Service Zero trust architecture · BeyondCorp implementation · UK · senior-only

Zero trust architecture, for the team that still. trusts its 2018 VPN.

BeyondCorp-style perimeterless access for UK SaaS, fintech, and scale-up teams. SSO + MFA + SCIM, conditional access, micro-segmentation, just-in-time access, and an audit log on every session. We replace the VPN and the flat network with zero trust your CISO and your acquirer both sign.

24hreply, from a senior
100+projects shipped since 2019
Senioronly, on the spine
(Why UK security leads sign)

Your CISO and your acquirer ask the same thing: who can reach what, and can you prove it. We build to that answer.

A zero trust implementation isn’t a product you switch on at audit. It’s a set of access decisions you make in week one, or pay six months to retrofit. We make them in week one, with senior engineers and the evidence your diligence team asks for.

0

0

0

The team this page is forFlat network · 2018 VPN · 25% diligence haircut threatened

Nadia ran security at a UK SaaS scale-up. The product was solid. The network trusted everyone inside it.

01

One VPN bought in 2018, a flat internal network, and a shared admin password in a vault that half the team could open. Access was all-or-nothing. Once you were on the VPN, you could reach the production database, the billing service, and the customer data store. Nobody had ever drawn the map of who could touch what.

02

The in-house attempt was two engineers part-time, no observability, no audit log, and a Confluence page for the runbook. Then the acquirer’s CTO walked the codebase pre-LOI and gave a verdict: rip and replace the access model, or take a 25% diligence haircut. The deal stalled on a single question Nadia couldn’t answer in writing.

03

We rebuilt the access model over twelve weeks. BeyondCorp-style identity-aware proxy, SSO + MFA + SCIM, conditional access, micro-segmentation, just-in-time access, audit log on every session. Zero production incidents. This page is for the CISO or CTO who decided security is a build problem, not a paperwork problem.

Zero-trust since 2022
The pillars

Six zero-trust pillars

Designing for identity-first access in week one is roughly a fortnight of architecture work. Retrofitting it after a lateral-movement breach is six months of senior engineering and a hard board call.

Pillar-01

Identity-aware proxy (BeyondCorp)

No VPN, no trusted internal network. Every request to every app checks who you are and what device you’re on. The network stops granting access. Identity does.

Pillar-02

SSO + MFA + SCIM provisioning

One identity provider, MFA enforced, SCIM so a leaver loses access the moment HR closes the account. No orphaned logins. No shared passwords.

Pillar-03

Conditional access policies

Access depends on context, not just credentials. Device posture, location, time of day, and resource sensitivity feed the decision. An unknown device at 3am gets a step-up or a block.

Pillar-04

Micro-segmentation

Workloads talk to exactly what they need, and nothing else. The billing service can’t reach the data lake unless policy says so. One compromised service stays in one room.

Pillar-05

Just-in-time privileged access

Nobody holds standing production access. You request it, justify it, get it for the task, and it expires. Every grant logged. Permanent keys to the crown jewels drop to zero.

Pillar-06

Session audit log + export

Every session logs identity, device, resource, action, and timestamp. Searchable, exportable, tamper-evident. The auditor’s question becomes a query, not a panic.

The eight pains we hear in every zero-trust audit call

The access pain. The day-1 architecture answer.

Every security lead who emails us is fighting one of these eight things. Each one is brutal to fix once the flat network is live. Each one is a single architectural decision made on day one of our zero trust implementation.

  1. 01
    The VPN blast radiusDay-1 architecture

    “Once anyone’s on the VPN, they can reach everything. One stolen laptop and we’re done.”

    Identity-aware proxy, per-request auth. Zero trust network access checks identity and device on every request to every app. The network grants nothing. A stolen laptop with no valid session reaches nothing.

  2. 02
    Lateral movementDay-1 architecture

    “Our network is flat. If one service is compromised, the attacker walks to the database.”

    Micro-segmentation, default-deny east-west. Workloads talk only to what policy allows. The billing service can’t reach the data store unless we say so. A breach in one room stays in one room.

  3. 03
    Standing admin keysDay-1 architecture

    “Six engineers hold permanent production access. Revoking it felt too risky to do.”

    Just-in-time access with expiry. Nobody holds standing keys. You request access for the task, justify it, and it expires. Every grant logged. The permanent blast radius drops to near zero.

  4. 04
    The leaver who kept accessDay-1 architecture

    “Someone left three months ago and their login still works in two tools.”

    SSO + SCIM joiner-mover-leaver flow. One identity provider, SCIM-synced. The moment HR closes the account, access dies everywhere. No orphaned logins. The auditor stops flagging it.

