Your executives’ personal exposure is your organisation’s attack surface.
Corporate Audit
Starting at €5,000
~$5,500 USD
Pricing varies based on organization size and scope
What Is The Corporate Audit?
The Corporate Audit is our enterprise-level service designed to protect executive leadership teams and organizations from digital threats that could compromise corporate security, reputation, or competitive advantage.
While our individual services focus on personal privacy, the Corporate Audit addresses the unique risks faced by organizations — leaked executive data, vendor vulnerabilities, corporate espionage, and staff digital exposure that could be exploited by adversaries. This is pure investigation: we find your exposure surface and refer you to the right specialists for training, incident response, and physical security where those are needed.
Looking for a single-person audit instead? See our digital footprint audit overview — the same investigation method applied to an individual executive or HNWI.
Understand the threat landscape first. Read What the LockBit Vacuum Tells Us About the Ransomware Economy — an analysis of how corporate breach data circulates through dark web markets long after the original incident, and what that means for executive exposure today.
Consent-First. Data Purge After Delivery.
Every individual assessed requires explicit written consent — we provide the forms. No one is audited without their knowledge and permission. All case findings are cryptographically deleted within 48 hours of final delivery. Your organisation’s data does not sit with us after the engagement closes.
What Our Cybersecurity Audit Service Covers
The Corporate Audit is PI Solutions’ cybersecurity audit service. It is useful to be specific about what that means, because the term covers two quite different products in the market and buyers comparing them deserve the distinction stated plainly.
A regulatory cybersecurity audit — the kind delivered by the Big Four firms, specialist compliance consultancies, and accredited certification bodies — examines an organisation’s controls against a framework: ISO/IEC 27001, SOC 2, NIS2 implementing measures, sector-specific schemes. It produces a report on how the organisation’s documented controls meet a documented standard. That work is regulated, sometimes accredited, and squarely the remit of the firms that specialise in it. PI does not provide that service and does not compete for it.
PI’s cybersecurity audit is a different product. It is an OSINT-driven exposure assessment: an analyst-led examination of what a determined external adversary would already know about the organisation before approaching it. The scope reaches the people the organisation runs on — the named members of the management body, the senior officers, the suppliers’ counterparts on the other side of each commercial relationship — and the public surface that discloses them: data brokers, breach corpora, registry filings, signed accounts, conference bios, social media profiles.
The two products complement each other. A controls-based audit answers what the organisation has built. An exposure-based audit answers what the adversary already has. The one is no substitute for the other, and any buyer considering PI’s Corporate Audit alongside a GDPR compliance audit or a NIS2 readiness assessment from another provider should treat them as complementary engagements with distinct outputs. We will say so plainly in the scoping conversation. Pricing is from €5,000, scoped at intake, with 50% on engagement and 50% on delivery.
For the NIS2 dimension specifically — how exposure findings map to the categories the directive names — see our NIS2 compliance mapping page. For the GDPR Article 15 reconnaissance angle that often surfaces during these engagements, see our analysis on right of access as reconnaissance.
Third-Party Cyber Risk Assessment
Vendor and supplier exposure is one of the questions buyers ask the Corporate Audit to answer specifically. The third-party cyber risk assessment runs as a defined module inside the engagement: each named supplier organisation is examined as if PI were briefing the principal on what an external adversary would already know about that supplier before approaching it.
The work distinguishes between two types of finding. Public-record due diligence on the supplier as an organisation — corporate registry filings, leadership names, prior breach disclosures, public infrastructure indicators, sanctions and PEP screening signals — is in scope by default. Depth OSINT on named individuals at supplier organisations is treated as a separate consent gate: it requires either consent from the persons assessed or for the supplier to engage PI directly. The engaging client’s contract does not transfer rights they do not hold.
This is a service, not a software platform. Buyers comparing PI’s third-party risk management services against TPRM platforms — Prevalent, OneTrust, BitSight, SecurityScorecard, and the rest — should treat them as different products. Continuous automated scoring on one side; analyst-led OSINT findings with named individual scope on the other. The two are routinely complementary; PI integrates findings into a register the client can feed back into their own platform if they run one. Where the platform shows a vendor security rating dropping from B to C, our third-party assessments answer the upstream question: which named persons or systems explain the drop, and what the adversary’s view of them is.
