Saltar al contenido principal

Cybersecurity

Cybersecurity

Protect your business from digital threats. Services designed to prevent, detect and mitigate attacks.

6 services available
Security configuration and hardening service

Security Configuration

We harden servers, workstations, applications, and network devices following CIS benchmarks and each manufacturer's official recommendations.

Most incidents don't start with an exotic vulnerability but with default configurations that were never changed: standard passwords, unnecessary services left running, logging disabled, permissions that are too lax. Systematic hardening closes those doors that attackers' scanners find in seconds.

What's included

  • Firewall, WAF, and IDS/IPS configuration according to network zone.
  • Granular management of permissions, roles, and the principle of least privilege.
  • Patches, updates, and a secure configuration baseline.
  • Linux/Windows hardening according to CIS (Center for Internet Security) benchmarks.
  • Web application hardening (headers, strict HTTPS, CORS, CSP).
  • Centralized logging configuration for auditing and detection.

Ideal for

Companies that have just deployed new servers or applications and want to secure them before putting them into production, organizations undergoing external audits that need to pass controls, businesses that identified weaknesses in a pentest and need to fix them systematically, and any organization that wants to raise its security baseline.

How we work

We audit the current state against a benchmark (CIS, NIST, OWASP as appropriate), generate a deviation report prioritized by risk, and apply the changes in an orderly manner with functionality testing at every step. We document the standard configurations (golden images, Ansible playbooks) so that new systems are born hardened instead of having to be fixed afterward.

Frequently asked questions

Does hardening break applications?

If done without testing, yes. That's why we work in controlled windows, with staging environments that replicate production, and with rollback ready. Changes are applied incrementally, validating functionality at each step. In 2 years of experience, incidents caused by poorly applied hardening are rare and reversible.

What are CIS benchmarks?

These are guides published by the Center for Internet Security with secure configurations for operating systems, databases, browsers, cloud providers, and more. Each benchmark has hundreds of community-validated controls. They are the de facto standard for professional hardening and satisfy many ISO 27001 and PCI DSS requirements.

How often should configurations be reviewed?

We recommend a full annual review and partial reviews whenever there are major changes (new OS version, new application, topology change). Between reviews, continuous monitoring and automated patching maintain the baseline. Benchmarks are updated periodically and we keep up with them.

Security auditing and pentesting service

Security Audits & Pentesting

We perform penetration testing and comprehensive security audits to identify vulnerabilities in your systems before attackers find them.

A well-executed security audit reveals what your automated scans miss: server misconfigurations, authorization logic that can be bypassed, credentials exposed in repositories, and attack chains that combine multiple minor weaknesses. Everything manually verified by specialists.

What's included?

  • External infrastructure assessment (perimeter, exposed services, DNS, email).
  • Internal pentesting (lateral movement, privilege escalation, AD/LDAP).
  • Web application audit based on OWASP Top 10 and ASVS.
  • Cloud configuration review (AWS, Azure, GCP) and exposed buckets.
  • Executive report + technical report with reproduction steps and remediation.
  • Post-remediation retest included to validate that fixes work.

Ideal for

Companies that handle sensitive data (financial, medical, customer data), that must comply with regulations such as PCI DSS or ISO 27001, that are about to undergo an external audit, or that have just deployed a platform and want to validate their security posture before scaling.

How we work

We sign an NDA before starting and define the scope with clear rules (testing hours, permitted systems, social engineering scenarios if applicable). We operate under established methodologies such as the OWASP Testing Guide, PTES, and OSSTMM. We deliver the report in Spanish, with findings classified by severity (Critical/High/Medium/Low) and reproducible technical evidence.

Frequently Asked Questions

What's the difference between an audit and a pentest?

An audit reviews configurations, processes, and compliance against a standard (ISO, NIST, PCI). A pentest simulates a real attack: it exploits vulnerabilities to demonstrate how far an attacker can get. Ideally they are done together — the audit detects weaknesses on paper, the pentest validates them in practice.

Can it disrupt my operations?

Tests are run within agreed time windows. For critical systems we work in staging environments that replicate production. When we test against production, we avoid denial-of-service techniques and coordinate with your IT team in real time via a dedicated channel.

How are the results delivered?

With two reports: an executive summary in Spanish for management (business risks, impact, prioritized recommendations) and a technical report for IT (exact reproduction steps, commands, screenshots, proof-of-concept code, and concrete fixes per finding). At the end we present the results in a meeting with your team.

Ethical phishing testing and controlled simulations service

Ethical Phishing Tests

We conduct ethical phishing tests to identify vulnerabilities in your security systems and raise your team's awareness of digital threats.

