vCTO and Co-Managed Security
We embed a single source of authority for the layers under our responsibility: your team runs daily operations, privileged access and configuration authority stay with us.
The problem
In most mid-sized organizations, security is an installation project. A firewall is bought, an antivirus is deployed, an audit report is completed, and everyone goes back to work. The infrastructure is correct on the day it is built and starts aging the day after. But there is a deeper problem: the organization often does not even know what it owns. Some of the assets that need protecting appear in no inventory at all. You cannot protect what you cannot see.
Four outcomes
The output of a vCTO engagement is not a product list; it is four measurable outcomes:
Visibility
A complete digital asset inventory, from domain names to servers, licenses to access rights. Management sees, for the first time, what the organization owns and who controls what.
A shrinking attack surface
Segmentation, egress lockdown, email authentication, defensive domain locks and MFA systematically close the doors an attacker could use.
Efficient use of resources
Existing hardware is re-evaluated rather than written off, open source eliminates license line items, and user/device analysis prevents over-purchasing. The security budget goes to actual needs, not to the shelf.
Disaster readiness
Backup (3-2-1, immutable vault), a DR environment with exercises, internet continuity (BGP multihoming), and identification of physical risks (water, electrical, power). The bad-day plan exists in tested form, not on paper.
The layer the C-level never sees: the digital asset inventory
Most security projects start from the assumption that the organization knows what it owns. What we see in the field is different: senior management is usually unaware of its own digital inventory. The most valuable first deliverable of a vCTO engagement is often not a firewall rule but an asset map nobody had ever written down.
A concrete, anonymized example. In a recent engagement we found the organization's entire branded domain portfolio (websites, email, brand identity, all of it hanging off those domains) inside a reseller account a single technician had opened in his own name. The door to that account was protected by an SMS code sent to a personal phone. There was no corporate record of ownership. This is not an individual's mistake; it is an undefined process. If that person left, failed to hand over the account, or had his phone line hijacked in a SIM swap, the organization could lose control over the internet identity of all of its brands.
That is the vCTO's first job: make the invisible visible, then bind it to centralized, corporate, auditable governance. We move assets like domains onto our own managed panel (Ops Hub) with role-based access control (RBAC), TOTP-based two-factor authentication, automated renewal tracking and an immutable audit trail; dependence on SMS-based verification is removed entirely. The lesson goes beyond domains: every organization has an asset class nobody has inventoried, hanging on one person's attention.
Approach
Architecture first, products second. No single product delivers security on its own, and the order never changes. We build the defense in four layers:
- 1Shrink the attack surface: segmentation, trust zones, lateral movement closed off from the start.
- 2Protect identity: centralized MFA, tiered administration, privileged access concentrated in one place.
- 3Cut off propagation: entry defense starting at the email layer, strict egress control.
- 4Detect and respond: SIEM correlation, XDR, immutable audit trail.
This ordering follows how the threat actually works. The typical ransomware chain starts with a phished credential. Even the strongest EDR treats a login with a valid username and password as a legitimate user. That is why the first line of defense sits at the email and identity layer.