For the NIS2 supply-chain dimension specifically — Article 21(2)(d) on supplier-related cybersecurity measures — see our NIS2 compliance mapping page and our analysis on digital exposure as a NIS2 risk vector.
External Attack Surface Management
External attack surface management — the inventory of an organisation’s adversary-visible footprint and the routine work of keeping it shrunk — is a question the Corporate Audit answers from a specific angle. Most platforms in this category (Microsoft Defender External Attack Surface Management, Tenable, Mandiant Attack Surface Management, CyCognito, Palo Alto Cortex Xpanse) discover infrastructure-side exposure: IP space, exposed services, certificate misconfigurations, shadow IT. PI’s lane is different. We map the people-and-records layer of the same external surface — what an external adversary would already know about the organisation through public filings, breach corpora, data broker records, search-indexed personal data, registry filings, and the named individuals who run the organisation.
Both layers matter. Both are part of the adversary’s view. A controls-side ASM platform tells you that port 22 on a forgotten subdomain is exposing SSH; PI’s external attack surface mapping tells you that the named executive who would receive a phishing email about that exposure has a residential address, three personal phone numbers, and an old breach password recoverable from public sources. The two findings reach the same employee; only one is visible from a network scanner.
This is a service, not a software platform. Buyers comparing PI’s attack surface management services against ASM platforms — the SaaS vendors named above — should treat them as complementary products. Continuous automated infrastructure discovery on one side; analyst-led OSINT on the public-data-and-people layer on the other. Where a client runs an ASM platform, PI’s findings integrate as a parallel evidence stream a CISO can present alongside the platform’s output. Where a client runs no ASM platform, PI’s mapping is often the first time the adversary’s view of the organisation is examined holistically.
For a fuller breakdown of where ASM and CAASM platforms structurally stop short — and what a per-individual identity inventory adds — see our analysis on the identity attack surface ASM vendors miss. For the NIS2 dimension specifically — particularly the basic cyber hygiene and vulnerability-handling measures — see our NIS2 compliance mapping page.
What’s included in the Corporate Audit
Consented Executive Digital Footprint Audits
Comprehensive digital exposure analysis for each participating executive — with their explicit consent.
Executive Leadership Exposure Assessment
Identification of exposed personal information that could be used for AI-driven social engineering, KYC bypass, targeting, or extortion.
Corporate Leak Surface Mapping
Analysis of where corporate information may have leaked — email addresses, documents, internal communications.
Third-Party Vendor Security Review
Assessment of vendor digital footprints that could expose your organization to supply chain risks.
Quarterly Security Posture Reviews
Repeat scans at agreed intervals to catch new exposure as it emerges — staff changes, new breaches, evolving threat landscape.
Specialist Referrals
Where findings indicate a need for security awareness training, incident response planning, or physical security, we refer to vetted local specialists. We investigate — we don’t pretend to replace dedicated security trainers or incident response firms.
Dedicated Account Manager
Single point of contact throughout the engagement with priority support and clear reporting lines.
What you receive from the Corporate Audit
| Deliverable | What it contains |
|---|---|
| Executive Exposure Report | Full digital exposure map — username & account discovery, dark web & breach findings, exposed personal data usable for social engineering or extortion, per-category risk scoring with Immediate/Short-Term/Long-Term action plan. PDF. |
| Corporate Leak Surface Map | Where corporate information has circulated — email addresses, documents, internal communications found in breach data or dark web sources. Evidence logged, remediation guidance included. |
| Vendor Risk Profile | Digital footprint indicators for each assessed vendor — publicly available exposure that could create supply chain risk. Delivered as prioritised risk flags, not definitive verdicts. |
| Executive Briefing | Live walkthrough with your leadership team — per-executive findings, organisation-level risk scoring, prioritised action plan, and Q&A with the analyst. Findings are not emailed ahead; the briefing is the delivery. |
| Quarterly Security Posture Report | Repeat assessment at agreed intervals — new staff changes, new breach exposure, evolving threat landscape. Each quarter delivers an updated posture report and revised priority list. |
| Specialist Referral Pack | Where findings indicate a need for security awareness training, incident response planning, or physical security — vetted specialist contacts with context notes. We investigate; we refer you to the right people for what comes next. |
Our Corporate Engagement Process
Initial Consultation
We meet with your leadership and security teams to understand your organization’s unique risks and objectives.
