Built for UK businesses

The ghost in your network.

GHOSTLINE helps small businesses build real cyber protection without needing an in-house security team. We combine clear guidance, practical protection, and ongoing oversight so you always know what matters, what has been done, and what needs to happen next.

01. Plain English. No jargon.
02. No security team needed.
03. UK compliance ready.

How We Think

We turn alerts into answers.

Most security tools send you walls of technical warnings that mean nothing to a business owner. GHOSTLINE reads every alert and tells you what happened, whether you need to worry, and what to do next. In plain English.

43%: UK businesses breached
5.19M: Cyber crimes in 12 months
612K: Businesses attacked
25%: Have incident response plan

Source: DSIT Cyber Security Breaches Survey 2025/2026. The outsourcing trend is accelerating: 44% of micro businesses now use an external cyber provider, up from 39%.

More than just detection.

Three things that set GHOSTLINE apart from a standard security tool.

VEIL

Think of it as a silent alarm system. We place invisible tripwires across your environment. If someone who should not be there touches one, we know immediately. No guesswork, no false alarms.

ARCHIVE

A complete, tamper-proof record of everything that happens. If something goes wrong, you have the evidence already collected, timestamped, and ready for your insurer, regulator, or solicitor.

WATCH

Your security health at a glance. A simple, clear summary of where you stand, whether things are improving, and what needs attention. Designed so you can show it to a board, a client, or an insurer.

Start Here

Ready to see what GHOSTLINE can do?

Short form. No sales pressure. We will come back with a clear plan tailored to your business.

The Platform

Everything connected. Nothing missed.

GHOSTLINE is not a collection of separate tools bolted together. It is a single platform where everything talks to everything else. When your email protection spots something suspicious, your device monitoring already knows. When a threat is blocked, the record is already saved. Nothing falls through the cracks.

How information flows through GHOSTLINE

YOUR SYSTEMS: devices, email, cloud
ARCHIVE: records everything
CORE: connects the dots
WATCH: your clear view

Events from your business flow in, get recorded permanently, connected together into a clear picture, and presented to you in plain English.

The Three Pillars

Everything GHOSTLINE does feeds into three core systems. Together they give you deception, memory, and visibility.

VEIL: The Tripwire System

VEIL places invisible traps across your business environment: fake files, fake login pages, fake credentials. No real person would ever touch them. So if something does, you know immediately that someone is where they should not be. It is like scattering invisible ink across your office: only an intruder leaves fingerprints.

ARCHIVE: The Permanent Record

ARCHIVE keeps a permanent, tamper-proof record of every security event and every action taken. Nothing can be deleted or changed after the fact. If you ever need to show an insurer, a regulator, or a court what happened and when, the evidence is already there, already timestamped, and already organised.

WATCH: Your Security Dashboard

WATCH shows you the state of your security in plain English. Are things getting better or worse? Are there any open issues? What has been done recently? It pulls everything together into a simple, clear view you can share with your board, your clients, or your insurance provider.

ORACLE: The Smart Assistant

ORACLE is the built-in intelligence that helps make sense of what is happening. It reads alerts so you do not have to, highlights what actually matters, and helps a small team do the work that would normally need a much larger one. Think of it as having a security analyst on call, built right into the platform.

The Tripwire System

GHOSTLINE VEIL

VEIL places believable traps across your business. If a threat touches one, we know immediately. Attackers see things that look real. You see their presence the moment they interact.

Zones (4):
EMAIL: Decoy mailboxes, tokenised links
CLOUD: Fake service principals, canary policies
ENDPOINTS: Honeyfiles, sentinel processes
SHARES: Honeydocs, canary credentials

Types (3):
HT: Honeytoken
DY: Decoy
CN: Canary

How VEIL Works

Trap files: Fake documents and login details placed where only an intruder would find them. If anyone opens one, we know someone is inside who should not be.

Decoys: Fake services and systems that look real to an attacker. They waste time investigating things that do not exist while we watch.

Tripwires: Invisible markers scattered across your network. If someone moves between systems in a way they should not, the tripwire fires.

The idea: Give attackers something to interact with. The moment they do, they reveal themselves.

Offensive Testing Platform

SPECTRE

GHOSTLINE protects you. SPECTRE tests whether that protection actually works. It looks at your business the way an attacker would, finds the weak spots, proves they are real, and tells you exactly how to fix them. Then it checks again to make sure the fix worked.