Capability inventory
| Layer | What we do | Standards mapping |
|---|---|---|
| Digital asset discovery and inventory | Read-only domain/DNS/WHOIS discovery, email authentication posture, shadow-mail detection, building the asset inventory and binding it to governance | ISO 27001 A.5.9 · PCI DSS 12.5.1 |
| Architecture and segmentation | Trust zones, ERP/sales/OT separation, Purdue-style OT layer, multi-site IPSec | ISO A.8.22 · PCI DSS Requirement 1 |
| Virtualization | VMware ESXi to Proxmox migration, dual-host HA cluster (QDevice witness), failure testing, PBS image backup | ISO A.8.14 |
| Identity and MFA | AD/LDAP-integrated centralized MFA (privacyIDEA, RADIUS/PAM), tiered administration, LAPS, FortiToken for FortiGate | ISO A.5.17, A.8.2, A.8.5 · PCI DSS Requirement 8 |
| Firewall and network | Single-authority FortiGate management (IP whitelist + MFA), FortiManager, FortiAnalyzer, rule review at least every 6 months | ISO A.8.20, A.8.21 · PCI DSS Requirement 1 |
| Internet continuity and BGP | Multi-carrier BGP multihoming on the organization's own /24 block and ASN, RPKI ROA, rDNS/PTR control, FortiGate HA pair; carrier independence and failover within seconds | ISO A.5.29, A.5.30, A.8.14 |
| SIEM and monitoring | Log collection with Wazuh, correlation, anomaly detection, FIM (including AD/SYSVOL changes), immutable audit trail | ISO A.8.15, A.8.16 · PCI DSS Requirement 10 |
| Email security | Proofpoint (enterprise) and Barracuda (SMB): phishing, BEC, account takeover, attachment/URL sandboxing, email DLP. SPF/DKIM/DMARC management and phased DMARC rollout. Deliverability: FCrDNS/PTR and IP reputation | ISO A.5.14, A.8.7 |
| Endpoint | Palo Alto Cortex XDR, policy management, periodic scanning | ISO A.8.7 · PCI DSS Requirement 5 |
| Backup and DR | PBS image backup, Oracle RMAN, Proxmox replication, DR environment in the VeriTeknik data center, undeletable offsite immutable vault, periodic restore testing | ISO A.8.13, A.5.30 |
| ISMS (ISO 27001) consulting | 5x5 risk matrix (Clause 6.1.2), Statement of Applicability (SoA) updates, CAPA plan, internal audit and management review calendar, exercises; aligning the documented system with the controls actually in the field | ISO Clauses 6.1, 9.2, 10.2 |
| Physical and environmental assessment | Server room placement and water risk, electrical safety (RCD/RCBO), UPS architecture, access logging; findings are tied into the quality system (ISO 9001) | ISO A.7.x · ISO 9001 7.1.3, 7.1.4 |
| CDR and airgap | Controlled file transfer between zones: re-rendering, active content stripping, multi-engine scanning (VeriTeknik development) | ISO A.5.14, A.8.22 |
| Patch management | WSUS, local apt mirror, FortiGate egress lockdown (default deny + FQDN whitelist), critical patches within 1 month | ISO A.8.8 · PCI DSS Requirement 6 |
| Software asset and license compliance | License inventory, user/device (CAL) analysis to prevent over-purchasing, scanning for pirated activation tools (a known malware distribution vector) | ISO A.5.32 · Turkish IP law (FSEK, No. 5846) |
| Regulatory and official correspondence support | Technical response annexes to government agency letters, tracking of Law No. 7545 obligations, KVKK notification processes | Law 7545 · KVKK |
VMware to Proxmox migration
Broadcom's move of VMware to subscription bundles, the narrowing of its partner program and the aggressive rise in license pricing have forced many organizations to rethink their virtualization layer. Proxmox VE is a mature, auditable, license-cost-free alternative at this scale; its built-in backup server (PBS) also removes the separate Veeam-class license line item.
Our migration projects follow these steps: inventory and discovery, VM conversion, reattaching shared storage (FC/iSCSI, multipath) to the new hypervisor, image backup with PBS, testing and a rollback plan, and where needed a QDevice-witnessed dual-host HA cluster with failure testing. Migration can be quoted as a standalone project; taken together with the managed service, post-installation operations, hardening and monitoring continue under the same roof.
Open source first, proven commercial where it matters
Wherever it fits, we deploy open source: Proxmox, Wazuh, PBS, Zimbra, Nextcloud, privacyIDEA. Auditable source code and the absence of vendor lock-in increase control, and license costs drop. In layers where open source falls short or criticality demands commercial support, we are an authorized partner for products that have proven themselves:
| Product | Segment | Relationship |
|---|---|---|
| Barracuda | SMB email security | Reseller since 2007, distributor since 2008 |
| Proofpoint | Enterprise email security | Partner |
| Palo Alto (Cortex XDR) | Endpoint detection and response | Partner |
| Fortinet (FortiGate) | Network security | Deployment and single-authority management |
Our selection criterion is need, not dogma: open source where it fits, commercial where it is required. The same principle applies to resources: existing hardware is not written off, it is securely wiped and re-evaluated for DR or redundancy roles.