Scope Definition & Authorization
We define the audit scope and prepare individual consent forms for each participating executive.
Assessment Execution
Our analysts conduct comprehensive digital footprint audits across all authorized individuals and vendors.
Executive Report & Briefing
Findings delivered in a private executive briefing — per-executive exposure summaries, organisation-level risk scoring, and a prioritised action plan (Immediate / Short-Term / Long-Term). The briefing is the delivery; no findings are distributed ahead of it.
Quarterly Reviews
Ongoing partnership with quarterly assessments and continuous monitoring as part of the engagement.
How the Corporate Audit fits your cyber security management programme
Most organisations already run a cyber security management programme — internal IT security, an MSSP for monitoring, periodic penetration tests, and compliance work driven by NIS2, ISO 27001, or DORA. The Corporate Audit does not replace any of these. It sits alongside them and supplies the input they typically lack: what your executives, their families, and your vendors actually expose to an attacker conducting OSINT before an engagement.
Incident responders and SOC analysts look at the perimeter, logs, and endpoints. Compliance teams look at policies, controls, and audit trails. Neither has the remit or the tooling to map the personal-side exposure that drives executive-targeting attacks — spear-phishing with home-address context, SIM-swap precursors, credential stuffing from stealer logs, deepfake voice calls to finance staff. That gap is what we fill.
Findings are delivered in a format your existing programme can absorb: risk registers, board reports, quarterly review cycles. No new tooling to procure, no platform to onboard, no ongoing licence.
Mapping findings to a cyber security management report
Board-level reporting on cyber risk is increasingly a mandatory deliverable. NIS2 Art 20 requires management-body accountability, DORA Art 5 requires board oversight of ICT risk, and most ISO 27001-certified organisations produce quarterly management review outputs. The question is rarely whether a cyber security management report is produced. It is whether that report captures the executive-exposure and supply-chain surface that sits outside the firewall.
The Corporate Audit deliverable is designed to drop into that reporting cycle. The Executive Exposure Report scores per-person risk across ten reconnaissance categories. The Corporate Leak Surface Map logs where corporate email addresses, documents, and internal communications have circulated in breach data. The Quarterly Security Posture Report tracks how that surface is changing — new staff, new breaches, new people-search hits.
Each output is structured around an Immediate / Short-Term / Long-Term action plan, so the board reading it can direct remediation owners without translation. The Executive Briefing is the delivery channel — a live walkthrough with your leadership team, not an email attachment that leaks.
Alignment with NIS2, DORA, and ISO 27001 cyber security management frameworks
The Corporate Audit maps cleanly to the control families that most cyber security management frameworks require evidence for.
- NIS2 Art 21(2)(d) — supply chain security. Findings on vendor digital footprints and third-party staff exposure feed directly into supplier risk assessments. See our analysis of digital exposure as an NIS2 risk vector.
- NIS2 Art 21(2)(g) — human-factor security. Per-executive exposure findings identify the staff most likely to be social-engineered and flag the specific data being used to target them.
- NIS2 Art 20 — management-body accountability. The board briefing creates the documented oversight that management-body members are personally liable for. See our guide to NIS2 personal liability for board members and the operational sister piece on cybersecurity board reporting under NIS2.
- DORA Art 5 — ICT governance. Executive-exposure findings on financial-services leadership inform ICT risk appetite decisions and concentration-risk reporting.
- ISO 27001 Annex A.5.7 — threat intelligence. Findings meet the external-threat-intelligence control requirement.
- ISO 27001 Annex A.6.3 — information security awareness. Per-executive findings let awareness training target the actual exposure, not a generic curriculum.
We do not issue certifications. Where an auditor or assessor needs evidence, our findings are sourced, timestamped, and exportable.
GRC inputs: feeding governance, risk, and compliance registers
A governance, risk, and compliance framework only works if the risk register captures the risks that actually matter. Data broker profiles, stealer-log credential exposure, and executive home-address findability are rarely captured by traditional risk-management tooling — they sit outside the scope of vulnerability scanners, CASBs, and SIEMs.