14 Testing modules
3 Safety levels
Human approval required
Works with GHOSTLINE

What SPECTRE is not

SPECTRE is not a basic scanner that produces a list of theoretical issues. It is not a one-off test you run once a year. It is a continuous testing system that finds real, provable weaknesses in your defences and shows you how an attacker could use them, with evidence and clear steps to fix each one.

Safety Levels

LEVEL A: Observation only. Looks at publicly available information about your business without touching anything. Like reading a shop window from the pavement.

LEVEL B: Active but safe. Sends standard web requests, checks security settings, and takes screenshots. Like trying the front door handle to see if it is locked.

LEVEL C: Deeper testing. Checks whether weaknesses can actually be used by an attacker. Always requires your written approval before running.

The 14 Modules

COMMAND (Level A)

Controls who can run tests, what they can test, and keeps a complete record of every action taken.

SURFACE (Level A)

Discovers everything about your business that is visible from the internet: websites, subdomains, cloud services, and open doors.

DARK MIRROR (Level A)

Checks whether your staff credentials or company data have appeared in known data breaches, leak sites, or dark web markets.

VERIFY (Level B)

Confirms whether a weakness is real and exploitable, with screenshots and evidence. Not just a theoretical risk score.

GHOST PROTOCOL (Level B)

Tests your defences the way a real attacker would: carefully, quietly, and without triggering obvious alarms.

SIGNAL (Level A)

Connects findings to real-world threat data: which weaknesses are being actively targeted right now? How urgently should you fix them?

NEURAL CHAIN (Level B)

Maps how multiple small weaknesses could be chained together to achieve a serious breach. Shows the full attack path, not just individual issues.

PHANTOM (Level C)

Simulates the behaviour of real threat groups against your systems to see how your defences respond under realistic pressure.

STAND ALONE COMPLEX (Level C)

Runs full end-to-end testing campaigns that chain multiple modules together for comprehensive assessments.

OPERATIONS (Level A)

Manages the scheduling, running, and tracking of all tests. Makes sure everything runs smoothly and nothing is forgotten.

EVIDENCE (Level A)

Stores proof for every finding: screenshots, logs, timestamps. Evidence you can show to an insurer, auditor, or regulator.

DOSSIER (Level A)

Produces clear reports: what was found, why it matters, how to fix it, and whether things are improving over time.

WATCHTOWER (Level A)

Watches for changes between tests. If something new appears or a fix is undone, you get an alert straight away.

PANOPTICON (Level A)

A live dashboard showing every test in progress, every finding, and the overall state of your security testing programme.

The Continuous Cycle

SPECTRE: finds weaknesses
PRIORITISE: ranks by impact
GHOSTLINE: fixes and protects
SPECTRE: checks the fix worked

GHOSTLINE protects. SPECTRE tests. Together they create a continuous cycle: find weaknesses, fix them, verify the fix, and repeat. Your security gets stronger every cycle.

The Permanent Record

GHOSTLINE ARCHIVE

A live, readable record of everything that happened: who did what, when, and what GHOSTLINE did about it. Evidence you can show to an insurer, regulator, or solicitor.

Your Security Dashboard

GHOSTLINE WATCH

Your security health at a glance. Pulls together protection status, email risk, and compliance into one clear view you can share with anyone who needs to know.

WATCH | assurance: 78/100
Exposure: Low (based on external reachability)
Email Risk: Moderate (based on phishing pressure)
Controls: Good (based on evidence freshness)
Executive Summary: Posture is stable. No urgent actions required. VEIL traps armed. ARCHIVE capturing memory continuously.

Available Now

Security partnership. Priced with intent.

While the GHOSTLINE platform is in active development, our managed security services are live and operational. Real protection, delivered today, built on the same principles that power the platform.

Starting Point

Cyber Clarity Review

A structured first step for businesses that want to understand current exposure, priority risks, and what a sensible next phase looks like before committing to a retainer.

