Case file
Next-generation firewalls, segmentation, NAC, EDR, SIEM and backup — Fortinet, Palo Alto, Sophos, Check Point — designed to how breaches actually unfold, not how vendors describe them.

/ The discipline, in detail
How we approach network security.
Most network-security stacks fail not at detection but at recovery. We design with the assumption that the bad day will arrive and the question will be how quickly the organisation is back online. Segmentation that contains lateral movement, EDR on every endpoint that matters, immutable backups stored offline, and a runbook that names the human who picks up the phone at three in the morning. The firewall is necessary but not sufficient.
For an owner, the decision that matters is not which firewall but who is accountable on the worst day, and how fast the organisation is back. We scope the posture around real recovery-time tolerance — what must return within the hour, what can wait until morning, and who holds the offline backup and the runbook. Segmentation and endpoint detection limit how far an intrusion travels; immutable, regularly tested backups decide whether a bad day is an incident or a closure. We design to the compliance regime the sector actually answers to, and we rehearse the recovery rather than assume it.
On record
Every network security engagement is documented end-to-end — design, programming, commissioning, calibration — and handed over with the files our successors would need if we were never to return.
/ Where we deploy this
Active across 5 sectors.
Network Security is rarely a standalone brief — it sits inside a wider sector practice with its own codes, expectations and operating rhythm.
/ Sister services
The rest of it.
A serious brief usually crosses two or three of these. Read across the discipline — we deliver them as one contract.
- 01
EPABX & IP-PBX
Voice, routed cleanly.
Enterprise voice — IP-PBX, SIP trunking, hosted UC and hospitality PMS integrations — Grandstream, NEC, Cisco and Yeastar.
- 02
IT & Networking
Wires the building's nervous system.
Structured cabling, Wi-Fi 7, switching, SD-WAN and data-centre networking — Cisco, HPE Aruba, Juniper, Netgear, CommScope.
- 03
Structured Cabling
Backbones rated for the next quarter-century.
Cat6A, OS2 and OM4/OM5 structured cabling — designed to TIA-568, terminated to manufacturer warranty and labelled to a documented patch schedule.
- 04
Enterprise Wi-Fi
Coverage you can measure, not just claim.
Wi-Fi 7 and Wi-Fi 6E enterprise wireless — Cisco, Aruba, Juniper Mist, Netgear — site-surveyed to the building's actual cell-edge SNR.
- 06
Servers, Storage & Data Centre
On-prem, hybrid and edge — sized for actual workload.
Server and storage architecture — Dell, HPE, Lenovo, Pure, NetApp — for on-prem and hybrid workloads, including precision cooling, rack design and DR.
- 07
Video Conferencing Infrastructure
Reliability beats features.
Cloud, on-prem and hybrid VC — Microsoft Teams, Zoom, Google Meet, Cisco Webex — with bridges, gateways, recording and transcription infrastructure.
/ Integration with
How network security talks to the rest.
A serious deployment of this system rarely operates in isolation. The disciplines below most commonly share its cabling pathways, its controller logic, and its cause-and-effect matrix.
Structured Cabling
Backbones rated for the next quarter-century.
Cat6A, OS2 and OM4/OM5 structured cabling — designed to TIA-568, terminated to manufacturer warranty and labelled to a documented patch schedule.
Enterprise Wi-Fi
Coverage you can measure, not just claim.
Wi-Fi 7 and Wi-Fi 6E enterprise wireless — Cisco, Aruba, Juniper Mist, Netgear — site-surveyed to the building's actual cell-edge SNR.
Servers, Storage & Data Centre
On-prem, hybrid and edge — sized for actual workload.
Server and storage architecture — Dell, HPE, Lenovo, Pure, NetApp — for on-prem and hybrid workloads, including precision cooling, rack design and DR.
/ Read deeper
The engineering, in long form.
Each article below goes deeper than this service page can — a full walk-through of the engineering decisions, written by the team that delivers this work.
- AV · 9 min
AV-over-IP deployment realities: network discipline is the binding constraint, not the codec choice
AV-over-IP is a network deployment that happens to carry AV. The codec choice, the platform brand and the encoder count are the visible decisions; the multicast routing, the IGMP snooping, the QoS marking, the VLAN segregation and the BFD discipline are the invisible decisions that decide whether the deployment works. Why network discipline outweighs codec choice on real projects.
- ELV · 11 min
Eight ELV integration mistakes that survive into commissioning — and how to catch them earlier
ELV integration faults rarely surface in design review or installation — they survive into commissioning because the seam-level coordination is nobody's contractual responsibility. The eight failure modes we see most often, and the design-stage discipline that catches each one before it becomes a snag list at handover.
