Security Assessment and Threat Modelling
ControlPlane's threat modelling service identifies security vulnerabilities within your cloud estate, aligning to industry standards and providing pragmatic engineering-led recommendations to enhance security, developer satisfaction and deployment efficiency.
Trust certified specialists with experience securing cloud accounts, containers and Kubernetes platforms, application delivery pipelines and AI/MLSecOps patterns in regulated environments.
Features
- Detailed threat modelling designed to identify vulnerabilities and security issues
- Assess Amazon, Google, or Azure PaaS, IaaS implementations and applications
- Assess CI/CD, software supply chains and AI/ML systems
- Tailored workshops for engineering, security architecture, operations and business stakeholders
- Develop attack trees highlighting issues of concern and escalation paths
- Threats mapped against MITRE ATT&CK matrix
- Controls assessment baseline against compliance standards: PCI-DSS, ISO27001, CSA-CCM, NIST
- Pragmatic recommendations for your engineers to commence work on immediately
- Provision of long-term roadmaps as your ongoing security partners
- Comprehensive report encompassing threat model, attack trees, recommendations, roadmaps, baselines
Benefits
- Flexibility to tailor the assessment to unique needs and requirements
- Boost security awareness through collaborative threat modelling activities
- Identify security control gaps to reduce the likelihood of misconfiguration
- Reduce overall engineering costs and time spent implementing complex redesigns
- Support all project stages with independent, vendor agnostic security assurance
- Proven ability to decode complex, undocumented environments through configuration/code analysis
- Containerised workload (EKS, AKS, GKE) and CNCF landscape project expertise
- CIS benchmark authors operating at intersection of compliance and engineering
- AWS, GCP, Azure certified consultants with regulated industry experience (CNI)
- Pragmatic approach to security prioritising developer experience and deployment velocity
Pricing
£750 to £2,850 a unit a day
Framework
G-Cloud 14
Service ID
472831284488281
Contact
CONTROL PLANE LIMITED
Technical Solutions
Telephone: +447570989398
Email: solutions@control-plane.io
Planning
- Planning service
- Yes
- How the planning service works
-
We offer a risk-based, pragmatic approach to help buyers plan for cloud implementation work. Starting with a comprehensive threat model, we will map out clients' information assets and work with key stakeholders to understand the potential impact of a compromise. We will then hold threat modelling workshops to uncover the different ways in which a threat actor could compromise these assets. The result of these activities is a detailed understanding of the system, a prioritised list of threats, against which mitigating controls will be devised, benchmarked to standards if required.
The fulfilment of the controls will then be assessed, and any incomplete controls scored according to risk level in order to prioritise recommendations.
An extensive level of detail will be provided around these recommendations, making best use of ControlPlane's vendor-agnostic approach and extensive knowledge of cloud provider services, open source and CNCF landscape technologies. The recommendations will be sufficiently detailed that engineering staff can immediately work on implementing them, and will be devised to balance security, developer experience and velocity.
- Planning service works with specific services
- No
Training
- Training service provided
- Yes
- How the training service works
-
ControlPlane can provide training and knowledge transfer through a variety of embedded and classroom-based means throughout the project's lifecycle.
Knowledge transfer through embedding within existing teams, running regular project demos and info sessions, detailed documentation and holding specialist handover sessions can be complemented by our portfolio of classroom-based interactive training courses covering GRC with cloud native, threat modelling, DevSecOps, Kubernetes, secure containerised application development, and Kubernetes Capture the Flag events, available on a per-delegate, per-course basis.
For customised courses an additional charge for material uplift may apply, based upon the T&M rates for the consultant performing the uplift.
Our training portfolio can be found under our Cloud Native, DevSecOps and Kubernetes Training offering.
- Training is tied to specific services
- No
Setup and migration
- Setup or migration service available
- Yes
- How the setup or migration service works
- ControlPlane's security assessment and threat modelling service can assist clients migrating to, or between, cloud services by providing them with information on risks and issues with their planned setup or migration and subsequently making pragmatic recommendations to reduce risk and align with best practices and compliance standards. ControlPlane is well placed to take on the complexity of on-prem to cloud as well as cloud to cloud migrations, with a thorough understanding of the change of people, processes and technologies between the environments, and technological nuances between the main cloud providers.
- Setup or migration service is for specific cloud services
- No
Quality assurance and performance testing
- Quality assurance and performance testing service
- No
Security testing
- Security services
- Yes
- Security services type
-
- Security strategy
- Security risk management
- Security design
- Cyber security consultancy
- Security testing
- Security incident management
- Security audit services
- Other
- Other security services
-
- AI and MLSecOps Reference Architectures
- Supply Chain attestation and build security
- Certified security testers
- Yes
- Security testing certifications
-
- Cyber Scheme
- Other
- Other security testing certifications
- Offensive Security Certified Professional (OSCP)
Ongoing support
- Ongoing support service
- No
Service scope
- Service constraints
- Normal service hours are from 09:00 to 17:00 UK time on weekdays, excluding bank holidays. Work outside these hours requires prior agreement and may incur additional charges according to the SFIA rate card. All travel and subsistence costs to the client site will be chargeable based on the agreed Terms & Conditions.
