Research Lab
06 entries · v1.0Patterns we deploy with clients on AWS, Azure, and GCP. Each entry includes the controls it satisfies, the trade offs we have learned the hard way, and links to the official documentation that backs it.
A reference landing zone for UK and EU workloads. Account hierarchy, baseline guardrails, identity, logging, and the service control policies that keep teams inside the lines.
Multi-account foundation
ReadAn Azure pattern for exposing APIs to users and partners with no implicit trust. Entra ID for identity, conditional access for posture, APIM for policy, and private endpoints for everything behind the line.
Internal and partner APIs
ReadBuild a BigQuery centred data lake that handles regulated data with classification, customer managed keys, VPC Service Controls, and access approval baked in from the start.
Analytics on regulated data
ReadA pattern for a single detection programme across three clouds. Sigma rules in git, normalised events, replay tests, and a SOAR pipeline that closes the loop without paging a human at 3am.
Unified threat detection
ReadThe shortest path to a defensible CI pipeline. Ephemeral runners, signed builds, SBOM and provenance, and an admission controller that refuses to run anything unsigned.
Build, attest, deploy
ReadStop chasing screenshots. A pull based evidence pipeline that maps system state to control requirements, alerts on drift, and gives auditors a read only window into the truth.
Continuous audit readiness
Read