get the design capability without carrying a permanent hire for it. Once the program is built, Operate can hand the run to your own team whenever you are ready, rather than leaving you dependent on us.
Seniority, not breadth. The senior practitioner who scopes your engagement stays accountable for it from the whiteboard to the run book: they design the work, direct the hands-on delivery, and validate the result. There is no pyramid, no rotating bench of junior analysts, and no offshore delivery centre, and scope is fixed up front, so nothing is lost in a handover.
We set the architecture and the standard, then let your team execute under that oversight, so we add direction rather than displace anyone. You can engage a single phase, an assessment or an architecture, without committing to more, and keep us for the design work that never justifies a permanent hire.
No, and that is by design. We take you all the way to assessor-ready; the certificate or attestation is issued by an independent body. We build the posture, your assessor judges it. That separation is what makes the result count.
Yes, because the continuity is structural rather than heroic. The Alvor platform carries the operational load, the evidence collection, the scheduling, and the tracking, so the senior team stays on the decisions that need them. That is how the same team stays accountable across the lifecycle without a pyramid underneath it.
Operate runs the program: the controls, the evidence, the leadership cadence, and the tuning of the detection stack Build deployed. Around-the-clock eyes-on-glass monitoring is deliberately out of scope; where you need it, we scope a managed-detection provider into the operating model and hold them to the architecture.
Start here
Start anywhere on the lifecycle: a one-off assessment, a target-state architecture, a hands-on build, or a fully managed service. The standardised assessments are fixed-fee, and every engagement is scoped and priced in writing before any work begins, with no obligation to go further.
We review your enquiry · within 1 business day
Scope and price agreed in writing · before any work
We begin · to the agreed scope
The standardised assessments are fixed-fee. Every other engagement is scoped and priced in writing before you commit, from a one-off review to a managed service.
Your enquiry
Tell us where you are and what you are looking for. We reply within one business day, and you see the scope and the price in writing before you commit to anything.