
The Security Partner That Scaled With Them
How a Cambridge genomics startup went from mounting security debt to first-time pen test success — over a four-year partnership
About the customer
Founded by an academic in Cambridge, this company runs a research platform that handles electronic health records and genomic data from clinical trial participants across the UK, US, and Africa. Their platform connects research teams worldwide with pseudonymised patient data from people who have consented to take part in studies. Regulatory compliance and ethical data handling are at the core of how they operate — not just requirements to satisfy, but genuine business risks that could halt their operations if things went wrong. As the company grew from early-stage startup into a scale-up with real traction, the security picture needed to match.
The situation
Their Chief Security Officer brought us in to audit the AWS environment. The company was building fast. Investors needed milestones hit. The cloud platform was growing week by week to serve an expanding set of research customers. The audit was turned around quickly. What it showed was manageable in isolation. The direction of travel was the real concern. Every new feature and every new deployment was adding to a growing pile of security debt. Without a change to how the team worked, that pile was only going to keep growing.
What we did
Fixing the immediate issues was the first step. The harder work was helping the team build securely going forward — not as a set of rules to follow, but as a way of thinking about what they were deploying and why. We reviewed their Terraform configurations and software development lifecycle. We helped them shape policies for incident response and data retention that actually matched how the team worked, rather than policies written to satisfy an audit and then ignored.
"Threatplane has been instrumental throughout our journey of building and scaling our platform. All the security aspects have been handled to a very high standard."
Chief Operating Officer
What started as a single audit became a four-year working relationship. We threat-modelled their applications on a regular cadence, sat on their Information Security Governance Committee, and advised the CEO and COO directly on risk. When penetration tests came around, we helped them understand the outputs and present them accurately to external stakeholders. In many cases we implemented the security controls ourselves, giving them the assurance that the work had been done properly.
Four years on
By the time they went through their first major pen test, the preparation showed. The results were strong on the first attempt. Cyber Essentials Plus and NHS DSP Toolkit compliance were in place. Investors had a clear, documented view of the security posture. Other companies in the same sector have faced high-profile incidents, class-action lawsuits, and the regulatory scrutiny that follows. This company has kept its data safe, its customers confident, and its business intact.
75% reduction in threat modeling costs
25–50% engineering time saved on security remediation
4 yrs ongoing security partnership
Customer Perspective
"Meeting the stringent cybersecurity requirements of our partners while hitting other key milestones to gain investor confidence could not have been done without their thoughtful, pragmatic approach."
Founder, UK Med Tech Scale-up
"Threatplane has shown us many new angles on security for our key systems, and shown us what we need to focus on."
Chief Technology Officer