Includes: Exposure and posture review
Output: 30-60-90 day action plan
Risks: Ranked by business impact
Credit: Credited toward onboarding
ONE-OFF REVIEW: £950

MONTHLY | ANNUAL (SAVE 10%)

// TIER 1 — FOUNDATIONAL

ASSURED FOUNDATIONS

A premium managed baseline for businesses that need clear ownership and practical protection.
From £695 / month | up to 50 endpoints
  • Managed endpoint monitoring (TRACE)
  • Email security baseline (INBOX)
  • Quarterly vulnerability scanning
  • Monthly security report (WATCH)
  • Cyber Essentials readiness (BASELINE)
  • Canary and exposure monitoring (VEIL)
  • Credential / dark web checks (SIGNAL)
  • Next-business-day advisory response
  • 30-day data retention (ARCHIVE)
// TIER 2 — ACTIVE

ACTIVE DEFENCE

Always-on monitoring and managed response for businesses that need real operational coverage.
From £1,695 / month | up to 100 endpoints
  • Everything in Assured Foundations
  • Round-the-clock monitoring (CORE)
  • Automated response to common threats
  • User account and Microsoft 365 monitoring
  • Threat awareness integration (SIGNAL)
  • Monthly external checks (SURFACE)
  • Ongoing tuning to reduce noise
  • Quarterly security review (WATCH)
  • 4-hour response target
  • 90-day evidence retention (ARCHIVE)
// TIER 3 — STRATEGIC

STRATEGIC PARTNER

Active defence plus senior guidance for businesses under higher operational or compliance pressure.
From £3,495 / month | up to 200 endpoints
  • Everything in Active Defence
  • Your own dedicated security lead
  • Senior security advisory (up to 4 hrs/month)
  • Board-ready security reporting (WATCH)
  • Compliance support and roadmap (BASELINE)
  • Incident readiness planning
  • Help answering client security questionnaires
  • Custom rules tuned to your business
  • 1-hour response target
  • 180-day evidence retention (ARCHIVE)
  • Preferred rates on offensive testing

Extend Your Protection

Incident Response Retainer (From £1,500/mo)
Enhanced emergency response coverage with reserved time, faster engagement and structured forensic reporting.

Penetration Testing (From £2,500)
External, internal, and web application testing with clear remediation guidance and optional re-test.

Tabletop Exercises (From £1,500)
Scenario-led incident exercises for leadership and technical teams to improve readiness before a real event.

Security Awareness (£3/user/mo)
Interactive training with phishing simulations, user reporting workflows, and stronger day-to-day security habits.

Compliance Dashboard (£200/mo)
Evidence tracking, control visibility, and reporting support for Cyber Essentials, ISO 27001, and supplier assurance.

Extended Retention (Scoped on request)
Longer log and evidence retention for businesses with insurance, contractual, or forensic requirements.

Common Questions

How is pricing scoped?

The figures shown are starting points. Final pricing depends on endpoint count, identity scope, cloud footprint, retention needs, and response expectations.

Minimum contract?

Monthly rolling is available. Annual commitments reduce the effective monthly rate by around 10% and are better suited to longer-term programmes.

What is in the GHOSTLINE module names?

Module names like TRACE, INBOX, SIGNAL, VEIL, WATCH, ARCHIVE, and BASELINE map to our managed service capabilities today and will become the native platform modules when GHOSTLINE launches. Same principles, same philosophy.

What happens when the platform launches?

Existing managed service clients transition to the platform with priority access and preferred pricing. The managed service wraps around the platform. Nothing breaks.

Can I start small?

Yes. The Cyber Clarity Review is a one-off engagement that gives you a grounded view of where you stand. From there, we scope a retainer that fits.

In Development

The GHOSTLINE Platform

The platform is being built. Nine modules, three pillars, one unified intelligence fabric. Current managed service clients get priority access and seamless transition when it launches.

Platform: In Build
early access coming

ESSENTIAL

Pricing TBC
Micro businesses
  • CORE + TRACE + INBOX + BASELINE
  • Three pillars: WATCH, VEIL, ARCHIVE
  • Plain-English alerts via ORACLE

PROFESSIONAL

Pricing TBC
SMEs
  • Essential + SIGNAL + SURFACE + ORACLE
  • Threat intelligence fusion
  • Attack surface monitoring

ENTERPRISE

Pricing TBC
Mid-market
  • Full platform + SPECTRE testing
  • Senior security advisory
  • Custom rules, guaranteed response times

Platform pricing will be published closer to launch. Managed service clients receive priority access and preferred rates.

