Information Security —
from regulation to implementation.
Blackfort Technology combines regulatory expertise with technical security implementation and AI competence – for organisations that need security not just on paper.
Why Security Programmes Fail
The problem is not the regulation. It is the gap between concept and implementation.
Security programmes rarely fail because no concept exists – they fail because of the gap between regulatory requirements and technical reality. Blackfort Technology operates precisely at this interface: from analysis through to implementation, in the same projects, with the same teams.
“Strategy consulting without IT architecture is like a chef without a kitchen.”
Christian Gebhardt
Founder & Managing Director, Blackfort Technology
Partner of the Alliance for Cyber Security (BSI)
Competency Areas
Three areas. One consultancy.
Most IT security consultancies are strong in one of these areas. We cover all three – and connect them in projects that are successfully and sustainably implemented.
Understanding, prioritising, and translating regulatory requirements into measures.
The regulatory landscape has changed fundamentally over the past three years. NIS2 significantly expands the circle of obligated organisations and raises requirements for security measures, reporting obligations, and governance structures. DORA imposes binding ICT resilience requirements across the entire financial sector. The Cyber Resilience Act obligates product manufacturers to implement security by design.
These requirements cannot be met through one-off audits or ticked checklists. They require an information security management system that is genuinely lived – with clear responsibilities, documented processes, and the ability to respond to operational changes.
We accompany organisations from the first gap analysis through to certification. This includes building ISMS structures, developing security concepts and policies, preparing for external audits, and ongoing support as an external information security officer.
All Consulting ServicesIdentifying vulnerabilities, hardening systems, building security infrastructure.
Information security is not a paper exercise. Every requirement from the regulatory framework must be reflected in a technical measure: a process, a system configuration, a monitoring rule, or a network segmentation.
In practice, we regularly encounter the same gaps: no systematic patch management, insufficient or inconsistent logging, an Active Directory that has accumulated attack surfaces over years, or missing controls over privileged access. These problems are known. Yet they remain unaddressed – because technical implementation goes beyond a classic consulting engagement.
We take on this technical implementation: vulnerability analysis and penetration testing, system hardening to CIS Benchmarks, Active Directory hardening against Pass-the-Hash and Kerberoasting, PKI deployment, SBOM management, and centralised logging with SIEM integration. Not just as a one-off project, but with sustainable integration into your processes.
Penetration Testing & Technical Security SolutionsDeveloping, integrating, and operating AI systems securely and under control.
AI systems are no longer a future challenge. They are today integrated into production processes, customer interactions, and decision support systems. And they generate risks for which classical security approaches have no established answers.
Prompt injection attacks on language models cannot be repelled with a firewall ruleset. Opaque decision logic in regulated environments generates liability risks that neither DORA nor NIS2 explicitly address. The EU AI Act introduces new compliance requirements for high-risk AI systems, whose implementation requires technical documentation and traceability.
As a permanent member of the AI working group of the Alliance for Cyber Security (ACS/BSI) and lead authors of one of the first methodological guides to LLM pentesting in the German-speaking world, AI security is a dedicated competency at Blackfort. Our offering covers AI governance, technical security testing, LLM pentesting, and monitoring for AI-assisted processes in regulated environments.
AI Security at Blackfort TechnologyProprietary Solutions
Security solutions developed in-house.
Blackfort Security Bridge
Automated integration of Microsoft Defender and Jira – vulnerability findings routed directly into structured tickets.
Independent Log Vault
Tamper-proof, audit-compliant log retention. Independent of the production SIEM – for compliance evidence and forensics.
Privileged Access Bridge
Privileged access without VPN, without agents, with a complete audit trail. For service providers and internal administrators.
Threat Exposure Filter
CERT and CVE alerts filtered to your own infrastructure – no generic newsletters, only relevant signal intelligence.
Sector Expertise
Regulation and technology are sector-specific.
Each sector brings its own regulatory requirements, attack vectors, and operational realities. Our projects are contextualised accordingly – not generic.
Research & Analysis
Security Insights & Research
Technical analyses, security research, detection engineering, and regulatory and operational cybersecurity topics – straight from the field.
Section 393 SGB V: Why Your Cloud Provider’s C5 Attestation Often Isn’t Enough
Since July 1, 2025, Section 393 SGB V requires a current C5 Type 2 attestation of the data-processing entity itself whenever cloud software processes health or social data. A checklist for practices on what the fine print actually needs to say.
DENIC Final Report: The Rollover Agent Bug Behind the May 5, 2026 DNS Outage
DENIC has published its final root-cause analysis of the May 5, 2026 DNS outage: a bug in the rollover agent generated a separate key pair per HSM instead of one shared pair. Full technical breakdown and remediation steps.
NIS2 for the Space Sector: What the GOVSATCOM Hub Cologne Means for Ground Station Operators
NIS2 classifies the space sector as highly critical. With GOVSATCOM Hub and SpaceHub Cologne, new infrastructure is emerging in Cologne — what this means for cybersecurity under BSI TR-03184.
Request a Consultation
How can we help you?
Every conversation starts with a specific question. Choose the starting point that best matches your current situation.
NIS2 Scope Analysis
Is your organisation subject to NIS2? To what extent? What are the specific areas requiring action? We clarify this in a structured initial consultation.
DORA Gap Assessment
How far is your organisation from DORA compliance? Where are the largest gaps in ICT risk management? What needs to be addressed first?
Security Architecture Review
A systematic analysis of your IT architecture: vulnerabilities, attack surfaces, structural gaps. Result: concrete measures, prioritised by risk.
AI Security Assessment
Which AI systems are in operation? What risks arise? What does an appropriate security architecture look like? A consultation with a concrete outcome.