Security architecture, organised.
A capability-centric workspace for security architects. SecArch connects capabilities, threats and risks, business-agreed requirements, and solution patterns — so you can show your architecture is adequate.
SecArch keeps requirements (what the business signs off) separate from patterns (how capabilities are delivered), so you can show the architecture meets what was agreed and addresses the risks that matter.
Why we built it
We spent years doing security architecture inside enterprises and consulting firms, and kept hitting the same gap: architecture that started from technology and controls, with the business capabilities it was meant to protect left implicit.
SecArch starts from capabilities instead. It traces each capability to its requirements and the patterns that satisfy them, and keeps that thread intact as things change — so the architecture stays connected to what the organisation actually needs to do.
These connect as a thread, not a checklist: business services and applications face threats and risks, the business signs off requirements to secure them, patterns deliver the capabilities, and validation confirms the two meet.
Capabilities
The security capabilities the business needs — the spine everything else hangs off.
Threats & risks
Model the threats to business services and applications, and derive risk from the business impact if they are realised.
Requirements
What the business agrees and signs off — the accountable statement of what must be true.
Patterns
Solution-centric, reusable ways to deliver a capability — the "how", kept separate from the "what".
Compliance
Check the architecture against your organisation's internal security standards, traced to the requirements and capabilities they relate to.
Validation
Confirm the patterns meet the requirements and address the risk — adequacy you can evidence.
Why it's different
Most security architecture blurs what the business needs with how it is built. SecArch keeps them apart: requirements are what the business signs off; patterns are how capabilities are delivered.
Linking both to the threats and risks facing each business service and application lets you validate that the solution meets what was agreed — and shows, plainly, where it does not.
Who it's for
One view across the estate. SecArch lets you see security architecture for the whole organisation, then drill into a line of business, a business unit, or a single application — so adequacy is something you can check across the portfolio, not one design at a time.
- Heads of architecture and enterprise security architects responsible for a portfolio, not just a single project
- In-house security architecture teams in mid-to-large enterprises
- Consulting firms managing security architecture across multiple clients
- Organisations wanting design consistency across project portfolios
- Teams that need to evidence architecture adequacy to a risk committee
Trust and security
SecArch is built by security people, for security people. The platform is hosted in Australia (Microsoft Azure, Sydney), with data encrypted in transit and at rest, and access controlled on a least-privilege basis. It is developed and run under an information security program aligned to ISO 27001.
See it in action.
A short walkthrough, tailored to your team.
Request a demo