Trust is no longer assumed. It is engineered, measured, and continuously proven.
Nucleus Systems is a Digital Trust Assurance firm. We build measurable trust across cybersecurity, AI governance, code security, digital identity and payments — through four proprietary frameworks, purpose-built platforms, and specialist services.
The code security platform that enforces trust at every commit.
Paxley is our only product — built to operationalise the NS-CTAF and NS-AIGF frameworks at the point of development. GitHub-native, repo-priced, and designed for enterprises where AI writes a growing share of the code.
Code Trust (NS-CTAF)
Every commit, PR and release scanned against the full NS-CTAF control set. CTA-1 through CTA-4 scoring, continuously.
AI Governance (NS-AIGF)
Continuous NS-AIGF control monitoring for AI systems in production, with EU AI Act compliance tracking.
SBOM & supply chain
Automatic SBOM generation, dependency health scoring, licence compliance and open-source risk tracking.
Repo-based pricing
Priced per repository, not per developer. Security costs scale with your codebase, not your headcount.
Framework → Platform → Service. In that order.
Every Nucleus Systems engagement starts with a proprietary framework. The framework defines the controls. Our platforms operationalise those controls at scale. Our practitioners deliver the service. This is the model that separates us from generalist consultancies.
Proprietary IP
Four internally developed frameworks — NS-CMMF, NS-AIGF, NS-AISCA and NS-CTAF — define every control, scoring model and maturity level we use.
Purpose-built delivery
Paxley and our Cybersecurity Maturity Platform operationalise framework controls continuously. Not periodic audits — live scoring.
Practitioner delivery
Specialist practitioners deploy the frameworks and platforms, deliver findings boards can act on, and track improvement across every engagement.
Three pillars. Four proprietary frameworks. One trust standard.
Each pillar represents a distinct domain of trust — with its own framework, platform and specialist service offering. Together, they cover the full surface area of enterprise digital trust.
Cybersecurity Trust & Resilience
188-control maturity assessment across 6 NIST-aligned domains. L1→L5 scoring. Board-ready trust index.
AI Trust & Governance
60-control AI governance framework across 7 domains. EU AI Act, ISO 42001 and NIST AI RMF aligned.
AI Security & Assurance
108-control AI security framework across 12 domains. GenAI, Agentic AI and MLSecOps coverage.
Code Trust & Secure Digital Delivery
86-control code trust framework. CTA-1→CTA-4 certification. DevSecOps, SBOM governance and AI-assisted code security.
Our intellectual property. Not adapted standards.
Most consultancies apply existing public standards. Nucleus Systems built four proprietary frameworks — each with its own control set, scoring model, maturity levels and assessment methodology. These are the instruments behind every trust score we produce.
Cybersecurity Maturity Measurement Framework
188 controls · 6 domains · 32 external mappings · L1→L5 maturity · v2.4.1
AI Governance Framework
60 controls · 7 governance domains · EU AI Act · ISO 42001 · NIST AI RMF · v1.3.0
AI Security Controls Architecture
108 controls · 12 security domains · GenAI · Agentic AI · MLSecOps · v1.1.0
Code Trust Assurance Framework
86 controls · 6 trust domains · CTA-1→CTA-4 certification · Paxley delivery · v2.0.1
Trust maturity model
Specialist expertise where the frameworks meet the market.
Beyond the four core pillars, we deliver specialist solutions in areas that demand deep domain knowledge — payment systems, digital identity, financial inclusion and quantum-safe cryptography.
Managed Detection & Response
24/7 MDR in partnership with CyberOne MSSP, anchored to NS-CMMF maturity context.
Payment Security & DPI
Mojaloop, Tazama, COMESA and PCI DSS. Securing payment infrastructure and digital public rails.
Verifiable Credentials & Digital Identity
MOSIP, OpenG2P, W3C VC, DID. Security for national identity programmes and credential ecosystems.
Financial Inclusion & Emerging Markets
Mobile money, agent banking and microfinance security across Africa, Asia and the Pacific.
Post-Quantum Cryptography Advisory
CBOM analysis, PQC readiness, crypto agility design and NIST PQC migration roadmaps.
Thirteen years of proving trust.
Founded
Nucleus Systems established with a single focus: making trust measurable.
NS-CMMF launched
Our first proprietary framework turns maturity into a trackable score.
M&A cyber practice
Cyber due diligence becomes a core service for private equity buyers.
Global scale
Engagements pass 300 across more than 25 countries.
AI assurance
NS-AIGF and NS-AISCA bring governance and security to AI systems.
Paxley platform
Code Trust Assurance gets its own platform layer.
600+ engagements
40+ countries, four frameworks, one continuously proven standard.
Where trust carries the most weight.
