Compass Security’s cover photo
Compass Security

Compass Security

Computer and Network Security

Rapperswil, SG 4,220 followers

Keeping Cyber Risks Under Control

About us

Compass Security specializes in offensive and defensive IT security. Since 1999, we have supported companies across business and industry, as well as organizations in research and the public sector, in managing cyber risks effectively. Along the three pillars of cybersecurity—prevention, detection, and response—we provide targeted support to strengthen digital resilience, identify cyber threats, and respond confidently when it matters most. We work with organizations of varying risk profiles, regardless of their size or level of maturity, translating complex security challenges into clear, actionable measures. Our clients benefit from decades of experience and the expertise of a large team of cybersecurity specialists. International certifications such as ISO/IEC 27001:2022 and CREST accreditation confirm that our work meets the highest quality standards.

Website
https://www.compass-security.com
Industry
Computer and Network Security
Company size
51-200 employees
Headquarters
Rapperswil, SG
Type
Privately Held
Founded
1999
Specialties
Ethical Hacking, Penetration Testing, Security Reviews, Secure File Transfer, Secure Data Exchange, Red Teaming, Managed Detection and Incident Response, Incident Response, Purple Teaming, Managed Bug Bounty Service, and Cyber Security Trainings

Locations

Employees at Compass Security

Updates

  • Our latest blog post demonstrates how a product under Cyber Resilience Act (CRA) is assessed in practice. In Part II of our CRA series, we walk through the complete assessment of a low cost IP camera, from product classification and threat modelling to hardware analysis and compliance verification against IEC 62443-4-2. The article covers: ▪️ applying STRIDE based threat modelling ▪️ classifying a product under the CRA ▪️deriving security requirements from IEC 62443-4-2 ▪️analysing hardware, firmware and debug interfaces ▪️mapping technical findings to CRA compliance gaps The assessment identified multiple weaknesses, including unauthenticated video access, UART shell access and missing firmware integrity protection, resulting in the device failing both Security Level 1 and Security Level 2 requirements. At least, it passed as a great example. 😉 Read the full blog post. https://lnkd.in/enAjS_b2 #CyberResilienceAct #IEC62443 #ProductSecurity #EmbeddedSecurity #CyberSecurity

  • Our Basel colleague Tobias Hort-Giess briefly explains how to determine whether a product falls under the Cyber Resilience Act (CRA), how CRA product classes are assigned, and how organizations can assess their current level of compliance. This is the first article in a two part series. In this part, we explain the CRA, introduce the different product classes, and show how we translate regulatory requirements into a structured technical assessment. In Part II, we demonstrate the methodology using a practical assessment based on IEC 62443. The article also covers: - determining whether a product falls within the CRA scope - the different CRA product classes and their assessment requirements - how threat modelling, gap analyses, and security testing support readiness - why use IEC 62443 as an assessment framework and how it maps to CRA - suggest assessment approaches (target or Security Level - SL) Read the full blog post: https://lnkd.in/eUxFZQTb #CyberResilienceAct #CRA #IEC62443 #ProductSecurity #CyberSecurity

  • #CompassMDRInsights Organizations with an existing SOC or security team often reach a point where maintaining Microsoft Defender XDR content becomes increasingly challenging and time-consuming.   As a result, organizations often seek additional support in areas such as: •      Configuration and ongoing maintenance of the Microsoft Defender XDR platform •      Deployment and long-term maintenance of detection rules and alerts •      Creation and maintenance of dashboards and other custom content (automation rules, Logic Apps, …) •      Expert guidance on alerts and security incidents •      Log ingestion •      Best practices, incident response playbooks, and detection rules   This is exactly where our subscription-based 𝗠𝗮𝗻𝗮𝗴𝗲𝗱 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗖𝗼𝗻𝘁𝗲𝗻𝘁 𝘀𝗲𝗿𝘃𝗶𝗰𝗲 comes in. It is designed to cover these areas in a structured and continuous way. This enables your SOC or security team to focus on what matters most: alerts and critical incidents.   We take care of platform maintenance, detection content, and continuous improvements. In addition, you gain access to our documentation on incident handling, alert response procedures, analyst playbooks, and more.   👉 Focus on investigating threats while keeping your detection content up to date.   Learn more about our service at https://lnkd.in/ees4MJDd #CyberSecurity #CompassMDRInsights #MDRInsights #ThreatDetection #ManagedSecurity #BlueTeam #SOC #MDR

