Our Product
Paxley

The code security platform that enforces trust at every commit.

Paxley is our only product, built to operationalise the NS-CTAF and NS-AIGF frameworks at the point of development. GitHub-native, repo-priced, and designed for enterprises where AI writes a growing share of the code.

NS-CTAF · Code Trust Framework
NS-AIGF · AI Governance
GitHub · Native scanning
The Digital Trust Assurance Company

We don't describe security.
We measure and prove it.

Other firms deliver compliance reports. Nucleus Systems engineers, measures, and continuously proves digital trust, converting cybersecurity complexity into measurable, defensible, board-level confidence across 40+ countries.

Founder-led on every major engagement: 26+ years of practitioner experience, not delegated to junior teams
Proprietary IP, not adapted public standards: Four owned trust models, not ISO or NIST adaptations with a new logo
Attacker-informed, evidence-based assurance: We validate, test, and produce board-ready defensible findings, not interview checklists
End-to-end, from assessment to managed operations: Fractional CISO leadership, DevSecOps integration, and 24x7 MSSP capability
40+ Countries served
600+ Engagements delivered
250+ M&A due diligence
4 Proprietary frameworks

One methodology. One trust score. Applied consistently across 40+ countries and six domains of digital trust.

How We Work

Framework. Platform. Service.
Every engagement, in that order.

Most consultancies borrow public standards and apply them loosely. Nucleus Systems starts with proprietary frameworks we built, runs them through platforms we developed, and delivers findings through practitioners who know the difference.

01
FRAMEWORK

Proprietary IP, built from first principles.

Four internally developed frameworks define every control, domain, scoring model and maturity level we use. They are not adapted from existing public standards; they were designed from scratch to make trust scores consistent, comparable and defensible to boards and regulators.

NS-CMMF · 188 controls
NS-AIGF · 60 controls
NS-AISCA · 108 controls
NS-CTAF · 86 controls
02
PLATFORM

Purpose-built delivery, not point-in-time audits.

Our Cybersecurity Maturity Platform and AI Security Assessment Platform turn framework controls into continuous, automated scoring. Every assessment generates a live trust index, not a PDF that sits on a shelf. Boards see real posture. Regulators accept the output.

Cybersecurity Maturity Platform · AI Security Assessment Platform · Live trust index · Continuous scoring
03
SERVICE

Practitioner delivery: specialist, not generalist.

We deploy deep domain specialists across 40+ countries. Every engagement is led by a practitioner who has operated in the sector, understands the regulator's lens, and knows how to translate technical findings into language a board can act on.

600+ engagements · 40+ countries · Board-ready output · Regulatory accepted
Our People

Built by practitioners.
Driven by trust.

Every engagement at Nucleus Systems is led by a specialist who has operated in the sector, not a generalist analyst reading a playbook. We deploy people with decades of hands-on experience in the most demanding regulated environments globally.

Godfrey Kutumela
Founding CEO · Project Lead & Senior Cybersecurity Practitioner
CISSP · ISO 27001 LA · EU CyberNet Expert · Mojaloop · MOSIP

26+ years across African and Middle Eastern banking, payments and digital public infrastructure. Former Alinma Bank and MTN Fintech. Led 150+ M&A cyber due diligence engagements. Co-creator of OpenSwitchAfrica.

Our practitioners have built cryptographic systems for tier-one banks, led regulatory compliance programmes for central banks, architected cloud security for payment rails and contributed to the open-source platforms that underpin digital public infrastructure across Africa, the Middle East, and Europe.

This depth of direct operational experience is what separates us from advisory-only firms. When we assess your security posture, design your AI governance structure, or lead your M&A cyber due diligence, we are drawing on real-world knowledge, not frameworks read from a textbook.

Team at a glance
100+ Combined years
150+ Engagements led
16 Markets served
Core Pillars

Four domains of digital trust. Each with its own framework, platform and service.

01
NS-CMMF Cybersecurity

Cybersecurity Trust & Resilience

188 controls across 6 NIST-aligned domains. L1→L5 maturity scoring. Board-ready trust index and remediation roadmaps.

2A
NS-AIGF AI Governance

AI Trust & Governance

60 controls across 7 governance domains. EU AI Act, ISO 42001 and NIST AI RMF aligned. AI system risk classification and governance assurance.

2B
NS-AISCA AI Security

AI Security & Assurance

108 controls across 12 security domains. GenAI, Agentic AI and MLSecOps threat modelling and control validation.

03
NS-CTAF Code Trust

Code Trust & Secure Digital Delivery

86 controls across 6 trust domains. CTA-1→CTA-4 certification. DevSecOps, SBOM governance, AI-assisted code security. Delivered via Paxley.

Our Frameworks

Four frameworks.
Zero borrowed standards.

NS-CMMF v2.4.1
Cybersecurity Trust & Resilience

188 controls across 6 NIST-aligned domains. L1→L5 maturity scoring, board-ready trust index and remediation roadmaps.

32 mapped frameworks · 6 domains
NS-AIGF v1.3.0
AI Trust & Governance

60 controls across 7 governance domains. EU AI Act, ISO 42001 and NIST AI RMF aligned. AI risk classification and assurance.

EU AI Act · ISO 42001 · NIST AI RMF
NS-AISCA v1.1.0
AI Security & Assurance

108 controls across 12 security domains. GenAI, Agentic AI and MLSecOps threat modelling and control validation.

GenAI · Agentic AI · MLSecOps
NS-CTAF v2.0.1
Code Trust & Secure Delivery

86 controls across 6 trust domains. CTA-1→CTA-4 certification. DevSecOps, SBOM governance and AI-assisted code security.

CTA-1 → CTA-4 · 6 trust domains
Our Platforms

Purpose-built.
Not off-the-shelf.

Platform 01
Cybersecurity Maturity Platform

Purpose-built for continuous NS-CMMF assessment, scoring and executive reporting. Turns point-in-time audits into a live trust index that boards can track and regulators will accept.

NS-CMMF · 188 controls · Live trust scoring
Platform 02
AI Security Assessment Platform

Structured assessment and reporting for NS-AISCA evaluations across AI systems, pipelines and infrastructure. Findings scored by severity and mapped to remediation roadmaps.

NS-AISCA · 108 controls · 12 security domains
Domain-Specific Solutions

Where frameworks meet
specialised market demands.

Beyond the four core pillars, Nucleus Systems delivers specialist solutions in domains that require deep contextual knowledge, from payment rails to post-quantum cryptography.

S1
Managed Detection & Response

24/7 MDR delivered in partnership with CyberOne MSSP, anchored to NS-CMMF maturity context. Threat detection with trust measurement built in, not bolted on.

NS-CMMF · 24/7 MDR · CyberOne
S2
Payment Security & Digital Public Infrastructure

Security architecture for payment rails and digital public infrastructure across emerging markets. Mojaloop, Tazama, COMESA and PCI DSS expertise, deployed where trust is both mission-critical and newly built.

Mojaloop · Tazama · PCI DSS · COMESA
S3
Verifiable Credentials & Digital Identity

Security assurance for national identity programmes and verifiable credential infrastructure. MOSIP, OpenG2P, W3C VC and DID ecosystem, securing identity at population scale.

MOSIP · OpenG2P · W3C VC · DID
S4
Financial Inclusion & Emerging Markets

Mobile money, agent banking and microfinance security across Africa, Asia and the Pacific. Trust assurance where financial infrastructure is still being built.

Mobile Money · Agent Banking · Africa
S5
Post-Quantum Cryptography Advisory

CBOM analysis, PQC readiness assessments, crypto agility architecture and NIST PQC migration roadmaps. Prepare for CRQC-era cryptographic risk now.

NIST PQC · CBOM · Crypto Agility
Industries

Where trust carries the most weight.

We work where a failure of trust is not an inconvenience; it is a systemic event.

01

Financial Services

Banks, insurers and asset managers where a trust failure triggers systemic regulatory action.

02

Government

Public institutions where digital trust is foundational to governance and citizen confidence.

03

Digital Public Infrastructure

National identity, payment rails and data exchanges that underpin entire economies.

04

Fintech

Regulated disruptors building trust at speed across payments, lending and digital wealth.

05

Healthcare

Patient data, clinical systems and AI diagnostics where trust is a matter of life.

06

Technology

Platforms, SaaS and AI companies proving security posture to enterprise buyers and boards.

07

Private Equity

Deal teams and portfolio companies managing cyber risk through M&A and ownership cycles.

08

Critical Infrastructure

Energy, water and transport operators where a breach carries national consequences.


Don't see your industry?
We likely cover it.

Our practitioners have operated across 40+ countries and a wide range of regulated sectors. Tell us where you are, and we'll tell you how we can help.

40+ Countries
600+ Engagements
8 Industries
250+ M&A due diligence

Ready to make trust
measurable and provable?

Tell us where trust matters most in your organisation: cybersecurity posture, AI governance, code security or digital infrastructure. We will show you how to engineer it, measure it, and keep proving it to your board and regulators.

Nucleus Systems Insights

The trust frontier, in writing.

Research, frameworks and field notes from our practitioners on the questions that matter most.


Careers

Engineer trust for a living.

We are a team of specialists who would rather measure trust than talk about it. If you want your work to show up as a number a board acts on, you will fit in here.

40+ Countries
13+ yrs Of practice
6 Service domains
4 Frameworks to master
Why Nucleus

Work that proves itself.

We hire people who care about evidence. Here is what you can expect in return.

Real frontier work

AI security, post-quantum, DPI. You work on the problems most firms are only starting to name.

Flexible by default

Hybrid and remote roles across regions, built around outcomes rather than hours at a desk.

Certifications funded

We back the credentials that matter, from CISSP to ISO 42001 lead, and the time to earn them.

Measured growth

Clear progression mapped to skill, with the same rigour we bring to client maturity models.

Small, senior teams

You work alongside experts, not layers of management. Your name is on the assessment.

Global, balanced

Competitive packages, generous leave, and travel only when it genuinely moves the work forward.

Open Roles

No opportunities at the moment.

We are not actively hiring right now. We still review every application, so if you can prove trust, introduce yourself and we will reach out when the right role opens.

Don't see your role?

We are always interested in people who can prove trust. Tell us what you do best.

Engagement Portfolio

Projects, pipeline and progress.

A single view of active engagements, the opportunities in conversion, and where each one sits in the trust lifecycle. Illustrative internal view.

Contact

Let's prove it.

Tell us where trust matters most in your organisation. We will come back within one business day to set up a briefing.


We reply within one business day. No newsletters unless you ask.

The people behind the mission

Built by practitioners.
Driven by trust.

Our team brings together decades of hands-on experience in cybersecurity, digital finance, AI governance, and open-source infrastructure, deployed across Africa, the Middle East, and beyond.

A team forged in the world's most demanding digital environments.

Nucleus Systems was founded on a simple conviction: that digital trust must be engineered, measured, and continuously proven, not assumed. Our practitioners have built, broken, and secured the systems that underpin financial services, government infrastructure, and open-source platforms across Africa, the Middle East, and Europe.

100+ Combined years
150+ Engagements
16 Markets served

We are practitioners first. Every member of the Nucleus team has operated in real environments, implementing cryptographic systems, leading regulatory compliance programmes, architecting cloud security for tier-one banks, and contributing to the open-source platforms that power digital public infrastructure worldwide.

This depth of hands-on experience is what separates us from advisory-only firms. When we assess your security posture, design your AI governance framework, or guide your M&A cyber due diligence, we are drawing on direct operational knowledge, not theory.

Leadership

Godfrey Kutumela
Founding CEO · Project Lead & Senior Cybersecurity Practitioner
CISSP · ISO 27001 LA · EU CyberNet Expert · DPGA Privacy Expert · Mojaloop · MOSIP

A seasoned expert in digital trust, fintech, and regtech with extensive experience across African and Middle Eastern banking and payments sectors. Godfrey has held pivotal roles at institutions like Alinma Bank and MTN Fintech, supporting financial innovation across 16 African markets. As CEO of Nucleus Systems, he specialises in Digital Financial Services, Digital Public Infrastructure, and Private Equity M&A technology due diligence, having led over 150 investment-focused engagements.

Co-creator of OpenSwitchAfrica and contributor to Mojaloop, Tazama, Mifos, MOSIP, and OpenG2P.

26+ years of experience

Our Practitioners

Aime Bukasa

Senior Cybersecurity Practitioner

Enterprise Security Architect with deep expertise in cryptography, EMV systems, PKI, ISO 20022, and blockchain, deployed across IBM, Standard Bank, Investec, and major financial institutions in South Africa, Europe, and the Middle East.

CISSP · BTech · AWS / Azure / GCP · Hyperledger
Experience: 26+ years
Kerlyn Manyi

Senior Practitioner

Seasoned cybersecurity professional leading vulnerability assessments, secure SDLC integration, and compliance for platforms like Mojaloop. Pursuing a Ph.D. in Network Security, passionate about inclusive digital ecosystems in emerging markets.

ISC2 · Fortinet NSE · DevSecOps · Pen Testing
Experience: 10+ years
Yash Sancheti

Practitioner

Cybersecurity researcher and solution architect specialising in DevSecOps, CI/CD security, and cloud-native infrastructure. Google Summer of Code contributor and mentor. 50+ verified vulnerabilities reported on HackerOne and OpenBugBounty.

DevSecOps · GSoC Mentor · HackerOne · Cloud Security
Experience: 5+ years
Akshat Sharma

Practitioner

AI, machine learning, and cybersecurity engineer with published research on stock market prediction, breach analysis, and deep learning. GSoC 2025 mentor at The Mifos Initiative. LeetCode top 3%, active open-source contributor.

AI / ML · GSoC 2025 Mentor · NLP · BSc Honours
Experience: 5+ years
Work with us

Ready to put this expertise to work for your organisation?

Whether you need a Fractional CISO, a cybersecurity maturity assessment, AI governance design, or M&A technology due diligence, our team is ready to engage.

Company Overview

The Digital Trust
Assurance Company.

Founded in 2014, Nucleus Systems is a globally active, practitioner-led firm that converts cybersecurity complexity into measurable, defensible, board-level confidence. We engineer, measure and continuously prove digital trust across 40+ countries.

13+ Years operating
600+ Engagements delivered
250+ M&A cyber diligence
40+ Countries served
Who We Are

We don't describe security.
We measure and prove it.

Nucleus Systems occupies a fundamentally different market position from global management consulting firms and specialist boutiques. The distinction is structural, not stylistic.

Our four proprietary frameworks are owned intellectual property, not adaptations of public standards. That ownership creates a moat that cannot be replicated by firms that borrow methodology from ISO or NIST. Our expert founder leads every major engagement, bringing 26+ years of practitioner experience and 250+ M&A cyber diligence transactions to each mandate.

We do not deliver compliance and audit reports. We engineer, measure, and continuously prove digital trust across cybersecurity, AI governance, software assurance, and digital ecosystems.

Proprietary IP, not adapted public standards: Four owned trust models, not ISO or NIST adaptations. The frameworks are ours; generalist firms cannot replicate the methodology.
Founder-led on every major engagement: 26+ years of practitioner experience with deep governance, engineering, and architecture capability, never delegated to junior delivery teams.
Attacker-informed, evidence-based assurance: We validate, test, and produce board-ready defensible findings rather than interview checklists and documentation reviews.
End-to-end, assessment through managed operations: Fractional CISO leadership, DevSecOps integration, and 24x7 MSSP-enabled operational capability beyond the engagement report.
Rapid activation, not extended onboarding cycles: Automated findings in minutes, structured maturity assessments in days, operational trust visible from day one.

Why Nucleus Systems

The competitive advantage is structural. Owned intellectual property, founder-led delivery, and proprietary Trust Infrastructure Platforms create a market position that generalist advisory firms cannot replicate.

Global Management Consulting Firms vs Specialist Cyber Boutiques vs Nucleus Systems (Our Position)

Methodology & IP
Global management consulting firms: Primarily adapted public frameworks with standardised methodologies and reusable delivery templates
Specialist cyber boutiques: Deep expertise in specific technical domains, but limited cross-domain integration
Nucleus Systems: Four proprietary frameworks integrating cybersecurity, AI governance, AI security, operational resilience, and Code Trust into a unified trust model

Leadership & Delivery
Global management consulting firms: Senior leadership focused on sales and account management, with delivery delegated across layered teams
Specialist cyber boutiques: Principal-led delivery with strong niche expertise but narrower strategic breadth
Nucleus Systems: Founder-led on major engagements with 26+ years of practitioner experience, 250+ M&A cyber diligence, and deep governance, engineering, and architecture capability

Evidence & Assurance
Global management consulting firms: Governance-heavy assessments relying heavily on interviews, documentation review, and limited validation
Specialist cyber boutiques: Strong technical testing capability with more limited executive governance integration
Nucleus Systems: Attacker-informed, evidence-driven assurance validations, governance oversight, operational resilience, and board-ready defensible reporting

Technology & Automation
Global management consulting firms: Dependence on third-party tools and largely point-in-time reporting models
Specialist cyber boutiques: Select tooling with varying levels of automation and integration
Nucleus Systems: Proprietary Trust Infrastructure Platforms delivering automated, continuous, and measurable trust validation rather than static assessment outputs

Speed & Agility
Global management consulting firms: Large-scale mobilisation models with complex contracting and extended onboarding cycles
Specialist cyber boutiques: Faster delivery, but often narrower in operational scope
Nucleus Systems: Rapid onboarding and operational activation with automated findings in minutes, and structured maturity assessments in days

Operational Continuity
Global management consulting firms: Engagements typically conclude with reports and client-owned implementation responsibility
Specialist cyber boutiques: Advisory follow-through available but often resource-constrained
Nucleus Systems: End-to-end operational support including Fractional CISO leadership, advisory retainers, DevSecOps integration, and CyberOne MSSP-enabled 24x7 operational capability
Our Approach

Governance, engineering execution, and operational evidence — integrated.

Proprietary IP rather than adapted public methodologies
Founder-led engagements with deep practitioner and M&A cyber diligence expertise
Attacker-informed, evidence-based assurance integrated with governance outcomes
Trust Infrastructure Platforms enabling evidence-led, continuous trust validations
Rapid assessment and operational activation capability
End-to-end support from assessment through Fractional CISO leadership and managed operations

Big digital transformation consulting and auditing firms describe how you should have secure systems. Nucleus Systems measures how secure you actually are and produces the evidence that proves it, with a clear maturity measurement and improvement roadmap.

Nucleus Systems Position Statement

While many firms assess compliance posture, Nucleus Systems focuses on continuously measuring and proving operational trust across cybersecurity, AI governance, software assurance, and digital ecosystems.

The numbers behind the practice

600+
Engagements
Across enterprise, government and financial sectors
250+
M&A Deals
Cyber diligence transactions across private equity and corporate M&A
40+
Countries
Active in Africa, Middle East, Asia-Pacific, Europe
13+
Years
Operating history, founded 2014 by a seasoned cybersecurity practitioner

Ready to make trust measurable?

Speak with a Nucleus Systems practitioner about your specific environment and objectives.

Core Pillar 1

Cybersecurity Trust
& Resilience

Our Cybersecurity Maturity Management Framework & Measurement Model (NS-CMMF V1.0) helps organisations move beyond fragmented compliance towards measurable cybersecurity resilience — across cloud, enterprise, and critical infrastructure environments.

188Cybersecurity Controls
6NIST CSF 2.0 Domains
32Frameworks Mapped
5-AxisScoring Model
L1→L5Maturity Scale

What NS-CMMF v1.0 Solves

The NS-CMMF is the most pragmatic, consultable, and regulatory-aligned cybersecurity maturity framework available for mid-market and enterprise organisations operating across multiple jurisdictions.

It addresses the single most persistent failure in cybersecurity governance: the gap between what organisations say they do and what they actually do.

Every control requires evidence of operation, not just evidence of policy. Compliance checks whether the right things are documented. NS-CMMF checks whether the right things actually work.

Framework Architecture

Framework Domains & Coverage

7 domains, 330 controls, one unified score. Each domain carries a weighted allocation — together they sum to 100% of your organisation's cybersecurity posture.

GV — Govern · Leadership, Strategy & Risk Governance · 16% · 35 controls
Executive accountability, cybersecurity strategy, policy framework, regulatory compliance programme, and vendor risk governance

ID — Identify · Assets, Data, Risk & Exposure · 10% · 32 controls
Asset inventory, data classification, network documentation, vulnerability management, and threat landscape assessment

PR — Protect · Controls, Architecture & Safeguards · 26% · 95 controls (highest)
Identity and access management, data protection, endpoint security, network architecture, application security, cloud security, and AI security controls

DE — Detect · Monitoring, Detection & Threat Intelligence · 14% · 38 controls
SIEM, SOC operations, threat intelligence, behavioural analytics, cloud detection, and continuous monitoring capability

RS — Respond · Incident Management & Regulatory Notification · 11% · 30 controls
Incident response plans, scenario playbooks, regulatory notification (NIS2, DORA, GDPR), and post-incident review

RC — Recover · Resilience, Continuity & Validation · 10% · 30 controls
Business continuity, disaster recovery, recovery testing, post-recovery validation, and continuous resilience improvement

AI — Governance Module (NS-AIGF Integration) · AI Governance, Risk & Security Controls · 13% · 60 controls across 7 domains
Integrated directly into NS-CMMF as the AI governance extension module, covering AI governance, AI risk management, AI security architecture, and AI operational monitoring across all 7 domains

Framework Specification

NS-CMMF combines measurable cybersecurity maturity, operational assurance, and multi-framework regulatory alignment into a single integrated assessment and continuous improvement model.

Controls
330 total controls — 270 fully re-engineered cybersecurity controls + 60 integrated AI governance controls, assessed together as one unified framework.
Scoring Model
5-Axis composite score per control: Policy & Governance · Implementation & Operationalisation · Monitoring & Measurement · Automation & Integration · Resilience & Assurance
Maturity Scale
5 defined levels with 7 Hard Scoring Gates that cannot be bypassed:
L1 Initial · L2 Developing · L3 Defined · L4 Managed · L5 Optimised
Framework Mapping
32 frameworks mapped at article and clause level: NIST CSF 2.0, ISO 27001:2022, CIS Controls v8, GDPR, NIS2, DORA, EU AI Act, Cyber Resilience Act, PCI DSS v4, HIPAA, SOX, FedRAMP, CCPA, NIST SP 800-53, NERC CIP, IEC 62443, and more.
Maturity Tool
Excel-native and web-based assessment workbook with auto-scoring, domain heatmaps, priority gap analysis, framework filter, and board-ready report generation.
Delivery Model
5-phase client programme: Baseline Assessment → Gap Analysis → Improvement Roadmap → Implementation Oversight → Continuous Reassessment
Engagement Duration
Initial assessment: 2–4 weeks
Ongoing advisory retainer: monthly
Full maturity programme: 12–24 months

Services Delivered Under This Pillar

All services anchored to NS-CMMF and delivered through the Cybersecurity Maturity Platform.

01

Cybersecurity Maturity Assessment & Roadmap

Evidence-based baseline across all 13 domains with IC-ready outputs, scored maturity report, and prioritised improvement roadmap.

02

Advisory Retainer & Fractional CISO

Embedded cybersecurity leadership, board risk reporting, SOC2/ISO 27001 readiness coordination, and monthly governance rhythm.

03

M&A Cyber & Compliance Advisory

Buy-side/sell-side cyber diligence using attacker-validated evidence, Investment Committee evidence packs, and integration risk planning.

04

M&A Cyber Advisory for Seed & Pre-Series

Security foundations for pre-seed; risk validation for Seed→Series A; growth maturity for Series A→B; exit-readiness for Series B+.

05

DPI Cybersecurity Design, Assessment & Roadmap

NS-CMMF applied to national digital public infrastructure projects with multi-stakeholder governance and public-sector delivery expertise.

06

Threat, Risk & Vulnerability Assessments

Penetration testing, vulnerability assessments, and Business Exposure Management including Dark Web scanning and attack surface reduction.

07

CyberOne-Powered MSSP Services (Managed Detection & Response)

24x7 AI-augmented MXDR, SOC, Endpoint Security, Zero Trust, and Incident Response delivered in partnership with CyberOne.

Why This Matters

Every service we deliver is powered
by one of these frameworks.

These are not theoretical models or static compliance checklists. They are operational trust instruments actively used in real-world delivery, engineering governance, executive reporting, and continuous assurance programmes globally.

We help organisations convert cybersecurity from reactive compliance into measurable operational trust.
We bridge executive governance with deep engineering execution across cloud, AI, software, and critical infrastructure environments.
We enable boards, investors, regulators, and customers to gain defensible confidence in the security, resilience, and trustworthiness of digital systems.
Fractional CISO leadership combining cybersecurity governance, risk management, regulatory compliance, and board-level cyber risk reporting.
Cloud security, DevSecOps, operational resilience, and BCP/DR programmes across enterprise and critical infrastructure.
Our Vision

A world where trust is no longer assumed. It is engineered, measured, and continuously proven.

As digital ecosystems become increasingly interconnected, AI-driven, software-defined, and globally regulated, organisations require more than advisory reports. They require measurable trust, defensible assurance, operational resilience, and security programmes that can continuously adapt to emerging threats, regulatory change, and evolving technology complexity.

Start your maturity assessment

A Nucleus Systems practitioner will scope the right NS-CMMF assessment tier for your organisation and produce a trust score within an agreed timeframe.

Core Pillar 2A · Proprietary Framework & Platform

NS-AIGF v1.0

An integrated framework that simultaneously satisfies EU AI Act, ISO/IEC 42001, and NIST AI RMF obligations — consolidating fragmented compliance into a unified, evidence-based, board-ready model for continuous AI accountability.

60Governance Controls
7Governance Domains
43Global AI Frameworks
300Maturity Interpretations
L1→L5Maturity Scale
What Is NS-AIGF v1.0 and Why Was It Built?

The Nucleus Systems AI Governance Framework and Maturity Measurement Model (NS-AIGF v1.0) was purpose-built to address the single most critical governance gap of our era: organisations are deploying AI at speed while governing it at near-zero velocity.

The EU AI Act carries penalties of up to 7% of global annual turnover. ISO 42001 certification is becoming part of enterprise procurement requirements. NIST AI RMF is board-level currency across 40+ jurisdictions.

NS-AIGF converts AI governance from regulatory anxiety into a managed, auditable, board-reportable programme with measurable progress.

EU AI Act
Up to 7% global turnover
Penalties for non-compliance with high-risk AI obligations
ISO/IEC 42001 · NIST AI RMF
40+ jurisdictions
NIST AI RMF is board-level currency; ISO 42001 entering procurement criteria
NS-AIGF Outcome
Regulatory anxiety → managed programme
Auditable, board-reportable AI governance with measurable maturity progress
Framework Architecture

Framework Domains & Coverage

7 integrated governance domains, 60 controls, one unified maturity score. Each domain carries a weighted allocation reflecting EU AI Act enforcement priorities — together they sum to 100%.

D1 — Governance · AI Governance & Organisational Oversight · 18% · 8 controls
Governance structure, executive accountability, AI policy frameworks, ethics committee, internal audit of AI systems, and board-level AI oversight

D2 — Risk & Compliance · AI Risk Classification & EU AI Act Controls · 22% · 8 controls (highest)
AI system risk classification, EU AI Act Annex III obligations, high-risk AI documentation (Art. 11), human oversight mechanisms (Art. 14), conformity assessment (Art. 43), and incident reporting (Art. 73)

D3 — Lifecycle · AI Lifecycle & Model Governance · 15% · 10 controls
Model registries, version control, testing gates, release management, shadow AI detection, model retirement, and lifecycle documentation

D4 — Data · Data Governance for AI · 12% · 8 controls
Training data quality, dataset bias assessment, privacy compliance for AI data, data minimisation, labelling governance, and data drift monitoring

D5 — Responsible AI · Fairness, Explainability & Responsible AI · 12% · 8 controls
Fairness testing across protected characteristics, explainability mechanisms, human override capability, ethical review processes, and fundamental rights impact assessment

D6 — AI Security · AI Security & Operational Monitoring · 13% · 10 controls
AI endpoint access controls, prompt-injection prevention, adversarial testing, model-extraction protection, output monitoring, and AI supply-chain security

D7 — Audit · Incident, Compliance & Auditability · 8% · 8 controls
AI incident management, regulatory reporting, audit trail maintenance, continuous compliance monitoring, and third-party AI vendor risk management

Framework Specification

NS-AIGF provides a structured, measurable, and regulatory-aligned framework for operationalising AI governance, safety, security, and continuous assurance across enterprise AI ecosystems.

Controls
60 fully defined governance controls with core requirements, implementation guidance, and regulatory alignment citations for EU AI Act, ISO 42001, and NIST AI RMF.
Scoring Model
5-axis maturity assessment with domain weights reflecting EU AI Act enforcement priorities: D2 Risk & Compliance at 22% (highest weight, reflecting enforcement severity) through D7 Audit at 8%.
Maturity Scale
L1 Initial → L2 Managed → L3 Defined → L4 Quantitative → L5 Optimising — with 300 control-specific level interpretations (5 levels × 60 controls).
Regulatory Alignment
Simultaneous alignment to: EU AI Act (Reg. EU 2024/1689) · ISO/IEC 42001:2023 · NIST AI RMF v1.0 · GDPR · POPIA · OWASP LLM Top 10 · OECD AI Principles
Scoping Mechanism
20-question organisational profiler automatically tailors control applicability to each client's context, AI footprint, sector, and regulatory jurisdiction.
Assessment Tool
8-module AI Governance Maturity Management Excel-Native Tool producing board-ready governance reports, prioritised improvement roadmaps, ISO 42001 readiness indicators, and longitudinal maturity tracking automatically.
Delivery Model
5-phase programme: Baseline Assessment → Gap Analysis → Remediation Programme → Assurance Review → Continuous Reassessment (quarterly or annual)
ISO 42001 Pathway
Integrated 5-phase certification pathway with Nucleus Systems as advisory partner from baseline through certification readiness.
AI Governance Framework & Maturity Measurement Platform

Paxley AI Governance & Maturity Management Platform

The technology delivery engine for NS-AIGF assessments and ongoing AI governance programmes. Provides a structured AI Trust Framework assessment engine, five-level maturity scoring with domain heatmaps, a policy library aligned to the EU AI Act and NIST AI RMF, regulatory alignment modules, AI risk register management, ISO 42001 readiness tracking, and board-ready reporting. Organisations can conduct self-assessments or run Nucleus Systems-facilitated governance programmes at scale.

Services Delivered Under This Pillar

All services anchored to NS-AIGF v1.0 and delivered through the Paxley AI Governance Platform.

01

AI Governance Assessment & Maturity Programme

NS-AIGF assessment covering risk classification, governance gaps, and compliance posture — with board-ready AI Risk Report and 12-month roadmap.

02

EU AI Act Compliance Programme

End-to-end programme from Article 11 technical documentation through Article 43 conformity assessment for high-risk AI systems, with Nucleus as named advisory partner.

03

ISO 42001 Certification Management

Structured 5-phase certification pathway using NS-AIGF as the assessment instrument — gap analysis, remediation, and certification readiness reporting.

04

Board AI Risk Advisory

Translating AI risk into business and regulatory language for boards, audit committees, and investment committees — supporting AI disclosures in annual reports and regulatory filings.

Build an AI governance programme your board can stand behind

We scope NS-AIGF assessments to your current AI footprint and regulatory obligations, delivering a prioritised roadmap your board can act on.

Core Pillar 2B · Proprietary Framework & Platform

NS-AISCA v1.0

A complete, evidence-based, maturity-scored AI security controls architecture securing the entire AI attack surface — across data, model, prompt, RAG, agent, tool, pipeline, cloud runtime, monitoring, assurance, and incident response.

108 AI Security Controls
12 Security Domains
20+ Standards Aligned
5 Evidence Grades
L1→L5 Maturity Scale
What Is NS-AISCA v1.0 and Why Was It Built?

The Nucleus Systems AI Security Controls Architecture (NS-AISCA v1.0) is the technical security counterpart to AI governance. It converts AI security principles, standards, threat models, and regulatory obligations into a single control-driven architecture that can be assessed, evidenced, scored, reported, and continuously improved.

NS-AISCA was built because AI security is not a single prompt filter, model test, cloud setting, or policy. It is a layered control architecture protecting the entire AI decision and action chain across classical ML, GenAI, RAG, AI APIs, autonomous agents, cloud-hosted AI services, AI-enabled products, and third-party foundation-model consumption.

The Problem
AI security ≠ a single control
Prompt filters, model tests, cloud settings, and policies are each necessary but none are sufficient alone
The Architecture
108 controls · 12 domains · full attack surface
Data · Model · Prompt · RAG · Agent · Tool · Pipeline · Cloud · Monitoring · Assurance · IR
The Outcome
Defensible AI security posture
Evidence-based scores boards, regulators, customers, investors, and acquirers can rely on
Framework Architecture

Framework Domains & Coverage

12 weighted security domains, 108 controls, one unified posture score. Each domain secures a distinct layer of the AI attack surface — together they sum to 100%.

D1 8%
D2 8%
D3 9%
D4 9%
D5 9%
D6 10%
D7 10%
D8 9%
D9 8%
D10 8%
D11 7%
D12 5%
D1 — Governance · AI Security Governance & Accountability · 9 controls covering executive ownership, AI security policy, risk appetite, exception management, board reporting, role accountability, and training
8% · 9 CONTROLS
D2 — Inventory · AI Asset Inventory, Exposure & Classification · 9 controls covering AI asset inventory, shadow AI discovery, AI-BOM, data-flow and decision-flow mapping, exposure classification, and high-risk reconciliation
8% · 9 CONTROLS
D3 — Secure Design · AI Threat Modelling & Secure Design · 9 controls covering AI threat modelling, misuse and abuse cases, trust boundaries, secure reference architectures, human oversight, and design gates
9% · 9 CONTROLS
D4 — Data Security · Data, Privacy & Training-Set Security · 9 controls covering dataset lineage, poisoning prevention, privacy, sensitive-data minimisation, vector database authorisation, and exfiltration prevention
9% · 9 CONTROLS
D5 — Model Security · Model, Artifact & IP Security · 9 controls covering model registries, artifact signing, access least privilege, model theft prevention, fine-tuning change control, rollback, and IP management
9% · 9 CONTROLS
D6 — GenAI Security · LLM, Prompt, RAG & GenAI Application Security · 9 controls covering prompt injection defence, system-prompt protection, input/output validation, RAG authorisation, context isolation, and telemetry
10% · 9 CONTROLS — JOINT HIGHEST
D7 — Agent Security · Agentic AI, Tool & Autonomy Security · 9 controls covering agent permission scoping, tool registry, human approval for high-impact actions, autonomy limits, memory governance, sandboxing, and kill-switches
10% · 9 CONTROLS — JOINT HIGHEST
D8 — MLSecOps · MLOps, MLSecOps & AI Supply Chain Security · 9 controls covering repository security, pipeline gates, AI supply-chain risk assessment, SBOM/AI-BOM linkage, dependency scanning, and reproducibility
9% · 9 CONTROLS
D9 — Runtime · Cloud, API & Platform Security · 9 controls covering workload segmentation, endpoint protection, API security, runtime hardening, secrets management, encryption, tenant isolation, and consumption controls
8% · 9 CONTROLS
D10 — Detection · AI Security Monitoring, Logging & Detection · 9 controls covering security event logging, tamper-evident logs, AI-specific threat detection, drift monitoring, SOC integration, KRIs, and forensic evidence
8% · 9 CONTROLS
D11 — Assurance · Red Teaming & Independent Validation · 9 controls covering security test plans, adversarial ML testing, LLM and agent red teaming, regression testing, independent validation, and evidence register
7% · 9 CONTROLS
D12 — Resilience · AI Incident Response & Continuous Compliance · 9 controls covering AI incident playbooks, severity criteria, regulatory reporting triggers, emergency rollback, post-incident review, continuity, and reassessment
5% · 9 CONTROLS

Framework Specification

NS-AISCA combines AI security architecture, adversarial testing, secure AI development, cloud runtime controls, monitoring, and continuous assurance into a single evidence-based assessment and improvement model.

Controls
108 fully defined AI security controls across 12 weighted domains, each aligned to evidence requirements, maturity expectations, and framework mapping.
Scoring Model
Weighted average of domain maturity supported by automatic gap scoring, evidence-grade constraints, risk heatmaps, control failure visibility, KRIs, roadmap, and dashboard outputs.
Maturity Scale
L1 Initial → L2 Managed → L3 Defined → L4 Quantitative → L5 Optimising
Evidence Standard
5 evidence grades gate maturity progression:
E1 Informal · E2 Manual · E3 Structured · E4 System-generated · E5 Adaptive
Standards Alignment
20+ standards including: EU AI Act · ISO 42001 · ISO 23894 · ISO 27001 · ISO 27090 · NIST AI RMF · NIST AI 600-1 · NIST CSF 2.0 · NIST SSDF · OWASP LLM Top 10 · MITRE ATLAS · CSA AICM · Google SAIF
Assessment Tool
12 domain sheets with maturity dropdowns, auto-scoring, evidence register, remediation roadmap, board dashboard, architecture patterns, and assurance outputs.
Primary Purpose
Secure the entire AI attack surface: data · model · prompt · RAG · agent · tool · pipeline · API · cloud runtime · monitoring · assurance · incident response
Operating Model
Baseline assessment → Gap analysis → Remediation planning → Independent validation → Continuous reassessment as AI systems, prompts, models, vendors, and threats change
AI Security Controls Architecture Assessment Platform

NS-AISCA Assessment Workbook & Operating Model

The technology delivery engine for AI security architecture assessments and continuous control improvement. Provides 12 domain assessment sheets, control-level maturity dropdowns, automatic gap scoring, evidence register, remediation roadmap, board dashboard, architecture patterns, and assurance outputs. Enables organisations to measure AI security posture across classical ML, GenAI, RAG, agentic AI, AI APIs, MLOps pipelines, and cloud AI runtime environments using a single evidence-based model.

Services Delivered Under This Pillar

All services anchored to NS-AISCA v1.0 and delivered through the AI Security Controls Architecture Assessment Platform.

01

AI Security Controls Architecture Assessment & Roadmap

NS-AISCA baseline across all 12 domains with AI Security Posture Score, maturity heatmap, evidence register, and prioritised remediation roadmap.

02

AI Threat Modelling & Secure Design Review

Threat modelling covering misuse cases, trust boundaries, abuse paths, secure reference architectures, human oversight, and design gate requirements.

03

LLM, Prompt, RAG & GenAI Security Assessment

Assessment of prompt injection, system-prompt protection, input/output validation, RAG authorisation, context isolation, data leakage, and GenAI telemetry controls.

04

Agentic AI, Tool & Autonomy Security Review

Review of agent permissions, tool registry, autonomy limits, high-impact human approvals, memory governance, credential isolation, sandboxing, and kill-switch procedures.

05

MLSecOps & AI Supply Chain Security Programme

Integration of AI security controls into repositories, ML pipelines, model registries, dependency scanning, SBOM/AI-BOM linkage, artifact signing, and reproducible deployment workflows.

06

AI Runtime, Cloud, API & Monitoring Assurance

Review of AI workload segmentation, endpoint and API security, secrets, encryption, tenant isolation, consumption controls, logging, drift monitoring, SOC integration, and KRIs.

07

AI Red Teaming, Incident Response & Continuous Validation

Adversarial ML testing, LLM and agent red teaming, regression testing, AI incident playbooks, rollback readiness, forensic evidence capture, and continuous reassessment.

Secure your AI systems with a defensible, evidence-based architecture

We baseline your AI security posture across all 12 domains and deliver a prioritised remediation roadmap your board can act on.

Core Pillar 3 · Proprietary Framework & Platform

NS-CTAF v1.0

A cryptographically grounded, continuously measurable standard for software trust — ending code trust theatre and establishing a unified architecture for proving that software is trustworthy across identity, integrity, supply chain, and runtime.

86 Trust Controls
6 Trust Domains
30+ Frameworks Aligned
430 Maturity Interpretations
CTA 1–4 Certification Levels
What Is NS-CTAF v1.0 and Why Was It Built?

NS-CTAF introduces Code Trust Assurance (CTA) as a distinct discipline — the practice of establishing, measuring, and continuously maintaining evidence-based trust in software across its full lifecycle: from developer identity and build integrity to deployment, runtime behaviour, and software supply-chain assurance.

Built for the supply-chain attack reality of 2026 — SolarWinds SUNBURST, Log4Shell, XZ Utils, Polyfill.io — where traditional scanning and compliance programmes cannot answer the trust questions now being asked by regulators, enterprise customers, investors, and acquirers.

Can you prove your code is what it claims to be?
Can you provide cryptographic evidence your build pipeline was not compromised?
Do you maintain independently verifiable SBOMs and software provenance records?
Can you continuously demonstrate the integrity, authenticity, and trustworthiness of your software supply chain?
The Problem
Code trust is assumed, not proven
Point-in-time scanning and compliance declarations cannot answer modern supply-chain trust questions
The Framework
86 controls · 6 domains · cryptographic evidence
Identity · Integrity · Secure Dev · Supply Chain · Runtime · Governance
The Outcome
Software trust as a measurable business capability
Operational resilience, customer confidence, regulatory readiness, and acquisition defensibility — provable, not claimed
Framework Architecture

Framework Domains & Coverage

6 integrated trust domains, 86 controls, one unified trust score. Each domain targets a critical layer of software trust exposure identified through real-world supply-chain attacks — together they sum to 100%.

D1 18%
D2 18%
D3 22%
D4 20%
D5 14%
D6 8%
D1 — Identity · Developer Identity & Contributor Trust · Controls covering developer identity verification, cryptographic code signing, contributor trust weighting, third-party identity vetting, and trust lineage graph maintenance. Addresses the XZ Utils-class attack vector.
18% · IDENTITY LAYER
D2 — Integrity · Build Pipeline Integrity & Artifact Signing · Controls covering tamper-evident pipeline design, build provenance attestation, artifact signing (Sigstore/cosign), in-toto framework implementation, and pipeline security monitoring. Addresses the SolarWinds-class attack vector.
18% · INTEGRITY LAYER
D3 — Secure Development · SDLC Security & Code Quality · Controls covering secure coding standards, SAST integration, code review governance, security training, threat modelling, automated security testing gates, and AI-generated code governance.
22% · HIGHEST WEIGHT
D4 — Supply Chain · Dependency Governance & SBOM · Controls covering dependency inventory management, transitive dependency analysis, SBOM generation (CycloneDX/SPDX), dependency risk scoring, component origin verification, and SBOM correlation with CVEs. Addresses the Log4Shell-class attack vector.
20% · SUPPLY CHAIN LAYER
D5 — Runtime · Runtime Assurance & Behavioural Monitoring · Controls covering runtime behavioural monitoring, anomaly detection in production, container and infrastructure security, DAST integration, incident traceability to code commits, and runtime policy enforcement.
14% · RUNTIME LAYER
D6 — Governance · Organisational Software Trust Governance · Controls covering software trust policy framework, executive accountability, regulatory compliance reporting, customer-facing SBOM disclosure, supply chain contractual obligations, and continuous improvement.
8% · GOVERNANCE LAYER

Framework Specification

NS-CTAF combines cryptographic assurance, software supply chain governance, secure development maturity, and continuous operational validation into a single, measurable Code Trust Assurance model.

Controls
86 fully defined trust controls with requirements, cryptographic grounding requirements, implementation guidance, and framework alignment citations across 30+ standards.
Scoring Model
5-axis maturity with domain weights reflecting supply chain risk concentration: D3 Secure Development at 22% (highest), D4 Supply Chain at 20%, D1/D2 Identity & Integrity at 18% each.
Maturity Scale
L1 Initial → L2 Developing → L3 Defined → L4 Managed → L5 Optimised — with 430 control-specific maturity interpretations (5 levels × 86 controls).
Certification Programme
The first external software trust certification backed by a structured maturity model:
CTA-1 Transparent · CTA-2 Verified · CTA-3 Assured · CTA-4 Adaptive Trust
Framework Alignment
30+ standards including: NIST SSDF SP 800-218 · SLSA · in-toto · Sigstore · OWASP SAMM · BSIMM · ISO/IEC 27001 · EU Cyber Resilience Act · US EO 14028 · NIS2 · DORA · PCI DSS v4
Management Tool
Excel-native workbook with auto-scoring, 340+ improvement recommendations, certification readiness tracker, roadmap generation, and board-ready Trust Score report.
Delivery Model
Repository-based assessment model. First automated results in <5 minutes via Paxley. Full advisory assessment: 1–3 weeks. Ongoing continuous monitoring via the Paxley platform.
Unique Differentiator
The only code security framework requiring cryptographic evidence, not self-reported status. A control cannot be rated above L2 without evidence that cannot be fabricated without computational effort proportional to the security claim.
Code Trust Assurance Platform

Paxley Code Security Platform

The automated delivery engine for NS-CTAF assessments and continuous code trust monitoring. Provides SAST (15+ languages, dataflow analysis), Software Composition Analysis with CVE detection, SBOM generation in CycloneDX and SPDX formats, IaC scanning (Terraform, Kubernetes, Pulumi, CDK), container image scanning, secrets detection (200+ patterns), and policy governance — all in one unified interface. Repository-based pricing from $99/repo/month delivers a 79% cost reduction vs per-seat incumbents. First scan results in under 5 minutes. SaaS or self-hosted deployment.

Services Delivered Under This Pillar

All services anchored to NS-CTAF v1.0 and delivered with the Paxley Code Security Platform as the automated evidence layer.

01

Code Trust Assurance Assessment & Roadmap

NS-CTAF baseline across all 6 trust domains with automated Paxley scanning, Trust Score and Maturity Report, SBOM generation, and prioritised roadmap.

02

CTA Certification Programme Management

Structured pathway from CTA-1 Transparent through CTA-4 Adaptive Trust — Nucleus as advisory partner, delivering a validated software trust signal for procurement.

03

DevSecOps Transformation & Secure Engineering Enablement

Integration of NS-CTAF controls into CI/CD pipelines, engineering workflows, release governance, IaC security, and developer security operating models.

04

Virtual DevSecOps Champion Support Service

Structured retainer for organisations needing practical, independent, sustained secure SDLC leadership without committing to a full-time AppSec or product security function.

05

Code Security Risk Assessment

Automated repository scanning via Paxley — SAST, SCA, SBOM, IaC, container security, and secrets detection as a unified, continuous evidence layer.

06

M&A-Focused Code Risk Assessment

Pre-close assessment of product and supply-chain risk embedded in codebase — IP and licensing exposure identification, attacker-validated evidence for investment committees.

07

DPI & Digital Public Goods Code Trust Service

NS-CTAF assessment and secure development advisory for DPGs and DPI — ensuring community-built software meets regulatory and trust requirements for public-purpose digital systems.

08

SBOM Governance & Continuous Software Transparency

Enterprise SBOM governance, supplier software transparency assessments, continuous dependency trust monitoring, and customer-facing software trust reporting aligned to CRA, NIS2, DORA.

09

Open Source Software Trust & Community Governance Advisory

Governance, contributor trust validation, secure open-source release management, dependency risk governance, and cryptographic integrity assurance for open-source software ecosystems and community-led engineering environments.

Prove your software is trustworthy — cryptographically, continuously

We baseline your code trust posture across all 6 domains and deliver a roadmap from assumed confidence to verifiable, board-reportable software trust.

Proprietary Framework · Cybersecurity Maturity

NS-CMMF v1.0

The most comprehensive, consultable, and regulatory-aligned cybersecurity maturity framework available — replacing fragmented compliance checklists and opaque maturity ratings with a single, evidence-based instrument for measurement and continuous improvement.

270 Re-Engineered Controls
5-Axis Scoring Model
32 Frameworks & Regs Mapped
6 NIST CSF Domains
L1–L5 Maturity Progression
Why NS-CMMF Was Built

Ask any experienced CISO whether their organisation is compliant, and you'll hear 'yes'. Ask them whether it is secure, and the conversation becomes considerably more nuanced. This gap is a structural failure of frameworks relied on for more than two decades.

A single Level 3 rating for 'Endpoint Protection' can conceal an enormous range of operational realities — an estate with full-coverage behavioural EDR, automated patch management, and application allowlisting scores identically to one running legacy antivirus on 70% of endpoints with no formal patch process. That difference is the difference between containing a ransomware attack and losing 60% of systems before detection.

NS-CMMF addresses this through Cybersecurity Maturity Intelligence — 270 specific, auditable controls replacing broad categories, with control-level regulatory mapping at article granularity, and financial quantification of every finding.

Problem 1 — Specificity
Controls are too imprecise to be useful
Where a legacy framework has one 'Endpoint Protection' control, NS-CMMF has 14 distinct, auditable sub-controls each with binary-verifiable requirements at every maturity level.
Problem 2 — Fragmentation
Compliance runs as a separate programme
Parallel ISO 27001, DORA, NIS2, and PCI DSS programmes generate five separate evidence packages from a single operational control. NS-CMMF collapses this into one.
Problem 3 — Communication
Boards cannot act on what they receive
NS-CMMF produces a weighted score, auto-generated Board Report, and financial quantification — replacing traffic-light dashboards with governance-grade maturity intelligence.
Framework Architecture

Domain Weights & Coverage

NS-CMMF maps to the 6 NIST CSF 2.0 domains. Domain weights reflect empirical observation of where organisations actually fail under regulatory scrutiny — PROTECT carries the highest weight at 27%.

GV 16%
ID 10%
PR 27%
DE 14%
RS 13%
RC 10%
GV — Govern · Governance & Organisational Context · AI governance, risk management strategy, roles and responsibilities, policy framework, supply chain risk governance, and regulatory compliance programme management — including 7 dedicated AI governance controls.
16% · GOVERNANCE LAYER
ID — Identify · Asset Management & Risk Assessment · Asset inventory (IT, cloud, OT/ICS), vulnerability management, third-party risk identification, business environment mapping, and risk assessment methodology — including dedicated OT/ICS asset inventory control ID-08.
10% · IDENTIFY LAYER
PR — Protect · Protective Controls & Safeguards · The largest domain at 27% — covering identity and access management, endpoint security (14 controls), network security, data protection, cloud security (13 controls), AI security (10 technical controls), and OT/ICS network security. Where organisations most commonly fail under attack.
27% · HIGHEST WEIGHT
DE — Detect · Threat Detection & Monitoring · SIEM log ingestion and coverage, anomaly and behavioural detection, threat intelligence integration, OT/ICS threat detection, and continuous security monitoring — with control-level mapping to PCI DSS, DORA, NIS2, SOX, HIPAA, GDPR, ISO 27001, and FedRAMP.
14% · DETECT LAYER
RS — Respond · Incident Response & Regulatory Notification · Incident response planning and execution, NIS2 three-stage notification process (RS-18), DORA major incident reporting (RS-19), OT/ICS incident response with engineering involvement, and crisis communication governance.
13% · RESPOND LAYER
RC — Recover · Recovery & Resilience · Business continuity and disaster recovery planning, backup integrity and restoration testing, OT/ICS safety validation before operational resumption (RC-15), lessons learned integration, and resilience maturity measurement.
10% · RECOVER LAYER

Framework Specification

NS-CMMF scores every control across five independent dimensions, applies seven non-negotiable hard gates, and maps each finding to its applicable regulatory obligations at the article level — producing an assessment that is simultaneously board-ready, audit-ready, and investment-grade.

Design · 20%
Is the control well-designed for its intended purpose? Policy documented and reviewed within 12 months; regulatory mapping explicit; design addresses the specific threat scenario; approved by the appropriate authority.
Coverage · 25%
Is the control deployed across 100% of the in-scope population? Coverage ≥ 95% of in-scope assets; exceptions formally documented with named owner and expiry; scope confirmed through automated discovery.
Operating · 25%
Does the control operate consistently in production? 3-month operational evidence available; SLA adherence ≥ 95%; exceptions trigger formal exception process; no evidence of control bypassing or workarounds.
Monitoring · 20%
Is the control independently tested and validated? KPI or KRI defined and measured; annual independent test; exceptions trigger formal escalation; trend reporting active.
Automation · 10%
Is the control automated, self-healing, and continuously evidenced? Partial automation of evidence generation; alert on control failure; evidence does not rely entirely on manual collection.
Framework Alignment
32 frameworks and regulations mapped at article and section level — NIST CSF 2.0 · ISO/IEC 27001:2022 · CIS Controls v8 · GDPR · NIS2 · DORA · Cyber Resilience Act · HIPAA · SOX · PCI DSS v4 · FedRAMP · EU AI Act · NIST AI RMF · ISO 42001 · OWASP LLM Top 10 · IEC 62443 and more.
Hard Scoring Gates
Seven non-negotiable ceiling constraints prevent any composite score from exceeding a defined level regardless of the five-axis score:
No owner → Max L2
No 3-month evidence → Max L3
No KPI/KRI → Max L4
No automation → Max L5
Reg obligation unmet → Max L2
Interview-only evidence → Max L2
Attestation-only → Max L1.5
Assessment Tool
Excel-native workbook with auto-scoring, 1,350 auto-generated recommendations (5 per control × 270 controls), priority roadmap auto-sorted by Gap × Domain Weight, 32-framework filter for instant regulatory evidence packaging, 44-row assessment history for longitudinal tracking, and 200-row evidence register with expiry management.
Delivery Model
10–12 business day engagement from scoping to final delivery. 188+ stakeholder interviews across CISO, CTO, DPO, Head of IT, AppSec, Cloud, and OT leads. Deliverables: scored assessment tool, regulatory exposure matrix, prioritised 12-month roadmap, board presentation, and 32-framework compliance reports.
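The five-axis weights, the seven hard gates and the Gap × Domain Weight priority sort described in the specification above, worked through as an added example. This is illustration code written for this page, not Nucleus Systems' assessment tool: the axis weights, the NIST CSF domain weights and the gate ceilings are the figures stated on the page, while everything else is an assumption made for the example (each axis is rated 1–5, the composite is the weighted sum, a triggered gate caps the composite at its ceiling, the gap is measured against a target of L5, and the overall score renormalises domain weights over the domains actually assessed). The four sample controls reuse control identifiers that appear on the page, but their ratings and triggered gates are constructed.

```python
"""Control scoring in the style of the five-axis model with hard gates.

Added example, not the vendor's tool. Page figures: axis weights, domain
weights, gate ceilings. Assumptions (labelled): 1-5 axis scale, weighted-sum
composite, gate-as-ceiling, target L5, renormalised overall score.
"""
from dataclasses import dataclass

# Five scoring axes and their weights from the page (sum to 1.0).
AXIS_WEIGHTS = {
    "design": 0.20,
    "coverage": 0.25,
    "operating": 0.25,
    "monitoring": 0.20,
    "automation": 0.10,
}

# NIST CSF 2.0 domain weights from the page (sum to 100%).
DOMAIN_WEIGHTS = {"GV": 0.16, "ID": 0.10, "PR": 0.27, "DE": 0.14, "RS": 0.13, "RC": 0.10}

# Hard gates from the page: a triggered condition caps the level at its ceiling.
HARD_GATES = {
    "no_owner": 2.0,
    "no_three_month_evidence": 3.0,
    "no_kpi_kri": 4.0,
    "no_automation": 5.0,
    "reg_obligation_unmet": 2.0,
    "interview_only_evidence": 2.0,
    "attestation_only": 1.5,
}


@dataclass
class ControlAssessment:
    control_id: str
    domain: str
    axes: dict                                  # axis name -> rating 1..5 (assumed scale)
    gates_triggered: frozenset = frozenset()    # names from HARD_GATES
    target_level: float = 5.0                   # assumed improvement target


def five_axis_score(axes):
    """Weighted composite of the five axes before any gate is applied."""
    missing = set(AXIS_WEIGHTS) - set(axes)
    if missing:
        raise ValueError(f"axes not rated: {sorted(missing)}")
    for name, rating in axes.items():
        if name not in AXIS_WEIGHTS or not 1 <= rating <= 5:
            raise ValueError(f"invalid rating {name}={rating}")
    return round(sum(AXIS_WEIGHTS[a] * axes[a] for a in AXIS_WEIGHTS), 4)


def gated_level(ca):
    """Composite capped by the lowest ceiling among the triggered hard gates."""
    unknown = ca.gates_triggered - set(HARD_GATES)
    if unknown:
        raise ValueError(f"unknown gates: {sorted(unknown)}")
    ceilings = [HARD_GATES[g] for g in ca.gates_triggered]
    return round(min([five_axis_score(ca.axes)] + ceilings), 4)


def priority_score(ca):
    """Gap x Domain Weight: the roadmap sort key named on the page."""
    gap = max(0.0, ca.target_level - gated_level(ca))
    return round(gap * DOMAIN_WEIGHTS[ca.domain], 4)


def domain_scores(assessments):
    """Mean gated level per domain (assumed aggregation)."""
    by_domain = {}
    for ca in assessments:
        by_domain.setdefault(ca.domain, []).append(gated_level(ca))
    return {d: round(sum(v) / len(v), 4) for d, v in by_domain.items()}


def overall_score(assessments):
    """Domain-weighted mean, renormalised over assessed domains (assumption)."""
    scores = domain_scores(assessments)
    weight_total = sum(DOMAIN_WEIGHTS[d] for d in scores)
    return round(sum(DOMAIN_WEIGHTS[d] * s for d, s in scores.items()) / weight_total, 4)


def roadmap(assessments):
    """Control ids ordered by descending priority score."""
    return [ca.control_id for ca in sorted(assessments, key=priority_score, reverse=True)]


# Constructed sample ratings; the control ids are ones named on the page.
SAMPLE = [
    ControlAssessment("PR-82", "PR", {"design": 4, "coverage": 4, "operating": 4, "monitoring": 3, "automation": 3}),
    ControlAssessment("ID-08", "ID", {"design": 5, "coverage": 5, "operating": 4, "monitoring": 4, "automation": 2},
                      frozenset({"no_kpi_kri"})),
    ControlAssessment("DE-25", "DE", {"design": 3, "coverage": 3, "operating": 3, "monitoring": 3, "automation": 2},
                      frozenset({"interview_only_evidence"})),
    ControlAssessment("RS-18", "RS", {"design": 4, "coverage": 5, "operating": 4, "monitoring": 4, "automation": 4},
                      frozenset({"reg_obligation_unmet", "no_owner"})),
]

if __name__ == "__main__":
    for ca in SAMPLE:
        print(ca.control_id, five_axis_score(ca.axes), gated_level(ca), priority_score(ca))
    print("domains:", domain_scores(SAMPLE), "overall:", overall_score(SAMPLE))
    print("roadmap:", roadmap(SAMPLE))
```

The sample makes the gate effect visible: RS-18 has a strong five-axis composite (4.25) but, with an unmet regulatory obligation and no named owner, is capped at L2 and therefore outranks the genuinely weaker PR-82 in the roadmap, while DE-25 lands at the top because interview-only evidence caps it at L2 in a 14%-weight domain.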
Built for 2026's Threat Landscape

AI, Cloud & OT — Natively Addressed

Legacy frameworks respond to new threats at the pace of their governance committees — typically 3–5 years between major updates. NS-CMMF was built from the ground up for today's attack landscape, not retrofitted from a 2018 baseline.

Artificial Intelligence
17 AI Controls
7 GV governance + 10 PR technical
GV-29–35: AI Governance Committee, Risk Classification, Acceptable Use Policy, Shadow AI Detection, Ethics, Model Lifecycle, GenAI/LLM Risk
PR-86–95: Prompt injection prevention, model access control, output monitoring, training data provenance, adversarial testing, model supply chain security, RAG security, agentic system security, deepfake detection
EU AI ACT · NIST AI RMF · ISO 42001 · OWASP LLM TOP 10
Cloud-Native Security
13 Cloud Controls
5 new in v1.0 for multi-cloud reality
PR-81: Configuration Drift Prevention — IaC enforcement, drift detection ≤15 min
PR-82: Kubernetes Security — CIS benchmark, network policies, RBAC hardened
PR-83: Cloud Workload Protection — VMs, containers, serverless
PR-84: Multi-Cloud Identity Federation — unified governance across all CSPs
PR-85: FinSec — cost anomaly detection correlated with security events
Operational Technology
5 OT/ICS Controls
First systematic OT coverage in a general-purpose framework
ID-08: OT/ICS Asset Inventory — protocol mapping and security zone classification
PR-58: OT/ICS Network Security — IT/OT boundary firewall, unidirectional gateways
DE-25: OT/ICS Threat Detection — OT-native IDS, industrial protocol monitoring
RS-17: OT/ICS Incident Response — engineering involvement mandatory
RC-15: OT/ICS Recovery — engineering safety validation before resumption

What an NS-CMMF Assessment Produces

The output is not a report — it is an evidence base, a precision roadmap, and a financial model that any board member, regulator, or investor committee can act on directly.

01

Board-Ready Maturity Score

A weighted overall score defensible before a board audit committee — based on specific, documented evidence at the control level, not a traffic-light dashboard. A board member who asks "how do we know this control works?" gets directed to 3-month operational evidence and KPI trend data.

02

Regulatory Evidence Packages

The 32-framework filter generates instant regulatory evidence packages. When a regulator requests DORA ICT risk management capability evidence, the package for all DORA-mapped controls is immediately available — assembled during the assessment, not reconstructed under time pressure.

03

Prioritised Improvement Roadmap

1,350 auto-generated recommendations sorted by Priority Score (Gap × Domain Weight). A control currently at L2 receives the L2→L3 recommendation — not generic advice to 'improve'. Each recommendation includes effort estimate, target quarter, owner assignment, and status tracking.

04

Longitudinal Assessment History

44-row assessment history providing a board-presentable, audit-ready evidence trail demonstrating consistent security programme maturity over 3–5 years of quarterly or semi-annual assessments — one of the most compelling evidence artefacts in regulatory investigations and M&A due diligence.

Assessment Platform

Cybersecurity Maturity Platform

Purpose-built for continuous NS-CMMF assessment, scoring, and executive reporting. Turns point-in-time audits into a live maturity index that boards can track and regulators will accept. Auto-populates the roadmap from assessment findings, generates 32-framework regulatory evidence packages on demand, tracks evidence expiry through a 200-row evidence register, and produces board-ready reports with a single export.

Move from checkbox compliance to measurable, defensible security maturity

We assess your posture across all 270 controls, produce a precision roadmap, and deliver regulatory evidence packages your team can act on immediately.

Proprietary Framework · AI Governance

NS-AIGF v1.0

A proprietary, structured, and automation-ready approach to AI governance for organisations deploying, developing, or procuring AI in regulated and high-impact environments — replacing fragmented compliance efforts and aspirational governance with a single, evidence-based, board-ready model for continuous AI accountability.

60 Governance Controls
7 Weighted Domains
300 Control Interpretations
3 Frameworks Unified
L1–L5 Maturity Progression
Why NS-AIGF Was Built

For most of the past decade, organisations deploying AI have operated on a fundamentally flawed premise: that having an AI ethics policy, a responsible AI statement, and a risk committee that meets quarterly constitutes AI governance. It does not. It constitutes AI governance theatre — the appearance of accountability without the operational substance that accountability requires.

That world is over. The EU AI Act entered into force in August 2024. ISO/IEC 42001, the world's first AI Management System standard, was published in December 2023. Regulators across 40+ countries reference the NIST AI RMF. AI governance is no longer an ethical aspiration — it is a regulatory obligation.

NS-AIGF v1.0 was designed from first principles as a purpose-built AI governance architecture for this regulatory environment. Every control was designed through four lenses: specificity (one auditable requirement per control), regulatory alignment (specific article or clause mapping), evidence clarity (what adequate evidence looks like at L1–L5), and maturity differentiation (distinct criteria distinguishing ad hoc intent from automated, continuously validated governance).

The Gap
Governed on paper, exposed in practice
Organisations with comprehensive responsible AI policies and active ethics committees are being found non-compliant with EU AI Act requirements every year — not because they lack principles, but because they lack the specific operational controls that binding regulation requires.
The Cost
Fragmented compliance is expensive
Managing EU AI Act, ISO 42001, and NIST AI RMF as three separate programmes — 600–1,200 person-hours annually in duplicate evidence collection, separate audit cycles, and inconsistent maturity views rather than one defensible truth.
The Answer
One control library. Three regulatory obligations. One evidence base.
Control 15 — Human Oversight, implemented to NS-AIGF v1.0 standard, simultaneously satisfies EU AI Act Art. 14, ISO 42001 §8.4, and NIST AI RMF MANAGE 2.2 — with one evidence collection exercise and one maturity score.
Framework Architecture

Domain Weights & Coverage

7 weighted governance domains across 60 controls. Domain weights reflect EU AI Act enforcement priorities and ISO 42001 certification requirements — not arbitrary allocation. D2 Risk Classification carries the highest weight because getting AI risk classification right is the prerequisite for all other compliance obligations.

D1 18%
D2 22%
D3 15%
D4 12%
D5 12%
D6 13%
D7 8%
D1 — AI Governance & Oversight · Governance Structure & Accountability
AI Governance Charter, executive accountability, AI inventory ownership, shadow AI detection, third-party AI vendor governance, AI acceptable use policy, and AI training programme. Foundational governance authority — without it, all other controls are legally insufficient.
18% · 8 CONTROLS
D2 — Risk Classification & EU AI Act · EU AI Act Compliance Controls
AI risk classification (four-tier EU AI Act taxonomy), high-risk AI identification against Annex III, prohibited use controls (6 banned categories), conformity assessment management, risk reassessment on model change, and technical documentation (Art. 11). Classification errors create direct and immediate legal exposure.
22% · HIGHEST WEIGHT
D3 — AI Lifecycle & Model Governance · Operational AI Control Points
Use case approval gate, model registry, model versioning (Art. 11), testing gates before production deployment, rollback capability, post-market monitoring (Art. 9), and model retirement. Without these, governance policies have no operational implementation.
15% · LIFECYCLE LAYER
D4 — Data Governance for AI · Training Data & Pipeline Integrity
Data lineage, data quality management, bias in data detection (EU AI Act Art. 10), consent and legal basis (GDPR), data minimisation, sensitive data handling, and data drift detection. Most AI failures trace to data governance failures that occurred before the model was trained.
12% · DATA LAYER
D5 — Fairness & Responsible AI · Explainability, Fairness & Human Oversight
Explainability framework, model cards, transparency obligations (Art. 13), human oversight mechanisms (Art. 14), bias testing and fairness, fairness monitoring in production, adverse impact assessment, and ethical review process. Non-negotiable for regulated and public-facing AI.
12% · FAIRNESS LAYER
D6 — AI Security & Monitoring · MLSecOps & AI-Specific Attack Surfaces
Prompt injection defence (OWASP LLM #1), adversarial robustness testing, model theft prevention, data poisoning controls, AI model access control, continuous performance monitoring, security logging (Art. 12), and anomaly detection. AI attack surfaces that standard cybersecurity frameworks do not adequately address.
13% · SECURITY LAYER
D7 — Incident & Auditability · Incident Response & Audit Trail Completeness
AI incident response playbooks, regulatory reporting (EU AI Act Art. 73 — mandatory for high-risk AI providers), audit trail completeness (tamper-evident), continuous compliance monitoring, and ISO 42001 §9.1 monitoring requirements. The audit trail is the primary evidence source for regulatory investigations.
8% · AUDIT LAYER

Framework Specification

NS-AIGF v1.0 replaces voluntary principles with 60 specific, auditable controls — each with 300 control-specific maturity interpretations, a 5-level maturity scale, and simultaneous alignment to the EU AI Act, ISO/IEC 42001, and NIST AI RMF at the article and clause level.

Controls
60 fully defined governance controls across 7 weighted domains — each addressing one auditable governance requirement with specific evidence standards at every maturity level. 300 control-specific interpretations eliminate assessor-dependent scoring.
Maturity Scale
L1 Initial (ad hoc, no structured evidence) → L2 Managed (manual, partially defined) → L3 Defined (standardised, repeatable — baseline for EU AI Act compliance and ISO 42001 certification readiness) → L4 Quantitative (automated, metrics-driven) → L5 Optimising (self-improving, predictive).
L1 Initial · L2 Managed · L3 Defined · L4 Quantitative · L5 Optimising
Framework Alignment
Every control maps simultaneously to all applicable frameworks at the specific article, clause, and function level: EU AI Act (Articles 9–14, 43, 50, 73) · ISO/IEC 42001 (§4–§10) · NIST AI RMF (GOVERN, MAP, MEASURE, MANAGE functions). One control satisfies obligations across all three frameworks from a single evidence base.
ISO 42001 Pathway
Completing an NS-AIGF v1.0 assessment simultaneously completes a pre-certification readiness assessment. The ISO 42001 Readiness module maps domain scores directly to §4–§10 clauses and calculates a gap-to-certification score — the assessment IS the gap analysis. One improvement programme serves EU AI Act compliance, NIST AI RMF alignment, and ISO 42001 certification simultaneously.
Scoring Formula
Domain maturity scores = mean of all in-scope control scores within the domain. Overall score = sum of domain scores × domain weights. Priority Score = Gap × Domain Weight — a control in D2 with a 3-level gap scores 0.66; the same gap in D7 scores 0.24. Roadmap auto-sorts by priority to direct governance investment where it reduces the most risk.
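The scoring model above, worked through in code as an added example (this is not the platform's or the framework's own code). It uses the seven domain weights given on this page; the sample assessment, control IDs and the target maturity level (assumed to be L5, so a control at L2 has a 3-level gap) are constructed assumptions.

```python
"""Worked example of the NS-AIGF scoring model described on the page.

Domain score  = mean of the in-scope control scores within the domain
Overall score = sum of (domain score x domain weight)
Priority      = gap x domain weight, gap = target level - current level
Roadmap       = controls sorted by priority, highest first, each carrying
                the next-level recommendation (e.g. L2->L3), not generic advice
"""

# Domain weights in percent, from the page's domain table (they sum to 100).
DOMAIN_WEIGHT_PCT = {"D1": 18, "D2": 22, "D3": 15, "D4": 12,
                     "D5": 12, "D6": 13, "D7": 8}

# Constructed sample assessment: (control id, domain, current level 1..5).
# Levels and control-to-domain placement are illustrative, not assessment data.
SAMPLE_ASSESSMENT = [
    ("C6", "D1", 2), ("C1", "D1", 4),
    ("C11", "D2", 1), ("C12", "D2", 3),
    ("C23", "D3", 2),
    ("C34", "D4", 1),
    ("C30", "D5", 3),
    ("C44", "D6", 2),
    ("C58", "D7", 1),
]

# Assumed target: full maturity. Substitute 3 to measure gap-to-L3 baseline.
DEFAULT_TARGET_LEVEL = 5


def domain_scores(assessment):
    """Mean of in-scope control levels per domain (domains with no controls are absent)."""
    per_domain = {}
    for _control, domain, level in assessment:
        per_domain.setdefault(domain, []).append(level)
    return {d: sum(levels) / len(levels) for d, levels in per_domain.items()}


def overall_score(assessment):
    """Weighted sum of domain scores. Every domain must have at least one in-scope control."""
    scores = domain_scores(assessment)
    missing = set(DOMAIN_WEIGHT_PCT) - set(scores)
    if missing:
        raise ValueError(f"no in-scope controls for {sorted(missing)}")
    weighted = sum(scores[d] * DOMAIN_WEIGHT_PCT[d] for d in DOMAIN_WEIGHT_PCT)
    return round(weighted / 100, 2)


def priority_score(domain, current_level, target_level=DEFAULT_TARGET_LEVEL):
    """Gap x domain weight; integer-percent arithmetic avoids float drift in the result."""
    gap = max(target_level - current_level, 0)
    return round(gap * DOMAIN_WEIGHT_PCT[domain] / 100, 2)


def roadmap(assessment, target_level=DEFAULT_TARGET_LEVEL):
    """Prioritised roadmap rows, highest priority first, with the next-level recommendation."""
    rows = []
    for control, domain, level in assessment:
        if level >= target_level:
            recommendation = "at target"
        else:
            recommendation = f"L{level}->L{level + 1}"
        rows.append({
            "control": control,
            "domain": domain,
            "current_level": level,
            "recommendation": recommendation,
            "priority": priority_score(domain, level, target_level),
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    print("domain scores:", domain_scores(SAMPLE_ASSESSMENT))
    print("overall score:", overall_score(SAMPLE_ASSESSMENT))
    # The page's own worked numbers: a 3-level gap in D2 vs the same gap in D7.
    print("D2 gap 3 ->", priority_score("D2", 2), "| D7 gap 3 ->", priority_score("D7", 2))
    for row in roadmap(SAMPLE_ASSESSMENT):
        print(row)
```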
Assessment Tool
Eight interconnected modules: 20-question Scoping Module (auto-applies control applicability logic), 7 Domain Assessment Modules, auto-generated Board Report, Prioritisation Engine, Evidence Register (collection date, expiry date, owner, status), ISO 42001 Readiness module, and Assessment History for longitudinal maturity tracking across multiple cycles.
Delivery Model
Structured engagement delivering 60-control baseline assessment, domain maturity scores, board governance report, prioritised improvement roadmap, ISO 42001 readiness indicator, and regulatory evidence packages per framework. Continuous reassessment cadence recommended quarterly for high-priority controls.
Controls Organisations Most Commonly Miss

The Operational Controls Principles Cannot Replace

The controls most consistently absent from enterprise AI governance programmes are not strategic — they are operational, technical, and specific. And they are the ones regulators are actively enforcing.

C6

AI Inventory Ownership

A complete register of every AI system deployed, consumed, or integrated across the enterprise — with a named owner accountable for each system's governance compliance. Almost universally missing despite its fundamental importance. At L4, auto-updated through deployment pipeline integrations.

C11

Prohibited Use Controls

Technical and procedural controls that actively prevent the 6 EU AI Act banned AI categories from reaching production — social scoring, real-time biometric surveillance, subliminal manipulation, emotional inference in workplaces. At L4, embedded in deployment pipelines and fire automatically.

C23

Rollback Capability

When a model begins producing incorrect, biased, or harmful outputs in production, the organisation needs the ability to revert to a prior known-good version rapidly. Consistently one of the least mature and most consequential controls in initial assessments. The difference between L2 and L3 here could be the difference between a contained incident and a sustained public AI failure.

C25

Shadow AI Detection

A significant proportion of AI usage in organisations with 100+ employees occurs without IT or governance awareness — ChatGPT, Copilot, Claude, and dozens of vertical-specific tools processing sensitive customer data, proprietary information, or regulated health records without DLP controls or audit trails. At L4, detection is continuous through CASB and network monitoring.

C34

Data Drift Detection

Automated monitoring to detect when the statistical distribution of production data has drifted significantly from the training distribution — causing well-validated models to produce degraded, unreliable, or unsafe outputs silently over time. EU AI Act Art. 9 requires post-market monitoring. This is the technical mechanism through which that obligation is operationalised.

C44

Prompt Injection Defence

OWASP LLM Top 10 #1 — consistently absent or immature in organisations deploying large language models. Prompt injection attacks override model instructions via malicious inputs, causing models to disclose confidential information, ignore safety guardrails, or perform actions outside their intended scope. At L4, automated testing is integrated into the deployment lifecycle.

Continuous Compliance Engine

AI Governance Maturity Assessment Tool

The delivery vehicle for NS-AIGF v1.0 — transforming a governance evaluation into a living management system. Eight interconnected modules automatically generate board-ready governance reporting, a prioritised improvement roadmap, ISO 42001 certification readiness indicators, and longitudinal maturity tracking across assessment cycles. The board report translates maturity scores into a governance health narrative that audit committees can act on directly. The evidence register tracks every governance artefact with collection date, expiry date, owner, and status — transforming a week-long audit preparation exercise into a dashboard query. The governance programme generates management intelligence as a natural output of operations rather than as a separate, expensive reporting effort.

End AI governance theatre — permanently

We assess your AI governance posture across all 60 controls, identify your highest-priority gaps, and build you the board-ready, regulator-ready evidence infrastructure that genuine AI accountability requires.

Proprietary Framework

NS-AISCA

Nucleus Systems AI Security Controls Architecture. A comprehensive technical security framework for AI systems, models, pipelines and infrastructure.

Version 1.1.0 · 2026
108 Security controls
12 Security domains
GenAI Coverage
Agentic AI Coverage

Design philosophy

NS-AISCA addresses a gap that most cybersecurity frameworks do not cover: the security of AI systems as technical artefacts. General cybersecurity frameworks (ISO 27001, NIST CSF) treat AI systems like any other IT asset. They are not. AI models have unique attack surfaces (adversarial inputs, training data poisoning, model extraction, hallucination exploitation and agentic autonomy risks) that require specialised security controls.

NS-AISCA defines 108 controls spanning 12 domains, organised to cover the full AI system lifecycle from data ingestion through model training, deployment, monitoring and decommissioning. It is the technical counterpart to NS-AIGF's governance layer.

Threat model coverage

Adversarial ML · Prompt Injection · Model Inversion · Data Poisoning · Model Extraction · Agentic AI Risks · MLSecOps · AI Supply Chain

Domain coverage

D1

Data Security & Integrity

Training data validation, poisoning detection, data provenance and pipeline integrity controls.

D2

Model Security

Model file integrity, access controls, serialisation security and model registry governance.

D3

Adversarial Robustness

Input validation, adversarial testing, evasion attack resistance and robustness benchmarking.

D4

LLM & GenAI Security

Prompt injection prevention, output validation, system prompt security and hallucination risk controls.

D5

Agentic AI Security

Agent boundary controls, tool use authorisation, autonomy constraints and multi-agent trust architecture.

D6

MLOps & Pipeline Security

CI/CD pipeline security for ML, experiment tracking security, model versioning controls and deployment governance.

D7

Infrastructure Security

GPU/TPU security, inference endpoint hardening, API security and compute isolation.

D8

Privacy & Inference Attacks

Membership inference defences, model inversion prevention, differential privacy implementation and data minimisation.

D9

Supply Chain Security

Third-party model vetting, pre-trained model integrity, dataset provenance and open-source AI component risk.

D10

Monitoring & Detection

Runtime anomaly detection, model drift monitoring, adversarial input detection and security telemetry.

D11

Incident Response

AI-specific incident classification, model rollback procedures and post-incident forensic analysis.

D12

Compliance & Assurance

OWASP ML Top 10 alignment, MITRE ATLAS mapping and regulatory reporting for AI security incidents.

Apply NS-AISCA to your AI systems

Book an NS-AISCA scoping call to define which domains are most relevant to your current AI deployment and threat model.

Proprietary Framework

NS-CTAF

Nucleus Systems Code Trust Assurance Framework. A structured certification model for software trustworthiness across the full development and delivery lifecycle.

Version 2.0.1 · 2026
86 Trust controls
6 Trust domains
CTA-1→4 Certification tiers
Paxley Platform delivery

Design philosophy

NS-CTAF was built on the premise that trust in software must be established at the point of creation and continuously maintained through every change. It defines 86 controls across 6 trust domains, covering source code integrity, dependency trust, CI/CD pipeline security, SBOM governance, open-source risk and AI-assisted code, and introduces a four-tier certification model (CTA-1 through CTA-4) that allows organisations to communicate code trust levels to internal and external stakeholders.

The Paxley platform is the primary delivery vehicle for NS-CTAF, scanning every commit, PR and release against the framework's control definitions and maintaining a live Code Trust Score.

Certification tiers

Tier   Definition
CTA-1  Foundational code trust, basic security hygiene, secrets scanning, known vulnerability prevention
CTA-2  Structural trust, dependency governance, SBOM management, licence compliance, signed commits
CTA-3  Pipeline trust, CI/CD security, container image hardening, IaC security, deployment integrity
CTA-4  Advanced trust, AI-assisted code security, supply chain integrity, provenance attestation, adversarial code testing

Domain coverage

D1

Source Code Integrity

Secrets scanning, SAST, code signing, commit attribution and malicious code pattern detection.

D2

Dependency & Supply Chain Trust

SCA, SBOM generation, dependency pinning, licence compliance and open-source risk scoring.

D3

CI/CD Pipeline Security

Pipeline hardening, workflow integrity, runner security, artefact signing and deployment controls.

D4

Container & Infrastructure Security

Container image scanning, IaC security, registry trust and runtime environment integrity.

D5

AI-Assisted Code Trust

AI-generated code security assessment, copilot policy governance, AI code review and hallucination risk controls.

D6

Governance & Assurance

Security policy enforcement, developer security training, audit trail management and Code Trust Score reporting.

Certify your software supply chain

Start with a Paxley demo to see NS-CTAF controls in action, or request a scoping call for a standalone code trust assessment.

Our Product
Paxley

The code security platform that enforces trust at every commit, from your first repository to your thousandth agentic AI workflow.

Pillar 3 · NS-CTAF

Paxley for Code Trust

GitHub-native scanning across every commit, pull request and release. Continuous NS-CTAF control enforcement, SBOM management, dependency governance and CTA-1 to CTA-4 certification scoring.

Pillar 2A · NS-AIGF

Paxley for AI Governance

Continuous NS-AIGF control monitoring for AI systems in production. Audit trails, governance dashboards, EU AI Act compliance tracking and board-level AI trust reporting.

What makes Paxley different

Built on Nucleus Systems proprietary frameworks, not generic rulesets.

NS-CTAF & NS-AIGF enforced

Every scan maps directly to Nucleus Systems proprietary control frameworks, not commodity SAST rules.

GitHub-native

Installs as a GitHub App. Scans every PR and commit in context. No agent to deploy, no pipeline to maintain.

Repo-based pricing

Priced per repository, not per developer. Security costs scale with your codebase, not your team size.

Continuous trust scoring

Live Code Trust Score across all repositories. Track improvement over time. Report to boards and auditors.

SBOM & dependency governance

Automatic SBOM generation, dependency health scoring, licence compliance and open-source risk tracking.

Hybrid deployment

SaaS or self-hosted. Data residency options. Designed for enterprises with strict infrastructure requirements.

Supported frameworks

Paxley operationalises Nucleus Systems proprietary frameworks at the point of development.

NS-CTAF · Code Trust Assurance Framework
NS-AIGF · AI Governance Framework

Ready to see Paxley in action?

Book a 30-minute demo with a Nucleus Systems practitioner. We'll show you Paxley running against your own repositories.

Platform · Pillar 1

Cybersecurity Maturity Platform

The purpose-built platform for delivering, scoring and tracking NS-CMMF cybersecurity maturity assessments at enterprise scale.

Built to deliver NS-CMMF, not adapted from a generic tool

The Cybersecurity Maturity Platform is the operational engine for Core Pillar 1. It implements all 188 NS-CMMF controls as structured assessment modules, calculates domain scores using the 5-axis model, produces board-ready trust scores and generates remediation roadmaps automatically from assessment findings.

The platform enables continuous assessment rather than point-in-time audits, so organisations can track maturity improvement between assessments, monitor regression risks and benchmark against sector-specific maturity targets.

Key capabilities

  • 188-control NS-CMMF assessment engine
  • 5-axis scoring per control (Policy, Process, Technology, People, Measurement)
  • Domain-level and aggregate trust score calculation
  • Industry benchmark comparison
  • Automated remediation roadmap generation
  • Board-level executive reporting suite
  • Multi-period trend tracking and maturity progression charts
  • Evidence management and audit trail

See the platform in action

Request a platform walkthrough or book an NS-CMMF scoping call with a Nucleus Systems practitioner.

Platform · Pillar 2B

AI Security Assessment Platform

The structured assessment and reporting platform for delivering NS-AISCA evaluations across AI systems, pipelines and infrastructure.

Structured assessment for AI security findings

The AI Security Assessment Platform operationalises all 108 NS-AISCA controls as structured assessment modules. Assessors use the platform to evaluate controls across all 12 security domains, with each finding automatically categorised by severity, domain, control ID and remediation effort.

The platform produces findings reports, risk-scored remediation roadmaps and executive summaries aligned to technical and board audiences. It supports both point-in-time assessment engagements and ongoing monitoring programmes.

Key capabilities

  • 108-control NS-AISCA assessment engine
  • 12-domain security coverage with severity scoring
  • Automated remediation roadmap generation
  • MITRE ATLAS & OWASP ML Top 10 cross-mapping
  • Technical findings report and executive summary
  • Multi-engagement trend tracking
  • Agentic AI and GenAI-specific assessment modules

Assess the security of your AI systems

Book a scoping call to define which NS-AISCA domains are most relevant to your current AI environment.

Domain-Specific Solution · S1

Managed Detection & Response

24/7 managed detection, investigation and response services delivered in partnership with CyberOne, one of Africa's leading MSSP providers, underpinned by the NS-CMMF framework.

Continuous threat detection backed by NS-CMMF maturity

Nucleus Systems partners with CyberOne to deliver managed detection and response services that go beyond standard MSSP tooling. Every MDR engagement is anchored to the NS-CMMF framework, so detected threats are contextualised against the client's actual maturity posture, not a generic baseline.

This integration means that when a threat is detected and responded to, the findings inform the client's broader cybersecurity maturity programme. Detection events become data points in continuous improvement rather than isolated incidents.

Technology & standards

CyberOne MSSP · NS-CMMF · SIEM / SOAR · EDR / XDR · MITRE ATT&CK · 24/7 SOC

Services included

  • 24/7 Managed Security Operations Centre (SOC)
  • Threat Detection & Correlation (SIEM/SOAR)
  • Endpoint Detection & Response (EDR/XDR)
  • Threat Hunting & Proactive Investigation
  • Security Incident Management & Response
  • Vulnerability Management & Prioritisation
  • Threat Intelligence Integration
  • NS-CMMF Maturity Integration for Detection Context
  • Monthly Threat & Posture Reporting
  • Incident Response Retainer

Get continuous threat detection backed by maturity intelligence

Contact us to scope an MDR engagement that integrates with your NS-CMMF maturity programme.

Domain-Specific Solution · S2

Payment Security & Digital Public Infrastructure

Security advisory and assurance for payment systems, real-time payment infrastructure and digital public infrastructure, with specialist expertise in Mojaloop, Tazama and COMESA frameworks.

Payment security at the infrastructure layer

Nucleus Systems has deep specialist expertise in the security of digital payment infrastructure, particularly open-source payment systems and digital public infrastructure (DPI) frameworks deployed across Africa, Asia and the Middle East. Our practitioners have direct experience with Mojaloop (the real-time payments platform), Tazama (transaction monitoring) and the COMESA framework.

We combine payment-specific security expertise with our NS-CMMF maturity methodology to deliver security assessments that address both technical vulnerabilities and institutional governance gaps.

Technology & standards expertise

Mojaloop · Tazama · COMESA · PCI DSS · ISO 20022 · DPI Standards · SWIFT CSP

Services included

  • Payment System Security Assessment (PCI DSS, ISO 20022)
  • Mojaloop Platform Security Review
  • Tazama Transaction Monitoring Security Assessment
  • Digital Public Infrastructure (DPI) Security Advisory
  • Real-Time Payment System Security Architecture
  • Financial Crime & Fraud Risk Assessment
  • SWIFT Customer Security Programme (CSP) Assessment
  • Central Bank Digital Currency (CBDC) Security Advisory
  • Payment API Security Assessment
  • Correspondent Banking Security Review

Secure your payment infrastructure

Speak with a Nucleus Systems payments security specialist about your specific infrastructure and regulatory obligations.

Domain-Specific Solution · S3

Verifiable Credentials & Digital Identity Security

Security advisory and assurance for digital identity systems, verifiable credential infrastructure and national identity programmes, with expertise in MOSIP, OpenG2P, GovStack and OSIA.

Securing the infrastructure of trust for digital identity

National digital identity programmes are among the most sensitive and highest-risk digital transformation initiatives any government undertakes. Nucleus Systems brings specialist expertise in the security of identity platforms, particularly open-source DPI stacks such as MOSIP (Modular Open Source Identity Platform) and OpenG2P, and in the verifiable credential ecosystems being deployed across Africa, Asia and the Pacific.

Our engagement model combines security assessment, architecture review and ongoing advisory to ensure that identity programmes are secure from inception, compliant with international standards and resilient to the specific threat models that national identity infrastructure attracts.

Technology & standards expertise

MOSIP · OpenG2P · GovStack · OSIA · W3C VC · DID Standards · ID4Africa · eIDAS 2.0

Services included

  • Digital Identity Security Architecture Review
  • MOSIP Platform Security Assessment
  • OpenG2P Security Review
  • Verifiable Credential System Security Assessment
  • Decentralised Identity (DID) Infrastructure Review
  • Biometric System Security Assessment
  • National ID Programme Security Advisory
  • eIDAS 2.0 Compliance Advisory
  • Identity Proofing & Verification Process Review
  • Privacy-Preserving Identity System Design

Secure the infrastructure that underpins digital identity

Speak with a Nucleus Systems digital identity specialist about your programme and risk environment.

Domain-Specific Solution · S4–S5

Financial Inclusion & Emerging Markets

Security and trust assurance for financial services providers operating in emerging markets, mobile money, off-grid payments, microfinance and inclusive fintech ecosystems.

Trust infrastructure for the next billion users

Financial inclusion requires security inclusion. Mobile money operators, microfinance institutions, agent banking networks and fintech platforms serving unbanked and underbanked populations face security and regulatory challenges that are distinct from those of established financial institutions. They operate at the intersection of fintech innovation, telecoms infrastructure and regulatory uncertainty, often with limited internal security capacity.

Nucleus Systems brings practitioner experience across sub-Saharan Africa, East Africa, West Africa, South-East Asia and the Pacific, with deep familiarity with the mobile money ecosystem, the regulatory frameworks that govern it and the specific threat models that emerging-market financial services providers face.

Market expertise

Mobile Money · Agent Banking · Microfinance · GSMA Guidelines · Off-grid Payments · Sub-Saharan Africa · South-East Asia

Services included

  • Mobile Money Platform Security Assessment
  • Agent Banking Network Security Review
  • Off-grid & Last-Mile Payment Security Advisory
  • Microfinance Institution Security Programme
  • Financial Inclusion Fintech Security Assessment
  • GSMA Mobile Money Security Guidelines Compliance
  • Regulatory Readiness Assessment (emerging market)
  • Digital Financial Services Risk Framework Design
  • Fraud & Social Engineering Risk Assessment
  • Digital Onboarding & KYC Security Review

Build trust infrastructure for financial inclusion

Our practitioners bring first-hand experience in emerging market financial services security across multiple continents.

Domain-Specific Solution · S6

Post-Quantum Cryptography Advisory

Preparing enterprises and governments for the quantum threat: cryptographic inventory, PQC readiness assessment, CBOM analysis, crypto agility design and migration roadmaps aligned to NIST PQC standards.

The quantum clock is running. Most organisations are not ready.

NIST finalised the first post-quantum cryptography standards in 2024. Cryptographically Relevant Quantum Computers (CRQCs) may be capable of breaking current public-key cryptography within a decade. Harvest-now-decrypt-later attacks, where adversaries collect encrypted data today to decrypt once quantum capability arrives, are already documented.

Nucleus Systems provides the advisory capability organisations need to understand their cryptographic exposure, build a credible migration roadmap and implement crypto agility architectures that can adapt as the quantum threat evolves. We work across enterprise, government and financial services sectors, with particular focus on organisations that manage long-lived sensitive data or critical infrastructure.

Standards & frameworks

NIST FIPS 203 · NIST FIPS 204 · NIST FIPS 205 · CBOM · Crypto Agility · NSA CNSA 2.0 · ETSI QSC

Services included

  • PQC Readiness Assessment
  • Cryptographic Bill of Materials (CBOM) Analysis
  • Cryptographic Inventory & Risk Mapping
  • Harvest-Now-Decrypt-Later Threat Assessment
  • Crypto Agility Architecture Design
  • NIST PQC Standards Migration Roadmap
  • TLS & PKI Infrastructure PQC Readiness Review
  • Long-lived Data Encryption Risk Assessment
  • PQC Vendor & Product Evaluation
  • Executive PQC Briefing & Board Reporting

Start your PQC readiness programme now

The time to prepare is before quantum capability arrives, not after. Contact us to scope a CBOM analysis or PQC readiness assessment.