Phishing remains the leading vector behind nearly all ransomware attacks and corporate breaches. Knowing in theory that you shouldn't "click on suspicious emails" isn't the same as recognizing one under pressure on a Tuesday at 4 PM. Ethical simulations measure reality with evidence, without real consequences, and provide data you can act on.

What's included?

  • Realistic phishing attack simulations.
  • Assessment of your employees' response to suspicious emails.
  • Detailed reports with recommendations to improve security.
  • Immediate learning page for employees who fall for the simulation.
  • Escalated campaigns: easy → intermediate → advanced to measure progress.
  • Coordination with management and HR for ethical handling of results.

Ideal for

Companies that have already trained their team in security and want to measure effectiveness, organizations that must demonstrate awareness training controls for regulatory compliance (ISO 27001, SOC 2), and businesses that suspect their team is vulnerable but need objective evidence to prioritize investment in training.

How we work

We coordinate the ethical scope with management and HR (educational, not punitive, objectives), define the email templates (plausible topics for your industry) and the execution window. Platforms like GoPhish, King Phisher, or enterprise tools run the campaign in a controlled manner. Results are delivered anonymized by group (not by individual publicly) with a focus on corrective actions, not on exposing people.

Frequently asked questions

Is it legal to run phishing tests against my own team?

Yes, when it's authorized by company management with a formal authorization letter. It's part of security programs accepted globally. What is NOT legal is running it without written authorization. We require that document before starting and work under clear ethical rules (no public exposure of individuals, focus on learning).

What happens to employees who fall for it?

At the moment of the click, they see a learning page explaining what the simulation was, what warning signs were in the email, and how to recognize it next time. Individual-level results remain confidential between the employee and HR — no lists are published. At the aggregate level, management sees trends by area to focus training.

How much does the result improve with training?

Teams without prior training typically have click rates of 20-40%. After focused training and 2-3 simulation cycles, it drops to 5-10%. More importantly, the "report" rate rises (employees who receive the email and report it to IT), which is the most operationally useful metric.

Anti-phishing protection service for businesses

Anti-Phishing

We protect your business against phishing attempts through advanced solutions and customized strategies.

The best training isn't enough on its own — it needs to be paired with technical controls that reduce the number of suspicious emails reaching the inbox. Well-configured DMARC, SPF and DKIM protect your brand from impersonation; advanced filters and sandboxing detect threats in incoming email. Both layers are necessary — neither alone is sufficient.

What's included?

  • Early detection of fraudulent emails.
  • Training to strengthen your team's security awareness.
  • Implementation of robust anti-phishing technologies.
  • Monitoring of lookalike domains (typosquatting) that could be used to attack you.
  • Real-time alerts when an employee receives a suspicious email.
  • Periodic reports on blocked threats and trends.

Ideal for

Businesses that receive a lot of external email and have already suffered impersonation attacks, organizations where management or finance are the typical target of fraud (CEO fraud, fake invoices), businesses that send emails to customers and want to make sure they aren't blocked or spoofed, and any company using Google Workspace or Microsoft 365 that wants to harden the default configuration.

How we work

We audit your current SPF/DKIM/DMARC configuration (most domains have these misconfigured or incomplete) and your email policies. We implement the correct DNS records and move DMARC progressively from "monitor" to "quarantine" to "reject" so as not to break legitimate email. We configure advanced filters on your email platform, enable sandboxing for attachments, and set up alerts. We monitor DMARC reports monthly to detect ongoing impersonation attempts.

Frequently asked questions

What are SPF, DKIM and DMARC?

These are three DNS standards for authenticating email. SPF declares which servers are allowed to send email on behalf of your domain. DKIM cryptographically signs every outgoing email. DMARC tells the receiving server what to do if SPF or DKIM fail (reject or quarantine). Without these three, anyone can send email impersonating your domain.

Will this reduce the spam my team receives?

Yes, significantly. In addition to Google/Microsoft's native configuration, we add layers such as reputation-based filters, up-to-date blocklists, and content analysis. On average, businesses reduce spam reaching the inbox by 60-80%, with less than 1% false positives (legitimate emails misclassified).

What happens if an important supplier's email gets blocked?

Filters are calibrated with whitelisting for known supplier domains and a fast release process for false positives. The administrator can review the quarantine and release legitimate emails within seconds. We also recommend that your critical suppliers set up their own DMARC to reduce false positives.

Cybersecurity training service for businesses

Cybersecurity Training

Strengthen your company's first line of defense: your team. We offer cybersecurity training programs tailored to all levels.

Firewalls and antivirus software don't protect against an email an employee opens because it looks legitimate. 90% of successful breaches involve human error at some point. Systematic training turns the team from an attack vector into the first line of defense — and it's not a one-time talk, it's sustained culture.