  5. 05
    The audit log gapDay-1 architecture

    “The SOC 2 auditor asked who accessed the billing service last March. We had no record.”

    Session audit log on every access. Identity, device, resource, action, timestamp, logged on every session. Searchable, exportable, tamper-evident. The auditor’s question becomes a one-line query.

  6. 06
    Contractor accessDay-1 architecture

    “Contractors use their own laptops. We can’t give them VPN access without opening the whole network.”

    Device posture + BYOD-aware access. Unmanaged devices get scoped, conditional access to exactly what they need. No company laptop required. No flat-network exposure. The contractor ships, the network stays closed.

  7. 07
    The diligence flagDay-1 architecture

    “Our acquirer’s CTO flagged the flat network and the VPN. The offer is on hold.”

    Zero-trust brief + ADRs + evidence pack. The architecture brief and ADRs we ship are the documents the diligence team asks for. Three 2024-25 clients passed acquirer reviews on first walkthrough.

  8. 08
    Shared secretsDay-1 architecture

    “Half the team can open the same vault with the same password. Secrets live in code too.”

    Per-service secrets + rotation. Vault or AWS Secrets Manager, scoped per service, rotated on schedule. No secrets in code, no shared vault password. Access is logged and least-privilege by default.

Zero trust implementation stack · identity-first + AWS

Three tiers, one access spine your auditor can read.

Twelve zero-trust engagements have stress-tested these picks. Tier 1 runs every implementation. Tier 2 is what we reach for when the brief needs it. Tier 3 is the infrastructure that scales it without a rebuild.

T1

What every zero-trust build runs on

identity-first
Cloudflare AccessPomeriumTeleportOktaEntra IDWorkOSSCIMOIDC / SAMLVaultOpenTelemetryTerraformGitHub Actions
T2

When your brief actually calls for it

reach when needed
CiliumIstio / LinkerdTailscaleBoundaryVanta / DrataPython (FastAPI)
T3

The infrastructure that scales it

AWS + cloud-native
AWSIAM Identity CenterAWS KMSSecrets ManagerKubernetes (EKS)VPC + Security GroupsGuardDutyCloudWatchCloudTrailDatadog + SentryRedisMicroservices
Zero-trust surfaces we’ve shipped

What sits on the access spine

Each one wired identity-first, audit-logged, and built so a breach in one place can’t walk to another.

12+

Zero-trust engagements since 2022

0+

Standing production keys

“The access map was the document that closed our diligence. Their CTO walked it once and signed retention.”

Nadia

Security lead, UK SaaS scale-up

001

Identity-aware proxy

Cloudflare Access, Pomerium, or Teleport in front of internal apps. Per-request auth, device posture, no VPN. Your team logs in once.

002

SSO + MFA + SCIM

Okta, Entra ID, or WorkOS as the identity provider. MFA enforced. SCIM so joiners and leavers sync automatically. No orphaned accounts.

003

Micro-segmentation

Workload-to-workload policy. AWS security groups, Cilium, or service mesh. Default-deny east-west traffic. A breach stays where it started.

004

Just-in-time access

Request, justify, approve, expire. Teleport or AWS IAM Identity Center. No standing production keys. Every grant audit-logged with the reason.

005

Session audit + SIEM feed

Every access event streamed to CloudWatch, Datadog, or your SIEM. Searchable, exportable, tamper-evident. SOC 2 evidence by default.

Recent client · UK SaaS scale-up · 2024

In-house flat network to
acquirer-defendable access, in twelve weeks

Nadia’s zero trust implementation, in real numbers. We replaced the 2018 VPN and the flat network with an identity-aware proxy, SSO + MFA + SCIM, conditional access, micro-segmentation, just-in-time access, and a session audit log. Twelve-week sprint, senior engineers paired daily, ADRs documented same day, evidence pipeline wired on day one.

The sprint

12wk
Access model rebuilt
0
Standing production keys

The outcome

0
Production incidents
9wk
SOC 2 Type 1 achieved

Track record

12
Zero-trust engagements since 2022
3
Acquirer reviews passed
How we work with security teams

Three ways to start. Pricing in the email back.

We don’t publish prices on a page. Every zero-trust scope carries different access weight. Pick the shape that fits and Mohit will send your real number inside 24 hours.

AStart here

5-day zero-trust audit

One week, fixed cost. Two senior engineers read your estate and brief. A 30-page brief mapping your access model against zero-trust pillars, with a risk matrix.

