Critical Infrastructure
Downtime is measured in treaty obligations, not in revenue.
A single hour of disruption rewrites the contract.
Critical-infrastructure operators run assets where downtime is measured in regulatory exposure and continuity-of-service obligations far down the line. Energy, water, telecoms, ports, datacenters, refining: each operates under a regulatory frame the operator did not write and a threat picture the operator cannot opt out of. Boards and regulators expect a defensible record of the security posture in place, not a description of intent. The threat picture combines kinetic exposure (perimeter intrusion, unauthorized drone activity, asset seizure during instability), cyber exposure (intrusion, ransom, exfiltration, OT disruption), insider exposure (authorized access used outside the engagement's terms), and supply-chain exposure (counterparty integrity in vendor and consumable chains). A capable program addresses all four on a single accountability framework. The firm operates under that framework as standard.
Mandates calibrated to the operator's continuity profile.
The firm engages critical-infrastructure operators across project, managed, advisory, and crisis terms. Most operators retain the firm under managed terms covering protective posture at named perimeters, counter-UAS deployment, intelligence correlation against asset-specific threat pictures, and a documented chain-of-custody on every action that touches the operational record. Cyber-incident response and investigative work run in parallel where an incident has cross-domain implications.
Project mandate
Site survey, vendor diligence, program design, or post-incident review delivered against a defined scope and window.
Managed engagement
Sustained protective posture, counter-UAS deployment, and command-surface integration across named perimeters and operations.
Advisory retainer
Standing counsel to security, compliance, and continuity functions: threat picture briefs, program review, and incident readiness.
Crisis support
Time-bounded response convened against a defined disruption on the operator's continuity profile, under written terms.
They show up the way they tell us they will.
Audit-immutable record. Operating tempo preserved.
Three engagements abstracted to the standard at which they can be discussed in public, each closed against board and regulator review.
Counter-UAS posture held without operational stoppage.
A national-importance perimeter was held under sustained counter-UAS posture across repeated detection events over a single operating period, without an operational stoppage on the asset. Chain-of-custody on every detection and mitigation action remained reviewable by the operator's compliance function and the relevant regulator.
Multi-site command surface, one audit-immutable record.
A multi-site operator integrated the firm's command surface with an existing C2 layer across its estate in multiple regions. Sensor feeds, drone telemetry, and friendly-force tracking write to a single audit-immutable record reviewable by the operator's board and audit committee.
Port operator, kinetic incident, contracted return-to-tempo.
A port operator retained the firm following a kinetic incident on a sovereign asset under its concession. The engagement spanned protective rosters, intelligence correlation, and a written incident record reviewable by the host authority and successor administrations. The asset returned to operating tempo within the contracted window.
Methods on the record.
mena 2026: ten themes for the second half
What we are watching in the Middle East and North Africa for the remainder of the year, with notes on second-order effects for sovereign and infrastructure clients
on the irreversibility of decisions
Every fragile engagement has a last reversible point. Naming it, and timestamping it, is the analytic act that distinguishes counsel from commentary.
The capability stack for asset-bearing operators.
Stabilization and humanitarian work is run elsewhere; the relevant capabilities for critical-infrastructure clients are listed below in order of operational gravity.
Most critical-infrastructure engagements begin with a one-hour conversation.
A site survey or desk review precedes any operator or system deployment. The mandate is written before work begins.