Cybersecurity consulting · Potsdam · DACH

Cybersecurity and AI governance – full scope or pinpoint.

For organisations within the scope of ISO 27001, BSI IT-Grundschutz, KRITIS, NIS 2 or the EU AI Act. We take on the mandate, build the management system and secure the supply chain: at the depth today's maturity demands, with a handover state that carries tomorrow's.

Substance over marketingWhat we deliver is proven in practice: code, tools and methodology drawn from real projects, not from slides.

Verifiable in-house teamCISSP, CISA, BSI IT-Grundschutz, CISO (TÜV). No subcontractors, no body-leasing pyramid.

Depth on demandFrom internal audit to CISO mandate: same methodology, same team, different cut.

Book an intro call Open Research

Outcome artefacts from real engagements

Where you stand today, documented before the auditor asks.

Controls in SoA

78/93

+6 since Q3

Effective

61/78

+4 since Q3

Open findings

3 overdue

A.5Organizational controls30/37

25 Effective5 In progress7 Gap

A.6People controls7/8

6 Effective1 In progress1 Gap

A.7Physical controls12/14

11 Effective2 In progress1 Gap

A.8Technological controls29/34

19 Effective9 In progress6 Gap

Example artefact · Anonymised clientVisible in 30 days · CISO & board ready

Anonymised from real engagements. Form and depth are set on day one, not in sales.

Our way. Four principles, every project.

Four guiding principles we measure every decision against, from the first discovery call through to the handover to your team.

01 · ENABLE

Enable

We hand over what we build, with documentation and runbooks, so your team can carry on without us. We don't come to stay. But we'd be glad to come back.

02 · AUTOMATE

Automate

Automate once, never manually again. Recurring work gets a script, a pipeline, an agent. Your time with us is finite; the automation stays.

03 · SHARE

What we build in other projects feeds our internal libraries: policy templates, risk catalogues, audit routines. You don't start from zero, you start at the level previous engagements have reached. And what we build with you, if it generalises, goes back into our Open Research repositories.

04 · SCALE

Scale

When a project outgrows us, we curate. No body-leasing, no partner pyramid. The accountability stays with us; the expertise comes from a pre-vetted network of individual specialists. Your contract stays one, your escalation chain too.

Cybersecurity consulting services.

From long-term mandates through defined projects and recurring controls down to one-off tasks. A scale, not a catalogue.

Mandate
The CISO your organisation needs. Without creating the role in-house.
The CISO role is rarely a hiring problem; it's a coverage problem. Board dialogue, audit steering and incident lead must work every day, not from the day the role is filled. We take on the role externally, at the depth of an internal hire, until you fill it — or permanently, if you choose not to.
- Strategy & roadmapEndorsed by the board, with measurable quarterly objectives, not a slide deck.
- Governance that holds in daily lifePolicies, decision paths, ISMS steering. The question “who actually decides this?” stops being asked.
- Board and supervisory reportingPosture, risks, effectiveness on a twelve-month rhythm: decision-ready, not explanation-bound. Plus incident lead when it matters.
Mandate
The AI officer role filled before the AI Act demands it.
The EU AI Act doesn't ask whether you deploy AI. It asks who is accountable, in which risk class, and with what evidence. We take on the role externally and, in parallel, build the foundation an internal successor can take over: inventory, classification, human oversight, documentation.
- AI inventory & risk classificationOne obligation profile and one implementation plan per system, under the AI Act.
- Governance foundationRisk management, human oversight, logging, documentation: operationally ready, not paper-bound.
- AI literacy under Art. 4Role-specific programmes for specialists and leadership, with documented completion.
Project
An ISMS that passes the audit and keeps raising the security level.
Most ISMS projects produce a binder, pass an audit and quietly die. The reason is almost always the same: documentation written for the auditor, not for the organisation that has to operate it. We invert that. The system you operate is the system that gets audited.
- ISO 27001Scope, Statement of Applicability, risk and control set: lean documentation, anchored in daily operations.
- BSI IT-GrundschutzBasic, Core or Standard Protection at the depth your situation demands, not the maximum for every module.
- Audit support to certificationA handover state that carries the next three surveillance audits without external scaffolding.
Project
Resources deployed where they protect the organisation most.
Cyber risk is decided in the boardroom long before it's mitigated in the SOC. The numbers brought up there often don't survive the first question from the management board. Ours do, built on named scenarios, recognised methodology (ISO 27005, FAIR-oriented) and visible assumptions open to challenge.
- Risk assessmentsQualitative where it suffices, quantitative where it counts. ISO 27005, FAIR-oriented.
- Mitigation strategiesPer asset class and business process, through to a residual-risk statement the board can sign.
- Risk KPIs for ongoing reportingFew, unambiguous, in the same format as the quarterly report.
Project
KRITIS obligations anchored so the evidence cycle becomes routine.
KRITIS isn't a compliance sprint, it's a continuous state: thresholds, sector-specific state of the art, biennial evidence, plus a regulator that sets the tone. Three parallel projects (KRITIS obligations, ISO 27001, B3S) is the expensive variant. We build it as one body of work, in which every requirement is anchored exactly once.
- Applicability & scopeThresholds, plant categories and critical services, clearly delimited and defensible to the regulator.
- ISMS build, KRITIS-gradeISO 27001 and sector-specific B3S in a single coherent body of work, not two parallel languages.
- State of the art & evidenceControls implemented, gaps closed, the biennial submission ready to file.
- Reporting & operationsBSI contact point, incident reporting, exercises — a lived process that withstands a personnel rotation.
Project
NIS 2 decided, documented, delivered. Before the regulator asks.
NIS 2 affects more organisations than most realise and makes personal accountability of the management body a structural element, not a footnote. The most expensive mistake is waiting for final clarity. Whoever decides applicability, training duty and measures now controls their own pace, not the regulator's.
- Applicability analysisWhether, how and to what extent you fall in scope: documented, traceable, defensible to regulator and insurer.
- Management body trainingUnder § 38 NIS2UmsuCG (German NIS-2 Implementation Act): practical, evidenced, not academic.
- ImplementationRisk management, reporting duties, technical and organisational measures: operationally ready by the date of effect, not by the first regulator request.
Controls
Steer third-party risk without renegotiating with every supplier.
Your attack surface stops nowhere near your firewall, and a supplier's certificate says little about your residual risk. Supplier security only becomes load-bearing when assessment, requirement and monitoring are graded by criticality: deep for a few, lean for the many.
- Supplier risk assessmentsTiered by criticality, with defined depths instead of a one-size-fits-all questionnaire.
- Requirement cataloguesNegotiable and auditable, transposable into contract language. Passes Procurement, holds before Legal.
- Monitoring & escalationOngoing observation, documented response paths, a clear threshold for 'review the contract'.
Task
An internal audit that doesn't end in a binder, but on the board's agenda.
Internal audits rarely fail on method; they fail on consequence. Insights nobody prioritises, residual risks nobody signs, remediation without a date. We invert that: neutral outside view, ISO 19011 as method, a report in the language the executive team uses to decide.
- Audit planningRisk-based audit programme aligned with certification cycle and rate of change.
- ExecutionInterviews, sampling, evidence reviews to ISO 19011: neutral, documented, reproducible.
- ReportingInsights with severity, remediation option and due date. One A4 page for the board, the rest defensible in the appendix.

