SECURITY ASSESSMENT // CHIMERASCOPE
We assess your organization's external attack surface and deliver an encrypted, compliance-mapped report — the only assessment at this level that maps every finding to specific CRA, NIS2, ISO 27001, GDPR, DORA, and MiCA regulatory articles.
We evaluate your organization's publicly visible infrastructure — domains, subdomains, certificates, email security, exposed services, cloud configurations, and third-party dependencies — using a proprietary assessment methodology developed over years of security research.
Every finding is automatically mapped to the regulatory framework articles that apply to your organization. The result is a structured, encrypted intelligence report that speaks the language of both your technical team and your compliance officers.
This is not a penetration test. We do not interact with your systems beyond what any external observer could see. No authorization is required for the standard assessment scope — though we recommend a formal engagement agreement for all paid assessments.
Comprehensive assessment delivered as an AES-128 encrypted PDF with full table of contents, executive scoring (A–F), and forensic chain of custody. Typically 30–50 pages depending on infrastructure complexity.
Every finding mapped to specific articles: CRA Art. 10, 11, 14; NIS2 Art. 21 measures; ISO 27001 Annex A controls; GDPR Art. 32 technical requirements; DORA Art. 5–12, 17, 24, 28 for financial entities; MiCA Art. 62, 67, 68, 75, 79, 83 for crypto-asset service providers, with a dedicated MiCA/DORA Compliance Scorecard (per-article PASS/FAIL assessment). Sector-specific annotations where applicable.
Boardroom-ready summary with overall security grade, CRA readiness scorecard with traffic-light indicators, and remediation priority matrix organized by impact and effort.
SHA-256 hashed forensic evidence chain with verification QR code. Machine-readable JSON export compatible with SIEM platforms, Jira, and ServiceNow for direct integration into your remediation workflow.
Under the Cyber Resilience Act (CRA), vulnerability reporting becomes mandatory from September 11, 2026, with full compliance required by December 2027. We map findings to Articles 10 (cybersecurity requirements), 11 (vulnerability handling), and 14 (reporting obligations). Penalties: up to €15M or 2.5% of global annual turnover.
NIS2 Article 21 security measures assessment across all applicable domains. Sector-specific mapping available for healthcare, energy, transport, water, and digital infrastructure entities. Active in Denmark, Finland, and Sweden since January 2026.
ISO 27001 Annex A control mapping with gap identification against information security management requirements. Particularly relevant for organizations pursuing or maintaining certification: our findings integrate directly into your Statement of Applicability.
GDPR Article 32 technical and organizational measures assessment. Data exposure evaluation, breach risk scoring, and identification of processing activities visible from the external attack surface.
DORA is mandatory for EU financial entities. We map findings to Art. 5–6 (ICT risk management), Art. 7 (patch management), Art. 9 (access control, encryption), Art. 10–11 (detection and response), Art. 17 (incident reporting), Art. 24 (resilience testing), and Art. 28 (third-party risk). DORA compliance mapping is included in all paid assessments.
MiCA is the EU-wide regulatory framework for crypto-asset service providers (CASPs), effective June 2024 with full application from December 2024. We map findings to Art. 62 (ICT risk management), Art. 67 (operational resilience), Art. 68 (safeguarding requirements), Art. 75 (custody and administration), Art. 79 (exchange services), and Art. 83 (complaint handling). Crypto-asset targets receive a dedicated MiCA/DORA Compliance Scorecard with per-article PASS/FAIL/WARN assessment in the delivered report. Essential for exchanges, custodial wallet providers, and any entity offering crypto-asset services within the EU.
Clinical trial data protection, manufacturing system exposure, GxP compliance verification. Assessment covers connected laboratory equipment, research portals, and API interfaces to partner organizations.
Multi-client data environment assessment, FDA/EMA audit readiness evaluation. Particular focus on supply chain exposure, shared infrastructure risks, and cross-client data isolation verification.
Connected device ecosystem assessment, CRA product compliance evaluation. Covers firmware exposure analysis, update mechanism security, API authentication, and cloud management platform posture.
OT/IT convergence risk assessment for CRA-applicable connected products. Sensor network exposure, SCADA interface detection, cloud management platforms, and edge computing security evaluation.
Electronic health record system exposure, patient data risk assessment. NIS2 health sector requirements mapping, telehealth platform security, and integration endpoint evaluation.
DORA compliance readiness assessment, API security posture evaluation. Payment infrastructure analysis, mobile banking exposure, and third-party service provider risk mapping.
MiCA compliance readiness for crypto-asset service providers, exchanges, and custodial wallet operators. Blockchain address intelligence with OFAC sanctions screening, wallet exposure analysis, token risk assessment, and Proof of Reserves verification. Covering BTC, ETH, XRP, SOL, and ERC-20 token ecosystems.
The standard assessment covers the core external attack surface described above. For organizations with specific regulatory, operational, or sector requirements, the engagement scope can be extended with additional reconnaissance and verification activities — selected to match the organization's risk posture and compliance obligations.
Discovery of self-hosted reasoning platforms, agent frameworks, Model Context Protocol servers, and public inference interfaces that increasingly form part of the external attack surface of modern organizations. Covers exposure detection, authentication posture of management interfaces, and cross-reference against known vulnerability classes for inference engines and orchestration platforms.
JavaScript dependency risk analysis with CVE enrichment, Subresource Integrity validation across third-party resources, expired CDN domain attribution (a documented takeover path for long-lived brand properties), and third-party SaaS platform security posture evaluation for the vendor ecosystem visible from your external surface.
Infrastructure timeline analysis through DNS and BGP change patterns, archived content evolution, service fingerprint drift over time, and correlation across current and historical TLS certificates. Reveals operational patterns and infrastructure decisions that current-state scans cannot observe.
Identification of unauthorized SaaS tenants operating under the organization's identity perimeter, self-hosted engines operating outside corporate governance, and orphaned infrastructure retained beyond its operational lifetime — the classes of assets that produce incidents because no one currently owns them.
Validated testing for injection vulnerabilities (SQL, server-side request forgery, template, command) against endpoints in scope, performed exclusively under formal written authorization. This activity moves the engagement from passive reconnaissance into active assessment territory and requires a signed Scope of Work in advance.
Multi-chain wallet discovery (BTC, ETH, XRP, SOL, ERC-20), automated OFAC SDN sanctions screening against US Treasury lists, deep wallet timeline analysis, exchange attribution, token risk assessment, and DeFi endpoint discovery (exposed RPC nodes, leaked provider API keys, admin wallet detection). For organizations in the crypto-asset sector or those needing to verify counterparty blockchain exposure as part of due diligence or compliance obligations.
Each identified finding correlated to a specific MITRE ATT&CK technique and sub-technique, with coverage gap identification and detection-engineering priority recommendations. Integrates directly into the detection-engineering roadmap of organizations operating a Security Operations Centre or equivalent capability.
Organizations commonly requesting extended scope: defense and dual-use technology contractors, Contract Development & Manufacturing Organizations (CDMOs), critical national infrastructure operators, financial market infrastructure, Operational Technology and Industrial IT convergence environments, research institutions handling regulated data.
Submit your organization's domain for a complimentary External Exposure Summary — delivered within 48 hours.
Select your assessment type and provide your organization's primary domain. All submissions are treated as confidential.