Service · 02

Network & cloud security engineering, from PoC to production.

Designing an architecture means anticipating what will break in eighteen months. Our engineering engagements cover detailed design, PoC in a controlled environment, industrialisation, documentation, and a clean handover to the run team.

Discuss a project

We work on security engineering projects where integration complexity is the actual problem: connecting a cloud firewall to an identity store, plugging a SaaS platform into your SOC, exposing an AWS service without leaking it to the public internet.

Zscaler ZIA / ZPA design and rollout

End-to-end Zscaler target architecture: Location Group design, sub-clouds, URL and application filtering policies, ZIdentity integration (SAML, SCIM, OAuth2). For ZPA: application segmentation design, deployment model for App Connectors (HA, scaling, geographic placement), Network Connectors for machine-to-machine flows, and progressive migration off legacy VPNs.

We know the technical distinction between Network Connector and App Connector — and how to explain it to your teams — because they serve different purposes and we regularly see both misplaced.

FortiGate & FortiManager multi-ADOM architecture

Design and hardening of FortiGate estates orchestrated through FortiManager: ADOM organisation (by business perimeter, by environment, by cloud), policy packaging (e.g. Outbound_FW_Cloud_Prod), deployment templates, centralised object management, automated configuration push via JSON-RPC API.

We also handle the sensitive work: refactoring an aging policy set with a no-downtime migration, deduplicating objects, and standing up an automated review of unused rules.
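As an added illustration of that review (example code, not the tooling of the page's authors): it parses a FortiOS-style CLI dump, the same syntax a FortiManager policy package exports, joins it with the per-policy counters the FortiOS monitor endpoint /api/v2/monitor/firewall/policy returns, and reports rules with no recent hits, address objects that duplicate one another, and objects nothing references. All names, addresses and counters are constructed; the counter pull from the FortiGate is assumed to have happened already.

```python
"""Review of a FortiGate policy set: rules that never match, duplicate address
objects, and objects nothing references. Added example, not the page authors'
tooling. Assumes a FortiOS-style CLI dump plus per-policy counters in the shape
of /api/v2/monitor/firewall/policy. All names, addresses, counters: constructed."""
import shlex

SAMPLE_CONFIG = """\
config firewall address
    edit "srv-web-1"
        set subnet 10.1.1.10 255.255.255.255
    next
    edit "web01"
        set subnet 10.1.1.10 255.255.255.255
    next
    edit "corp-lan"
        set subnet 10.0.0.0 255.255.0.0
    next
    edit "old-proxy"
        set subnet 10.9.9.9 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcaddr "srv-web-1"
        set dstaddr "all"
    next
    edit 2
        set srcaddr "web01"
        set dstaddr "all"
    next
    edit 3
        set srcaddr "corp-lan"
        set dstaddr "all"
    next
end
"""
# Counters come from the FortiGate itself (epoch seconds in last_used); the
# FortiManager ADOM database only knows what is configured, not what matched.
SAMPLE_COUNTERS = [
    {"policyid": 1, "hit_count": 50321, "last_used": 1700000000},
    {"policyid": 2, "hit_count": 0, "last_used": 0},
    {"policyid": 3, "hit_count": 12, "last_used": 1600000000},
]
NOW = 1700864000  # constructed "now": ten days after policy 1 last matched


def parse_config(text):
    """'config / edit / set / next / end' -> {section: {entry: {key: [values]}}}.
    Flat tables only; nested sub-tables inside an entry are not handled."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            section = " ".join(tok[1:])
            tree.setdefault(section, {})
        elif tok[0] == "edit":
            entry = tok[1]
            tree[section][entry] = {}
        elif tok[0] == "set":
            tree[section][entry][tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            section = None
    return tree

def duplicate_addresses(tree):
    """Address objects with an identical definition: merge candidates."""
    by_def = {}
    for name, attrs in tree.get("firewall address", {}).items():
        definition = " ".join(attrs.get("subnet") or attrs.get("fqdn") or [name])
        by_def.setdefault(definition, []).append(name)
    return {d: names for d, names in by_def.items() if len(names) > 1}

def unreferenced_addresses(tree):
    """Address objects no policy uses as srcaddr or dstaddr."""
    used = set()
    for attrs in tree.get("firewall policy", {}).values():
        used.update(attrs.get("srcaddr", []) + attrs.get("dstaddr", []))
    return sorted(set(tree.get("firewall address", {})) - used)

def unused_policies(tree, counters, now, idle_days=90):
    """Policy IDs with no hits at all, or none within idle_days. A policy with
    no counter row is reported too: it never matched."""
    stats = {str(c["policyid"]): c for c in counters}
    cutoff = now - idle_days * 86400
    idle = []
    for pid in tree.get("firewall policy", {}):
        c = stats.get(pid)
        if c is None or c["hit_count"] == 0 or c["last_used"] < cutoff:
            idle.append(int(pid))
    return idle
```

On the sample this flags policies 2 and 3 as idle, `srv-web-1`/`web01` as one object defined twice, and `old-proxy` as dead. The counters live in memory on the FortiGate, so pull them over a window that covers month-end and other seasonal flows before treating a zero as proof that a rule is dead; the idle_days threshold is the knob for that.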

Secure AWS cloud architecture

Design of AWS environments with strong security requirements: VPC segmentation, transit gateway, perimeter cloud firewall (FortiGate VM, AWS Network Firewall), hybrid routing, controlled exposure. Specific patterns for AI workloads: Bedrock Access Gateway behind VPC-only private API Gateway, AgentCore Runtime with IAM access control + resource policies + PrivateLink, EC2 instances with instance profiles instead of long-term keys.
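The "private API Gateway" pattern above has a classic failure mode: the endpoint type is PRIVATE, but the resource policy does not pin callers to the intended VPC endpoint, so any execute-api VPC endpoint that can resolve the API can still invoke it. The following added check (example code, not the page authors' tooling) reviews an API description in the shape `aws apigateway get-rest-api` returns, with a weak and a hardened resource policy side by side; the account, API and VPC endpoint identifiers are constructed.

```python
"""Check an API Gateway API for the 'private on paper, reachable in practice'
mistake. Added example, not the page authors' tooling. Assumes the shape of
`aws apigateway get-rest-api` (endpointConfiguration.types, policy as a JSON
string); account, API and VPC endpoint IDs are constructed."""
import json

SOURCE_KEYS = ("aws:sourcevpce", "aws:sourcevpc")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _invokes(stmt):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(a in ("execute-api:invoke", "execute-api:*", "*") for a in actions)


def _pins_source(stmt, negated=False):
    """True if the statement's Condition names aws:SourceVpce / aws:SourceVpc.
    negated=True looks for the StringNotEquals form used in an explicit Deny."""
    for op, keys in stmt.get("Condition", {}).items():
        if negated != op.lower().startswith("stringnotequals"):
            continue
        if any(k.lower() in SOURCE_KEYS for k in keys):
            return True
    return False


def review_private_api(api):
    """Return a list of findings; an empty list means private end to end."""
    findings = []
    types = api.get("endpointConfiguration", {}).get("types", [])
    if types != ["PRIVATE"]:
        findings.append(f"endpoint type is {types or 'unset'}, not PRIVATE")
    raw = api.get("policy")
    if not raw:
        findings.append("no resource policy (a PRIVATE API needs one to be invokable at all)")
        return findings
    policy = json.loads(raw) if isinstance(raw, str) else raw
    explicit_deny = False
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not _invokes(stmt):
            continue
        if stmt.get("Effect") == "Allow" and not _pins_source(stmt):
            findings.append(f"statement {i}: Allow execute-api:Invoke with no "
                            "aws:SourceVpce/aws:SourceVpc condition")
        if stmt.get("Effect") == "Deny" and _pins_source(stmt, negated=True):
            explicit_deny = True
    if not explicit_deny:
        findings.append("no explicit Deny for callers outside the expected VPC endpoint")
    return findings


# Constructed identifiers.
VPCE = "vpce-0123456789abcdef0"
API_ARN = "arn:aws:execute-api:eu-west-1:123456789012:a1b2c3d4e5/*"

# Weak: PRIVATE type, but nothing pins the source, so any execute-api VPC
# endpoint that can resolve this API may invoke it.
WEAK_API = {
    "endpointConfiguration": {"types": ["PRIVATE"]},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": API_ARN}]}),
}

# Hardened: allow only from the intended endpoint and explicitly deny the rest.
HARDENED_API = {
    "endpointConfiguration": {"types": ["PRIVATE"]},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": API_ARN,
         "Condition": {"StringEquals": {"aws:SourceVpce": VPCE}}},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": API_ARN,
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE}}}]}),
}
```

The resource policy is only the network half of the control: who may call through that endpoint is still decided by IAM on the caller (and by the VPC endpoint's own policy), which is why the AgentCore pattern above pairs PrivateLink with IAM access control rather than relying on either alone.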

MCP & LLM integration in enterprise environments

We design LLM access architectures compatible with enterprise governance: IAM authentication via SigV4, signed MCP proxies (e.g. mcp-proxy-for-aws), private networking, logging, control over inbound/outbound prompts. Connecting Claude Code, Claude Desktop or internal tools to a Zscaler MCP Server hosted on AWS Bedrock AgentCore Runtime.

Platform migration and coexistence

FortiGate → Zscaler migration, ZPA → ZIA for selected flows, or durable coexistence of both. We design the phasing, identify critical flows to isolate, validate observability, and minimise cutover windows.

From design to run.

  • Scoping — workshops with the team, review of the existing setup, target architecture document
  • PoC — isolated environment, validation of critical flows, characterisation of limits
  • Build — pre-production rollout with load testing and failover drills
  • Cutover — production switch with runbook, rollback plan, intensified monitoring
  • Run — team support over 30 to 90 days, knowledge capture, training

Frequently asked.

Can you replace our incumbent integrator?
Not always, and not always desirable. We often work alongside the incumbent: on subjects where a traditional integrator is less comfortable (cloud, automation, LLM integrations), or as a technical challenger on proposed designs. We collaborate constructively with existing partners.
Do you build off-the-shelf or bespoke?
Reasoned bespoke. We reuse proven patterns (reinventing the wheel is rarely necessary), but each architecture is tuned to the client context: volumes, regulatory constraints, existing debt, internal skills. No copy-paste from another engagement.
What does the engagement format look like?
For design and PoC, fixed price with milestoned phases. For run and ongoing support, daily rate or reserved capacity. We avoid "cathedral" fixed-price contracts that end up in change orders — preference for 2 to 3-week sprints with concrete deliverables.
Do you work with vendors?
Full independence — no resale, no vendor commission. That lets us recommend the most appropriate solution freely — including recommending nothing new if the existing setup does the job.

A project being scoped?

We will gladly review an architecture document, an RFP, or a pre-sales project — under NDA if needed.

Talk to us