Industry · Private Equity · UK & Ireland · funds with 3–30 portcos

One bench. Every portco covered.

Fractional CISO, CTO and IT director cover across your portfolio. IT and AI due diligence before the deal, a 100 day security baseline after it and exit-ready evidence throughout the hold. Senior engineers on fixed fees - one agreement at fund level, one number for the operating partner to call.

THE PORTFOLIO MODEL
  • 1 fund-level agreement, per-portco scopes
  • 3–30 portcos under one security framework
  • Day 1: incident escalation line live
  • 10 days: red-flag IT due diligence on a target
Cyber Essentials Plus · ISO 27001 · insurer-aware
The brief

Six things we hear from every operating partner.

Mid-market portfolios run on thin IT. The fund carries the risk. Recognise any?

Nobody owns security at group level
"Every portco has a different MSP, a different password manager and a different answer. Nobody can tell me our exposure across the fund."
DD findings die in the data room
"Tech DD flagged eight risks at completion. Two years on, six are still open and nobody's been chased on any of them."
Insurance renewals keep getting harder
"Cyber insurers want MFA evidence, backup tests and incident plans for every portco. Collecting that takes my team a quarter."
Carve-outs land with no IT at all
"We bought a division that's still running on the seller's tenant. TSA ends in six months and there's no plan."
Portco IT spend is invisible
"Licences, MSP contracts, shadow SaaS. Each one's small, but across twelve portcos I'm certain we're burning money."
Exit DD will find the mess
"The buyer's advisers will crawl over everything we never fixed. Every open finding becomes a chip on the price."
One bench fixes all six. Most portcos are baselined inside 100 days.
What we run

Fractional leadership and delivery, across the whole portfolio.

Fractional CISO / vCISO

A named security owner for each portco and a group rollup for the fund. Risk register, board reporting, insurer evidence, incident escalation. One framework so portcos stop reinventing the wheel.

From £3k/month per portco
Fractional CTO / CIO / IT director

Senior technology leadership for portcos in transformation, carve-out or scale-up. Roadmaps, vendor and MSP management, build-vs-buy calls, hiring support. Days per month, not headcount.

From £2.5k/month per portco
IT & AI due diligence

Pre-deal red flags in ten working days: infrastructure and cloud posture, security history, licence and contract exposure, key-person risk, tech debt and integration cost, AI and data exposure.

Fixed fee per target
100 day plans & carve-outs

Post-completion security baseline, TSA exits, tenant separations and integrations delivered by the engineers, not just planned on a slide. DD findings carried straight into the plan.

Fixed scope, fixed fee
Portfolio compliance baseline

Cyber Essentials and Cyber Essentials Plus across the portfolio, ISO 27001 where a portco's market demands it. One framework, per-portco evidence packs your insurers and LPs can actually read.

Per portco, portfolio framework
AI value creation

The 6-week AI Pilot deployed where it moves portco margin: back-office automation, document processing, customer operations. Prove it in one portco, repeat the playbook across the others.

£18k fixed per pilot
Managed IT and cyber operations available underneath any of these as the Run layer, for portcos with no internal IT or an MSP that isn't working.
How it works

One agreement at fund level. Per-portco everything else.

01
Fund-level MSA

One master agreement with the fund or opco. Rates, confidentiality and working model agreed once, then never renegotiated per deal.

02
Per-portco scopes

Each portfolio company gets its own statement of work sized to its risk and stage: some need a CISO day a month, some need a full carve-out team.

03
Quarterly rollup

Every portco board gets its own pack. The operating partner gets the group view: one heatmap of risk, spend and progress across the portfolio.

04
Exit-ready evidence

Risk registers, certificates, DR test results and incident records maintained as a living data room folder, so vendor DD lands on prepared ground.

Portcos join and leave without paperwork drama.

New acquisition? It's a statement of work, live in days, with DD findings already in hand. Exit? Cover ends at completion and the evidence pack transfers with the business. The fund relationship carries on.

The playbook

The first 100 days in a new portco.

01 · WEEKS 1–2
See everything

Day one is about sight. You cannot defend an estate you cannot list.

  • Asset and identity inventory
  • Admin access recovered and documented
  • Incident escalation line live
  • MFA gaps closed on day one accounts

02 · WEEKS 3–6
Stop the bleeding

The risks diligence found stop being findings and start being fixes.

  • Backups verified with a real restore
  • Endpoint protection across the estate
  • Licence and contract register built
  • DD findings triaged into the plan

03 · WEEKS 7–12
Make it provable

Control you can't evidence doesn't exist to an insurer or a buyer.

  • Cyber Essentials scope agreed
  • Incident response runbook tested
  • First board report delivered
  • Insurer evidence pack assembled

04 · DAY 100
Steady state

Baseline certified. Cover settles into cadence and the fund sees it all.

  • Baseline certified and documented
  • Fractional cover cadence agreed
  • Roadmap priced for the hold period
  • Group rollup includes the new portco
For LPs, insurers and buyers

Evidence that's ready before anyone asks.

The difference between a portfolio that manages risk and one that can prove it is about four ring binders of evidence nobody enjoyed making. We maintain it as we go: insurer questionnaires stop being a quarterly fire drill, LP requests get answered the same week and vendor due diligence at exit starts from a prepared data room instead of a scramble.

THE STANDING EVIDENCE PACK · PER PORTCO
  • Risk register with owner, status and movement since last quarter
  • Cyber Essentials / CE Plus certificate and scope
  • Backup and disaster recovery test results, dated
  • Incident response runbook and post-incident records
  • MFA, access and joiner-leaver evidence for insurers
  • Licence, contract and MSP register with renewal dates
Rolled up across portcos into one group heatmap for the fund.
FAQ

What operating partners ask first.

Eight questions deal teams and operating partners ask on every first call about portfolio cover.

From £3,000 a month per portfolio company on a three month minimum, with portfolio rates once three or more portcos are covered. That buys a named security owner, a maintained risk register, board reporting, insurer evidence and an incident escalation line. One agreement sits at fund level and each portco has its own statement of work, so cover starts and stops cleanly as companies join and exit the portfolio.

Let's talk portfolio

Bring the portfolio.
We'll bring the bench.

Free 30-minute working session with a senior engineer who has sat on both sides of a deal. Bring the thing that worries you most - a target in diligence, a portco with no security owner, an exit on the horizon. You'll leave with a straight answer and a fixed proposal follows in five working days.