CyberX × GETMILK
Sales-strategy dossier for CyberX (cyberx.pt) — catalogue, clients in NIS2 scope, The O, gaps in their compliance stack, and a concrete partner-program play.
TL;DR for execs
CyberX is a 17-person, bootstrapped, founder-led offensive-security boutique out of Porto — pentest, red team, EXIN-certified ISO 27001 training, plus a notable side-bet on “The O”, an AI threat-intel platform for governments. Their book (Vision-Box, Iskraemeco, Conduril, CA Auto Bank, Águas e Energia do Porto) is exactly the NIS2 / CER / DORA population that must prove supplier integrity under Article 21. Top fit: become their named “specialised partner” for supplier-risk / compliance delivery + co-sell EDF-eligible supply-chain security into their INNCyber / EUDIS pipeline. Top risk: small, bootstrapped, still proving The O — partner revenue will lag. Next step: warm outreach to David Silva (CEO) proposing a joint Cyber-Secure Supplier Shortlist SKU + a booth split at INNCyber Summit 2026.
Fit score
84
High: partner-program + EDF pipeline leverage
Team size
17
plans to double in 2 years
Markets
9
PT · ES · UK · BR · CA · US · LU · CH · UAE
Recognitions
Top 5%
Recent: SME Portugal 2025 · 3rd INNCyber
1. Company snapshot
2. Offerings — catalogue
| Service | Category | Specs | Target |
|---|---|---|---|
| Penetration Testing | Pentest-as-a-service | Web / API / WiFi / IoT / Mobile — OWASP + business-logic | Mid-market to enterprise |
| Red Teaming | Adversary simulation | Digital + physical + human TTP · weeks–months | Enterprises with in-house blue team |
| Vulnerability Assessment | Continuous scan | Automated + expert-reviewed remediation plans | SMBs, first-time buyers |
| Phishing Campaigns | Awareness | Simulated phishing at scale (3,000-user healthcare case) | CISO / HR preparing NIS2 |
| Code Analysis (SAST) | Static appsec | Source review, secrets, dependency risk | DevSecOps |
| Digital Forensics & IR | DFIR | IR, imaging, data recovery | Post-breach |
| ISO 27001 Foundation | Certification | EXIN-certified · 2 weeks · 93% pass rate | CISOs, consultants |
| The O — The Omniscient | AI threat-intelligence (MVP) | Deep-web OSINT · terrorism / protest / election / exec-protection | Governments, intel agencies |
| Workshops & CTFs | Training | Secure coding, threat modeling, gamified CTF events | Corporate L&D, universities |
| Partner Program (3 tiers) | Channel | Affiliate → Reseller → Strategic Alliance | Integrators, MSPs |
3. Tech & engineering signals
Stack
React SPA + Supabase backend, Vite, Radix UI. Strong CSP / HSTS / COEP hygiene on marketing site.
Team certs
OSCP · OSWE · CISSP · Google Cloud (team). EXIN partner for ISO 27001 F / ISMP / Privacy & Data Protection.
Missing certs
No ISO 27001 on CyberX itself, no SOC 2, no Cyber Essentials, no CREST, no NATO accreditation. This is the gate for large procurement.
Ecosystem
EUDIS Defence Hackathon (mentor), InCyber Lille, INNCyber @ PT Air Force HQ, Web Summit, WAM Saudi, H2HC São Paulo, Login Conf Vilnius.
4. Customers (logo rail · verified partner page)
Mixed rail of clients + partners + program alumni. Confirmed through third-party press or case studies:
No named MoD / EU-agency contract is publicly disclosed. INNCyber = innovation-hub recognition. ECCC = relationship from InCyber. EUDIS = mentoring role.
5. Competitive landscape
| Competitor | Positioning | Versus CyberX |
|---|---|---|
| Integrity S.A. (PT) | Largest PT pentest / consulting firm | Much larger, finance/telecom focus |
| S21sec (Thales) | SOC + MDR + IR for regulated enterprises | Different tier, same customer |
| Claranet Portugal | MSP with global cyber unit | Managed detection focus |
| Eviden (Atos PT) | Enterprise SOC, identity, consulting | Large-scale, not boutique |
| Leonardo Cyber (PT/IT) | NATO-accredited defense cyber | Direct target-market overlap in defense |
| Thales Portugal | Gov / defense cyber, national-security systems | Incumbent |
| Tekever Cyber | Dual-use cyber arm of PT defense unicorn | Rising defense-tech peer |
| Nine / NXXT / Samsys | Smaller PT peers | Often partner, not competitor |
CyberX's differentiation: founder-led ethical-hacking DNA; The O as a defense-tech narrative none of the compliance-heavy peers have; multi-market footprint (PT + GCC + LATAM + EU); MSME-accessible pricing.
