SECURITY ADVISORY AND CONSULTING
Know your risk
Build your resilience
End-to-end security advisory from vulnerability assessments and penetration testing to architecture design, governance frameworks, and risk management. Delivered by practitioners who have operated security at scale across the region.
Speak to an Advisor
CREST-Accredited Penetration Testing methodology, certified testers, and post-assessment support. First telco group in Axiata markets to be CREST accredited.
Assessment, architecture, governance, and risk management under one practice.
Most organizations treat security assessment, architecture, maturity and compliance in silos. ACFC transforms IT and security into an integrated resilience framework that encapsulates cybersecurity, data privacy, business continuity management, risk management and compliance under one umbrella, driven through a 3 lines of defense model.
Your Assessment Begins With a Complete, Intelligence-Led View
Before we engage as advisors, we will leverage our HELIOS capability to conduct a threat assessment and help organizations prioritize assessments, quick wins, and long-term strategic roadmaps.
Our approach
Security Assessments
Identify gaps before your adversaries do. ACFC’s assessment services pair HELIOS external attack surface intelligence with CREST-accredited human testing to deliver validated, actionable findings across every layer of your technology environment.
Architecture & Governance
Security strategy without architecture is a list of intentions. ACFC's architecture and governance practice translates strategy into implementable design, drawing on the experience of building and governing a multi-year Zero Trust programme across one of Southeast Asia's most complex digital groups.
Compliance
Compliance is a floor, not a ceiling, but it is a mandatory floor. ACFC turns regulatory requirements into practical security improvements. We have navigated Bursa Malaysia, BNM RMiT, NACSA, and CSA 2024 obligations across complex, multi-jurisdiction organisations and deliver assessments that satisfy regulators as well as genuinely improving security posture.
What Risk Advisory Covers
Risk Advisory & Consultancy Services
Strategic counsel for CISOs, Boards, and Risk Committees who need more than an assessment report. ACFC's advisory team has operated at group CISO level with board reporting responsibility across a publicly listed organisation, translating technical risk into business language, informing investment decisions, and guiding security programmes through regulatory scrutiny.
Risk Advisory & Consultancy Services
Bespoke advisory engagements for security leaders, Boards, and Risk Committees covering cyber risk quantification, security investment prioritisation, programme effectiveness review, regulatory interpretation, and strategic security planning. ACFC advisors have operated at group CISO level with board reporting responsibility across a publicly listed organisation spanning 12 entities and five countries. Every advisory engagement is informed by live HELIOS threat intelligence, meaning advice is grounded in the actual adversary landscape facing your organisation, not generic industry benchmarks.
TALK TO US
Ready to see your risk the way your adversaries see it?
Tell us which area concerns you most. We'll connect you with the right practitioner.
Or email us directly at hello@axiatacfc.com
Security Assessments
Identify gaps before your adversaries do. ACFC’s assessment services pair HELIOS external attack surface intelligence with CREST-accredited human testing to deliver validated, actionable findings across every layer of your technology environment.
Penetration Testing
OWASP-aligned penetration testing across web applications, mobile (iOS/Android), APIs, network infrastructure, cloud environments, and OT/SCADA systems. Each engagement follows a six-phase methodology: Pre-engagement, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting, and Remediation Verification. We support black-box, grey-box and white-box testing approaches where applicable. Every finding is clearly explained, reproducible, and demonstrated, with no unvalidated or “rat rated” issues. Post-remediation testing is conducted to verify fixes and confirm vulnerabilities remain closed.
Vulnerability Management
Continuous, risk-based VM programme identifying, prioritising, and tracking remediation of vulnerabilities across your entire attack surface. Integrates automated scanning tools directly into the programme, with risk-based prioritisation. We deploy scanners into your environment, not just reports. Includes CVE scores and CVSS scores so your team can address what matters most.
Risk Assessment & Gap Analysis
Structured risk assessment identifying security controls against a defined standard: NIST CSF, ISO 27001, PCI DSS, RMiT, or a bespoke baseline. Produces a risk-rated gap register, ownership assignment, and a prioritised remediation roadmap with business impact assessments at every finding level.
Source Code Review
Manual and automated review of application source code to uncover logic flaws, hardcoded credentials, insecure cryptography, injection vulnerabilities, and architectural weaknesses invisible to runtime testing. Line-level findings with developer-ready remediation guidance.
Cloud Security Posture Assessment
Assessment of AWS, Azure, or GCP environments against our MBSS, CIS Benchmark, or your organization's baseline.
Network & Infrastructure Security Review
Manual review of network segmentation (firewall rules, ACLs, routing policies), hardening baselines (servers, network devices), insecure protocols, and weak cryptographic configurations. Includes initial access as authorised.
SOC Maturity Assessment
Independent maturity assessment of your Security Operations function against the CMMI Security Maturity Model, covering people, process, technology, governance, risk and compliance. Delivered as a risk-rated Maturity Report. Aligned with NIST CSF, MITRE ATT&CK, and CREST. Benchmarked against industry SOC maturity levels. Includes a prioritised improvement roadmap.
Cybersecurity Posture Assessment
HELIOS-powered comprehensive assessment combining external attack surface intelligence, dark web monitoring, code repository scanning, cloud container discovery, and governance control review. Produces a board-ready risk score and remediation roadmap.