Engineering toolkit
Tools to scope this work
Calculators and reference checkers we use ourselves to sense-check the engineering before any drawings change hands.
- Life-safety · 28 states + 8 UTs
NBC Fire-Safety by State
State or union territory, building height and occupancy in — list of sprinkler, addressable FA, voice-evac PA, wet-riser and Fire-NOC triggers out, with explicit source-status tiering across all 28 Indian states and 8 union territories.
NBC 2016 · state rule
- IT · Cabling
Structured Cabling Estimator
Estimate total structured-cabling length, patch panel count and IDF closet count against floor area and drop count. Panduit, CommScope, Belden, Legrand, Corning, Furukawa, R&M. Cat6, Cat6A, Cat7, Cat8 copper plus OM3, OM4, OS2 fibre. TIA-568 compliant.
7 brands · 7 categories
- ELV · Surveillance · Storage
CCTV Storage Retention Calculator
Multi-brand, codec-aware CCTV storage retention sizing across Hikvision, Dahua, Axis, Hanwha, Bosch, Honeywell, CP Plus and Prama. Computes storage TB, HDD count plan, recorded bandwidth and an NVR/VMS class recommendation against camera count. Pairs with the CCTV Coverage Calculator.
8 brands · codec-aware
/ Engineering concepts
Related engineering concepts
Concept
Online (Double-Conversion) UPS
Double-conversion uninterruptible power supply. Rectifies AC to DC and inverts back to clean AC, isolating the load from grid disturbances. Default for mission-critical IT and life-safety equipment.
Concept
Honeywell Building Management System
Honeywell's BMS framework — chiller, AHU, lighting and energy supervision integrated into a single operating picture for premium commercial and hospitality buildings.
Concept
Vertiv EnergyCore BESS
Vertiv's LFP battery-energy-storage cabinet line. Drop-in lithium replacement for VRLA banks on mission-critical UPS, with eight-year TCO advantages above 20 kVA.
Concept
Modbus Protocol
Industrial serial and TCP protocol. Lingua franca of energy meters, VFDs and legacy controllers — the integration bridge between BMS, BESS and industrial plant.
/ Used alongside
Commonly deployed alongside
Sector
Industrial & Warehousing
Operations that don't take a day off.
Service
Fire Alarm System
Detection that pinpoints. Response that is coordinated.
Service
Building Management System (BMS)
The building, on a single dashboard.
Service
CCTV & Surveillance
Coverage. Storage. Evidence.
Service
Access Control
Right person. Right door. Right time.
Service
Boom Barriers & Motorised Gates
Controlled flow, every gate.
/ Frequently asked
Network Security — what buyers ask first.
MDR or SIEM in-house?
Under 500 employees, choose managed detection-and-response (MDR): the talent cost of running a 24/7 SOC in-house rarely makes sense at that size. Above 500 employees, hybrid MDR-plus-internal-SOC begins to pay back.
What's the right firewall for a typical SMB?
FortiGate, Palo Alto Networks PA-series, or Cisco. For small branch sites, a cloud-managed Cisco appliance is excellent (simple, low ops overhead). For headquarters, FortiGate offers the best price-performance with strong threat intelligence. Palo Alto is the premium tier with the deepest application-aware controls.
What does zero-trust architecture mean in practice?
Every request is authenticated regardless of network location — there is no 'inside the firewall' implicitly trusted zone. Practical implementation: identity-driven access (single sign-on with MFA), device-posture checks before network admission, and micro-segmentation that contains lateral movement. We design to zero-trust principles for any new deployment in 2026.
How do we approach endpoint protection?
EDR or XDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) on every endpoint that matters. Anti-virus alone is no longer sufficient; behaviour-based detection catches modern malware that signature-based scanners miss. We deploy and integrate with the SIEM for centralised visibility.
What about backup and ransomware recovery?
Immutable, offline-capable backups stored on infrastructure that cannot be modified by a compromised primary network. Veeam, Rubrik or Cohesity to a Wasabi or Backblaze cold-storage tier with documented recovery testing. The most important security investment many organisations have not yet made.
How often should we run penetration testing?
Annually at minimum; semi-annually for regulated and high-value organisations. We coordinate with independent penetration-test firms (we don't audit our own work) and the findings flow into a remediation plan with documented closure dates. This is part of the AMC programme for premium clients.
· Begin
Begin a network security brief.
Tell us about the building, the timeline, and what success looks like a year after handover. We will reply within two working days with a written response, not a sales pitch.
