About Us
Built from the field, not the boardroom.
ForgeWork is a Belgium-based cybersecurity consultancy that bridges the gap between hands-on incident work and purpose-built security tooling. Everything we build started as something we needed ourselves.
Who We Are
ForgeWork was founded on a straightforward observation: the cybersecurity industry has no shortage of advisory firms, and no shortage of product vendors, but remarkably few organizations that operate credibly in both spaces. We set out to be one of them.
We are a cybersecurity consultancy headquartered in Belgium, staffed by practitioners who have spent years working inside security operations centers, leading incident response engagements, dissecting malware, and architecting defenses for organizations that cannot afford to get it wrong. Our team includes former SOC analysts, digital forensics examiners, threat intelligence specialists, and security engineers who chose consulting not because they wanted to leave the technical work behind, but because they wanted to bring it to more organizations.
What makes ForgeWork different is not a proprietary framework or a clever acronym. It is the fact that every service we offer and every tool we build comes directly from operational experience. We do not theorize about threats in isolation. We respond to them, study them, and then figure out how to help our clients handle the next one better. That feedback loop between the field and the workshop is the core of everything we do.
We work primarily with mid-size and large organizations across Europe, though our engagements and platforms serve teams worldwide. Whether you are a government agency preparing for a nation-state threat, a financial institution tightening its compliance posture, or a hospital group that just realized its security program has gaps, we bring the same rigor, the same directness, and the same commitment to leaving you stronger than we found you.
Our Philosophy
We believe that security is not something you buy. It is something you build, test, and rebuild. Products can support that process, but they cannot replace it. This conviction shapes everything at ForgeWork, from the way we scope engagements to the way we design our training platforms.
Our Guiding Principle
Security is not a product. It is a practice. Every tool we release, every report we deliver, and every exercise we run is designed to strengthen your team's ability to operate independently. We measure our success not by how long you need us, but by how capable you become without us.
Every tool in our portfolio started as an internal need on a real engagement. DFIR Assist began as a set of scripts and runbooks our responders kept refining between incidents. The Malware Analysis Academy grew out of the training materials we built to onboard junior analysts. IR TTX Training was born when we realized that most tabletop exercises produce interesting conversations but no measurable improvement. In each case, we built what we needed, pressure-tested it in the field, and only then made it available to others.
This philosophy extends to how we work with clients. We do not chase long-term dependencies. We are not interested in becoming a permanent fixture in your budget. Our goal on every engagement is knowledge transfer: teaching your people the reasoning behind the recommendations, not just handing them a checklist. When an engagement ends, your team should understand not only what changed but why it changed and how to sustain it.
We are also transparent about what we do not do. We do not sell managed security services. We do not operate your SOC. We do not resell third-party tools with a markup. If a problem falls outside our expertise, we will tell you directly and, where possible, point you to someone who can help. Trust is the only currency that matters in this industry, and we do not spend it carelessly.
What We Do
Our work spans four core service areas, each grounded in operational experience and designed to address the security challenges we see most often in the field.
Incident Response
When a breach occurs, the first hours determine the outcome. Our incident response team provides rapid containment, forensic investigation, and structured recovery for organizations under attack. We have handled more than fifty major incidents across government, financial services, healthcare, and technology sectors, maintaining a response SLA of under four hours with full 24/7 availability. Every engagement follows a disciplined methodology: contain the threat, preserve evidence, identify root cause, eradicate the attacker, and restore operations with verified integrity. We also work closely with legal counsel and, when necessary, law enforcement to ensure that the forensic chain of custody is maintained throughout.
Threat Assessment
Understanding your exposure before an adversary does is the most cost-effective investment in security. Our threat assessments combine vulnerability analysis, penetration testing, and adversary simulation to give you a realistic picture of your risk surface. We go beyond automated scanning to include manual testing by experienced operators who think like attackers and report like engineers. Every finding comes with context: what it means, how it could be exploited, and what to do about it, prioritized by actual impact rather than generic severity scores.
Security Engineering
Good security architecture does not happen by accident. Our security engineering practice helps organizations design, implement, and validate defenses that align with their operational reality. This includes architecture reviews, security tooling integration, detection engineering, cloud security posture assessments, and infrastructure hardening. We work alongside your engineering and operations teams to build security into the systems you rely on, rather than bolting it on after the fact.
Training & Exercises
The most sophisticated defenses fail when people do not know how to use them under pressure. Our training programs and tabletop exercises are built to develop real capability, not just check a compliance box. We design custom scenarios based on your threat landscape, run role-based exercises that engage everyone from analysts to executives, and measure performance across multiple dimensions so you can track improvement over time.
Our Approach
We follow a structured methodology across all engagements, adapted to the specific context of each client but consistent in its rigor. This approach has been refined over years of operational work and ensures that nothing critical falls through the cracks.
Assess
We begin every engagement with a thorough assessment of your current state. This means understanding your environment, your threat landscape, your existing controls, and your organizational constraints. We do not rely on questionnaires alone. We talk to your people, review your architecture, and examine your processes to build an accurate picture of where you stand.
Plan
Based on what we find, we develop a clear, prioritized plan of action. Every recommendation is tied to a specific risk and a measurable outcome. We distinguish between what needs to happen immediately, what should be addressed in the near term, and what belongs in a longer-term roadmap. The plan is yours to own, written in language your team can act on.
