NIS2-ready Kubernetes security

Production clusters, hardened to survive audits and adversaries.

Dockerized closes the gap between running Kubernetes and running it securely — every control mapped to NIS2 Article 21, every fix proven in your production cluster.

CKS-certified engineers·EKS · AKS · GKE · on-prem·Amsterdam
readiness.sh — prod-eu-west
// works across the stack you already run
EKSAKSGKEOpenShiftKyvernoOPAArgo CDFalcoCosignTrivy
40+
production clusters hardened
1,900+
findings remediated
6 wk
median time to NIS2-ready
0
reportable incidents post-engagement
// what we do

Security engineering for the way you actually run Kubernetes.

01

Cluster Hardening

CIS Benchmark and Pod Security Standards enforced across every namespace. Least-privilege RBAC, seccomp, and read-only root filesystems by default.

02

Supply-Chain Security

Sign, verify, and attest every image. SBOMs, Cosign signatures, and SLSA provenance gating your admission controllers.

03

NIS2 Compliance Mapping

Every Article 21 measure mapped to concrete Kubernetes controls — with evidence your auditor and your board both accept.

04

Runtime Threat Detection

eBPF-based detection with Falco and Tetragon. Catch container escapes, crypto-miners, and lateral movement in real time.

05

Secure GitOps

Locked-down Argo/Flux pipelines, policy-as-code with OPA and Kyverno, and drift detection so prod never diverges from git.

06

Incident Response

A retained team that knows your clusters before the pager fires. Forensics, containment, and post-incident hardening.

// nis2 · article 21

Your clusters are in scope. We make them defensible — and provable.

NIS2 turns “we think it’s secure” into “show me the evidence.” We translate every Article 21 measure into concrete Kubernetes controls, then hand you the proof your board and your auditor both accept.

nis2-controls --area access
// how we work

Four phases. No slideware, no surprises.

01 / assess

Assess

A two-week deep audit of your clusters, pipelines, and threat model. You get findings mapped to NIS2 Article 21.

02 / harden

Harden

We remediate alongside your team — policy-as-code, admission control, RBAC, and supply-chain gates, all in your GitOps flow.

03 / prove

Prove

An audit-ready evidence pack: control mappings, test results, and dashboards your board and regulator can read.

04 / sustain

Sustain

Drift detection, runtime monitoring, and a retained response team keep you compliant long after go-live.

// engagements

Built around the NIS2 clock.

Compare all packages →
RECON
Readiness Assessment
from €7.5k
2 weeks · fixed price

Know exactly where you stand against NIS2 — and what to fix first.

SUSTAIN
Managed Security
from €6k/mo
ongoing retainer

Stay compliant and defended long after the sprint ends.

Built by engineers who run production Kubernetes — not slideware.

Every engagement is delivered by CKS-certified security engineers who have operated clusters at scale. We work in your GitOps flow, via pull requests your team reviews and merges. Nothing goes to prod behind your back.

CKS
Certified Kubernetes Security Specialist engineers
CKA
Certified Kubernetes Administrators on every team
ISO 27001
Controls aligned to your ISMS and audit scope
SLSA L3
Supply-chain build integrity, by default
// next step

Your clusters are already in scope. Book the audit before your auditor does.

A 30-minute scoping call, then a fixed-price readiness assessment. Kick off within two weeks.

Request an audit