We work where a failure of trust is not an inconvenience — it is a systemic event.
Financial Services
Banks, insurers and asset managers where a trust failure triggers systemic regulatory action.
Government
Public institutions where digital trust is foundational to governance and citizen confidence.
Digital Public Infrastructure
National identity, payment rails and data exchanges that underpin entire economies.
Fintech
Regulated disruptors building trust at speed across payments, lending and digital wealth.
Healthcare
Patient data, clinical systems and AI diagnostics where trust is a matter of life.
Technology
Platforms, SaaS and AI companies proving security posture to enterprise buyers and boards.
Private Equity
Deal teams and portfolio companies managing cyber risk through M&A and ownership cycles.
Critical Infrastructure
Energy, water and transport operators where a breach carries national consequences.
Work with sector specialists
Don't see your industry?
We likely cover it.
Our practitioners have operated across 40+ countries and a wide range of regulated sectors. Tell us where you are — we'll tell you how we can help.
A trust standard that travels.
From one methodology applied consistently across 40+ countries and six domains, a board in one market reads the same score a regulator reads in another.
From the Nucleus Systems desk
Trust, proven.
Tell us where trust matters most in your organisation. We will show you how to engineer it, measure it, and keep proving it.
The trust frontier, in writing.
Research, frameworks and field notes from our practitioners on the questions that matter most.
All Publications
Engineer trust for a living.
We are a team of specialists who would rather measure trust than talk about it. If you want your work to show up as a number a board acts on, you will fit in here.
Work that proves itself.
We hire people who care about evidence. Here is what you can expect in return.
Real frontier work
AI security, post-quantum, DPI. You work on the problems most firms are only starting to name.
Flexible by default
Hybrid and remote roles across regions, built around outcomes rather than hours at a desk.
Certifications funded
We back the credentials that matter, from CISSP to ISO 42001 lead, and the time to earn them.
Measured growth
Clear progression mapped to skill, with the same rigour we bring to client maturity models.
Small, senior teams
You work alongside experts, not layers of management. Your name is on the assessment.
Global, balanced
Competitive packages, generous leave, and travel only when it genuinely moves the work forward.
No opportunities at the moment.
We are not actively hiring right now. We still review every application, so if you can prove trust, introduce yourself and we will reach out when the right role opens.
Don't see your role?
We are always interested in people who can prove trust. Tell us what you do best.
Let's prove it.
Tell us where trust matters most in your organisation. We will come back within one business day to set up a briefing.
Built by practitioners.
Driven by trust.
Our team brings together decades of hands-on experience in cybersecurity, digital finance, AI governance, and open-source infrastructure — deployed across Africa, the Middle East, and beyond.
A team forged in the world's most demanding digital environments.
Nucleus Systems was founded on a simple conviction: that digital trust must be engineered, measured, and continuously proven — not assumed. Our practitioners have built, broken, and secured the systems that underpin financial services, government infrastructure, and open-source platforms across Africa, the Middle East, and Europe.
We are practitioners first. Every member of the Nucleus team has operated in real environments — implementing cryptographic systems, leading regulatory compliance programmes, architecting cloud security for tier-one banks, and contributing to the open-source platforms that power digital public infrastructure worldwide.
This depth of hands-on experience is what separates us from advisory-only firms. When we assess your security posture, design your AI governance framework, or guide your M&A cyber due diligence — we are drawing on direct operational knowledge, not theory.
Godfrey Kutumela
A seasoned expert in digital trust, fintech, and regtech with extensive experience across African and Middle Eastern banking and payments sectors. Godfrey has held pivotal roles at institutions like Alinma Bank and MTN Fintech, supporting financial innovation across 16 African markets. As CEO of Nucleus Systems, he specialises in Digital Financial Services, Digital Public Infrastructure, and Private Equity M&A technology due diligence — having led over 150 investment-focused engagements.
Co-creator of OpenSwitchAfrica and contributor to Mojaloop, Tazama, Mifos, MOSIP, and OpenG2P.
Our Practitioners
Aime Bukasa
Enterprise Security Architect with deep expertise in cryptography, EMV systems, PKI, ISO 20022, and blockchain — deployed across IBM, Standard Bank, Investec, and major financial institutions in South Africa, Europe, and the Middle East.
Kerlyn Manyi
Seasoned cybersecurity professional leading vulnerability assessments, secure SDLC integration, and compliance for platforms like Mojaloop. Pursuing a Ph.D. in Network Security — passionate about inclusive digital ecosystems in emerging markets.
Yash Sancheti
Cybersecurity researcher and solution architect specialising in DevSecOps, CI/CD security, and cloud-native infrastructure. Google Summer of Code contributor and mentor. 50+ verified vulnerabilities reported on HackerOne and OpenBugBounty.
