3 weeks: initial assessment
25–50%: engineering time saved on security remediation
4 yrs: ongoing security partnership
About the customer
This company runs a research platform that handles electronic health records and genomic data from clinical trial participants across the UK, US, and Africa. Their platform connects research teams worldwide with pseudonymised patient data from people who have consented to take part in studies.
Regulatory compliance and ethical data handling are at the core of how they operate — not just requirements to satisfy, but genuine business risks that could halt their operations if things went wrong. Large corporate investors set particularly stringent expectations around security; if security were found lacking, the potential loss of future funding made it an existential risk for the business.
As the company grew from early-stage startup into a scale-up with real traction, the security picture needed to match.
The situation
The Chief Security Officer, recently in post, had found alarming gaps in security and in visibility over what infrastructure was actually running. A significant part of the platform's codebase had been carried over from an earlier proof-of-concept, never designed for production use. Mindful of the need to balance robust security against cost pressures and the development team's ability to ship key features, he called in Threatplane.
There was an urgent need to understand the current position. At the same time, the rapid pace of development had to be preserved to hit critical funding milestones.
Threatplane has been instrumental throughout our journey of building and scaling our platform. All the security aspects have been handled to a very high standard.
Chief Operating Officer
What we did
Fixing the immediate issues was the first step. The harder work was helping the team build securely going forward — not as a set of rules to follow, but as a way of thinking about what they were deploying and why.
The assessment revealed significant gaps but also a clear, manageable plan. It covered cloud architecture, the full set of deployed resources and their configuration, and the existing Terraform codebase. We delivered a prioritised list of security controls to implement, including architectural changes that removed entire attack paths.
Threatplane directly advised the CEO and COO on security risks across the business.
We helped them shape policies for software development, quality assurance, incident response and data retention that actually matched how the team worked, rather than policies written to satisfy an audit and then ignored.
What started as a single audit became a four-year working relationship. New applications were threat modelled as they were developed. Older ones were kept current through our fixed-price review service, without internal code reviews. The engineering team estimated the structured, repeatable process saved 25–50% of the overhead they had previously spent on reactive, disjointed security work.
Threatplane advised the CEO and COO directly on risk through the company's Governance Committee. When penetration tests came around, we helped translate the outputs for external stakeholders.
In some cases we implemented the security controls ourselves. We do this rarely — separation of duties matters — but here the urgency and limited internal skills made it the right call. We agreed governance procedures with the customer to manage the conflict of interest risk.
Four years on
The customer worked with Threatplane over a number of years as critical platform applications were built or re-engineered.
Early assessments had shown numerous risks and control gaps. Over time, successive assessments showed that major risks were being managed and key controls were in place. New threat models returned no significant findings across a string of applications and changes made by the team. That, alongside strong pen test results, gave clear confidence that the work they had done was paying off.
Our involvement also brought gains across penetration testing, Cyber Essentials Plus and NHS Data Security and Protection Toolkit assessments. Threat models gave a clear picture of risk, allowed objective analysis of issues raised during penetration testing, and provided an evidence trail of existing controls that auditors could rely on.
Other companies in the same sector have faced high-profile incidents, class-action lawsuits, and the regulatory scrutiny that follows. This company has kept its data safe, its customers confident, and its business intact.