Qualified through teaching and practice.

Through targeted upskilling of our team, we make sure every capability we need is in place and continuously developed. Academically and in practice.

Founders

Team Total

12*

Unique Professional Certifications

Teaching Assignments Held

*including:CISSPCISABSI IT-Basic Protection ConsultantCISO (TÜV)BCM 200-4 (TÜV)Data Protection Officer (TÜV)SCRUM Master IPRINCE2 Practitioner

Our research is free to use: as code, papers and tools.

We publish our tools and research on git.neomint.com/nm. Permissive licences, traceable commits, usable from the first release.

All repos on Forgejo

nm/magic-wormhole-web

Secure file transfer via PAKE. Browser-based wormhole frontend without server trust.

TypeScriptApache-2.0

nm/win11-vhdx-creator

Reproducible VHDX containers for forensics labs and isolated malware analysis.

PowerShellMIT

nm/…

More repositories are in preparation. We only publish once a tool runs reliably, is documented and has proven itself across several of our projects.

Coming soon

Working at NeoMINT

We grow when it fits.

We're not actively hiring right now. Even so: if you see cybersecurity as a craft and want to contribute to Open Research, write to us. We'll answer honestly about whether and when it could fit.

Leave a profile

01
Hiring is a consequence, not a goal.We hire when it moves us forward, not because a plan demands it.
02
Remote-first, with fixed sync rituals.DACH time zone, German-speaking. No office obligation, but shared rituals.
03
Open Research time is paid time.What we publish emerges within projects, not on weekends.

30-minute intro call · no commitment

A conversation costs nothing. Incidents do.

You describe your situation. We listen, ask follow-ups, and at the end we tell you honestly whether we're a fit. No sales funnel, no slides.

Book a call info@neomint.com

What you get

Duration30 min

FormatVideo call

Prepnone

Response< 24 h weekdays

NDAon request beforehand

Cybersecurity and AI governance – full scope or pinpoint.

Our way. Four principles, every project.

Enable

Automate

Share

Scale

Cybersecurity consulting services.

The CISO your organisation needs. Without creating the role in-house.

The AI officer role filled before the AI Act demands it.

An ISMS that passes the audit and keeps raising the security level.

Resources deployed where they protect the organisation most.

KRITIS obligations anchored so the evidence cycle becomes routine.

NIS 2 decided, documented, delivered. Before the regulator asks.

Steer third-party risk without renegotiating with every supplier.

An internal audit that doesn't end in a binder, but on the board's agenda.

Qualified through teaching and practice.

Our research is free to use: as code, papers and tools.

We grow when it fits.

A conversation costs nothing. Incidents do.

What you get