Akshat Sharma
AI, machine learning, and cybersecurity engineer with published research on stock market prediction, breach analysis, and deep learning. GSoC 2025 mentor at The Mifos Initiative. LeetCode top 3%, active open-source contributor.
Ready to put this expertise to work for your organisation?
Whether you need a Fractional CISO, a cybersecurity maturity assessment, AI governance design, or M&A technology due diligence — our team is ready to engage.
Digital Trust Assurance.
Built on Intellectual Property.
Nucleus Systems is a specialist Digital Trust Assurance firm helping enterprises, governments and financial institutions build, measure and continuously prove trust across cybersecurity, artificial intelligence, software supply chains, digital identity and payments.
We engineer trust. We don't just advise on it.
Nucleus Systems was founded on the belief that trust in digital systems cannot be assumed — it must be engineered, measured and continuously proven. Where most consulting firms offer generic frameworks adapted from public standards, we built our own: four proprietary frameworks that represent years of research, field testing and continuous refinement across every major industry vertical.
Our operating model integrates Framework, Platform and Service into a single coherent delivery model. Every engagement is backed by a proprietary assessment methodology. Every outcome is quantified. Every finding is mapped to a remediation roadmap that clients can act on immediately.
We operate at the intersection of cybersecurity, artificial intelligence governance, code security, digital identity and payments — domains that increasingly converge in the modern enterprise and that individually require specialist expertise that generalist firms cannot reliably deliver.
Proprietary IP
Four proprietary frameworks — NS-CMMF, NS-AIGF, NS-AISCA and NS-CTAF — form the backbone of every engagement.
Purpose-built Platforms
Paxley and our Cybersecurity Maturity Platform are not third-party tools. They are built to deliver our frameworks at scale.
Quantified Outcomes
We score every control, weight every domain and produce trust scores that boards and regulators can read and act on.
Regulatory Alignment
Every framework is mapped to NIST, ISO, EU AI Act, GDPR, PCI DSS and other major standards — so compliance gaps surface automatically.
The numbers behind the practice
Ready to build provable trust?
Speak with a Nucleus Systems practitioner about your specific environment and objectives.
Cybersecurity Trust & Resilience
We assess, score and continuously improve cybersecurity maturity across your organisation using the NS-CMMF — our proprietary maturity framework mapped to 32 global standards.
Cybersecurity maturity that goes beyond compliance
Most organisations can pass a compliance audit. Very few can demonstrate genuine operational resilience. Nucleus Systems built Core Pillar 1 to close that gap: a structured, scored, 5-level maturity model that assesses 188 controls across six NIST-aligned domains, then maps every finding to a board-readable trust score and a prioritised remediation roadmap.
The NS-CMMF framework and its supporting Cybersecurity Maturity Platform allow us to track improvement over time, compare performance against industry benchmarks and produce evidence that regulators, insurers and acquirers can rely on.
Services delivered under Pillar 1
All services are anchored to the NS-CMMF framework and delivered through the Cybersecurity Maturity Platform.
- Cybersecurity Maturity Assessment (NS-CMMF Level 1–5)
- Enterprise Security Architecture Review
- Security Policy & Governance Framework Design
- Threat & Vulnerability Management Programme
- Incident Response Planning & Tabletop Exercises
- Mergers & Acquisitions Cyber Due Diligence
- Regulatory Compliance Advisory (NIST, ISO 27001, GDPR, PCI DSS)
- Security Operations Capability Assessment
- Board-Level Cybersecurity Reporting & Trust Index
- Continuous Monitoring & Posture Management
- Third-Party & Supply Chain Risk Assessment
- Cloud Security Architecture Review (AWS, Azure, GCP)
Start your maturity assessment
A Nucleus Systems practitioner will scope the right NS-CMMF assessment tier for your organisation and produce a trust score within an agreed timeframe.
AI Trust & Governance
We help organisations govern artificial intelligence responsibly — from board-level policy to algorithmic accountability — using the NS-AIGF framework, aligned to the EU AI Act, ISO 42001 and NIST AI RMF.
AI governance that boards and regulators can rely on
The proliferation of AI across enterprise operations has created a governance gap that is now receiving intense regulatory scrutiny. The EU AI Act imposes mandatory compliance obligations. ISO 42001 establishes a management systems standard for AI. Boards are being held accountable for AI decisions they don't yet have the tools to understand.
Nucleus Systems built the NS-AIGF — a 60-control AI governance framework spanning 7 domains — to give organisations a structured, auditable and continuously improving AI governance posture. Our Paxley AI Governance Platform delivers these controls at operational scale.
