Independent Engineering Bureau
Lab Status: Operational
Practice Areas

Four capabilities. One chain of evidence.

We organise around what we do, not around who we do it for. Every engagement we accept has an assessor, an auditor, or a regulator at the other end of it — and our team is structured accordingly, regardless of the sector on the invoice.

01
Build

High-assurance software engineering

Custom development for systems that must survive external assessment. Requirement-linked commits, signed build provenance, and evidence generated as a byproduct of the pipeline — not assembled the week before submission.

  • Backend, web and data platforms
  • Embedded and device software
  • Architecture & threat modelling
  • Legacy modernisation under constraint
02
Test

Independent verification & validation

Our Testing Lab operates at arm's length from our build teams. Test plans referenced to applicable standards, execution on sealed builds, and a signed report with a full evidence pack at the end of every engagement.

  • Functional & risk-based V&V
  • Performance, load and chaos
  • Hardware-in-the-loop for devices
  • Regulatory test packs
03
Attack & defend

Security engineering & offensive testing

Threat modelling and secure SDLC enablement on the build side, penetration testing and red-team exercises on the assurance side. Documented methodology, reproducible findings, and a retest cycle included as standard.

  • Application & API penetration testing
  • Cloud and infrastructure review
  • Secure SDLC & supply-chain hardening
  • Adversary simulation
04
Defend

Regulatory-grade documentation

The paperwork an assessor will actually read — written by engineers who can defend every clause. Gap analysis, technical file and design history authoring, pre-audit dry runs, and post-market surveillance support.

  • Gap analysis & remediation roadmaps
  • Technical files & DHFs
  • Pre-audit dry runs
  • Surveillance & post-market

A note on sectors

We deliberately don't organise this page by industry. The engineering discipline required to survive an external assessment is largely the same whether the assessor is a notified body, a financial regulator, a government accreditor, or an internal audit committee. If your organisation has one of those at the other end of your software, the practice areas above are the shape of how we work.