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- For the duration of the project, ControlPlane staff will be available to answer email queries, usually within one business day.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Support levels
- We provide dedicated staff for each engagement who are allocated on a skills-matched basis and are available to provide support accordingly on UK working days and hours (09:00-17:00). Extended support can be provided subject to agreement and additional cost as described within the supplementary pricing document.
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Developed Vetting (DV)
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- No
- Other security certifications
- Yes
- Any other security certifications
-
- Offensive Security Certified Professional (OSCP)
- Certified Kubernetes Administrator / Application Developer, Certified Kubernetes Security
- AWS Certified Solutions Architect, AWS Certified Security-Specialty
- GCP Professional Cloud Architect, GCP Professional Cloud DevOps Engineer, GCP Cloud Security Engineer
- HashiCorp Certified Terraform Associate, HashiCorp Certified Vault Associate
- Azure Security Engineer Associate
- CREST Registered Technical Security Architect
- CISSP
Social Value
- Social Value
-
- Fighting climate change
- Covid-19 recovery
- Tackling economic inequality
- Equal opportunity
- Wellbeing
Fighting climate change
ControlPlane’s remote-first approach minimises wasteful travel to its corporate office. When travel to a client site is required, sustainable transport options are employed. This remote-first strategy enables ControlPlane to lower its carbon footprint by reducing travel and requiring only a small office.
Additionally, in delivering its architecture and engineering services, ControlPlane aims to eradicate wasteful spending on cloud resources. It designs and builds efficient, cost-effective solutions that utilise features such as autoscaling and configuration drift detection to minimise resource usage and expenditure.
Covid-19 recovery
As a result of COVID-19, ControlPlane has become a remote-first organisation, offering enhanced flexibility, eradicating commuting, and improving employee work-life balance.
Remote engagements also reduce the burden on healthcare services by minimising virus transmission risks. The introduction of virtual tooling necessary for remote work has expanded accessibility to our services.
As a result of these changes, ControlPlane has been able to maintain a minimal office footprint, establish sustainable travel practices, and foster a remote-first culture.
Tackling economic inequality
ControlPlane's commitment to skill enhancement through client and community engagement—ranging from classroom-based training and knowledge sharing on projects to active participation and presentations at free community meetups and conferences—effectively addresses skills shortages by empowering individuals to gain new skills and certifications.
As a vendor-neutral consultancy with a deep commitment to leveraging open source technologies, ControlPlane boasts a rich history of contributing to open-source projects and sponsoring PhD research in technologies it finds beneficial. This strategy not only promotes diversity within the technology supply chain but also ensures the selection of the most fitting technology to meet specific needs, rather than defaulting to a few monolithic suppliers.
Furthermore, with a strong focus on security, ControlPlane demonstrates an in-depth understanding of supply chain risks and management strategies, showcasing a proven record of evaluating supply chain risk and implementing solutions that enable organisations to securely utilize open source and other third-party products.
Equal opportunity
ControlPlane is committed to promoting equal opportunity, and our diverse culture empowers and develops individuals with talent and integrity. We ensure that individuals at all levels of the organisation grasp the importance and benefits of diversity in high-performing teams. This empowers them with the motivation and opportunity to express their perspectives and drive change.
Our recruitment practices are designed to be as inclusive as possible, attracting and retaining top talent from a variety of experiences and backgrounds. We also offer existing employees support, professional development training, and other mechanisms to advance their careers.
Furthermore, ControlPlane partners with charities and schools to introduce underrepresented groups to careers in technology and security. These partnerships include hosting and contributing to workshops aimed at secondary school students. Our goal is to educate and inspire young individuals during their crucial academic decision-making phases.
ControlPlane is currently in the process of establishing an outreach programme.
Wellbeing
ControlPlane is fully committed to employee wellbeing, offering two fully-paid company-wide mental health days annually. We strongly encourage employees to take this time to focus on relaxation and wellbeing activities. We make scheduled contributions to an employee rewards and benefits platform, which includes a wellness portal and credits redeemable for various products and services, including those focused on wellness.
ControlPlane champions a community of open-source and security advocates by attending, presenting at, and organizing industry conferences, local meetups, and engaging with specialist interest groups within the Linux Foundation. Our collaborative ethos is evident in how we engage; we prefer to work embedded within client organisations and existing teams, rather than forming separate teams outside of an organisation.
Pricing
- Price
- £750 to £2,850 a unit a day
- Discount for educational organisations
- No