Services delivered under Pillar 2A
All services are anchored to the NS-AIGF framework and delivered with the Paxley AI Governance Platform.
- AI Governance Framework Design (NS-AIGF)
- EU AI Act Readiness Assessment & Gap Analysis
- ISO 42001 Certification Advisory
- Board AI Governance Policy Development
- AI Risk Register Creation & Maintenance
- AI Ethics & Responsible AI Programme
- Algorithmic Accountability & Explainability Assessment
- AI Regulatory Compliance Advisory (EU AI Act, GDPR)
- AI Procurement & Third-Party Risk Review
- AI Incident Response Planning
- Continuous AI Governance Monitoring (via Paxley)
- Executive AI Governance Reporting & Trust Scoring
Build an AI governance programme your board can stand behind
We scope NS-AIGF assessments to your current AI footprint and regulatory obligations — delivering a programme that grows with your AI adoption.
AI Security & Assurance
We assess and secure the technical infrastructure of AI systems — from model development pipelines to agentic AI deployments — using the NS-AISCA framework, spanning 108 controls across 12 security domains.
Security for AI systems, not just governance of them
Pillar 2A governs how AI is used and governed. Pillar 2B secures the AI systems themselves. These are distinct disciplines requiring different skills. The NS-AISCA framework was built to address the security risks unique to machine learning systems: adversarial attacks, data poisoning, model inversion, prompt injection, agentic AI autonomy risks and MLOps pipeline vulnerabilities.
With 108 controls across 12 domains, NS-AISCA provides the most comprehensive AI security assessment structure available from a single practitioner firm, delivering findings that technical teams and boards can both act on.
Services delivered under Pillar 2B
- AI Security Assessment (NS-AISCA)
- Generative AI Security Review
- Agentic AI Security Architecture Assessment
- ML Pipeline Security & MLSecOps Advisory
- Adversarial Robustness Testing
- Prompt Injection & LLM Security Testing
- AI Model Risk Assessment
- Data Poisoning & Training Set Integrity Review
- AI Supply Chain Security Assessment
- Red Teaming for AI Systems
- AI Incident Response & Forensics
- Model Governance & Version Control Security
Secure your AI before it becomes a liability
Our NS-AISCA assessment delivers a structured security posture review of your AI systems with prioritised, actionable findings.
Code Trust & Secure Digital Delivery
We assess, certify and continuously monitor the trustworthiness of software — from source code to production — using the NS-CTAF framework and the Paxley Code Security Platform.
Trust in software has to be earned at every commit
Modern software supply chains are complex, distributed and increasingly AI-assisted. The risks are real: compromised open-source dependencies, unsigned binaries, insecure CI/CD pipelines, untested SBOMs and code written by AI models with no security accountability. Nucleus Systems built Core Pillar 3 to address this systematically.
The NS-CTAF framework defines 86 controls across 6 trust domains. The Paxley platform delivers these controls at the point of development — scanning every commit, validating every dependency, and producing a continuous Code Trust score that development teams, security teams and boards can all rely on.
Services delivered under Pillar 3
- Code Trust Assessment (NS-CTAF CTA-1 to CTA-4)
- Software Supply Chain Security Review
- DevSecOps Programme Design & Implementation
- SBOM (Software Bill of Materials) Governance
- Open Source Trust & Licence Compliance Assessment
- CI/CD Pipeline Security Review
- AI-Assisted Code Security Assessment
- Container & Infrastructure-as-Code Security Review
- GitHub Advanced Security Advisory
- Secrets Management & Credential Governance
- Continuous Code Security Monitoring (via Paxley)
- Developer Security Training & Upskilling
Certify the trust in your code
Book a Paxley demo or request an NS-CTAF assessment scoping call with a Nucleus Systems practitioner.
NS-CMMF
Nucleus Systems Cybersecurity Maturity Measurement Framework. A structured, scored and externally mapped maturity model for enterprise cybersecurity.
Version 2.4.1 · 2026
Design philosophy
NS-CMMF was designed to close the gap between compliance and operational resilience. Most organisations can pass an ISO 27001 audit or a SOC 2 review while remaining genuinely vulnerable to real-world threats. NS-CMMF addresses this by defining 188 controls that go beyond procedural compliance to assess actual implementation depth, operational consistency and evidence-based practice.
The 5-level maturity model (L1 Initial → L5 Optimised) allows organisations to track improvement over multiple assessment cycles and compare against industry-specific benchmarks. The 5-axis scoring model evaluates each control across Policy, Process, Technology, People and Measurement dimensions.
Coverage
All 188 controls are organised across 6 NIST CSF-aligned domains, with explicit mapping to 32 external standards including ISO 27001, CIS Controls v8, NIST 800-53, PCI DSS, SOC 2, GDPR and sector-specific frameworks.
