[ Cybersecurity ]
Implement best security practices in your pipelines and infrastructure
Shift-left security
Building security into the code and the pipeline from the outset
We follow recognised DevSecOps practices: TFSec, TerraScan and Trivy scans in the pipeline, Cosign image signing, GitLab SAST, secret management, image hardening and the principle of least privilege. A vulnerability fixed before deployment costs ten times less than one fixed in production.
Sovereignty & compliance
Designing GDPR-compliant frameworks and preparing for sovereign compliance
We build architectures that comply with the GDPR and HDS, even in critical contexts such as healthcare, defence and the public sector. Sovereignty is not something you just declare: it is something you establish.
Operational implementation
Turning compliance into an everyday practice
We translate regulatory requirements into practical operational guidelines tailored to your level of maturity. A genuine approach to security is reflected not just in governance decisions, but also in the code and runbooks.
The cornerstones of our cybersecurity expertise
- DevSecOps in the pipeline
Our pipelines incorporate TFSec and TerraScan for IaC modules, Trivy for images, Cosign for signing, and GitLab SAST for application code. Code reviews always include a security aspect. Issues are detected before the merge to prevent errors and vulnerabilities in production.
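As an added illustration (not Kaliop's own pipeline), here is how the scanners named above can be wired into a GitLab CI layout so that findings block the merge; the IaC directory, image name and `IMAGE_DIGEST` variable are placeholders.

```yaml
# Added example, not code from the page: GitLab CI wiring for tfsec, Terrascan,
# Trivy, GitLab SAST and Cosign. Paths, image names and the IMAGE_DIGEST
# variable are assumptions to adapt to the real project.
include:
  - template: Security/SAST.gitlab-ci.yml   # GitLab SAST for application code

stages: [scan-iac, build, scan-image, sign]

iac-tfsec:
  stage: scan-iac
  image:
    name: aquasec/tfsec:latest
    entrypoint: [""]                         # let the runner use its own shell
  script:
    # Non-zero exit on HIGH/CRITICAL misconfigurations stops the pipeline
    - tfsec ./terraform --minimum-severity HIGH

iac-terrascan:
  stage: scan-iac
  image:
    name: tenable/terrascan:latest
    entrypoint: [""]
  script:
    - terrascan scan -i terraform -d ./terraform   # policy violations fail the job

image-trivy:
  stage: scan-image
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    # Block on HIGH/CRITICAL vulnerabilities that actually have a fix available
    - trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed
        "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

image-sign:
  stage: sign
  image:
    name: bitnami/cosign:latest
    entrypoint: [""]
  id_tokens:
    SIGSTORE_ID_TOKEN:                       # GitLab OIDC token for keyless signing
      aud: sigstore
  script:
    # Sign the immutable digest, never a mutable tag (IMAGE_DIGEST set by the build job)
    - cosign sign --yes "$CI_REGISTRY_IMAGE@$IMAGE_DIGEST"
```

Each scanner job exits non-zero on findings above its threshold, which is what turns "detected before the merge" into an enforced gate rather than a report.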
- Secret management and combating shadow ops
HashiCorp Vault, External Secrets Operator, Azure Key Vault, AWS Secrets Manager: secret rotation is automated and audited. We eliminate secrets buried in tools or `.env` files stored in Git, as well as ‘shadow ops’ – technical operations carried out outside the official framework, which can sometimes pose a threat.
- Identity, IAM and federation
For identity and access management, we use Microsoft Entra ID in Microsoft environments and Keycloak for multi-cloud federation. Authentication without static credentials is provided via Workload Identity and OIDC at the workload level. MFA is applied systematically, and the onboarding and offboarding processes are fully automated.
- Kubernetes Security
We secure your Kubernetes environments at every level: Pod Security Standards, granular network policies and RBAC for access control, External Secrets for secret management, Falco for runtime detection, and systematic image scanning. Policy-as-code tools (Kyverno and OPA) are deployed where appropriate, without creating unnecessary overhead.
- WAF and perimeter protection
We configure and maintain your perimeter security using industry-leading solutions (Cloudflare, AWS WAF, Azure Front Door WAF) to block attacks without compromising performance or generating crippling false positives. Taking back control of a third-party-managed WAF often presents an opportunity for a full-scale modernisation project.
- Sovereignty, SecNumCloud and HDS
We support projects subject to regulatory requirements: architectures compliant with the GDPR and HDS certification for health data, and certified hosting on Scaleway or 3DS Outscale, depending on the context. Our monitoring of SecNumCloud and developments at ANSSI ensures that your hosting choices are in line with current and future regulatory requirements.
- EDR, SOC and AI-powered correlation
We run SentinelOne in Block mode, combined with AI-powered log correlation on Microsoft Sentinel or Sekoia.io. Our EDR + SOC approach prioritises the automation of incident response over the proliferation of alerts, enabling faster detection without overwhelming your teams with unqualified signals.
- Regulatory frameworks
NIS2 now applies to thousands of organisations in France, DORA is reshaping the financial sector, and ISO 27001:2022 introduces new controls, including cloud security. In light of these requirements, our support is aimed at achieving genuine operational efficiency, not just superficial compliance on paper.
They rely on our security
- Forvis Mazars: Secure managed services for Forvis Mazars’ multi-region Azure infrastructure, with access management and observability tailored to the requirements of an international audit firm.
- CSTB: Cloudflare WAF and perimeter hardening for the platforms of a public technical institution, in addition to the Scaleway and Rancher Kubernetes architectures that we operate.
- Internal ISO 27001:2022 process: Kaliop has initiated its own ISO 27001:2022 certification process. The scope covers the implementation of the managed SOC, the deployment of SentinelOne EDR, the automation of onboarding and offboarding and the consolidation of the internal network. We practise what we recommend to our clients.
We are not strictly cybersecurity specialists. We are cloud platform operators who apply best practices recognised by the market and the CNCF ecosystem, taking a pragmatic approach tailored to the actual maturity of our teams.
A genuine approach to security is reflected in the code and runbooks: secrets aren’t left lying around in Confluence, pipelines reject vulnerable images, and tokens are no longer permanent or shared. That is also why we have embarked on our own ISO 27001:2022 certification process: to implement in our own organisation what we recommend to our clients, at a pace that reflects our actual level of maturity.
Adrien Bresson, Director of Cloud Infrastructure
