Alex Mercer
Founder / Head of IR
Cyber security · since 2018
Trusted by 200+ security teams across UK & EU
Stop the attack before it reaches your origin.
Engagement, detection and incident response. UK + EU based, no offshoring. Built for security teams who measure outcomes, not just alerts.
What you get on day one
Live perimeter scan + risk report
Dedicated Slack/Teams channel
24-hour incident-response SLA
What we do
Detection, defence, response — one team, one runbook.
Pick a single engagement or stack them for full-spectrum coverage. Every service is delivered by a named operator with a documented handoff.
Perimeter hardening
WAF rules, rate limiting, geo and bot policy tuned per stack. We baseline, harden, and verify against the OWASP Top 10.
Learn moreContinuous monitoring
Real-time event ingestion to your SIEM of choice. We tune detections, suppress noise, and brief on alerts that matter.
Learn moreVulnerability triage
CVE intake from Patchstack + Wordfence Intel, scored against your actual installed surface, prioritised in days not weeks.
Learn morePenetration testing
Scoped engagements: web app, API, infra, social. We deliver remediation guidance, not just findings.
Learn moreIncident response
24/7 IR retainer. Documented playbooks for ransomware, supply-chain compromise, credential breach.
Learn moreThreat hunting
Hypothesis-driven hunts across your telemetry. Surface the slow-burn intrusions automated detection missed.
Learn more
0+
Threats blocked / day
0%
Median uptime
0+
Active customers
0
Documented runbooks
8 years · 0 client breaches
Why Bastion
Operational, not theatrical.
No dashboards full of red dots without context. We surface only what needs your attention — with the action button next to it, the runbook one click away, and a one-line plain-English explanation.
- Named operator per engagement, not a ticket queue
- Plain-English alerts (no false positive noise)
- Documented runbooks for every incident class
- UK + EU only — no offshoring of your incident data
Hold-and-diff plugin updates
Supply chain
Catch a compromised update before it ships.
When your vendors push an update, we pause it for 24 hours, diff the new release against the old, and flag anything suspicious — new outbound calls, new user creation, ownership changes. That single capability blocked the April 2026 Smart Slider 3 and EssentialPlugin supply-chain attacks for every customer we have.
Recent advisories we published
How we work
From first call to fully-monitored in 14 days.
Onboarding follows the same four-step pattern every time — predictable, fast, no surprise invoices.
01
Discovery call
30 min, no slides. We listen to your stack, your last incident, and what keeps you up.
02
Scope + quote
Written engagement plan within 2 business days. No surprises in the contract.
03
Deploy + integrate
Wire up your SIEM, CDN, ticketing. We bring our own playbooks, you keep your tools.
04
Run + iterate
Weekly review, monthly tuning, quarterly tabletop exercise. Continuous, not one-shot.
Meet the team
The people on your incident, not a ticket queue.
Every engagement gets a named lead. You know their face, their cell, and where the buck stops.
Marcus Tobin
Principal Pentester
Aoife Murphy
SOC Lead
Sara Kasper
Threat Intel
Customer outcomes
Trusted by operators who know the difference.
Bastion took our MTTR from 4 hours to under 5 minutes. The integration with our existing Wazuh + Cloudflare stack was painless — they wrote shims for both within the first week.
When a malicious update of a popular slider plugin shipped, Bastion's diff caught it before it activated. Zero downtime, zero breach. That single incident paid for the year.
We were drowning in alert fatigue. Bastion stripped the noise, kept the signal, and gave us context-aware playbooks. The team finally sleeps.
From the blog
Field notes, advisories, post-mortems.
Practitioner-level writing — published from real engagements (anonymised), not vendor white-papers.
Ready when you are.
Tell us your stack, your last incident, and what keeps you up. One business day response, in plain English.