  • 5-day senior audit
  • Access-model map + risk matrix
  • Architecture brief + six ADRs
  • Fixed-price sprint quote
BMost common

Zero-trust build sprint

8 to 14 weeks. Identity-aware proxy, SSO + MFA + SCIM, conditional access, micro-segmentation, just-in-time access, audit log. Evidence-pipeline-first.

  • Identity-first from day one
  • SOC 2 + DPA evidence ready
  • 30-day walk-away both ways
  • IP assigns on every commit
CPost-build

Senior security retainer

After handover. One day a week of a senior engineer for 3 to 6 months. Policy tuning, new surfaces, observability, your team gets unblocked.

  • One senior engineer, one day a week
  • Conditional-access policy tuning
  • 30-day notice both ways
  • Pause and resume any month
From £45-110K · audit £8K · fixed scope

“The access map was the document that closed our diligence. Their CTO walked it once and signed retention.”

— Nadia, security lead, UK SaaS scale-up
Zero trust architecture · honest answers

What security leads actually ask before signing

Pain-first, soft-second. The questions every CISO and CTO asks before they trust an engineering studio with the access model.

The audit is fixed at £8K: two senior engineers, five days, a 30-page brief, six ADRs, a risk matrix, and a fixed-price quote for the sprint. After that, most zero trust implementation projects we sign land between £45K and £110K on an 8-to-14 week fixed-price sprint. No day-rate, no scope creep. If we can’t hit your budget, we tell you in week one and you walk away with the audit brief, no commitment.

No. We work in place where we can. The identity-aware proxy runs alongside the existing VPN, app by app, until you’ve cut everything over and you sign off on retiring the old path. Old and new run in parallel so there’s no big-bang switch and no day where access breaks for the whole team. Migration sequencing is scoped at the audit.

You get a zero trust architecture brief written to the question your acquirer’s CTO will ask, six ADRs minimum, the access-model map, the session audit log, and a SOC 2 evidence pipeline wired from day one. Three clients in 2024-25 passed acquirer or regulator reviews on first walkthrough. The brief is built so they read it once and stop asking.

Yes. AWS is our default, with IAM Identity Center, KMS, Secrets Manager, GuardDuty, and CloudTrail. We’ve also shipped on GCP, Microsoft Azure, Cloudflare, DigitalOcean, Vercel, and Fly.io. The zero trust network access layer sits above the cloud, so the same identity-first model holds whether your workloads are in one region or five. The lock-in path is documented either way.

That’s one of the cleanest wins zero trust gives you. Conditional access reads device posture, so an unmanaged laptop gets scoped, least-privilege access to exactly what the contractor needs, and nothing more. No company laptop required, no opening the whole network. When the engagement ends, SCIM closes the account and access dies everywhere the same day.

This is the single biggest risk with a small studio, and the reason we pair. Every engagement has two senior engineers, not one. Every decision is written into an ADR the same day. If one engineer leaves, the other has full context the next morning. In seven years, two engineers have left mid-project. Both handovers were inside 48 hours and neither client noticed in their sprint. Bus factor on your access model is four, not one.

Three things make this hard to fake. The 30-day walk-away clause goes both ways and refunds the unused portion. Payments are milestoned 25/25/25/25, so you never pay more than 25% ahead of working software. And we’ve been shipping since 2019, UK VAT registered, listed on Companies House, with SOC 2 Type II achieved at Empyreal in December 2025. You can check us before you sign.

You walk away cleanly. The handover pack includes the architecture brief, ADRs, runbook, on-call playbook, the access-policy catalogue, and a video tour of the build for your next engineer. The optional senior retainer is one day a week, cancellable with 30 days’ notice any month. Most clients run it for three to six months while their in-house lead settles in, then end it without ceremony. No lock-in, no surprise renewals.

Zero trust architecture — product screenshot / UI
In context

What it looks like shipped.

zero trust architecture, in context — the dashboards, flows and components your team actually ships, reviews and maintains.

Build the zero trust architecture your acquirer can defend

One paragraph. That’s it.

Tell us your current estate, your deadline, and the outcome you’re after. Mohit reads every first email and replies inside 24 hours: a clear yes, a clear no, or the one question that decides it, plus your next audit slot.

Write to mohit@empyrealinfotech.com Replies in 24hIdentity-first from day 1Audit-ready
What happens after the email lands
  1. < 24h

    A personal reply.

    Yes, no, or the deciding question. Straight to your inbox, not a team thread.

  2. Week 1

    Audit week begins.

    We map your access model, write the trade-offs, hand you a fixed-price scope.

  3. Week 12

    Acquirer-defendable access.

    Identity-first, segmented, audited, with the brief your acquirer’s CTO reads cold.