CHIMERASCOPE

SECURITY ASSESSMENT // CHIMERASCOPE

Compliance-Ready Security Intelligence

We assess your organization's external attack surface and deliver an encrypted, compliance-mapped report — the only assessment at this level that maps every finding to specific CRA, NIS2, ISO 27001, and GDPR regulatory articles.

External Attack Surface Assessment

We evaluate your organization's publicly visible infrastructure — domains, subdomains, certificates, email security, exposed services, cloud configurations, and third-party dependencies — using a proprietary assessment methodology developed over years of security research.

Every finding is automatically mapped to the regulatory framework articles that apply to your organization. The result is a structured, encrypted intelligence report that speaks the language of both your technical team and your compliance officers.

This is not a penetration test. We do not interact with your systems beyond what any external observer could see. No authorization is required for the standard assessment scope — though we recommend a formal engagement agreement for all paid assessments.

What You Receive

Encrypted Intelligence Report

Comprehensive assessment delivered as an AES-128 encrypted PDF with full table of contents, executive scoring (A–F), and forensic chain of custody. Typically 30–50 pages depending on infrastructure complexity.

Regulatory Compliance Mapping

Every finding mapped to specific articles: CRA Art. 10, 11, 14 — NIS2 Art. 21 measures — ISO 27001 Annex A controls — GDPR Art. 32 technical requirements. Sector-specific annotations where applicable.

Executive Brief & Scoring

Boardroom-ready summary with overall security grade, CRA readiness scorecard with traffic-light indicators, and remediation priority matrix organized by impact and effort.

Evidence Package

SHA-256 hashed forensic evidence chain with verification QR code. Machine-readable JSON export compatible with SIEM platforms, Jira, and ServiceNow for direct integration into your remediation workflow.

Regulatory Frameworks

Cyber Resilience Act (CRA)

Vulnerability reporting becomes mandatory from September 11, 2026. Full compliance required by December 2027. We map findings to Articles 10 (cybersecurity requirements), 11 (vulnerability handling), and 14 (reporting obligations). Penalties: up to €15M or 2.5% of global annual turnover.

NIS2 Directive

Article 21 security measures assessment across all applicable domains. Sector-specific mapping available for healthcare, energy, transport, water, and digital infrastructure entities. Active in Denmark, Finland, and Sweden since January 2026.

ISO 27001

Annex A control mapping with gap identification against information security management requirements. Particularly relevant for organizations pursuing or maintaining certification — our findings integrate directly into your Statement of Applicability.

GDPR

Article 32 technical and organizational measures assessment. Data exposure evaluation, breach risk scoring, and identification of processing activities visible from the external attack surface.

DORA — Coming Q2 2026

Digital Operational Resilience Act for financial entities. ICT risk management framework assessment, resilience testing readiness, and third-party service provider risk evaluation. Contact us for early-access DORA mapping.

Industries

Pharmaceutical & Biotech

Clinical trial data protection, manufacturing system exposure, GxP compliance verification. Assessment covers connected laboratory equipment, research portals, and API interfaces to partner organizations.

Contract Manufacturing (CDMO)

Multi-client data environment assessment, FDA/EMA audit readiness evaluation. Particular focus on supply chain exposure, shared infrastructure risks, and cross-client data isolation verification.

Medical Devices & MedTech

Connected device ecosystem assessment, CRA product compliance evaluation. Covers firmware exposure analysis, update mechanism security, API authentication, and cloud management platform posture.

Industrial IoT & Automation

OT/IT convergence risk assessment for CRA-applicable connected products. Sensor network exposure, SCADA interface detection, cloud management platforms, and edge computing security evaluation.

Healthcare IT

Electronic health record system exposure, patient data risk assessment. NIS2 health sector requirements mapping, telehealth platform security, and integration endpoint evaluation.

Financial Services

DORA compliance readiness assessment, API security posture evaluation. Payment infrastructure analysis, mobile banking exposure, and third-party service provider risk mapping.

Assessment Scope

What We Assess

  • External attack surface enumeration
  • Subdomain discovery and DNS security
  • TLS/SSL configuration and certificate management
  • Email security verification (SPF, DMARC, DKIM)
  • Exposed service and credential detection
  • Technology fingerprinting and version analysis
  • Cloud infrastructure and storage exposure
  • JavaScript supply chain risk evaluation
  • Historical infrastructure change analysis
  • Third-party dependency and SaaS exposure

What We Don't Do

  • Internal network testing
  • Social engineering or phishing
  • Physical security assessment
  • Active exploitation of vulnerabilities
  • Denial of service testing
  • Employee monitoring or surveillance
  • Source code review
  • Mobile application testing

Advanced Engagements: Vulnerability verification with controlled exploitation testing is available as a separate engagement under formal written authorization. Contact us to discuss your organization's specific requirements and compliance obligations.

Delivery

  • 48-hour turnaround. Reports delivered within two business days of engagement confirmation.
  • Three languages. Full reports available in English, German, and Polish. Additional languages on request.
  • Encrypted by default. AES-128 encrypted PDF with unique access credentials delivered through separate secure channel.
  • OPSEC-sanitized. All reports undergo operational security review. No internal methodology details, tool signatures, or assessment infrastructure information is disclosed.
  • Multi-source verification. Every finding correlated across multiple independent data sources before inclusion. Probabilistic findings are clearly marked as such.
  • Ongoing monitoring. Continuous assessment available on retainer basis with monthly delta reports and immediate alerts for critical exposure changes.

Request a complimentary assessment

Submit your organization's domain for a complimentary External Exposure Summary — delivered within 48 hours.