What the monthly managed service does
Operations produce the value; installation is only the starting point. Responsibilities are made explicit through a RACI matrix. The rhythm:
| Cadence | Work performed |
|---|---|
| Daily | SIEM triage, critical patch tracking, backup verification, monitoring of identity and access events |
| Weekly | Firewall rule set review, anomaly report, egress control, email threat summary |
| Monthly | Patch compliance report, access rights audit, DR restore test sample, change records, joint review of logs and security events |
| Quarterly | Architecture review, segmentation validation, DR exercise, compliance status report (PCI DSS, ISO 27001, KVKK) |
Single authority, clear responsibility
We are the single source of authority for the layers under our responsibility. Root and privileged access sit with VeriTeknik, and every configuration change passes through our approval via the service desk. Daily routine operations and L1 monitoring stay with your team. Firewall administrator access is open only to VeriTeknik (IP whitelist + MFA). Logs, EDR and backups are held by an authority separate from the party that uses the systems; the using party cannot alter them.
The principle is simple: two-headed administration makes accountability impossible to trace. If it is unclear who changed what, the root cause of an incident stays unclear too. The application layer (IFS, SAP and similar ERPs) remains the responsibility of the authorized vendor; the platform, operating system and hypervisor stay with us as a single authority. When we join an engagement after an incident, we explicitly keep prior forensic analysis out of scope; we do not validate or adopt the historical narrative, we start with forward-looking preventive action.
How we start
Discovery (1-2 weeks)
Read-only digital asset discovery, site and physical environment assessment, license and resource inventory, current-state analysis, risk and gap map. No system is touched.
Roadmap
Findings are delivered in a single three-layer report (executive summary, findings, technical annexes), together with a risk matrix and a CAPA plan. Layer-by-layer priorities and scope are agreed together.
Transition to co-management
The RACI and authority boundaries are signed, privileged access is taken over, and your team receives L1 operations handover and training. Quick wins (MFA, egress lockdown, email authentication, defensive domain locks) go live in the first 90 days.
Who it fits
Multi-site, mid-sized organizations with PCI DSS, ISO 27001 or KVKK obligations that do not carry a full-time in-house security team. Suitable for manufacturing (including process manufacturing such as food), fintech, healthcare, and businesses with an OT layer.
Frequently asked questions
If privileged access sits with you, what happens to our internal IT team?
Your team does not shrink; its role becomes clearer. User support, physical checks, inventory and L1 monitoring stay with your team; we take on oversight, change approval and privileged execution. Duties and authority boundaries are defined in a written document, so everyone knows what they do and what they request.
Why is all privileged access concentrated in one place?
Separation of powers. If the party that uses a system also controls that system's security, logs and backups, prevention, detection and accountability collapse at the same time. And with two separate privileged authorities, responsibility blurs the moment something breaks. The standards require this as well (ISO 27001 A.5.3, PCI DSS Requirement 7).
What happens when the contract ends? Are we locked in?
No. The exit and handover plan is defined in the contract: up-to-date architecture and configuration documentation, an access inventory and a handover procedure are delivered in an orderly way to you or to the new provider you designate. The open-source-heavy stack structurally reduces vendor lock-in to begin with.
Isn't open source risky in an enterprise environment?
Open source is not automatically more secure or more risky. Correct configuration, auditability and continuous operations produce the security. That is why we operate open source with discipline and place proven commercial products in the critical layers.
How does pricing work?
Quoted per scope after discovery. The model typically consists of a monthly managed service fee (currency-protected) plus separately invoiced hardware and license procurement; installation effort is included in the managed service term.
Track record
More than 50 PCI DSS certifications since 2015, with zero failures, as Turkey's first Level 1 service provider. Two TSE-certified ISO/IEC 27001 internal auditors on staff. In email security, Barracuda's Turkey reseller since 2007 and distributor since 2008; with over 17 years of experience, a Proofpoint partner today. We bring the high-security discipline matured in banks and e-money institutions to mid-sized organizations facing the same threats.
Related
Let's talk
Let's scope it together. We start with digital asset discovery, a current-state analysis and a layer-by-layer roadmap. Pricing is quoted per scope.
Schedule a meeting