Domain coverage
Six domains, each weighted by criticality. All 188 controls are distributed across these domains.
Identify
Asset management, business environment, governance, risk assessment and risk management strategy.
Protect
Access control, awareness and training, data security, information protection processes and protective technologies.
Detect
Anomaly and event detection, continuous security monitoring, and detection process definition and testing.
Respond
Response planning, communications, analysis, mitigation and improvements after a detected cybersecurity event.
Recover
Recovery planning, improvements and communications during and after a cybersecurity incident.
Govern
Security policy, board accountability, compliance obligations, third-party risk and supply chain security.
Framework specification
| Attribute | Specification |
|---|---|
| Framework ID | NS-CMMF |
| Full name | Nucleus Systems Cybersecurity Maturity Measurement Framework |
| Version | 2.4.1 (2026) |
| Total controls | 188 across 6 domains |
| Scoring model | 5-axis (Policy, Process, Technology, People, Measurement) |
| Maturity levels | L1 Initial · L2 Developing · L3 Defined · L4 Managed · L5 Optimised |
| External mappings | 32 frameworks including NIST CSF, ISO 27001, CIS v8, PCI DSS, SOC 2 |
| Delivery platform | Nucleus Systems Cybersecurity Maturity Platform |
| Assessment method | Evidence-based control evaluation with practitioner validation |
| Output | Domain scores, aggregate trust score (0–100), maturity level, remediation roadmap |
Apply NS-CMMF to your organisation
Speak with a Nucleus Systems practitioner to scope the right assessment tier for your sector and regulatory context.
NS-AIGF
Nucleus Systems AI Governance Framework. A structured governance model for responsible, accountable and auditable artificial intelligence.
Version 1.3.0 · 2026
Design philosophy
NS-AIGF was designed for organisations deploying AI at scale who need to demonstrate to regulators, boards, customers and partners that their AI systems are governed responsibly. Unlike generic ethics checklists, NS-AIGF is a structured control framework: 60 controls, 7 domains, each control mapped to specific regulatory obligations and industry standards.
The framework is technology-agnostic — it covers all AI modalities including predictive models, large language models, generative AI and agentic AI systems — and it is designed to be continuously assessed rather than a one-time audit.
External alignments
Domain coverage
AI Strategy & Policy
Board-level AI policy, AI governance committee structure, strategic risk appetite for AI and accountability assignment.
Risk Management
AI risk identification and categorisation, risk register governance, AI risk scoring methodology and residual risk management.
Transparency & Explainability
Model documentation, explainability requirements by risk tier, stakeholder communications and AI disclosure obligations.
Fairness & Non-Discrimination
Bias detection and mitigation, protected characteristic monitoring, fairness metrics and remediation processes.
Data Governance for AI
Training data provenance, data quality management, data rights compliance and dataset governance lifecycle.
Human Oversight
Human-in-the-loop requirements, override mechanisms, escalation pathways and accountability for AI decisions.
Regulatory Compliance
EU AI Act obligations by risk tier, incident reporting requirements, conformity assessment and third-party AI procurement governance.
Framework specification
| Attribute | Specification |
|---|---|
| Framework ID | NS-AIGF |
| Full name | Nucleus Systems AI Governance Framework |
| Version | 1.3.0 (2026) |
| Total controls | 60 across 7 domains |
| Primary alignments | EU AI Act, ISO 42001, NIST AI RMF, OECD AI Principles |
| AI modality coverage | Predictive ML, LLMs, Generative AI, Agentic AI |
| Delivery platform | Paxley AI Governance Platform |
| Assessment method | Control-level evaluation with regulatory mapping and board reporting |
| Output | Domain governance scores, aggregate AI governance rating, EU AI Act compliance gap report |
Apply NS-AIGF to your AI programme
Start with an EU AI Act readiness assessment or a full NS-AIGF governance review, depending on your current maturity and regulatory obligations.
NS-AISCA
Nucleus Systems AI Security Controls Architecture. A comprehensive technical security framework for AI systems, models, pipelines and infrastructure.
Version 1.1.0 · 2026
Design philosophy
NS-AISCA addresses a gap that most cybersecurity frameworks do not cover: the security of AI systems as technical artefacts. General cybersecurity frameworks (ISO 27001, NIST CSF) treat AI systems like any other IT asset. They are not. AI models have unique attack surfaces — adversarial inputs, training data poisoning, model extraction, hallucination exploitation and agentic autonomy risks — that require specialised security controls.
NS-AISCA defines 108 controls spanning 12 domains, organised to cover the full AI system lifecycle from data ingestion through model training, deployment, monitoring and decommissioning. It is the technical counterpart to NS-AIGF's governance layer.
