The Corporate Audit faces outward. It maps what a determined adversary assembles about your people and vendors before the first approach — not what you have built to keep them out.
Supervisory boards are required to oversee cybersecurity risk management under NIS2, DORA, and the Dutch Corporate Governance Code — yet most have no documented picture of what their executives actually expose externally. That information gap is the adversary's starting point.
What the Corporate Audit addresses
Every organisation builds security controls facing inward — firewalls, endpoint protection, access policies, incident response. The Corporate Audit faces outward. It examines what a determined adversary already knows about your organisation before they approach it: the named individuals who run it, the vendors your operations depend on, and the public data surface those people and relationships have accumulated over years.
This is not a penetration test, not a compliance audit, and not a vulnerability scan. Those products answer what the organisation has built. The Corporate Audit answers what the adversary already has.
Why this matters
The most effective attacks against organisations did not begin at the firewall. They began with a phone call using an executive's home address as context. A credential from a breach four years ago, reused once, that opened a corporate VPN. An invoice-fraud operation built on a data-broker record, a Companies House filing, and a LinkedIn profile assembled in under an hour.
Your security team sees what happens inside your perimeter. They cannot see what an external actor has assembled about your organisation before the first approach. That is the gap the Corporate Audit fills.
Why your executives' presence matters more
Every adult has some findable data, and for most people the risk is limited — their data does not unlock anything of value to a targeted attacker. Your executives' data is different because of what it enables.
A CFO's home address in a data-broker record, a CEO's personal mobile in a people-search result, a named director in a Companies House filing — none of these individually looks dangerous. Combined with role context and a targeted pretext, they are the setup for a vishing call that bypasses corporate authentication, a SIM swap that defeats MFA, or a business email compromise that authorises a payment. The attacker is not interested in who these people are. They are interested in what their data makes possible.
Why your existing controls don't reach this
Your security controls are not weak, and they are not the problem. They are built for generic attacks; personalised attacks change the difficulty, not the importance of those controls. Awareness training, email filtering, your people's judgement and MFA hold against generic attacks and fall away against personalised ones — and personalisation is built from exactly the exposure this audit maps.
The evidence is consistent. In an eight-month field trial across more than 19,500 employees, annual security-awareness training showed no significant effect on who failed a phishing simulation, and immediate "you-clicked" training moved failure rates by under two percentage points; a majority clicked at least once regardless of training (2025, independently reproduced at a second large organisation). What moves the outcome is not training but difficulty: easy lures are clicked far less often than hard ones, and in a 7,700-person field study an automated, personalised approach nearly tripled the click rate of a generic one.
This is why the Corporate Audit is a multiplier rather than another control. It does not add a wall. It reduces the public exposure that lets an attacker personalise — which raises the effectiveness of every control you already run, by forcing attacks back toward the generic, where your defences work.
The regulatory frame
NIS2 Article 20 makes management-body members personally accountable for the organisation's cybersecurity posture — not merely aware of it, accountable for it. A management body that has not examined its own exposure surface may find it harder to demonstrate informed oversight. The Corporate Audit contributes to the documented exposure picture management bodies increasingly need to evidence that oversight. DORA Article 5 and ISO 27001 Annex A.5.7 carry equivalent requirements for financial entities and certified organisations.
The Dutch Corporate Governance Code (BPP 1.2.1) explicitly requires management boards to identify and analyse cybersecurity risks alongside strategic, operational, compliance, and reporting risk — with supervisory directors carrying a corresponding oversight duty under Principle 1.5. Academic analysis of the combined NIS2 / DORA / Dutch governance framework identifies information asymmetry — the supervisory body's lack of visibility into the actual external threat picture — as the primary driver of underinvestment in executive-level security measures.
Galle & Vletter-van Dort, 'From cybersecurity to cyber resilience in the boardroom: key steps for supervisory board members and non-executives', International Cybersecurity Law Review (2025) 6:221–237, Erasmus School of Law, Rotterdam.
The Corporate Audit examines publicly observable exposure and consented individual footprints. It does not replace penetration testing, compliance assessment, or technical attack-surface management. It is an OSINT exposure assessment that supports compliance and governance obligations but is not legal or compliance advice, and is not certification against any framework. Organisations should confirm their obligations with their own advisers.
Consent-first. Data purged after delivery.
Every individual assessed requires explicit written consent — we provide the forms. No one is audited without their knowledge and permission. All case findings are cryptographically deleted within 48 hours of final delivery.
