
NirVyn Methodology

How we work

Our four-step engagement methodology — the spine that runs through every piece of work we do.

The strongest security programmes are designed. The weakest are improvised. The difference between the two is usually visible at the moment of the first engagement letter — not the first incident.

Why, then, does so much security advisory start at the incident and work backwards?

Most security problems are design problems before they are operational ones. The methodology below describes how we run a piece of work from the first scoping conversation through to the deliverable a client's team will actually use on a Monday morning. Four steps, each producing a defined output that the next step depends on. It is build-out-agnostic. The same spine runs through a greenfield GCC assessment, a brownfield reassessment, an insider-risk investigation, or an architecture review. Different work, same discipline. For greenfield and new-site work specifically, a build-out lens called Site → Shell → Systems → Steady-state sits over the methodology — we come back to that lower down the page.

Step 1 of 4

Threat Assessment

The input layer. What the client is actually exposed to.

What this step is. Threat assessment is the input layer. Before we examine what the client should do, we examine what they are exposed to — concretely, not generically. The threat picture has to be specific to this client's sector, footprint, and operating profile; the moment it becomes a template, the rest of the methodology weakens.

The questions we answer. What is the actual threat landscape this client faces? What incidents have they (and similar operations) experienced? What are the regulatory, operational, and adversarial pressures specific to this engagement? What does the empirical record say — not the marketing literature?

Inputs and output. Inputs: client briefings, site visits where applicable, OSINT layers, a regulatory scan in scope (DPDP, CERT-In, sectoral codes), incident history (client's own and sectoral), and where the engagement warrants it, ground-validated intelligence. Output: a defensible, specific threat picture — evidenced, dated, and structured so the next step can calibrate against it without rework.

This is the step where most generic security advisory weakens — the threat picture treated as a checklist, or copy-pasted from the last engagement. Done well, it is the foundation everything else stands on.
Step 2 of 4

Risk Calibration

Threats translated into the client's business reality.

What this step is. Risk calibration translates threats into the client's business reality. A threat picture, however accurate, is not yet useful — it has to be weighed against what the client actually values, what the client can afford to lose, and what the regulatory and parent-company environment will permit. The same threat carries different weight in different operations; the calibration is what makes the difference visible.

The questions we answer. Which of the assessed threats matter most to this specific operation? What is the client's risk appetite — articulated, not assumed? What constraints (regulatory, parent-company, budgetary, cultural) shape what mitigation is actually deployable? How do these threats interact — and where does a single mitigation address multiple exposures?

Inputs and output. Inputs: the threat picture from Step 1, the client's strategic and operational context, the regulatory frameworks in scope, and a structured conversation with leadership about what ‘acceptable’ means in their setting. Output: a prioritised risk register — calibrated to the client, defensible to the board, and ready to anchor the next step.

This is the step where the firm earns the trust of a board. Anyone can produce a threat picture; a calibrated risk register requires understanding the business as well as the threat.

Step 3 of 4

Posture Baseline

The snapshot. Scored, evidenced, retained for re-scoring.

What this step is. Posture baseline is the snapshot the client takes away. It captures, in a re-readable form, where the operation stands today against the calibrated risk picture — scored, evidenced, and structured so the client can re-score against the same baseline in twelve months or twenty-four. Most assessments produce a one-time finding; a posture baseline produces an instrument.

The questions we answer. How does the operation actually perform today against each prioritised risk? Where are the gaps — and how severe? Where are the strengths the client may not have credited themselves with? What is the trajectory — improving, stable, or eroding?

Inputs and output. Inputs: the prioritised risk register from Step 2, the existing controls and their measured effectiveness (not their documented intent), and the operational evidence gathered through site assessments, document review, and conversations with the people who actually run the controls. Output: a baseline document the client retains — a single artifact that captures posture in a comparable, durable form.

The discipline at this step is honesty about what is being measured. Documented control intent and measured control effectiveness are not the same thing; the baseline depends on knowing which we are looking at.
Step 4 of 4

Solution Design

Phased, costed, built to be used on a Monday morning.

What this step is. Solution design is where the work earns its keep. The baseline tells the client where they stand. Solution design tells them what to do about it — sequenced, phased, and fitted to the constraints that the first three steps surfaced. This is the deliverable the client's team will live with for the next twelve to thirty-six months; everything earlier in the methodology exists to make this step land well.

The questions we answer. Which gaps must be closed urgently, which can be sequenced, which are acceptable to live with? What is the right mix of physical, technical, and procedural mitigation for each priority? How does this fit the client's budget envelope and operating cadence? What dependencies between mitigations need to be respected? Who owns what, by when?

Inputs and output. Inputs: the posture baseline from Step 3, the client's operating constraints, and a structured prioritisation conversation with leadership. Output: a phased solution roadmap — practical, costed where appropriate, and structured around how the client's team will actually execute it.

The endeavour, throughout, is to design what we deliver around how the client will use it on a Monday morning — not how the consulting industry has trained itself to format it. A report that gets filed has failed.
A build-out lens, for greenfield work

For new India build-outs — greenfield GCC and MNC operations — the four-step methodology is applied across a build-out-specific lens we call Site → Shell → Systems → Steady-state. The four S's describe the four windows in a build-out lifecycle where security decisions are cheapest to get right and most expensive to retrofit. The methodology runs across all four; the lens sharpens what we examine in each.

Read more in the thought leadership piece Security Belongs on the Blueprint, or on the forthcoming Greenfield page.

Built for

This methodology is built for senior-led engagements at:

• Global Capability Centres operating in India — established centres and new build-outs

• Multinational corporations with India operations — entry, expansion, and reassessment

• Large Indian industrial enterprises — multi-site footprints and converged risk programmes

• Multi-site enterprises generally — where comparability across sites is the value, not findings at any one site


This methodology describes how each piece of work moves from scope to closeout. The principles that govern how every engagement is actually run — partner-led, scope-discipline, confidentiality, deliverable-built-to-be-used — are set out separately on the About page under How We Work.
