Defensibility as a Service · for evidence-sensitive SMEs

If you were breached tomorrow,
could you prove your cyber insurer should pay?

Most companies don't fail at security. They fail at proof. Axulu helps you see, close, and defend the evidence gaps before the insurer, regulator, or board ever asks.

Free 12-minute diagnostic · No credit card · Senior-led, not script-led

How Axulu works

From "we think we're covered" to "we can prove it."

Four moves. Senior-led. Evidence-first. Each step ends with something signed, shareable, and stress-tested.

Step · Check my policy
01 / 04

Upload your policy.
See what it would actually demand.

Your cyber insurer expects evidence — not intentions. Axulu reads your wording line-by-line and surfaces every obligation, exclusion, and condition you'd need to prove on the worst day of your business.

Policy parser · Obligation map · Exclusion register · Denial-vector list
Live · policy analysis cyber-policy-2026.pdf
2.4 MB · 14 pages · parsed in 8.2s
✓ Parsed
MFA required for all users · Evidence partial
Quarterly backup restore test · Not provable
Endpoint protection — all endpoints · Evidence on file
72-hour breach notification plan · Undefined
No unsupported operating systems · 2 found
Step · Defensibility diagnostic
02 / 04

Every obligation tested.
Every gap visible.

A senior architect (not a checklist factory) maps every policy requirement against every piece of evidence — what exists, what's missing, what's stale, and which gap puts your claim at most risk.

Control-to-evidence matrix · Responsibility map · Director risk register · Scrutiny narrative
Claim simulation
Mixed exposure · 5 controls tested
2 pass · 3 gaps
42%
Denial vectors
No restore-test evidence for the last 12 months · 2 unsupported endpoints in scope
Survivable gaps
MFA enforcement signed for 94% of users · 6 to escalate
What's defensible
Endpoint protection deployed and logging · Access reviews on quarterly cadence
Step · 7 year plan
03 / 04

See cost, risk, and certification before they surprise you.

Forward visibility, not a static roadmap. Every asset, control, and warranty plotted across seven years — toggle a decision (extend, replace, migrate, accept) and watch cost and risk curves move in real time.

Tri-curve chart · Certified decisions · Lifecycle register · Expiry alerts
[Chart: Server SVR-04 · 7-year forecast. Axis: Y1 to Y7. Curves: Certification, Cost, Risk. Markers: Warranty ends Y5; Replace · signed.]
Step · Certified decisions
04 / 04

Every decision signed.
Every risk owned.

No more "we thought IT had that." Each material decision is logged, owned, dated, and reviewable — so when scrutiny starts, you have an audit trail that's reasonable, evidenced, and defensible.

Signed decision log · Accepted risk register · Evidence freshness · Board pack export
Defensibility score
73/100 ▲ +18 since baseline
19 of 23 controls evidenced · last verified 3 days ago
Recent certified decisions
MFA | Enforced for finance team · accepted by CFO | Worked
EOL | 2 unsupported endpoints retired · evidenced | Worked
RISK | Legacy CRM kept · risk accepted, reviewed Q3 | Mixed
23 · Insurer obligations parsed
7yr · Forward visibility
94% · Avg evidence coverage at retainer Y1
0 · Bodies sold — outcomes only

Every kind of scrutiny deserves this.

Cyber claims. Regulator reviews. Customer security questionnaires. Tender qualifications. The conversation you've been avoiding — defended.

FCA · Cyber renewal · Defensibility check
If our underwriter walked in tomorrow, what evidence could we hand over?
Claim simulation
Strong defensibility · 19/23 controls evidenced
3 critical gaps, 1 survivable, fixable inside 30 days
83%
Critical risks

Unsupported Windows Server 2012 in payroll segment · backup restore tests not evidenced for 14 months · two FCA-relevant roles missing access reviews.

Survivable gaps

MFA enforcement signed for 94% of users; 6 senior accounts on grace period. Vendor risk register exists but not refreshed against insurer schedule.

What's already defensible

Endpoint protection deployed across estate with central logging. Identity tenant locked-down, joiners/movers/leavers automated. Quarterly access attestations on file.

What we'd certify next

Restore-test cadence with logged outputs · two-track decommissioning plan for legacy segment · evidence-freshness alerting in HubSpot for renewal cycle.

Five outcome layers

5 layers of defensibility.

Each layer shapes a different kind of evidence. Smart Setup picks the layer you need first — or your senior advisor will.

Senior judgement layer

CIO-level thinking,
without the £180k hire.

Hover the avatars below. Axulu's outcomes are senior-led — same judgement that scaled Flywheel from start-up to £12m, across 40 client estates, M&A integrations, TOGAF-grade architecture, and decades of regulated-sector experience.