Eight reconnaissance surfaces, assembled the way an attacker assembles them — then delivered as evidence your existing programme can absorb.
What we examine — eight data surfaces
For each surface we document not just what we find but why it is in scope and what an attacker does with it specifically. The audit shows you the full picture — including data you did not know existed, and data that may be the final piece completing a targeting package against your organisation.
Addresses, phone numbers, family and associates aggregated into one queryable profile. The address becomes the vishing pretext; family members the social-engineering route.
An email-and-password pair from a breach four years ago is still a working credential anywhere it was reused. We check named staff across multiple corpora for live access risk.
Infostealer logs carry session tokens, VPN credentials and SSO cookies that bypass MFA. Most organisations do not know whether their people appear in them.
Companies House, KvK, SEC EDGAR and equivalents supply the financial and organisational context that makes targeted fraud convincing.
Speaking engagements and bios index travel schedules, team relationships and reporting structures — and the pretext for a credible approach.
Professional profiles compiled without consent and sold as intelligence products — rarely covered by consumer-facing privacy checks.
Active markets and forums checked for access-broker listings, credential sets, and data dumps attributed to your infrastructure.
The same research scope applied to each named supplier — leadership data, breach history, and externally visible infrastructure indicators.
The combined picture
Each surface yields fragments — an address, a credential, a travel schedule, a stealer-log entry. The audit assembles what an adversary assembles: the full picture across all surfaces at once. That picture consistently includes data the organisation did not know existed, data it had not considered dangerous, and data that closes the gap between a targeted attacker's preparation and a successful first approach.
What you receive
| Executive Exposure Reportper participating executive | Full digital exposure map with per-category risk scoring and an Immediate / Short-Term / Long-Term action plan. PDF. |
| Corporate Leak Surface Map | Where corporate email, documents and internal communications have circulated in breach data or dark-web sources, with remediation guidance. |
| Vendor Risk Profile | Digital-footprint indicators per assessed vendor, delivered as prioritised risk flags — not definitive verdicts. |
| Security Team Threat Briefingfor your CISO / security lead | How the exposures likely occurred, what attack patterns they enable, and what to close. Formatted for operational use. |
| Executive Briefing | A live walkthrough with leadership — per-executive findings, organisation-level risk picture, and Q&A. Findings are not distributed ahead of it. |
| Quarterly Posture Report | Repeat assessment at agreed intervals — staff changes, new breach exposure, an updated priority list. Public exposure repopulates: people-search and broker records re-list, new disclosures accrue, and fresh breach data surfaces — typically within roughly 60–90 days — so a one-time reduction decays. The quarterly cycle re-suppresses what has resurfaced and holds exposure below the level where attacks become cheap to personalise. |
| Specialist Referral Packwhere applicable | Vetted specialist contacts with context notes where findings call for training, IR planning, or physical security. |
How the engagement runs
We do not hand over a document and leave. Every finding comes with a plan, a live briefing, and remediation support on your terms.
From findings to action
Every item in your reports comes with a discussion — what we found, what it means for you specifically, and what the options are for addressing it.
Transparent and direct
We show you everything we found. Uncomfortable findings are not softened — if something is serious, we say so and explain exactly why.
Your priorities, your decisions
The Immediate / Short-Term / Long-Term framework structures the conversation; it does not dictate it. You decide what to address, and in what order.
Executive remediation path
Vendor-neutral recommendations matched to the data we found — removal services, monitoring, and specialists. No exclusivity, no preferred-vendor list.
Security-team output & monitoring
A separate briefing for your security lead, with monitoring options sized to your team, infrastructure, and operational capacity.
Transition support
If you want us involved through remediation, we stay involved — available to review steps and evaluate vendor proposals. No fixed endpoint at delivery.
What we commit to — and what we don't
We do not promise that a sophisticated, targeted approach will never reach your people; no one credible can. We commit to something measurable instead: such approaches become rarer — each costs an attacker more work to assemble when there is less to find — and less successful, because you will know your own exposure and can prepare your people against the specific angles it creates. The quarterly cycle keeps both true as your footprint regrows.
How the Corporate Audit sits in your security programme
What our cybersecurity audit service covers
A regulatory cybersecurity audit examines an organisation's controls against a framework — ISO/IEC 27001, SOC 2, NIS2 implementing measures. PI's cybersecurity audit is a different product: an OSINT-driven exposure assessment of what a determined external adversary already knows. A controls-based audit answers what you have built; an exposure-based audit answers what the adversary already has. The two are complementary, with distinct outputs.