Threat model coverage
Domain coverage
Data Security & Integrity
Training data validation, poisoning detection, data provenance and pipeline integrity controls.
Model Security
Model file integrity, access controls, serialisation security and model registry governance.
Adversarial Robustness
Input validation, adversarial testing, evasion attack resistance and robustness benchmarking.
LLM & GenAI Security
Prompt injection prevention, output validation, system prompt security and hallucination risk controls.
Agentic AI Security
Agent boundary controls, tool use authorisation, autonomy constraints and multi-agent trust architecture.
MLOps & Pipeline Security
CI/CD pipeline security for ML, experiment tracking security, model versioning controls and deployment governance.
Infrastructure Security
GPU/TPU security, inference endpoint hardening, API security and compute isolation.
Privacy & Inference Attacks
Membership inference defences, model inversion prevention, differential privacy implementation and data minimisation.
Supply Chain Security
Third-party model vetting, pre-trained model integrity, dataset provenance and open-source AI component risk.
Monitoring & Detection
Runtime anomaly detection, model drift monitoring, adversarial input detection and security telemetry.
Incident Response
AI-specific incident classification, model rollback procedures and post-incident forensic analysis.
Compliance & Assurance
OWASP ML Top 10 alignment, MITRE ATLAS mapping and regulatory reporting for AI security incidents.
Apply NS-AISCA to your AI systems
Book an NS-AISCA scoping call to define which domains are most relevant to your current AI deployment and threat model.
NS-CTAF
Nucleus Systems Code Trust Assurance Framework. A structured certification model for software trustworthiness across the full development and delivery lifecycle.
Version 2.0.1 · 2026
Design philosophy
NS-CTAF was built on the premise that trust in software must be established at the point of creation and continuously maintained through every change. It defines 86 controls across 6 trust domains — covering source code integrity, dependency trust, CI/CD pipeline security, SBOM governance, open-source risk and AI-assisted code — and introduces a four-tier certification model (CTA-1 through CTA-4) that allows organisations to communicate code trust levels to internal and external stakeholders.
The Paxley platform is the primary delivery vehicle for NS-CTAF, scanning every commit, PR and release against the framework's control definitions and maintaining a live Code Trust Score.
Certification tiers
| Tier | Definition |
|---|---|
| CTA-1 | Foundational code trust — basic security hygiene, secrets scanning, known vulnerability prevention |
| CTA-2 | Structural trust — dependency governance, SBOM management, licence compliance, signed commits |
| CTA-3 | Pipeline trust — CI/CD security, container image hardening, IaC security, deployment integrity |
| CTA-4 | Advanced trust — AI-assisted code security, supply chain integrity, provenance attestation, adversarial code testing |
Domain coverage
Source Code Integrity
Secrets scanning, SAST, code signing, commit attribution and malicious code pattern detection.
Dependency & Supply Chain Trust
SCA, SBOM generation, dependency pinning, licence compliance and open-source risk scoring.
CI/CD Pipeline Security
Pipeline hardening, workflow integrity, runner security, artefact signing and deployment controls.
Container & Infrastructure Security
Container image scanning, IaC security, registry trust and runtime environment integrity.
AI-Assisted Code Trust
AI-generated code security assessment, copilot policy governance, AI code review and hallucination risk controls.
Governance & Assurance
Security policy enforcement, developer security training, audit trail management and Code Trust Score reporting.
Certify your software supply chain
Start with a Paxley demo to see NS-CTAF controls in action, or request a scoping call for a standalone code trust assessment.
The code security platform that enforces trust at every commit — from your first repository to your thousandth agentic AI workflow.
Paxley for Code Trust
GitHub-native scanning across every commit, pull request and release. Continuous NS-CTAF control enforcement, SBOM management, dependency governance and CTA-1 to CTA-4 certification scoring.
Paxley for AI Governance
Continuous NS-AIGF control monitoring for AI systems in production. Audit trails, governance dashboards, EU AI Act compliance tracking and board-level AI trust reporting.
What makes Paxley different
Built on Nucleus Systems proprietary frameworks — not generic rulesets.
NS-CTAF & NS-AIGF enforced
Every scan maps directly to Nucleus Systems proprietary control frameworks — not commodity SAST rules.
GitHub-native
Installs as a GitHub App. Scans every PR and commit in context. No agent to deploy, no pipeline to maintain.
Repo-based pricing
Priced per repository, not per developer. Security costs scale with your codebase, not your team size.
Continuous trust scoring
Live Code Trust Score across all repositories. Track improvement over time. Report to boards and auditors.
SBOM & dependency governance
Automatic SBOM generation, dependency health scoring, licence compliance and open-source risk tracking.