SPECTRE

Continuous offensive exposure validation. Also in active development alongside the platform.

SPECTRE: In Build

RECON

Pricing TBC
  • Attack surface discovery
  • DARK MIRROR monitoring
  • WATCHTOWER drift alerts

VALIDATE

Pricing TBC
  • RECON + VERIFY + EVIDENCE
  • Exposure validation with proof
  • DOSSIER reporting engine

ADVERSARY

Pricing TBC
  • Full 14-module platform
  • PHANTOM adversary emulation
  • NEURAL CHAIN attack paths

Offensive testing is available now as a managed add-on. The SPECTRE platform will launch alongside GHOSTLINE.

Get Started

Let's have a conversation.

Fill in the short form below. No commitment, no sales pressure. We will come back with a clear plan that fits your business.

The Team

Built in Cardiff. Built for businesses like yours.

GHOSTLINE exists because too many security products are built for large enterprises and sold to small businesses at a price and complexity level that does not fit. We started with a simple question: what would cyber security look like if it was designed around the needs of a 10 to 200 person business from day one?

Founder

Mohammed Khan. Over 10 years in cyber security. Master's degree in Computer Forensics from the University of South Wales (GCHQ-accredited). Career spans enterprise security, digital forensics, incident response, and building security operations centres from scratch. Holds multiple professional certifications across offensive security, threat intelligence, and defence.

GCHQ: Government Communications Headquarters. The UK's signals intelligence and cyber security agency. A GCHQ-accredited course meets their standards for quality and rigour.

Wales Ecosystem

Cardiff-based. Active member of Cyber Wales, connected to the £9.5M Cyber Innovation Hub, and part of the GlobalEPIC network linking 45 security ecosystems across 18 countries. Local knowledge, international reach.

Cyber Wales: Wales's national cyber security cluster. Over 2,700 individuals and 900 organisations working together to strengthen cyber security across the Welsh economy.

Our Approach

We believe security tools should be calm, clear, and respectful of your time. GHOSTLINE tells you what matters when it matters and stays quiet when there is nothing to say. No unnecessary alerts, no walls of jargon, no panic-inducing dashboards. Just honest, useful information delivered when you need it.

Accreditations

Current: Cyber Essentials, Cyber Essentials Plus, Cyber Wales Ecosystem Member. Coming next: IASME Cyber Assurance, ISO 27001, CREST Membership.

Cyber Essentials: A UK government-backed certification that covers the basic technical controls every business should have in place to protect against the most common cyber attacks.
Cyber Essentials Plus: The advanced version of Cyber Essentials. Includes hands-on technical verification by an external assessor, not just a self-assessment.
IASME: The IASME Consortium manages the Cyber Essentials scheme and offers a broader cyber assurance certification.
ISO 27001: The international standard for information security management. Shows you have a structured, audited system for managing security, not just tools.
CREST: An international accreditation body for the cyber security industry. CREST membership means your testing and services meet independently verified professional standards.

From the Team

Useful reading.

Plain-English guides, real data, and clear thinking on the threats facing UK businesses. Written for the people who run the business, not the people who run the firewall.

PROGRAMME
Guide · 5 Days · 2026

The Cyber Sprint: Five Days to Clarity

Most business owners want to know one simple thing: are we actually protected, or are we hoping we are? The Cyber Sprint answers that question in five working days, with an honest report and a clear plan.

12 min read
DOCTRINE
Doctrine · Deep Read · 2026

We Do Not React. We Deny the Ground.

How GHOSTLINE defends businesses inside a worldwide cyber war. The doctrine, the reasoning, and the historical evidence behind why most security programmes fail and what actually works instead.

18 min read
DIRECTIVE
Legislation · Interactive · May 2026

The Cyber Security & Resilience Bill

The UK has just changed the law on cyber security for the first time in seven years. New rules on incident reporting, supplier responsibility, and serious fines for getting it wrong. What it means for your business, in plain English.

10 min read
FILE 612K
Data · Interactive · Apr 2026

The 2025/2026 UK Cyber Breaches Survey

Last year, around 612,000 UK businesses were hit by a cyber attack. Most of them started with an email. A clear readout of the official numbers, what they mean for businesses like yours, and a simple check on where you stand.

