A small firm built on the belief that rigorous security should be the default, not a luxury.
Onidef is an independent Polish cybersecurity firm staffed by senior practitioners. We exist because the same compromise patterns kept happening — at organisations that had bought security, just not the right kind.
We work where security gets done — not where it gets sold.
The cybersecurity industry has commoditised everything except outcomes. We are an explicit reaction to that: a deliberately small firm of senior practitioners that solves the underlying problem instead of selling the symptom of it.
We exist to put real, senior, accountable security work inside organisations that cannot afford to learn they were breached on the news. Our clients are typically Series-B to public — FinTech, SaaS, healthcare, critical infrastructure — and they are buying time, trust and quiet competence.
We do not seek scale for its own sake. The economics of the engagement matter less than the integrity of the work. We turn down two requests for every one we accept — and we publish nothing we are not willing to defend in a deposition.
Four lines we will not cross.
These are not values on a wall. They are the operating constraints we have used to walk away from work — and to keep the work we have.
- P / 01 Senior-only engagement teams: Every test, every audit, every incident is led by a practitioner with at least ten years of operator experience. We do not staff with juniors and bill seniors.
- P / 02 Findings that survive scrutiny: Every vulnerability is reproduced with documented evidence — and a remediation path written by someone who could have shipped the fix themselves.
- P / 03 Compliance as engineering, not theatre: We build control frameworks that pass external audits and continue to hold when nobody is looking. Evidence is produced once, reused across frameworks.
- P / 04 A standing relationship, on retainer: The work is rarely done. Threat models change, codebases mutate, regulators issue new guidance. The retainer keeps a named team on the line.
A short list of work we turn down — and why.
The shortest path to better work is refusing the wrong work. We will tell you on the first call if we are not the right fit, and we will introduce you to a firm we trust.
- × 01 Scanner-only penetration tests: We will not deliver a Nessus export with a cover page. If a scanner is sufficient for your need, run one — we will recommend a good toolchain.
- × 02 Certification body work: We will never act as your certifying body. Separation of duties between consulting and auditing is the point — we will refer you to one we trust.
- × 03 Per-day staff augmentation: If you need a body in a seat, we are the wrong firm. If you need a problem closed, we are the right one.
- × 04 Work without engineering authority: We will not engage where the security function has no path to influence the fix. We are not interested in tilting at the windmill of a paperwork-only mandate.
A short history of deliberate growth.
We have made a point of growing slowly, adding senior people one at a time and refusing the rest.
First independent engagements — small senior team, deliberately selective scope. Pentests, audits and incident-response work for early clients across the EU.
Formal incorporation in Poland — KRS 0001090926. Operating model formalised: remote-first, senior-only, fixed-fee engagements. Compliance practice structured around ISO 27001 and SOC 2.
First retained clients for vulnerability assessment and incident-response readiness. Practice broadens to cover cloud posture, threat modeling and detection engineering.
Adding senior practitioners one at a time. Investing in offensive tooling and disclosure publication. Refusing work that does not fit the brief — as usual.