Hybrid deployment
SaaS or self-hosted. Data residency options. Designed for enterprises with strict infrastructure requirements.
Supported frameworks
Paxley operationalises Nucleus Systems proprietary frameworks at the point of development.
Ready to see Paxley in action?
Book a 30-minute demo with a Nucleus Systems practitioner. We'll show you Paxley running against your own repositories.
Cybersecurity Maturity Platform
The purpose-built platform for delivering, scoring and tracking NS-CMMF cybersecurity maturity assessments at enterprise scale.
Built to deliver NS-CMMF, not adapted from a generic tool
The Cybersecurity Maturity Platform is the operational engine for Core Pillar 1. It implements all 188 NS-CMMF controls as structured assessment modules, calculates domain scores using the 5-axis model, produces board-ready trust scores and generates remediation roadmaps automatically from assessment findings.
The platform enables continuous assessment rather than point-in-time audits — so organisations can track maturity improvement between assessments, monitor regression risks and benchmark against sector-specific maturity targets.
Key capabilities
- 188-control NS-CMMF assessment engine
- 5-axis scoring per control (Policy, Process, Technology, People, Measurement)
- Domain-level and aggregate trust score calculation
- Industry benchmark comparison
- Automated remediation roadmap generation
- Board-level executive reporting suite
- Multi-period trend tracking and maturity progression charts
- Evidence management and audit trail
See the platform in action
Request a platform walkthrough or book an NS-CMMF scoping call with a Nucleus Systems practitioner.
AI Security Assessment Platform
The structured assessment and reporting platform for delivering NS-AISCA evaluations across AI systems, pipelines and infrastructure.
Structured assessment for AI security findings
The AI Security Assessment Platform operationalises all 108 NS-AISCA controls as structured assessment modules. Assessors use the platform to evaluate controls across all 12 security domains, with each finding automatically categorised by severity, domain, control ID and remediation effort.
The platform produces findings reports, risk-scored remediation roadmaps and executive summaries aligned to technical and board audiences. It supports both point-in-time assessment engagements and ongoing monitoring programmes.
Key capabilities
- 108-control NS-AISCA assessment engine
- 12-domain security coverage with severity scoring
- Automated remediation roadmap generation
- MITRE ATLAS & OWASP ML Top 10 cross-mapping
- Technical findings report and executive summary
- Multi-engagement trend tracking
- Agentic AI and GenAI-specific assessment modules
Assess the security of your AI systems
Book a scoping call to define which NS-AISCA domains are most relevant to your current AI environment.
Managed Detection & Response
24/7 managed detection, investigation and response services delivered in partnership with CyberOne — one of Africa's leading MSSPs — and underpinned by the NS-CMMF framework.
Continuous threat detection backed by NS-CMMF maturity
Nucleus Systems partners with CyberOne to deliver managed detection and response services that go beyond standard MSSP tooling. Every MDR engagement is anchored to the NS-CMMF framework — so detected threats are contextualised against the client's actual maturity posture, not a generic baseline.
This integration means that when a threat is detected and responded to, the findings inform the client's broader cybersecurity maturity programme. Detection events become data points in continuous improvement rather than isolated incidents.
Services included
- 24/7 Managed Security Operations Centre (SOC)
- Threat Detection & Correlation (SIEM/SOAR)
- Endpoint Detection & Response (EDR/XDR)
- Threat Hunting & Proactive Investigation
- Security Incident Management & Response
- Vulnerability Management & Prioritisation
- Threat Intelligence Integration
- NS-CMMF Maturity Integration for Detection Context
- Monthly Threat & Posture Reporting
- Incident Response Retainer
Get continuous threat detection backed by maturity intelligence
Contact us to scope an MDR engagement that integrates with your NS-CMMF maturity programme.
Payment Security & Digital Public Infrastructure
Security advisory and assurance for payment systems, real-time payment infrastructure and digital public infrastructure — with specialist expertise in Mojaloop, Tazama and COMESA frameworks.
Payment security at the infrastructure layer
Nucleus Systems has deep specialist expertise in the security of digital payment infrastructure — particularly open-source payment systems and digital public infrastructure (DPI) frameworks deployed across Africa, Asia and the Middle East. Our practitioners have direct experience with Mojaloop (the real-time payments platform), Tazama (transaction monitoring) and the COMESA framework.
We combine payment-specific security expertise with our NS-CMMF maturity methodology to deliver security assessments that address both technical vulnerabilities and institutional governance gaps.
