Security that survives a real audit.

Zero-trust architecture, Kenya Data Protection Act compliance, penetration testing, and 24/7 SOC operations — engineered for organisations that have to defend their security posture in front of a regulator, board, or customer.

What's included
  • Security posture assessment
  • Zero-trust architecture design
  • Penetration testing & red-team
  • Kenya DPA compliance audit
  • SIEM / SOC implementation
  • Incident response runbooks
  • 24/7 managed SOC (optional)

Why us

Security as a discipline, not a checkbox.

Most "cybersecurity vendors" sell you a product, run a one-time scan, and disappear. We treat security as an operational discipline — embedded into how systems are built, deployed, monitored, and audited.

Every Augusta-built system ships with security review baked in. Every managed system is monitored 24/7. When the auditor comes asking, you'll have answers.

01

Audit-ready by default

Documented controls, traceable decisions, audit trails for every privileged action. When the Office of the Data Protection Commissioner (ODPC), an internal auditor, or a customer's security team comes calling, you're ready.

02

Kenya DPA fluent

We work to the Kenya Data Protection Act every day — data residency, consent flows, ODPC notifications, data subject rights. Not as an afterthought.

03

Real testing, not theatre

Our pentests go beyond compliance scans — we'll exploit, pivot, escalate. Reports include actual proof-of-exploit, not just "missing X-Frame-Options header".

04

Engineering-led

Our security team writes code. We don't just hand you a list of findings — we'll fix them, or work with your team to fix them properly.

Capabilities

What we do.

From advisory to 24/7 operations — six security practices.

Security architecture

Zero-trust design, network segmentation, identity-first architecture, secrets management, encryption strategy.

Penetration testing

Web, mobile, API, cloud and infrastructure pentests. Red-team engagements for organisations ready for the next level.

DPA & compliance

Kenya Data Protection Act audit and remediation, GDPR readiness, SOC 2-style controls, ISO 27001 prep.

SIEM & monitoring

Log aggregation, threat detection, custom rule design — using your existing SIEM or one we recommend and operate.

24/7 managed SOC

Tier-1 to tier-3 analysts on call, incident response, monthly reporting — outsourced security operations done well.

Incident response

Tabletop exercises, IR runbooks, retainer-based response — ready before the breach, fast when the breach happens.

How we work

From assessment to operations.

Three phases — most engagements run all three.

01

Assess

Posture review, gap analysis against the DPA / SOC 2 / ISO 27001 as applicable, threat model. We end with a prioritised roadmap, not a 200-page report nobody will read.

Duration: 2 – 4 weeks

02

Remediate

Implementation of security controls: architecture changes, identity hardening, monitoring deployment, incident-response capability. Usually delivered in waves, highest-risk gaps first.

Duration: 2 – 6 months

03

Operate

24/7 SOC, ongoing pentest cadence, quarterly posture reviews, annual recertification. Security as an ongoing discipline, not a project.

Duration: ongoing

FAQ

Buyer questions.

The questions security buyers ask before signing.

Are you DPA / ODPC registered?
Yes. Augusta is registered with the Office of the Data Protection Commissioner (ODPC) as both a Data Controller and a Data Processor. We hold ourselves to the same standards we recommend to clients.

What about ISO 27001 / SOC 2?
Augusta operates SOC 2-style controls internally. We help clients prepare for both ISO 27001 certification and SOC 2 audits, including evidence collection, control mapping, and pre-audit gap reviews with named auditing partners.

How does your pentesting differ from automated scanners?
Automated scanners catch common misconfigurations. Our pentests catch exploitable chains, the kind of attack a real adversary runs. Reports include proof-of-exploit, not just CVSS scores.

What's involved in 24/7 managed SOC?
Tier-1 monitoring (alert triage, false-positive filtering), tier-2 investigation, and tier-3 incident response, all delivered in-region on East Africa Time (EAT). Monthly reporting covers threats seen, mean time to detect (MTTD) and mean time to respond (MTTR). Incident response is retainer-based.

What if we're already breached?
Call us first, then your insurer. We can stand up incident response within 4 hours, covering containment, eradication, forensic preservation, and support with breach notification to the ODPC (the Act requires the Data Commissioner to be notified within 72 hours of becoming aware of a breach). Confidentiality is our default.
Get started

Ready to talk security?

Tell us about your environment and the regulatory ground you have to defend. A senior security engineer will respond within one business day with a clear point of view.