Our Services

Regulatory compliance for Micro and Small Businesses

Every business that employs people or serves customers holds sensitive data — employee records, payroll, client information, confidential communications. Under GDPR, protecting that data is a legal obligation regardless of your size.

For most small businesses, no one is actively making sure those obligations are met. Having an IT person is not the same thing: running your systems and independently checking that they are secure are different roles, and giving both to the same person means the one who configured a system is also the one judging whether it is safe.

We help micro and small businesses implement practical, proportionate cybersecurity: technical safeguards required under GDPR Article 32, secure email and communication setup, access controls, encryption, and backup systems — plus the documentation that demonstrates compliance, not just the measures themselves.

No unnecessary complexity. No solutions built for organizations ten times your size.

You get protection that fits your reality — and documented evidence that you’ve met your legal obligations.

Security Assessment & Testing

Most organizations don’t know what they’re actually exposed to — not because they haven’t tried, but because point-in-time scans and compliance checklists aren’t designed to find what attackers look for.

We work in three layers of depth.

A high-level assessment maps your actual risk: what you have, where you are exposed, and what to address first, framed for both technical teams and decision-makers.

Vulnerability scanning identifies known weaknesses across your servers, network equipment, and services, with a follow-up scan to confirm that fixes have held.

Security testing goes further, combining automated tools with manual techniques to find what can actually be exploited (authentication bypasses, code injection, API weaknesses, Active Directory misconfigurations) and to verify that remediation has been properly applied.

You define the scope and depth. We adjust methodology to your environment and risk appetite.

You leave with a clear picture of your exposure — and documented confirmation that what needed fixing has been fixed.

Education & Training

A well-configured firewall doesn’t help if someone clicks the wrong link. The way your people recognize threats, respond under pressure, and communicate during an incident determines whether a security event becomes a crisis.

We design and deliver training for three distinct audiences, because the right exercise for a receptionist and the right exercise for a security engineer are not the same thing.

Non-technical staff — phishing simulations that test real behavior under realistic conditions, followed by targeted awareness training based on actual results, not generic material.

Management — tabletop exercises that walk leadership teams through realistic incident scenarios: detection, escalation, communication, and decision-making under pressure. The objective is not theory — it’s identifying exactly where your response process breaks down before a real incident exposes it.

Technical and security staff — hands-on cyber range exercises in controlled, simulated environments. Red vs. Blue team scenarios where defenders respond to live attack simulations, adapted for different team sizes and skill levels.

Your people leave better prepared — and you leave knowing exactly where the gaps are.

Consulting

Security strategy fails when it’s disconnected from operational reality. Frameworks applied without context create compliance theater, not security.

We provide expert advisory across risk assessment, security architecture, compliance, and mitigation strategy. Engagements are defined by your actual situation — not by a standard package.

A particular strength is NIS2 compliance for essential and important entities, including operators of critical infrastructure. Our team includes dedicated CISO expertise and OT (operational technology) specialists: people who understand the specific threat landscape and regulatory requirements facing energy, water, transport, and other critical sectors, not just the general compliance framework. For organizations navigating NIS2 for the first time, we provide structured support from gap analysis through implementation and documentation.

Our approach is explicitly oriented toward building your internal capability — not sustaining external dependency. That means transferring knowledge, not just delivering reports.

You get expert judgment applied to your specific situation, and leave more capable of managing risk independently.

R&D on Demand

Some security challenges don’t have off-the-shelf answers. Custom infrastructure, novel threat environments, and emerging defensive approaches require building something new — not applying something existing.

CyberArrange was founded as a spin-off of the Faculty of Electrical Engineering and Computing, University of Zagreb (FER). Our core team has active research backgrounds in cybersecurity, with publications and applied projects spanning IT system modeling, cyber range automation, LLM-based scenario generation, infrastructure-as-code, and applied AI in cybersecurity contexts.

We run our own infrastructure, including locally hosted large language models currently in active use. Sensitive data handled during development and testing therefore stays on infrastructure under the engagement's control and is not routed through third-party AI services.

This is where academic rigor and operational application meet. If your challenge requires building something new rather than configuring something existing, that’s the work this team was built for.

You get research-grade expertise applied to a real operational problem, backed by infrastructure and a track record from the lab, not borrowed from a sales deck.