What's included?

  • Hands-on employee awareness workshops on digital threats.
  • Technical training for IT teams on security tools and methodologies.
  • Incident simulations and attack response exercises.
  • Training materials in Spanish featuring real attack examples from Latin America.
  • Assessments and a certificate of participation for every attendee.
  • Ongoing programs with fresh content every quarter.

Ideal for

Companies that must meet awareness training requirements (ISO 27001, SOC 2, PCI DSS), organizations that already suffered an incident due to human error and want to prevent it going forward, executive teams that are frequent targets of fraud (CEO fraud, BEC), and companies that fold cyber risk into their corporate risk management.

How we work

We start with a diagnostic (an initial phishing simulation plus brief interviews) to identify where the real gaps are. We design the curriculum in level-based modules (basic users, mid-level management, technical staff, executives) — each audience needs different messaging and depth. Workshops combine short presentations with hands-on exercises and discussion of real cases. We measure effectiveness with follow-up simulations to confirm the learning translated into behavior.

Frequently asked questions

In person, remote, or hybrid?

All three work, and we offer them based on your preference. In-person sessions have higher engagement and allow for richer group exercises. Live remote sessions work well for distributed teams. Recorded/asynchronous sessions suit large companies with schedules that are impossible to coordinate. We recommend a mix: recorded introduction + live workshop + follow-up practice.

How much time does it require from the team?

General awareness programs: 2-3 initial hours plus 15 minutes a month (refresher pills). Specific technical training: 1-2 days depending on the topic. The key isn't the number of hours but consistency: regular 15-minute monthly sessions beat a full day once a year.

Do you provide a compliance certificate for audits?

Yes. Each participant receives a personal certificate stating hours, topics covered, and date. The company receives a consolidated report with attendance, assessment results, and documented evidence — accepted by ISO 27001, SOC 2, and similar framework auditors as evidence of awareness training controls.

Regulatory and industry compliance service in cybersecurity

Compliance & Regulations

We advise you on compliance with information security standards and regulations to protect your business and meet legal and industry requirements.

Complying with a standard is not about filling out forms — it's about implementing real controls that are later documented. A paper-only approach may pass an audit once, but it leaves real vulnerabilities in place. Our focus is making sure your controls work in day-to-day operations and also generate the evidence auditors expect.

What's included?

  • Advisory on ISO 27001 implementation and recognized security frameworks.
  • Compliance gap assessment and remediation plan.
  • Data protection, privacy, and risk management policies.
  • Implementation of technical controls (not just documentation) aligned with the standard.
  • Team training and awareness to maintain ongoing compliance.
  • Support during external audits as a technical liaison.

Ideal for

Companies that must certify ISO 27001 due to requirements from corporate clients, organizations that process credit cards and must comply with PCI DSS, service providers selling to large enterprises that require SOC 2 Type II, and businesses in regulated industries (finance, healthcare, telecommunications) with specific sector requirements.

How we work

We start with a detailed gap analysis: which standard you're certifying against, where you stand today, and what's missing. We prioritize by impact (which controls are critical to pass the audit and which are refinements). We implement in phases, generating evidence from day one — not at the end. We support the internal pre-audit and act as a technical liaison during the external audit. Post-certification, we help with the ongoing maintenance cycle.

Frequently asked questions

How long does it take to certify ISO 27001 from scratch?

It depends on size, scope, and current maturity. SMEs with good practices already in place: 6-9 months. Companies starting from zero in formal security: 12-18 months. The timeline is shaped as much by the pace of internal implementation as by our work; if leadership prioritizes resources, timelines shorten.

Do you issue the official certification?

No. The official certification is issued by an accredited certification body (BSI, TÜV, Bureau Veritas, DNV, etc.) — this is an independence requirement. We prepare your company to pass that audit. We have experience with several certification bodies and know what they expect in practice, not just in theory.

ISO 27001 or SOC 2? Which one is right for me?

ISO 27001 is an international standard, globally recognized, common in Europe, LATAM, and Asia. SOC 2 is specific to the North American market, heavily required by B2B clients in the US. If you sell to US companies, go with SOC 2. If your clients are global or European, go with ISO 27001. Many companies pursue both in parallel since they share 70% of controls.

How does it work?

01

Tell us

Write to us via form or WhatsApp. Response in less than 2 hours.

02

Proposal

Clear plan with timelines, costs and scope. No commitment.

03

We execute

Weekly deliveries with real progress. No surprises.

Ready to start?

Tell us about your project and we'll advise you with no commitment. Response in less than 2 hours.