脆弱性診断で何がわかりますか？何をしてもらえますか？

Webアプリ・APIの脆弱性（OWASP Top 10準拠）・インフラ設定ミス・認証/認可の欠陥などを特定します。診断結果はリスク評価・優先順位付き修正手順をセットで提供するため、対応計画にそのまま使えます。

ISMS（ISO 27001）取得には何ヶ月かかりますか？

一般的に準備着手から認証取得まで6〜12ヶ月が目安です。現状のセキュリティ体制・文書化の状況・組織規模によって異なります。ギャップ分析から始めて、現実的なロードマップをご提示します。

小規模な会社でもセキュリティ対策は必要ですか？

はい。規模に関わらず、顧客データを扱う・クラウドを使う・外部サービスと連携するならリスクは存在します。「小さく始めて段階的に強化する」アプローチで、コストと効果のバランスを取りながら対策を設計します。

インシデント発生後の対応支援も依頼できますか？

可能です。インシデント対応（フォレンジック・原因分析・再発防止策）から、ステークホルダーへの報告書作成まで支援します。事前に対応手順書（インシデントレスポンスプラン）を整備しておくことも推奨します。

Home > Services > Cybersecurity

SERVICE 08

Cybersecurity

Cyber Security

Absorbing the complexity of security through design and operations.

From vulnerability assessments and penetration testing to building monitoring frameworks, all designed around real business impact. We never settle for security that only looks good on paper.

Process

01 Current-state assessment & risk inventory

02 Countermeasure design & prioritization

03 Implementation & operating framework

04 Continuous monitoring & drills

Who this is for

Moving past the "we think we're covered, but really we're stuck" state

PAIN 01

You didn't know how to prioritize security, so you ended up deploying tools just to have something in place

You brought in a WAF, EDR, and vulnerability scanners, but no one operates them and they've become dead weight. You can't tell where your real weaknesses are.

PAIN 02

Demands from audits and business partners keep growing, and you're scrambling to keep up

PAIN 03

You have no clear structure or escalation flow for when an incident hits

Even if you're only at the "we just got ISMS / PrivacyMark certified" stage, we're happy to talk.

Tell us where you stand →

The SYSTEMI approach

Designing for both risk and the business

Rather than applying best practices wholesale, we set priorities based on business impact and realistic risk.

Current-state assessment & risk inventory

We review assets, communication paths, permission design, and existing controls across the board, then organize business impact and risk into a matrix.

Output

Asset register / Threat map / Existing-control evaluation / Risk matrix

Output

Countermeasure roadmap / Investment plan / Executive briefing materials

Countermeasure design & prioritization

We set priorities based on risk and business impact, then design a menu of countermeasures, explaining "do or don't do" decisions in business terms.

Implementation & operating framework

We implement WAF, EDR, SIEM, identity management, and more, scoped to a level you can actually operate so you avoid over-investing.

Output

Security foundation / Operational runbooks / Alert design / Org chart

Output / What happens next

Vulnerability management operations / Drill plan / Review framework

Continuous monitoring & drills

We stay alongside you through the vulnerability management cycle, incident drills, and monitoring operations.

What sets us apart

Is it "design that works for the business" or just security that looks good on paper?

There are plenty of security vendors, but few can both set priorities grounded in business impact and carry the work through to implementation.

	Dedicated security firms	Cloud vendors	MSPs (managed operations)	SYSTEMI
Design grounded in business impact	△ Product-driven	△ Cloud scope only	△ Contracted scope only	◯ Starts from observing the work
Carries through to implementation	◯	△ Mostly guidance	△ Depends on deliverables	◯
Ongoing operational support	◯ Specialist-led	△ Platform scope only	◯	◯ With in-housing in mind
Integration with existing systems	△	△	△	◯ Designed to connect with existing assets

AI × Security

Using AI to lighten the operational load of security

Vulnerability report summarization

An LLM classifies, summarizes, and prioritizes vulnerability scan results so your team can immediately decide what to tackle first.

Log & alert analysis

An LLM surfaces anomalous patterns from huge volumes of SIEM logs, cutting the effort of first-line triage.

Policy & documentation

An LLM drafts policy documents for ISMS, PrivacyMark, and similar frameworks, dramatically reducing the effort of getting them in order.

Related cases

Where we make the biggest difference

A mix of cases we can disclose publicly and illustrative model cases.

SecurityCloud SaaS

Partnering with G-gen on the security design of a cloud-based SaaS platform

Challenge

They needed to meet the security requirements of a cloud-native SaaS without adding operational burden.

Outcome

We implemented everything from IAM design and WAF design to monitoring, then handed it off as a self-sustaining operation.

MODEL CASE

FDE in action

Illustrative caseIncident response

Helping a company buried under audit findings with assessment → prioritization → phased implementation

Why they reached out

Audit findings kept piling up and they were constantly scrambling to address them.

What we organized

An asset inventory → risk prioritization → a roadmap for addressing issues in phases.

See all cases →

DELIVERABLES

What we produce on the front line

Examples of how the materials we hand over are structured. We organize them into decision-ready inputs you can use directly in the next phase.

DOCUMENT 01 — Security assessment report (assets, threats, countermeasures)

Security_Assessment_v1.0.xlsx

Asset registerAn inventory of servers, data, SaaS, and privileged accounts with their sensitivity

Threat modelLikely attack scenarios and their business impact

Existing-control evaluationThe operating status and weaknesses of WAF, EDR, MFA, logging, and more

Priority action listPriorities ranked by impact × likelihood × mitigation cost

RoadmapA countermeasure plan split into short-term (within 3 months), mid-term, and long-term

DOCUMENT 02 — Proposed architecture diagram

Example security foundation — Edge / Endpoint / SIEM

Perimeter

WAF + ShieldBlocks malicious requests

CloudFrontTLS termination

Cognito + MFAAuthentication

Access management

IAM / Secrets ManagerLeast privilege & credentials

🔐

SSO / IdPPrivileged access control

Endpoint

🛡️

EDR (e.g. CrowdStrike)Device protection

SIEM

CloudWatch + GuardDutyLog aggregation & threat detection

ClaudeAlert summarization

Response

📟

CSIRT framework + drillsIncident response

* We set priorities based on business impact and realistic risk, scoping implementation to a level you can actually operate.
* We avoid over-investment and design a set of controls that operations can sustain.

Frequently asked questions

Common questions about cybersecurity

We're preparing for ISMS / PrivacyMark certification. Can you support us?

Yes. We provide end-to-end support across technical controls, policy documentation, and internal audits. We go beyond what consulting alone can deliver, building, on an implementation basis, the kind of "mechanism that actually runs" in day-to-day operations.

Cloud (AWS/GCP) security settings are too complex for us to handle.

We provide automated checks aligned with the AWS Well-Architected Security Pillar and CIS Benchmark, along with secure, IaC-based configuration templates. We operationalize this including continuous drift detection.

How far can you go with penetration testing?

We conduct vulnerability assessments of web apps, mobile apps, and cloud infrastructure. Remediation of the vulnerabilities found and re-testing are handled as part of the same package.

Do you offer support when an incident occurs?

We do, but since the speed of the initial response is critical, we recommend building a CSIRT framework, preparing runbooks, and running drills in advance. Investing in preparation up front works out cheaper than reacting after the fact.

Related services

FDE · Forward Deployed Engineering →

SRE · Infrastructure Automation →

Cloud-Native Development →

Tell us where your security stands today.

Even if you have plenty of controls in place but can't tell what's actually working, we can start by helping you make sense of it.

Talk to us about security (free)