
ElysiumSecurity is 10 Years old!


Ten years ago (5 October 2015), ElysiumSecurity Ltd was incorporated in the UK.
At the time, it was simply a decision to build something small, independent, and useful: a security practice focused on what actually reduces risk in the real world, with prevention where it's sensible, detection where it matters, and response that works when things go wrong.
It also started as a side project, as Sylvain Martinez, ElysiumSecurity's founder, was still fully employed at BP.
Sylvain had agreed with his management to only work out of office hours and at weekends, and not for the big four or a competitor. That's why he focused on Hedge Funds.
And a small but important detail: Sylvain no longer had one yearly appraisal, but monthly appraisals!

If you've followed our writing over the years, you'll recognise the themes: less theory, more practical and proven advice. The website tagline says "Cyber Protection & Response" and that has always been the point: help organisations stay upright when the inevitable happens, and help them land better when they don't.

A lot has changed since 2015. The industry has chased new acronyms, new tooling, and new "must-have" checklists. Attackers, meanwhile, stayed ruthlessly pragmatic: steal credentials, exploit weak identity controls, abuse trust in third parties, and monetise disruption. The most consistent lesson across the decade is that fundamentals still win: asset visibility, privilege control, segmentation, logging, and tested recovery paths.

ElysiumSecurity's story is tied to the idea that cyber security should fit real life: real budgets, real teams, real constraints. The early journey of moving countries, taking on a CISO role in Mauritius for a year, then choosing to build an independent practice spanning the UK and Mauritius wasn't a last-minute decision; it was a deliberate choice to work differently.
Small teams don't have the luxury of bloated programmes. They need a clear plan, quick prioritisation, and operational discipline.

What a decade teaches you (apart from having more grey hair)

  • "We have controls" is not the same as "we can recover". Many organisations still test detection more often than they test restore. When systems are down and identity is untrusted, your backup strategy and rebuild playbooks are either real—or imaginary.
  • Incident response is a capability, not a document. Plans are necessary, but muscle memory matters more: roles, escalation paths, comms, evidence handling, decision logs, and a rhythm that does not collapse under pressure.
  • Third parties are part of your attack surface. If your business depends on SaaS, MSPs, payment providers, logistics platforms, or cloud identity, you need to assess those dependencies like you assess your own systems—and you need contingency options when they fail.
  • Security is a business function. The strongest programmes are the ones where cyber is embedded into how the organisation runs: procurement, onboarding/offboarding, change management, and crisis management. Not bolted on after the fact.

To past, present and future clients, peers, and readers: thank you for trusting a small team that values agility and efficiency over rigidity and overengineering.
The goal hasn't changed since day one: practical cyber security that stands up in the real world.
Our passion, drive for excellence and focus are very much alive!
