IT Security

Secure software starts with sound architecture.

Do you know where you’re exposed?

Security incidents don’t just risk data – they can break customer trust and disrupt your ability to operate. We help you reduce risk with architecture that treats security as a first-class concern from day one. For existing systems, we assess weaknesses and develop pragmatic fixes. We focus on:

Who can do what?

Legacy IAM setups, tangled permission models, brittle authorization for APIs and microservices – we help you design identity and access management that stays maintainable as your needs grow.

Get supply chain risk under control

The software supply chain is more complex – and easier to attack – than ever. Compromised dependencies, tampered build pipelines, attacks on open-source maintainers: incidents like XZ Utils and SolarWinds show how widespread the fallout can be. We help you understand these risks and address them systematically.

Ship AI to production – securely

Agentic systems and LLM-based apps open up new possibilities, but they also introduce attack paths that traditional security only partly covers – from prompt injection and tool misuse to data exfiltration. We help you design for these risks from the start.

What we offer

IT security is about understanding and controlling risk: Who can access what? What does "secure enough" look like for our systems? How do we protect APIs, AI systems, and our software supply chain? We support you end-to-end – from threat modeling and picking the right approach to secure implementation and security reviews. Don't see your topic? Reach out.

Application Security and DevSecOps

How do we ship features quickly without trading away security? How do we avoid expensive cleanup when we find vulnerabilities late? We help you build security into your delivery process – using SAST, DAST, and SCA in CI/CD, security champion programs, and practices that make security part of everyday engineering work.

Focus areas: CI/CD security, secure coding guidelines, security champions, supply chain security (SBOMs, dependency management), threat modeling in agile teams.

Identity and Access Management

Who can do what? It sounds simple, but in real systems it rarely is. We help you choose and integrate IAM solutions, design authorization architectures (ABAC, ReBAC), and build authorization-as-a-service platforms.

Focus areas: Role-based access control (RBAC), OAuth2/OIDC architectures, IAM integration and customization, attribute-based access control (ABAC), relationship-based access control (ReBAC), fine-grained authorization, IAM migrations.

AI Security

AI can boost productivity – but how do we protect sensitive customer data and critical business processes? We help you secure AI applications so you can run them in production, with threat modeling, guardrails, and secure architectures.

Focus areas: OWASP Top 10 for Agentic Applications/LLMs, threat modeling for LLM applications, guardrails & sandboxing, secure MCP architectures, AI gateways, IAM for agentic systems, RAG security & secret management, platform integration (observability, monitoring).

Web Security and distributed systems

How do we keep web-based systems from becoming an entry point for attackers? How do we stay in control when dozens of services talk to each other? We help you build secure microservices and distributed architectures – from API security and service mesh hardening to zero-trust approaches. We align with established standards such as OWASP ASVS.

Focus areas: API security, service-to-service authentication, zero trust networking, PKI design and rollout, TLS configuration, OWASP Top 10.

Why INNOQ

We don’t treat IT security as a standalone topic. We see it as part of good architecture work – because security only works when you plan for it from the start: in architecture, processes, and the organization.

How we’ve helped our clients

Secure systems aren’t built in isolation. We work closely with your teams – from the first assessment through implementation and knowledge transfer.

The security workshop with INNOQ really helped us understand our potential weaknesses. We were pretty wiped by the end of the day, but it was clear what we needed to do next.

Jan Redepenning, Software Developer, PharmGenetix GmbH

Security Reviews

Find issues before they turn into incidents: Our reviews are technically deep, methodical, and tailored to your audience – from engineering teams to executives.

Technical Security Review

We review your security-critical components – source code, APIs, architectures, and protocols. We focus on authentication, encryption, and access control. You get a clear write-up with prioritized, actionable recommendations.


Architecture Security Assessment

We assess the security of your overall system architecture – from inventory and threat modeling to concrete recommendations. We include risk analysis and help you define and validate security requirements.


Security Maturity Assessment

We assess your security processes across development and operations and recommend organizational and technical improvements. We base this on established standards such as OWASP SAMM, OWASP ASVS, ISO 27001, and NIST.


Workshops that work

Our trainers are working security practitioners. Trainings combine concepts with hands-on exercises – so your teams can apply what they learn.

Web Security (iSAQB® module WEBSEC)

Protect web apps effectively: In this hands-on training, you’ll learn how to identify and fix common weaknesses and design secure web architectures.

OWASP Top 10 in practice

Learn how to find and fix vulnerabilities in web applications. In practical exercises, you’ll take the attacker’s perspective and see how real-world attacks work. We use the OWASP Top Ten as a guide – the list of the most critical security risks for web applications.

Securing legacy software

How do you tackle security in an evolving legacy codebase in a structured way? In this workshop, you’ll practice a systematic approach on a larger Java application – from analysis to hardening. For software developers and architects.

Agentic Software Security

Agentic systems and LLM-based apps introduce new attack vectors – from prompt injection and tool misuse to data exfiltration. In this two-day training, you and your team will learn the fundamentals to understand and address these risks.

Threat Modeling Workshop

A workshop for your teams: We analyze your system architecture, identify threats, and define mitigations. Hands-on threat modeling for your specific system.

Dive deeper

Blog Post

What’s Wrong with the Current OWASP Microservice Security Cheat Sheet?

Modern microservice architectures require evolving security practices. Yet popular resources like the OWASP Microservice Security Cheat Sheet are starting to show their age and need a fresh look.

Blog Post

I sandboxed my coding agents. You should too.

LLM coding agents are extremely powerful because they can run programs on our computers using our permissions. However, this same power also makes us very vulnerable. It only takes one mistake or one prompt injection to compromise the whole system.

Primer

Advanced IAM Patterns and Strategies

Article

Beyond the hype: An engineer’s journey into ReBAC and AI with the Model Context Protocol

In this article, I share my experiences on my journey into the AI world. During this journey, we’ll build our own Model Context Protocol (MCP) server using C#, learn about access management with relationship-based access control (ReBAC) on the way, and in the end I’ll provide my thoughts on the current state of AI and MCP, focusing on security and UX.

Article

Kubernetes, secure and transparent: getting started with Cilium

Cilium brings observability, security, and networking features to Kubernetes, and thanks to eBPF it does so without changing the application code itself. In this article series we learn how to set up a local Cilium installation, how Cilium works, and in later parts how to enforce our own network policies and monitor them in real time. Start your local cluster and become a Kubernetes Jedi Master, or follow the dark side of the Force.

Security Podcast

MCP Security

Security risks of the Model Context Protocol

Podcast

Security Podcast

Our podcast on IT security, secure software development, and current security topics.

Video

Technology Lunch

Identity & Access Management: Not new, but often implemented poorly. In this live session, our experts talk about common mistakes when building IAM systems, modern patterns, and practical ways to do authentication and authorization securely in distributed architectures.