6. Weak spots & open questions
No ISO 27001 on CyberX itself
They train on it, but don't hold it. Blocks enterprise RFPs that need the same cert from the supplier.
No SOC 2 / Cyber Essentials / CREST / NATO accreditation
Gates large defense and regulated procurement.
Compliance delivered 'through specialised partners'
They don't own the GRC / supplier-integrity stack. Margin leakage on every deal where it's needed.
No named MoD contract
EUDIS, INNCyber, ECCC relationships exist — no procurement win reported yet.
The O is still MVP
No deployments cited, no pricing, no pilot customer on record.
Customer logos are a soup
Partner rail mixes clients + alumni + accreditation partners without labels.
Bootstrapped → cap-ex constrained
Limits ability to fund The O or stand up a physical lab for hardware-heavy engagements.
Dubai office <1 month old
Localized Arabic site, but no GCC customer disclosed yet.
7. Supply-chain hook — why this deal exists
CyberX already lives in the building. They just don't own the plumbing.
- Their book (Vision-Box, Iskraemeco, Conduril, CA Auto Bank, Águas e Energia do Porto) sits squarely in NIS2 / CER / DORA scope. Article 21 obligations now dwarf pentest spend.
- They already tell customers that compliance is delivered “through specialised partners” — that sentence is our door.
- The O wants to be an OSINT product for governments. Supplier-provenance OSINT is what makes it a defensible product, not a feed of CVE headlines.
- They're pursuing EDF / EUDIS pipelines where EU-content supply chains are a hard filter. CyberX has no documented answer today.
8A. CyberX as a GETMILK customer
1. EU-sourced red-team kits: Vetted EU rugged laptops, Faraday bags, write-blockers, forensic drives for your PT + UAE ops. Small ACV, real sovereignty signal.
2. Supply-chain dossier for The O: We feed structured supplier-OSINT (ownership, sanctions, beneficial-owner changes) into The O. Differentiates vs. generic threat intel.
3. EDF-grade forensic hardware: When The O sells into a government, the underlying servers / HSMs / SOC racks must be EU-content. We pre-qualify them.
8B. CyberX as a GETMILK partner — co-sell
Become your 'specialised partner'
Formal Strategic-Alliance tier in CyberX's Partner Program. GETMILK = supplier-integrity leg of every compliance engagement. Revenue share per deal.
NIS2 Article 21 bundle
CyberX pentest + GETMILK supplier-integrity evidence pack = one SKU that Iskraemeco, Vision-Box, Águas e Energia do Porto all need by 2026 renewal.
DORA + CER co-pursuit
CA Auto Bank (DORA) and utility customers (CER) need documented third-party risk. Joint scope, joint invoice, joint renewal.
EDF consortium play
Join CyberX + GETMILK + a drone OEM (Tekever, UAVision) into an EDF-eligible consortium. CyberX = cyber resilience. GETMILK = supply-chain integrity. Both mandatory under EDF rules.
8C. Technical integration ideas
Joint Product: Cyber-Secure Supplier Shortlist
GETMILK matching + CyberX vendor-risk pentest. One SKU: pre-qualified, security-assessed EU supplier for your BoM. Sold to drone / hardware OEMs before EDF submissions.
GETMILK data feed → The O
Supplier ownership, sanctions exposure, beneficial-owner changes as structured OSINT layer. Turns The O from MVP to defensible product.
White-label Security Snapshot
Plug GETMILK manufacturer-vetting output into CyberX's free Security Snapshot tool. Top-of-funnel gets deeper, leads get warmer.
Shared booth: INNCyber + EUDIS + BSides Porto
Split stand cost, double pipeline, one joint pitch deck (this one).
9. Outreach plan
Primary contact
David Silva, CEO & co-founder
Channels
LinkedIn · contato@cyberx.pt · +351 252 085 009
Forcing function
INNCyber Summit 2026 / BSides Porto booth meeting
Subject
NIS2 supplier-risk — GETMILK + CyberX joint offer
David,
Saw your EUDIS Lisbon mentoring role and the Dubai launch — congrats on both. We're GETMILK, an agentic manufacturing-intelligence platform: AI-driven EU supplier matching for hardware, drone, and defence companies.
Your book (Vision-Box, Iskraemeco, Conduril, Águas e Energia do Porto) sits squarely in NIS2 / CER scope where Article-21 supplier-integrity obligations now dwarf the pentest spend. Today CyberX delivers compliance “through specialised partners” — we'd like to be that partner.
Proposal: a joint “Cyber-Secure Supplier Shortlist” SKU + a GETMILK feed into The O's OSINT layer. 20 minutes next week? Happy to come to Porto or meet at BSides.
— The GETMILK team