14 min read
SIGNAL
Guide · Interactive · Apr 2026

Threat Intelligence: Knowing What Matters

The security industry loves to talk about threats. What most business owners actually need is to know which threats apply to them, how urgent they are, and what to do about each one. A plain-English guide.

11 min read
RECOVERY
Threat · Interactive · Apr 2026

Ransomware: What It Is and How to Stop It

Ransomware locks you out of your own systems and demands payment. It is one of the biggest threats to UK businesses today. How it gets in, what happens when it strikes, and the practical steps that stop it.

10 min read
COMPARISON
Technical · Interactive · 2026

Antivirus vs Modern Protection

"We have antivirus, so we are protected." That used to be true. It is not anymore. See exactly where traditional antivirus stops working and what modern protection does differently, with side-by-side examples.

8 min read
MORE COMING SOON

We add new guides as the threats and rules change. Next up: supplier risk for small businesses, and what AI tools mean for your data.

Your First Step

Not sure where to begin?

That is completely normal. Most businesses we work with started exactly where you are now: knowing security matters, not knowing what to do about it. Here is the path, step by step.

Each step is designed to reduce friction. No jargon. No pressure. You move at your own pace.

1. Have a conversation with us

Fill in the short form. We will come back to you within 24 hours with a quick call or email. We want to understand your business, your concerns, and what matters to you. No sales pitch.

⏱ 2 minutes to fill in · 15 minute follow-up call

2. We run a Cyber Sprint

Over five working days, we review your security posture: your email setup, devices, access controls, backups, and external exposure. You get a clear written report in plain English, a prioritised action plan, and a debrief call where you can ask anything.

⏱ 5 working days · £950 fixed fee (credited if you continue)

3. You decide what happens next

Some businesses take the report and handle things themselves. Some want us to implement the plan. Either way, you walk away with something genuinely useful. If you continue, the £950 is credited in full towards your first retainer. Zero wasted money.

⏱ Your call · No lock-in, no pressure

4. Ongoing protection (if you want it)

We offer three tiers of managed security, starting from £695 per month. We monitor your systems, respond to threats, track compliance, and give you a clear monthly report. You focus on running your business. We handle the security.

⏱ Monthly retainer · Cancel any time

The hardest part is the first message.

After that, we handle everything. You just answer a few questions about your business.

Common questions at this stage

"Is this going to be expensive?"

The Cyber Sprint is £950 and is credited if you continue. Managed protection starts from £695 per month. We scope everything to your size and budget. No surprises.

"We are too small to be a target."

43% of UK businesses experienced a cyber breach last year. Automated attacks do not check how many employees you have. Small businesses are targeted precisely because they tend to have fewer protections.

"We already have antivirus."

Antivirus catches known threats. Modern attacks use techniques that bypass it entirely. Our blog article on AV vs EDR explains this in detail with an interactive simulator.

"How long does this take?"

The Cyber Sprint takes 5 working days. If you move to a managed retainer, onboarding typically takes under a week. You will have protection and visibility within days of starting.

Breathe

You are in the right place.

If you think your business has been hacked, hit with ransomware, or compromised in any way, we can help. Take a breath. You have got us now.

We respond to breach enquiries within 1 hour during business hours.

While you wait, here is what to do right now

1. Do not turn anything off

Unless you are actively watching data being destroyed, leave computers on. Turning them off can destroy evidence we need to help you.

2. Disconnect from the network

Unplug the network cable or turn off Wi-Fi on affected machines. This stops the attacker spreading further without destroying evidence.

3. Do not pay anything

If you are seeing a ransom demand, do not pay it yet. Payment does not guarantee recovery. We need to understand the situation first.

4. Write down what happened

When did you first notice something wrong? What did you see? Which systems are affected? On paper or your phone is fine. This helps us move faster.

5. Fill in the form below

We will get back to you as quickly as possible. Include a phone number so we can call you directly.

Get help now

Fill in as much as you can. We will call you back.

What happens after you contact us

Within 1 hour

We call you back, assess the situation, and give you immediate guidance on containment.

Within 4 hours

We begin remote investigation. We will tell you what we can see, what the attacker has done, and what needs to happen next.

Within 24 hours

You have a clear picture: what happened, what data is affected, who needs to be notified, and a recovery plan. We handle the technical response while you focus on your business and your people.

You can also call the NCSC directly on 0300 020 0973 or report to Action Fraud on 0300 123 2040.