Third-party cyber risk assessment
Vendor exposure runs as a defined module: each named supplier is examined as if we were briefing the principal on what an adversary would already know about that supplier. Buyers comparing PI against TPRM platforms — Prevalent, OneTrust, BitSight, SecurityScorecard — should treat them as different products: continuous automated scoring on one side, analyst-led OSINT findings with named-individual scope on the other.
External attack surface management
Most ASM platforms — Microsoft Defender EASM, Tenable, Mandiant, Cycognito, Cortex Xpanse — discover infrastructure-side exposure: IP space, exposed services, certificates. PI maps the people-and-records layer of the same external surface: public filings, breach corpora, data-broker records, and the named individuals who run the organisation. Both layers reach the same employee; only one is visible from a network scanner.
Fits your cyber security management programme
The Corporate Audit does not replace internal IT security, an MSSP, penetration testing, awareness training or compliance work — it raises their effectiveness. Those controls hold against generic attacks and weaken against personalised ones; by reducing the public exposure attackers use to personalise, the audit forces attacks back toward the generic, where your existing programme already performs. It supplies the one input the rest of the stack lacks — what your executives, their families and your vendors actually expose to an attacker conducting OSINT — and returns it as risk registers, board reports and quarterly cycles: no new tooling, no platform to onboard, no licence.
Mapping findings to a board report
NIS2 Art 20 requires management-body accountability; DORA Art 5 requires board oversight of ICT risk; ISO 27001 organisations produce quarterly management-review outputs. Each Corporate Audit output is structured around an Immediate / Short-Term / Long-Term action plan, so the board can direct remediation owners without translation. The Executive Briefing is the delivery channel — not an email attachment that leaks.
Alignment with NIS2, DORA & ISO 27001
- NIS2 Art 21(2)(d) — supply-chain security: vendor footprint findings feed supplier risk assessments.
- NIS2 Art 21(2)(g) — human-factor security: per-executive findings flag who is most likely to be social-engineered.
- NIS2 Art 20 — management-body accountability: the board briefing creates documented oversight.
- DORA Art 5 — ICT governance for financial-services leadership.
- ISO 27001 A.5.7 & A.6.3 — threat intelligence and targeted awareness training.
GRC inputs
- Risk-register entries scored by likelihood and impact, formatted for direct addition.
- Control-gap flags with a suggested remediation owner.
- Compliance evidence — sourced, timestamped, and exportable for auditors.
What we are not
- Not a cyber security management tool — no dashboard, subscription, or scanner.
- Not software — no install, no agent, no portal; findings come in a briefing.
- Not an MSSP — we do not run your SOC or manage your controls.
What we are: a human-led OSINT investigation firm. A Corporate Audit is a point-in-time engagement executed by analysts, with optional quarterly re-runs.
Frequently asked
Every individual whose digital footprint will be assessed must provide explicit written consent. We provide the forms as part of the engagement. No one is audited without their knowledge and permission — it is a core principle of our ethics code.
No. A penetration test examines what your infrastructure resists. The Corporate Audit examines what an adversary already knows before they approach it. The two answer different questions and are routinely run alongside each other.
All case findings are cryptographically deleted within 48 hours of final delivery — your organisation keeps every deliverable; our working copy is what is destroyed. We retain only the minimal transaction records required for legal compliance. Where your own governance, audit, or legal-hold obligations require us to retain engagement records for a defined period, that is set in writing in the engagement contract; absent that instruction, the 48-hour purge is the default.
Vendor assessments focus on publicly available information. We assess only what is publicly accessible — not private systems or internal data — and deliver results as risk indicators, not definitive findings. Depth OSINT on named individuals at a supplier is a separate consent gate.
Scope determines timeline. A focused engagement covering five executives and three vendors typically runs three to four weeks from consent to briefing. Larger scopes are agreed at intake.
Because the field evidence shows awareness training does little against personalised attacks — the kind aimed at executives — and personalised attacks are built from public exposure. The Corporate Audit reduces that exposure, which raises the effectiveness of the training, filtering and controls you already run. It complements them; it does not duplicate them.
No, and we will not claim otherwise. We reduce how much an attacker can find to personalise an approach, which makes targeted approaches rarer and less successful, and we prepare your people against their real exposure. We commit to that — not to a guarantee no credible firm can give.