Security operations engineering for regulated industries.

We build the SOC operations, IAM lifecycle, and detection systems that produce DORA and GDPR compliance evidence continuously — not assembled at audit time. AI reasoning applied where it measurably reduces analyst load.

  • 300+ mission-critical systems delivered in prior roles
  • 15+ years combined enterprise security & AI experience
  • DORA · GDPR · EU AI Act: compliance-native by design

Track record across prior production engagements

  • 50+ years cumulative enterprise security & AI engineering experience
  • 1,400+ employees governed under unified IAM in regulated environments
  • 20+ countries · multi-jurisdiction regulatory operations
  • Frameworks delivered in production: DORA Art. 17, 23, 28, 30 · GDPR Art. 28, 33 · ISO 27001 Annex A · MITRE ATT&CK · EU AI Act
*We work under NDA frameworks aligned to GDPR Article 28 standard contractual clauses with regulated financial entities and ICT third-party providers. We do not publicly identify the organisations we serve. All metrics above reflect verifiable outcomes from prior engagements documented in team biographies.

The operational reality for regulated security teams.

  • 43% of EU financial security incidents originate in compromised or over-privileged identities. IAM is where breaches begin — not end. (Verizon DBIR 2024)
  • 168 days mean time to identify a breach in financial services. A gap manual SOC alert triage rarely closes, regardless of compliance investment. (IBM Cost of a Data Breach Report 2024)
  • 200+ SaaS platforms a regulated financial team must govern at scale. Each is a provisioning and offboarding risk without automated identity lifecycle. (Industry average, mid-market EU fintech)
DORA enforcement began 17 January 2025. The first supervisory cycle starts late 2026. Organisations producing security operations evidence continuously enter that cycle defended. Those relying on periodic reports enter producing explanations.
The distinction that matters
Organisations investing in compliance tooling acquire documentation capacity. Organisations investing in security operations produce compliance evidence as a continuous output. The two investments are not interchangeable — and only one of them closes the actual exposure.

Operators, not advisors. Built in production.

01

We are operators, not theorists

Our team built AI and security platforms inside one of the most demanding regulated industries on earth — global fintech. We have shipped into production, not slide decks.

02

Security & compliance are not bolt-ons

DORA, GDPR and the EU AI Act are designed into every engagement from day one. No retrofits, no surprises during audit.

03

Measurable delivery, not endless retainers

Every engagement has explicit contracts, output guarantees and failure-mode behaviour. You know what you are getting — and when.

From raw signals to audit-ready autonomous response.

Every stage is contract-bound, versioned and audit-logged. No black boxes.

Four focused offerings. Zero fluff.

01

AI-Powered Security Operations

SOC with LLM Reasoning · Threat Triage · Autonomous Remediation

Alert triage decision: 1-2 seconds. Analyst attention redirected to adversarial judgment — not alert volume.

Security teams drown in alerts — manual triage takes 4 to 5 hours per alert, often crossing shift boundaries before adversarial intent is even classified. We build and upgrade Security Operations Centres with an AI layer that compresses that window to seconds.

  • LLM-based threat reasoning against attack history and MITRE ATT&CK
  • ML anomaly detection calibrated on the client's own infrastructure
  • IoC enrichment pipelines & SIEM integration (Datadog, Splunk, Elastic)
  • Autonomous remediation for pre-defined scenarios
  • DORA Article 17 incident evidence as a continuous pipeline output

02

Detection-as-Code

Coverage Engineering · MITRE ATT&CK · Version-Controlled Rules · DORA Alignment

Detection rules versioned and deployed like software. Coverage gaps closed systematically against MITRE ATT&CK.

Security teams accumulate detection rules that nobody maintains. Gaps appear silently between what you detect and what DORA requires you to report. We write, version, and deploy threat detection logic the same way engineers deploy software.

  • Detection rules written, tested, and deployed via CI/CD pipeline
  • Coverage mapped systematically against MITRE ATT&CK
  • Rules aligned to DORA ICT risk categories
  • No gap between operational detection and audit reporting
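What "detection rules written, tested, and deployed via CI/CD" and "coverage mapped against MITRE ATT&CK" look like in practice, as an added example (not WingsGRC's code or tooling): rules are versioned data that carry the ATT&CK technique IDs they cover, a self-test exercises each rule against sample events so a pipeline can refuse to deploy a rule that no longer fires, and a coverage report lists the required techniques no rule covers. The rule IDs, the event schema, the sample log lines and the required-technique baseline are constructed for the example.

```python
"""
Detection-as-code: detection rules as versioned data carrying MITRE ATT&CK
technique IDs, exercised against sample events by a self-test a CI pipeline
would gate on, plus a coverage report listing uncovered techniques.
Added example, not WingsGRC's code. Rule IDs, event schema, sample log lines
and the required-technique baseline are constructed.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

Event = dict


@dataclass(frozen=True)
class Rule:
    rule_id: str
    version: str                                  # bumped on every change
    techniques: tuple[str, ...]                   # ATT&CK techniques covered
    detect: Callable[[list[Event]], list[Event]]  # returns the events that fired it


def each(pred: Callable[[Event], bool]) -> Callable[[list[Event]], list[Event]]:
    """Lift a single-event predicate to a batch detector."""
    return lambda events: [e for e in events if pred(e)]


ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|enc|encodedcommand)\b")


def failed_logins_burst(events: list[Event], threshold: int = 5,
                        window: timedelta = timedelta(seconds=60)) -> list[Event]:
    """Stateful detector: fire on the event at which one source reaches
    `threshold` failed logins inside a sliding `window`."""
    recent: dict[str, list[datetime]] = defaultdict(list)
    hits = []
    for e in events:
        if e.get("event") != "auth.failed":
            continue
        ts = datetime.fromisoformat(e["ts"])
        bucket = recent[e["src"]]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # expire attempts outside the window
            bucket.pop(0)
        if len(bucket) == threshold:                # fire once, at the crossing
            hits.append(e)
    return hits


RULES: list[Rule] = [
    Rule("R-001", "1.2.0", ("T1110",), failed_logins_burst),
    Rule("R-002", "1.0.0", ("T1059.001",), each(
        lambda e: e.get("event") == "process.start"
        and bool(ENCODED_PS.search(e.get("cmd", ""))))),
    Rule("R-003", "1.1.0", ("T1098",), each(
        lambda e: e.get("event") == "iam.role.assigned"
        and e.get("role") == "admin" and e.get("actor") == e.get("user"))),
]

# Constructed sample log, one JSON event per line, as a SIEM export might look.
SAMPLE_LOG = """\
{"ts": "2025-03-01T10:00:00", "event": "auth.failed", "user": "alice", "src": "203.0.113.5"}
{"ts": "2025-03-01T10:00:05", "event": "auth.failed", "user": "alice", "src": "203.0.113.5"}
{"ts": "2025-03-01T10:00:09", "event": "auth.failed", "user": "alice", "src": "203.0.113.5"}
{"ts": "2025-03-01T10:00:14", "event": "auth.failed", "user": "alice", "src": "203.0.113.5"}
{"ts": "2025-03-01T10:00:20", "event": "auth.failed", "user": "alice", "src": "203.0.113.5"}
{"ts": "2025-03-01T10:00:21", "event": "auth.failed", "user": "bob", "src": "198.51.100.7"}
{"ts": "2025-03-01T10:05:00", "event": "process.start", "user": "bob", "cmd": "powershell.exe -nop -enc SQBFAFgA"}
{"ts": "2025-03-01T10:06:00", "event": "process.start", "user": "bob", "cmd": "powershell.exe -File backup.ps1"}
{"ts": "2025-03-01T10:07:00", "event": "iam.role.assigned", "user": "carol", "actor": "carol", "role": "admin"}
{"ts": "2025-03-01T10:08:00", "event": "iam.role.assigned", "user": "dave", "actor": "carol", "role": "reader"}
"""


def parse_log(text: str) -> list[Event]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run(events: list[Event]) -> list[dict]:
    """Evaluate every rule; each alert records rule id, version and techniques,
    so the alert itself is evidence of which detection logic fired."""
    alerts = []
    for r in RULES:
        for e in r.detect(events):
            alerts.append({"rule_id": r.rule_id, "version": r.version,
                           "techniques": list(r.techniques), "event": e})
    return alerts


def coverage(required: set[str]) -> dict[str, list[str]]:
    """Compare the techniques the rule set claims against a required baseline."""
    covered = {t for r in RULES for t in r.techniques}
    return {"covered": sorted(required & covered), "gaps": sorted(required - covered)}


def self_test() -> list[str]:
    """CI gate: every rule must fire on the sample log and stay silent on benign input."""
    fired = {a["rule_id"] for a in run(parse_log(SAMPLE_LOG))}
    benign = [{"ts": "2025-03-01T11:00:00", "event": "auth.ok", "user": "alice", "src": "203.0.113.5"}]
    failures = [r.rule_id for r in RULES if r.rule_id not in fired]
    failures += [r.rule_id for r in RULES if r.detect(benign)]
    return failures


if __name__ == "__main__":
    for a in run(parse_log(SAMPLE_LOG)):
        print(a["rule_id"], a["version"], a["techniques"], a["event"]["user"])
    print(coverage({"T1110", "T1059.001", "T1098", "T1078", "T1566"}))
    print("self-test failures:", self_test())
```

On the constructed log the three rules each fire once, the coverage report shows T1078 and T1566 as gaps against the constructed baseline, and `self_test()` returns an empty list; a pipeline step that exits non-zero on a non-empty list is what turns the rule set into deployable software rather than a folder of untested queries.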

03

Compliance as Architecture

DORA Art. 17-23 & 28-30 · GDPR · EU AI Act · Continuous Evidence

Compliance evidence as a continuous pipeline output — not assembled retrospectively when an auditor arrives.

DORA, GDPR, and EU AI Act compliance is not a documentation workstream parallel to security operations. It is a structural output of a well-engineered security layer. We architect the systems so that compliance evidence emerges continuously.

  • Automated ICT incident detection, classification and evidence pipeline
  • Third-party ICT vendor risk monitoring (AI-driven scoring)
  • GDPR data retention automation & access governance
  • Breach notification workflow within the 72-hour window

04

Identity, Access & Zero Trust

ZTNA · IAM · Lifecycle Automation · MDM

Provisioning and offboarding: minutes, not days. Zero access audit backlog. DORA Article 9 evidence maintained continuously.

Growing organisations accumulate orphan accounts, un-reviewed privileges, and shadow IT. We automate the entire identity lifecycle — from onboarding to offboarding, across every critical SaaS.

  • RBAC frameworks for Okta, Google Workspace, Microsoft 365
  • Zero Trust Network Access deployment
  • Ansible-based lifecycle automation (provisioning & deprovisioning)
  • Quarterly access reviews with audit-ready trails
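The quarterly access review in the list above, written as code rather than a spreadsheet exercise, as an added example (not WingsGRC's code or its Okta and Ansible tooling): the HR roster is treated as the source of truth, every application's account export is reconciled against it, orphan accounts (terminated staff, unknown service accounts) and entitlements outside the user's RBAC role become findings, and the result is emitted as an evidence record. The roles, applications, roster and account exports are constructed.

```python
"""
Access review as code: reconcile per-application account exports against
the HR roster and an RBAC model, flag orphan accounts and excess
entitlements, and write an audit evidence record.
Added example, not WingsGRC's code; all roles, applications, roster entries
and account exports below are constructed.
"""
from __future__ import annotations

from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# RBAC model: role -> permitted (application, entitlement) pairs. Constructed.
ROLE_ENTITLEMENTS = {
    "engineer": {("okta", "user"), ("workspace", "user"), ("github", "write")},
    "analyst":  {("okta", "user"), ("workspace", "user"), ("siem", "read")},
    "admin":    {("okta", "admin"), ("workspace", "admin"),
                 ("github", "admin"), ("siem", "admin")},
}

# HR roster, the source of truth for who should have access. Constructed.
HR_ROSTER = [
    {"user": "alice", "role": "engineer", "status": "active"},
    {"user": "bob",   "role": "analyst",  "status": "active"},
    {"user": "carol", "role": "admin",    "status": "active"},
    {"user": "dave",  "role": "engineer", "status": "terminated"},
]

# Per-application account exports: user -> entitlement held. Constructed.
APP_ACCOUNTS = {
    "okta":      {"alice": "user", "bob": "user", "carol": "admin", "dave": "user"},
    "workspace": {"alice": "user", "bob": "user", "carol": "admin", "svc-backup": "user"},
    "github":    {"alice": "admin", "carol": "admin", "dave": "write"},
    "siem":      {"bob": "read", "carol": "admin"},
}


@dataclass(frozen=True)
class Finding:
    kind: str          # "orphan" or "excess_entitlement"
    app: str
    user: str
    entitlement: str
    detail: str


def review(roster, accounts, roles) -> list[Finding]:
    """Compare every application account against the roster and RBAC model."""
    active = {r["user"]: r["role"] for r in roster if r["status"] == "active"}
    findings: list[Finding] = []
    for app, users in accounts.items():
        for user, ent in users.items():
            if user not in active:
                # Terminated staff and unknown service accounts both land here.
                findings.append(Finding("orphan", app, user, ent,
                                        "no active employee in HR roster"))
            elif (app, ent) not in roles[active[user]]:
                findings.append(Finding("excess_entitlement", app, user, ent,
                                        f"not permitted for role '{active[user]}'"))
    return findings


def revocation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Orphan accounts grouped by user: the offboarding work still outstanding."""
    plan: dict[str, list[str]] = {}
    for f in findings:
        if f.kind == "orphan":
            plan.setdefault(f.user, []).append(f.app)
    return plan


def evidence_record(findings, accounts, reviewer: str, period: str) -> dict:
    """Audit-ready summary: what was reviewed, by whom, when, and what was found."""
    return {
        "review_period": period,
        "reviewer": reviewer,
        "reviewed_at": datetime.now(timezone.utc).isoformat(),
        "apps_reviewed": sorted(accounts),
        "accounts_reviewed": sum(len(u) for u in accounts.values()),
        "findings": [asdict(f) for f in findings],
        "result": "clean" if not findings else "remediation_required",
    }


if __name__ == "__main__":
    found = review(HR_ROSTER, APP_ACCOUNTS, ROLE_ENTITLEMENTS)
    for f in found:
        print(f.kind, f.app, f.user, f.entitlement, "-", f.detail)
    print("revoke:", revocation_plan(found))
    print(evidence_record(found, APP_ACCOUNTS, "security-lead (constructed)", "2025-Q1"))
```

On the constructed data the review finds dave's leftover Okta and GitHub accounts and the unowned svc-backup account as orphans, and alice's GitHub admin entitlement as outside the engineer role; the same reconciliation run on every HR termination event, rather than quarterly, is what turns "days" of offboarding into a measured revocation time with a record behind it.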

Results, anonymised. Numbers, real.

Case 01 · SOC Implementation

SOC with LLM Reasoning

Top-tier EU regulated trading platform · 300+ mission-critical systems · 1,400 employees

Problem

SOC receives thousands of alerts daily. 70%+ of analyst time spent on manual triage, with each alert taking 4-5 hours to classify — often crossing shift boundaries before adversarial intent is established. Real threats lost in noise.

Approach

LLM-based threat reasoning engine, autonomous remediation pipeline, ML anomaly detection calibrated on the client's infrastructure, IoC enrichment automation, containerisation across GKE. DORA Article 17 evidence pipeline built as a continuous output.

Outcome

  • 1-2 sec alert triage decision (from 4-5 hrs manual)
  • < 1 min vendor reviews (from days)
  • 5 proprietary AI security tools delivered

Case 02 · IAM & DORA Automation

Zero Trust + Lifecycle Automation at Scale

Distributed multi-jurisdiction fintech environment · 1,400 employees · 50+ critical applications

Problem

50+ applications without consistent RBAC, days-long provisioning, orphan accounts from years of privilege creep, vulnerable VPN, fragmented MDM. DORA Article 9 access audit trail assembled manually — no continuous evidence.

Approach

Okta-centred RBAC framework, Ansible-based lifecycle automation across Okta, Google Workspace and credentials, Cato Networks ZTNA deployment, Jamf Pro and JumpCloud unification, 50+ SOPs for DORA compliance.

Outcome

  • ~2 min full access revocation from HR trigger (from days)
  • -95% provisioning errors
  • 50+ audit-ready DORA SOPs delivered

What others deliver. What we deliver.

GRC Platforms (Drata · Vanta · AuditBoard)
Produce documentation and compliance checklists. Useful for audit preparation and evidence assembly.
What's missing: operational security evidence produced continuously, not assembled at audit time.

SOC Managed Services (alert monitoring providers)
Provide alert volume reduction and L1/L2 triage coverage. Useful for capacity offloading.
What's missing: detection coverage engineering against MITRE ATT&CK. Alert reduction is not the same as closing detection gaps.

WingsGRC (engineering practice)
We design and operate the security and compliance systems that produce evidence continuously. Complementary to GRC platforms and audit firms — not competitive with them.

The layer they report on.
WingsGRC is complementary to GRC platforms, audit firms, and Big 4 advisory. We build the operational layer they document and report on.

Low-risk entry. Then depth, if it fits.

Step 02

Project Engagement

2-6 months · Scoped

Fixed-scope implementation of one or more of our four service lines. Clear deliverables, clear milestones, clear exit criteria. The engineer who pitches the work is the engineer who builds and operates it.

Step 03

Retainer

Monthly · Optional

After the project: monitoring, optimisation, escalation support, and quarterly reviews. WingsGRC becomes the extended arm of your internal team.

Vendor readiness

Built for the procurement profile of EU-regulated financial institutions. We do not discover compliance requirements during due diligence.

  • EU-residency data processing
  • DORA Art. 30 contract clauses
  • GDPR Art. 28 DPA template
  • Right-to-audit standard
  • Documented exit strategy
  • SIG Lite / CAIQ Lite ready

What we do not do

Our work is engineering. Understanding scope limits is part of evaluating fit.

  • GRC platform subscriptions or compliance tooling sales
  • L1 SOC managed services (alert monitoring without detection engineering)
  • Standalone audit or advisory engagements without implementation

Three founders. One playbook. Built in production.

Boardroom — strategic security and compliance partnership

WingsGRC was founded by three senior engineers who spent years inside a global fintech with 1,400+ employees, operations in 20+ countries, and hundreds of mission-critical production systems. We are not people who learned security from a tutorial — we are people who deployed it where mistakes cost money, trust, and regulatory standing.

Our working hypothesis: in 2027-2028, the security practices that endure will be those useful even if the entire AI layer disappears overnight. We engineer for that baseline first, then add AI where it measurably reduces analyst load. The order matters.

  • Enterprise Security & Compliance: ZTNA, IAM, SOC infrastructure, DORA & GDPR implementation at scale.
  • AI / LLM Implementation: LLM deployment, agentic AI, ML anomaly detection, proprietary AI security tooling.
  • Platform & Data Engineering: distributed systems, NLP runtimes, streaming pipelines, ML-aware engineering.

Let's have a conversation.

Whether you are assessing your DORA readiness, rethinking security operations, or evaluating automation opportunities — start with a 30-minute call. No slides, no sales pitch. A focused discussion on what you are trying to solve and whether we are the right fit.

Email: [email protected]
Based in Amsterdam, Holland · Available globally
Response time: within 24 hours