Services included
- Payment System Security Assessment (PCI DSS, ISO 20022)
- Mojaloop Platform Security Review
- Tazama Transaction Monitoring Security Assessment
- Digital Public Infrastructure (DPI) Security Advisory
- Real-Time Payment System Security Architecture
- Financial Crime & Fraud Risk Assessment
- SWIFT Customer Security Programme (CSP) Assessment
- Central Bank Digital Currency (CBDC) Security Advisory
- Payment API Security Assessment
- Correspondent Banking Security Review
Secure your payment infrastructure
Speak with a Nucleus Systems payments security specialist about your specific infrastructure and regulatory obligations.
Verifiable Credentials & Digital Identity Security
Security advisory and assurance for digital identity systems, verifiable credential infrastructure and national identity programmes — with expertise in MOSIP, OpenG2P, GovStack and OSIA.
Securing the infrastructure of trust for digital identity
National digital identity programmes are among the most sensitive and highest-risk digital transformation initiatives any government undertakes. Nucleus Systems brings specialist expertise in the security of identity platforms — particularly open-source DPI stacks such as MOSIP (Modular Open Source Identity Platform) and OpenG2P — and in the verifiable credential ecosystems being deployed across Africa, Asia and the Pacific.
Our engagement model combines security assessment, architecture review and ongoing advisory to ensure that identity programmes are secure from inception, compliant with international standards and resilient to the specific threat models that national identity infrastructure attracts.
Services included
- Digital Identity Security Architecture Review
- MOSIP Platform Security Assessment
- OpenG2P Security Review
- Verifiable Credential System Security Assessment
- Decentralised Identity (DID) Infrastructure Review
- Biometric System Security Assessment
- National ID Programme Security Advisory
- eIDAS 2.0 Compliance Advisory
- Identity Proofing & Verification Process Review
- Privacy-Preserving Identity System Design
Secure the infrastructure that underpins digital identity
Speak with a Nucleus Systems digital identity specialist about your programme and risk environment.
Financial Inclusion & Emerging Markets
Security and trust assurance for financial services providers operating in emerging markets — mobile money, off-grid payments, microfinance and inclusive fintech ecosystems.
Trust infrastructure for the next billion users
Financial inclusion requires security inclusion. Mobile money operators, microfinance institutions, agent banking networks and fintech platforms serving unbanked and underbanked populations face security and regulatory challenges that are distinct from those of established financial institutions. They operate at the intersection of fintech innovation, telecoms infrastructure and regulatory uncertainty — often with limited internal security capacity.
Nucleus Systems brings practitioner experience across sub-Saharan Africa, East Africa, West Africa, South-East Asia and the Pacific — with deep familiarity with the mobile money ecosystem, the regulatory frameworks that govern it and the specific threat models that emerging-market financial services providers face.
Services included
- Mobile Money Platform Security Assessment
- Agent Banking Network Security Review
- Off-grid & Last-Mile Payment Security Advisory
- Microfinance Institution Security Programme
- Financial Inclusion Fintech Security Assessment
- GSMA Mobile Money Security Guidelines Compliance
- Regulatory Readiness Assessment (emerging market)
- Digital Financial Services Risk Framework Design
- Fraud & Social Engineering Risk Assessment
- Digital Onboarding & KYC Security Review
Build trust infrastructure for financial inclusion
Our practitioners bring first-hand experience in emerging market financial services security across multiple continents.
Post-Quantum Cryptography Advisory
Preparing enterprises and governments for the quantum threat — cryptographic inventory, PQC readiness assessment, CBOM analysis, crypto agility design and migration roadmaps aligned to NIST PQC standards.
The quantum clock is running. Most organisations are not ready.
NIST finalised the first post-quantum cryptography standards in 2024. Cryptographically Relevant Quantum Computers (CRQCs) may be capable of breaking current public-key cryptography within a decade. Harvest-now-decrypt-later attacks — where adversaries collect encrypted data today to decrypt once quantum capability arrives — are already documented.
Nucleus Systems provides the advisory capability organisations need to understand their cryptographic exposure, build a credible migration roadmap and implement crypto agility architectures that can adapt as the quantum threat evolves. We work across enterprise, government and financial services sectors, with particular focus on organisations that manage long-lived sensitive data or critical infrastructure.
Services included
- PQC Readiness Assessment
- Cryptographic Bill of Materials (CBOM) Analysis
- Cryptographic Inventory & Risk Mapping
- Harvest-Now-Decrypt-Later Threat Assessment
- Crypto Agility Architecture Design
- NIST PQC Standards Migration Roadmap
- TLS & PKI Infrastructure PQC Readiness Review
- Long-lived Data Encryption Risk Assessment
- PQC Vendor & Product Evaluation
- Executive PQC Briefing & Board Reporting
Start your PQC readiness programme now
The time to prepare is before quantum capability arrives, not after. Contact us to scope a CBOM analysis or PQC readiness assessment.