The Corporate Audit feeds three GRC inputs:
- Risk register entries. Each material finding is scored by likelihood (attacker access) and impact (what exploiting that finding enables), formatted for direct addition to your existing register.
- Control gap flags. Where a finding indicates a missing control — for example, executive personal data resurfacing after an opt-out cycle — we log it as a remediation priority with a suggested owner.
- Compliance evidence. Findings and the steps taken to remediate them create the documented trail that NIS2, DORA, and ISO 27001 audits ask for.
GRC teams typically receive the Corporate Audit output, triage it with the security team, and assign owners. The Quarterly Security Posture Report updates each entry so the register stays current instead of ageing into noise.
What we are not: tools, platforms, and managed services
Honest positioning: we are not the right vendor if procurement is looking for a cyber security management tool, a SaaS platform, or a managed service.
- We are not a cyber security management tool. We do not sell a dashboard, a subscription, or a scanner. Tools like Recorded Future, ZeroFox, and Constella serve continuous-monitoring needs that are valid and different from ours.
- We are not cyber security management software. No install, no agent, no portal. Findings are delivered in a briefing, not streamed to a tenant.
- We are not a cyber security management services provider in the MSSP sense. We do not run your SOC, respond to incidents, or manage your controls. MSSPs like NCC Group, BT Security, and Orange Cyberdefense serve that remit.
What we are: a human-led OSINT investigation firm. A Corporate Audit is a point-in-time engagement executed by analysts, with optional quarterly re-runs. If your need is continuous SaaS monitoring or 24/7 security operations, we will tell you so and refer you to the right category. See our methodology page for how we investigate.
When a Corporate Audit belongs inside a wider cyber security management system
A Corporate Audit is worth commissioning when one of these conditions is present:
- NIS2 scoping. Your organisation has been scoped into NIS2 (essential or important entity) and the programme needs documented evidence of management-body oversight and supply-chain risk assessment.
- Board risk-appetite review. The board has set executive-protection or reputational risk as a material category and wants a baseline before setting appetite thresholds.
- M&A due diligence. You are acquiring or merging with an organisation and need to understand the exposure of the combined leadership team and the target’s vendor base.
- Post-breach retrospective. An incident has occurred and the retrospective needs to establish whether pre-incident OSINT pointed to the attack path.
- Regulatory request. An auditor, assessor, or regulator has asked for evidence that executive-exposure and supply-chain OSINT risk has been assessed.
Outside these triggers, the Corporate Audit is often over-scoped. For individual executives without a surrounding programme, the digital footprint audit is the right entry point. For organisations unsure whether their exposure warrants an engagement, the Executive Exposure Checklist is a free self-diagnostic.
Who the Corporate Audit is for
- Your CEO’s home address is findable through a data broker and your board doesn’t know — our UK data broker rights guide sets out the UK GDPR path for removal
- You are conducting due diligence on a target company’s leadership before a deal closes — and need to know what’s exposed
- A competitor or activist group has already researched your executives and you need to know what they found
- Your organisation manages generational wealth and the family’s digital exposure has never been assessed
- Executive security is discussed at board level but no one has mapped the actual exposure surface
Not sure if this fits your situation? See what we do for organisations.
Protect Your Organisation’s Leadership
Use our contact form with a brief description of your organisation and the number of executives to be assessed. We respond within 24 hours with a scope and proposal.
The average cost of a data breach reached $4.88M in 2024 (IBM). A proactive audit of your leadership’s digital exposure is a rounding error by comparison.
Request a Proposal
No payment required to enquire. No sales pressure. All communications encrypted via ProtonMail.
Corporate Audit FAQs
Every individual whose digital footprint will be assessed must provide explicit written consent. We provide consent forms as part of our engagement process. No one is audited without their knowledge and permission — it’s a core principle of our ethics code.
Following our standard data purge policy, all case-specific findings are cryptographically deleted within 48 hours of final delivery. We retain only minimal transaction records for legal compliance purposes. Your organization’s data never leaves our secure systems.
Vendor assessments focus on publicly available information — digital footprints the vendor may not realise are exposed. We assess only what’s publicly accessible, not private systems or internal data. Results are delivered as risk indicators, not definitive findings.