  • We're at area41 security conference this week, come find us at our booth! If you run Purple Team engagements, RAPTR might be exactly what's been missing from your workflow. It's an open-source collaboration platform that lets offensive and defensive teams plan campaigns, log attacks and detections side-by-side, track results, and generate reports, all in one place. Stop by for a live demo! #Area41 #PurpleTeam #OpenSource

    • No alternative text description for this image
  • We're at area41 security conference in Dübendorf (CH) next week and if Entra ID security is on your radar, we'd love to show you EntraFalcon. It's a free, open-source PowerShell tool built for cloud administrators, pentesters and security analysts who want a clear picture of their Microsoft Entra ID environment. Privileged objects, risky assignments, Conditional Access gaps: EntraFalcon finds what's easy to miss. Come by our booth for a demo! Our team on site: Patrick Vananti | Alessandro Zala | Daniel Schenker | Ivano Somaini #Area41 #EntraID #CloudSecurity #OpenSource

    • No alternative text description for this image
  • Thanks to everyone who joined our Beer Talk on "Post-Quantum Cryptography in Practice". Great to see so many familiar and new faces.   If you missed it, here are the key takeaways: • The threat is real. With "harvest now, decrypt later", sensitive data can already be at risk today. • The timeline is moving closer, the window for action is open but narrowing. • PQC is ready. Standards are in place and adoption has already started.     #PostQuantumCryptography #PQC #Cybersecurity #NIST --- Thinking about your next steps? We're happy to support your migration, from initial threat assessment to advising on implementation choices. Feel free to reach out.

    • No alternative text description for this image
  • AI agents are showing up in Entra ID tenants. Do you know what permissions they have? Microsoft Entra Agent ID introduces new service-principal-based identity concepts including agent blueprints, blueprint principals, agent identities, agent users, inheritable permissions, and new authentication flows. Our security analyst Christian Feuchter took a close look at how these objects work, where the risks lie, and how to review them. The post focuses on what matters when evaluating Agent ID in Entra ID tenants, including: 🔹 how Agent ID objects differs from traditional app registrations and enterprise applications 🔹 where credentials are stored and why blueprint ownership matters 🔹 which roles and API permissions can control Agent ID-related objects 🔹 how API permissions can be assigned directly or inherited through blueprints 🔹 cross-tenant implications of foreign blueprints 🔹 some example attack paths such as blueprint ownership abuse and Agent ID consent phishing It also shows how Agent ID-related risks can be identified with our open-source tool EntraFalcon. Dive in and enjoy: https://lnkd.in/eC_ecYSD

    • No alternative text description for this image
  • Compass Security reposted this

    View organization page for KMUdate

    830 followers

    Cyberangriffe treffen längst nicht nur Konzerne, sondern immer häufiger auch KMU. Genau darüber haben wir gestern am «KMUdate» bei der Strässle Installationen AG in Amriswil gesprochen: Unter der Moderation von Regula Späni gaben Cybersecurity-Experte Ivan Bütler (Compass Security), Andrea Roth (CEO Geobrugg) und Gastgeber Andreas Schmidt (Geschäftsführer Strässle Installationen) spannende Einblicke in: - reale Cyberangriffe auf Unternehmen - die Rolle von Cyberversicherungen und Spezialisten im Ernstfall - konkrete Massnahmen der Mitarbeitenden - Tipps, wie sich KMU und Privatpersonen schützen können Beim anschliessenden Apéro von «Genial Delikat gmbh» blieb viel Zeit für Austausch und Networking – und es wurde klar: Cybersecurity ist längst ein zentrales Thema auch für kleinere und mittlere Unternehmen. Ein grosses Dankeschön an unsere Referenten, alle Gäste und Strässle Installationen AG für die Gastfreundschaft und den gelungenen Anlass! Hier gibt's mehr Informationen und Impressionen, eingefangen von Kirsten Oertle: https://lnkd.in/e_wxyYni Weniger anzeigen

    • No alternative text description for this image
    • No alternative text description for this image
    • No alternative text description for this image
    • No alternative text description for this image
    • No alternative text description for this image
      +6
  • The Teleboy bug bounty program has been topped up with another CHF 10'000 in rewards. More than 400'000 users rely on Teleboy for streaming, internet, and telephony services. By continuing to collaborate with the security community, Teleboy reinforces its commitment to finding and fixing vulnerabilities before they can impact customers. Whether you're interested in web applications, APIs, or telecommunications platforms, there are plenty of opportunities to make an impact while earning rewards. Program: https://lnkd.in/d-tdgGDm #bugbounty #cybersecurity #ethicalhacking

    • No alternative text description for this image

Similar pages

Browse jobs