Independent European cyber capability.
Merlon exists to make Europe a more independent and capable player in cyber security. We do serious technical work for government organisations, government suppliers, NGOs and investigative journalists, and we invest in the people doing it.
Independent European cyber capability, built quietly with partners that share the view.
How we work.
Sovereignty
We are owned and operated in Europe, with no foreign investors and no obligations to non-European disclosure regimes.
People and curiosity
Small team, deep bench. We hire for curiosity and the willingness to be productively stupid on the cutting edge, and we make room for sharing what we learn.
Back to society
We contribute to open source, standards bodies, public talks and training. A more capable community is a more secure continent.
Two diciplines, one mission.
Detection & Response
Defensive architecture, monitoring design, incident response, tabletop exercises and post-incident hardening for organisations that cannot afford to fail quietly.
Offensive Security & Research
Vulnerability research, exploit development, protocol and firmware review, and sovereign capability development for partners that need a deep technical edge.
Many of our researchers prefer not to be named publicly. Detailed bios and clearance information are available under NDA on request.
Knowledge bank.
Research notes, case write-ups and field reports from our engagements. Curated, technical, and open to read.