Red Team Exercises
ACFC’s Red Team conducts APT-simulated, multi-vector adversarial exercises using TTPs aligned with real adversary groups, simulating attacks across digital, social engineering, and physical vectors. These exercises are mapped to the Cyber Kill Chain framework to assess the effectiveness of your detection, response, and technical controls.
MBSS Assessment
Assessment against Malaysia's Minimum Baseline Security Standards, the national cybersecurity baseline for government agencies and CNII operators. ACFC has implemented MBSS assessments across 12 operating entities covering 575+ standards, 1,000+ automated compliance scripts, and five technology domains.
Architecture & Governance
Security strategy without architecture is a list of intentions. ACFC's architecture and governance practice translates strategy into implementable design, drawing on the experience of building and governing a multi-year Zero Trust programme across one of Southeast Asia's most complex digital groups.
Enterprise Security Architecture & Roadmap
End-to-end security architecture design and multi-year programme roadmap. ACFC's ESA service covers current-state discovery, gap assessment against a target architecture, reference architecture design, and a phased investment roadmap prioritised by risk and business impact. ACFC has designed and is executing a multi-year Zero Trust programme for the Axiata Group; this methodology is now available to enterprise clients. Includes executive presentation and board-level narrative for programme approval.
Security Architecture Assessments
Review of your existing security architecture against best-practice frameworks, identifying design flaws, technology gaps, and integration weaknesses across network, identity, cloud, OT/IT convergence zones, and application security layers.
Third-Party Security Management Blueprint
Design of a vendor security risk framework: supplier classification, minimum security requirements, contract language, due diligence questionnaires, and ongoing monitoring. Addresses the supply chain risk that has caused several of the region's most significant breaches.
Reference Architecture & Models
Reusable, security-validated blueprints for common deployment patterns: secure cloud landing zone, Zero Trust remote access, OT/IT integration, API security architecture, and data protection architecture. Eliminates repeated security design cost across new projects and acquisitions.
Cybersecurity Architecture Governance
Establishes an ongoing function to review all major technology investments, including the design of an Architecture Review Board, a security review process, decision criteria, and governance reporting. This also includes technology standardisation and harmonisation, rationalising security tooling and technology standards across the organisation to reduce duplication, fill coverage gaps, and produce a consolidated standard that simplifies management and enhances overall security visibility.
Compliance
Compliance is a floor, not a ceiling, but it is a mandatory floor. ACFC turns regulatory requirements into practical security improvements. We have navigated Bursa Malaysia, BNM RMiT, NACSA, and CSA 2024 obligations across complex, multi-jurisdiction organisations and deliver assessments that satisfy regulators as well as genuinely improving security posture.
Cybersecurity Posture Assessment - Regulatory Grade
ACFC's flagship compliance assessment: a comprehensive evaluation combining HELIOS external attack surface intelligence, governance control reviews, and technical testing into a single, regulator-ready deliverable. Used by Bursa Malaysia-regulated investment banks for mandatory regulatory exercises, covering internet-exposed vulnerabilities, dark web credential exposure, code repository leaks, cloud container exposure, and governance controls. Produces a scored assessment report, risk register, and prioritised remediation roadmap ready for board and regulatory submission.
Country Security Compliance Assessments
Jurisdiction-specific compliance assessments for organisations operating across multiple Southeast Asian and South Asian markets. ACFC understands the regulatory landscape across Malaysia, Indonesia, Bangladesh, Cambodia, Sri Lanka, and Nepal, assessing compliance with local cybersecurity laws, data protection regulations, and sector-specific requirements in each market.
Third-Party Risk Assessments
Point-in-time and ongoing security assessments of your critical vendors, technology suppliers, and outsourced service providers, producing a tiered risk rating, findings report, and remediation engagement path. ACFC conducts 200+ third-party risk assessments annually and addresses the supply chain risk requirements under BNM RMiT and ISO 27001.
NIST Zero Trust Maturity Assessment
Assessment of your organisation's Zero Trust maturity across the five NIST pillars: Identity, Devices, Networks, Applications & Workloads, and Data. ACFC has designed and implemented a multi-year Zero Trust programme for the Axiata Group. This assessment draws directly from that experience to produce a credible maturity score with a phased improvement roadmap.
Risk Advisory & Consultancy Services
Strategic counsel for CISOs, Boards, and Risk Committees who need more than an assessment report. ACFC's advisory team has operated at group CISO level with board reporting responsibility across a publicly listed organisation, translating technical risk into business language, informing investment decisions, and guiding security programmes through regulatory scrutiny.
Risk Advisory & Consultancy Services
Bespoke advisory engagements for security leaders, Boards, and Risk Committees covering cyber risk quantification, security investment prioritisation, programme effectiveness review, regulatory interpretation, and strategic security planning. ACFC advisors have operated at group CISO level with board reporting responsibility across a publicly listed organisation spanning 12 entities and five countries. Every advisory engagement is informed by live HELIOS threat intelligence, meaning advice is grounded in the actual adversary landscape facing your organisation, not generic industry benchmarks.
Ready to see your risk the way your adversaries see it?
Tell us which area concerns you most. We'll connect you with the right practitioner.
Book an Assessment
Pen test, VM programme, Red Team, Cloud Security, or Posture Assessment: tell us your environment and we'll scope the right engagement.
Request a HELIOS Demo
See your attack surface the way HELIOS maps it live. We'll show you what's exposed about your organisation right now, before any engagement begins.
Strategic Advisory
CISO-level advisory, board briefing, risk programme review, or regulatory preparation: speak with an advisor who has operated at the same level.