Matthew — principal

Matthew — Principal & founder

30 years across IT strategy, enterprise architecture, M&A integration, cyber policy interpretation, vCIO work, and AI-native operating design. Behind every Axulu engagement is a senior architect — not a script, not a checklist, not a junior in a suit.

TOGAF | CIO/CTO operating | vCIO · 40+ estates | Flywheel · scaled to £12m | M&A integration | Regulated sector | 10-Year Plan methodology | AI-native delivery
What makes us different

More than just a checkbox.

Most cyber providers sell controls. Axulu sells the evidence those controls actually existed when scrutiny started.

Evidence Hub

Every claim, dressed in its proof.

Stop scrambling through email threads when the insurer asks. Each control, obligation, and accepted risk is hung against its evidence with date, owner, and source. Generate the claim pack in one click.

Auto-refreshes from your stack · Audit trail on every artefact
Certified Decisions

Build the advisor you need.

Every material risk decision logged, signed, dated. No more "we thought IT had that." Defensibility starts with knowing who decided, when, and why.

Director-signed · Quarterly review cadence
Multi-sector

Your sector. Your wording.

Construction supply chain, regulated finance, legal, education. Axulu speaks each sector's language — FCA evidence, ISO 27001 control mapping, supplier assurance — natively, not as a translation.

Your context

Your policy. Your wording.

Upload the policy, the MSP contracts, the supplier register. Axulu references them throughout — no generic templates, no scary-but-irrelevant findings.

Integrations

Plugs into what you already run.

Microsoft 365, Intune, your MSP's RMM, HubSpot, SharePoint, Jira. Axulu reads from your stack so evidence freshness updates itself — no rip-and-replace required.

Pricing

Three ways to start.
One way to scale.

Begin where the pain is loudest — claim defensibility — and expand into Titanium, Plan, and Supercharge as the base stabilises.

Defensibility Snapshot

A 12-day deep diagnostic. Find out where you stand, signed off by a senior architect.
£2,950 one-time
  • Cyber policy parsed & mapped
  • Evidence-gap report
  • Director risk register (draft)
  • 90-minute board readout
Book a snapshot

Enterprise & full-stack

Titanium + Plan + Supercharge bundled with senior architecture and programme leadership.
Custom
  • Hardened operating base (Titanium)
  • 7 Year Plan dashboard
  • AI & automation workstream
  • Fractional CIO/CTO
Talk to sales
Multi-entity group? Acquired companies to integrate? Regulated by the FCA? Talk to a senior architect

Frequently asked.

What boards, MSPs, and finance directors ask before signing.

How is Axulu different from my MSP?
Your MSP runs your tickets and tools. Axulu runs your evidence. MSPs are paid to fix things; we're paid to prove the things that were true on the day a breach started. We don't compete with your MSP — we sit above them and make sure the controls they implement actually satisfy your insurer, your auditors, and your board.
Do you sell cyber insurance?
No. We're not a broker and we don't sell indemnities. We help you read, interpret, and evidence the cyber policy you already have so it pays out when it has to. Your broker stays your broker; we make their job easier.
What does "evidence-sensitive SME" mean?
Any business where someone might one day ask "prove it": an FCA-regulated finance firm, a construction tier-1 supplier with security questionnaires, a law firm handling sensitive matters, an education group under DfE scrutiny, a healthcare provider, an acquirer in due diligence, a tenderer for public contracts. If your customers, regulators, or insurers expect proof — you're evidence-sensitive.
What if my environment is a mess?
Most are. The Defensibility Snapshot tells you exactly how messy, in plain English, and prioritises the gaps that actually move claim risk — not the ones that just look bad on a slide. Then Titanium standardises the base.
Is this just a consulting engagement?
No. We sell outcomes, not bodies. Consulting is the bridge to a software-like service: the Snapshot is fixed-scope and fixed-price, the Retainer is recurring with measurable evidence coverage, and every repeated motion becomes more automated as we go. You'll see senior humans where judgement matters — and software where it doesn't.
Who reviews our policy?
A senior architect with three decades of operating-leadership experience — TOGAF-grade, CIO/CTO operating, vCIO across 40+ regulated estates. The diagnostic is AI-assisted, not AI-only. You'll never get a junior consultant on a script.
What if our data is sensitive?
We operate under UK data residency, with a per-engagement NDA, ISO-aligned handling, and the ability to work entirely inside your tenant if required. Policy uploads can be redacted before parsing; evidence stays inside your Microsoft 365 or your equivalent.

Your next renewal deserves a defensible answer.

12 minutes. Free. Senior-led. You'll walk away knowing exactly where you stand.

No credit card · Senior architect on the call · Outputs yours to keep