Execute
When hands-on work is required, we embed with your team to implement changes, build detections, harden systems, or conduct exercises. We work collaboratively, explaining our reasoning and involving your people at every step. The goal is not to create a black box but to build shared understanding and lasting capability.
Verify
Nothing ships without validation. We test every change, verify every control, and confirm that the outcomes we promised have been achieved. For incident response engagements, this means ensuring the attacker has been fully eradicated and that monitoring is in place to detect any re-entry. For engineering work, it means functional testing and adversarial validation. For training, it means measuring performance against defined benchmarks.
Throughout this process, our emphasis is on knowledge transfer rather than dependency. We want your team to understand the "why" behind every decision so they can maintain and extend the work after we leave. This is not altruism; it is pragmatism. Organizations that understand their own defenses respond faster, escalate smarter, and make better risk decisions.
The Tools We Build
Our products exist because we needed them first. Each one was developed to solve a specific problem we encountered repeatedly during client engagements, and each one has been shaped by continuous operational use before being offered externally.
DFIR Assist
Incident response demands speed, consistency, and coordination. DFIR Assist is the platform we built to deliver all three. It provides structured workflows for every phase of an incident, from initial triage through forensic analysis to final reporting. The platform includes pre-built runbooks for common incident types, evidence tracking with chain-of-custody documentation, automated artifact collection, and collaborative investigation workspaces that keep distributed teams aligned.
DFIR Assist is not a replacement for skilled responders. It is the operational backbone that lets skilled responders work faster and more consistently, especially under the pressure of a live incident when clear process matters most.
Available at dfir.forge-work.com.
Malware Analysis Academy
Training malware analysts is expensive and slow. Most organizations struggle to build this capability internally because the learning curve is steep and the available training is either too academic or too narrowly focused on specific tools. The Malware Analysis Academy was created to change that.
The platform offers structured learning paths that take analysts from foundational concepts through advanced reverse engineering techniques, with hands-on labs, real-world samples, and practical exercises at every stage. The curriculum was written by analysts who do this work professionally, and it reflects the skills and workflows that actually matter in operational settings.
Available at mal-academy.forge-work.com.
IR TTX Training
Tabletop exercises are one of the most effective ways to prepare for incidents, but only if they are designed well. Too many TTX sessions devolve into vague discussions with no measurable outcomes. IR TTX Training was built to fix that.
The platform delivers role-based tabletop exercise sessions where every participant engages with the scenario from their actual operational perspective. Exercises are scored across five dimensions, what we call 5D scoring, covering detection, decision-making, communication, coordination, and containment. This structured evaluation framework produces concrete metrics that organizations can use to track their readiness over time and identify specific areas for improvement.
Available at ir-training.forge-work.com.
Sectors We Serve
We work with organizations across sectors where security failures carry serious consequences. Our experience spans the following industries, and in each case, we bring an understanding of the specific regulatory, operational, and threat landscape challenges involved.
- Government: National and regional government agencies face persistent threats from nation-state actors and hacktivists. We support government clients with incident response, security architecture reviews, and exercises designed to test inter-agency coordination. Our work in this sector has given us deep familiarity with the regulatory and procurement frameworks that govern public-sector cybersecurity.
- Financial Services: Banks, insurers, and payment processors operate under intense regulatory scrutiny and are high-value targets for financially motivated threat actors. We help financial institutions strengthen their defenses, test their resilience through adversary simulation, and prepare their teams to respond effectively when controls fail.
- Healthcare: Healthcare organizations face a unique combination of legacy systems, sensitive data, and life-safety implications. We work with hospitals, clinics, and health technology companies to address these challenges through pragmatic security improvements that respect the operational constraints of clinical environments.
- Technology: Software companies and technology providers need to secure both their own infrastructure and the products they ship to customers. We support technology organizations with architecture reviews, secure development practices, and incident response capabilities that scale with rapid growth.
- Critical Infrastructure: Energy, water, transportation, and telecommunications providers underpin the systems that society depends on. We bring specialized expertise in operational technology security and help critical infrastructure operators build defenses that account for the convergence of IT and OT environments.
Knowledge Sharing
We believe that a stronger security community benefits everyone, including us. That is why we invest significant effort in sharing what we learn through our operational work.
Our Insights blog publishes technical research, analysis of emerging threats, lessons learned from incident engagements (anonymized, of course), and practical guidance that security teams can apply immediately. We write for practitioners, not for marketing purposes. Every article reflects real experience, and we strive to share the kind of detail that is genuinely useful rather than the surface-level commentary that dominates much of the cybersecurity media landscape.
Beyond the blog, we contribute to open methodologies and participate in the broader security community through conference presentations, working group participation, and collaborative research. When we develop a technique or approach that could benefit others, we look for ways to share it. Security through obscurity does not work at the industry level any better than it works at the technical level.
Our Resources section provides access to whitepapers, reference guides, and tooling documentation that complement our services and training platforms. These materials are freely available because we believe that an informed client is a better client, and an informed community is a safer one.
Work With Us
Whether you are dealing with an active incident, planning a security assessment, or looking to build your team's capabilities, we are ready to help. Reach out to start a conversation about how ForgeWork can support your security goals.