Pragmable is a cybersecurity software house. We build bespoke security tooling
for regulated operators — heavy tech, compiler-grade engineering, sovereign infrastructure.
Three engagement modes, from a six-week co-design sprint to a multi-year build & operate
contract.
// what we are
A cybersecurity publisher & bespoke software house
// who we serve
Regulated operators · banking · healthcare · critical infra
// how we engage
Co-design · bespoke build · build & operate
// where we run
Residency follows the workload — EU · US · on-prem · SecNumCloud-ready
§01 — WHO THIS IS FOR
If one of these sounds like you.
01
Your environment is too specific for off-the-shelf.
Custom IAM models, internal RBAC tiers, multi-cloud + on-prem permission graphs that
no SaaS vendor will faithfully evaluate. We meet the model where it lives.
02
A regulator gave you a deadline.
NIS2, DORA, CRA, sector-specific mandates. You need a defensible, signed, traceable
answer — not a dashboard screenshot. We ship deliverables your auditors can read.
03
Your data cannot leave your perimeter.
Air-gapped, on-prem, SecNumCloud, HDS — environments where calling a US-hosted API
is not an option. We package, sign, and deliver software that runs offline.
04
The internal team needs heavy-tech engineers, briefly.
Compiler design, formal methods, applied crypto, distributed systems — skills you
need for one project, not one decade. We embed, ship, and hand off.
§02 — HEAVY TECH
What we build with.
→ stack-by-stack on request
§ AUTHORIZATION ENGINES
Custom policy evaluators at the source.
Six-layer chain evaluators, ABAC graph systems, policy-as-code compilers, condition-key
coverage — bespoke when off-the-shelf can't cover your model.
Rust · Datalog · SMT · OPA · Cedar
§ DETECTION & GRAPH
IAM graph & behavioral pipelines.
Continuous re-evaluation, blast-radius simulators, deviation detectors — built on
streaming infra that scales to millions of principals.
Rust · Kafka · ClickHouse · Neo4j
§ SOVEREIGN INFRA
On-prem & SecNumCloud distributions.
Air-gapped builds, SecNumCloud-ready packaging, HDS-compatible deployments. Ship
security tooling to environments that cannot phone home.
OVHcloud · Outscale · S3NS · OpenShift
§ FORMAL METHODS
Provable policy correctness.
SMT-backed policy verification, model-checked authorization rules, machine-checked
invariants. For environments where "we tested it" isn't a defense.
Z3 · TLA+ · Coq · Dafny
§ LANGUAGES & DSLs
Domain-specific query languages.
RQL is ours — the query language behind Whocan. We bring compiler-grade language
design to bespoke builds: compliance DSLs, audit query languages, configuration
grammars.
Tree-sitter · LALRPOP · LSP · WASM
§03 — ENGAGEMENT MODELS
Three ways to work with us.
→ we'll recommend the right one in the first call
Across all three modes: we own the build's security, quality, and fix lifecycle ourselves.
No offshore patches. No third-party hand-offs. Residency follows the workload — EU, US,
on-prem, or sovereign-cloud / SecNumCloud-ready.
▸ MODE 01 · CO-DESIGN SPRINT
Scope & specify.
Four to six weeks alongside your security architects to scope the problem
and produce a written technical specification — buildable by us or by your team. No code
commitment, no lock-in.
▸ MODE 02 · BESPOKE BUILD
Three to nine months building the system end-to-end — architecture,
code, tests, deployment, documentation. Security and bug fixes stay in-house with us
for the duration. Source code transferred under perpetual license; hand-off or
continued operation as you choose.
▸ MODE 03 · BUILD & OPERATE
Twelve months and longer. We build the system and run it for you — SLA,
on-call, continuous evolution. You stay the data controller; we stay the engineering
team. Residency wherever your workload lives.
You write to build@pragmable.com with the problem in your own words. We read every one.
→ first response · 48h
02
Discovery call
90 minutes, with one founder and one engineer. We ask hard questions; we share what we can build, what we won't, and what shouldn't exist.
→ go / no-go in writing
03
Written scope
A short, signed memo — problem statement, success criteria, engagement mode, price, team, dates. Everything matters and nothing is implied.
→ scope memo · 1 week
04
Build
Weekly written progress, biweekly demo. Source code in a repo you control. Engineers named. No black-box delivery.
→ usable increments / 2 wks
05
Hand-off
Production deploy, documentation, runbooks, training. We transfer or we operate — your choice, written into the original scope.
→ signed acceptance
Tell us your hard problem.
One paragraph is enough for the first reply. We respond within 48 hours, every time.
If we can't take it on, we'll tell you who could.
▸ Intake reviewed weekly
▸ NDAs supported · we sign yours, or use ours
▸ All correspondence reaches both founders
▸ Residency follows the workload — EU, US, on-prem
One paragraph is enough for the first reply: the problem, the regulator (if any), the
constraint that makes off-the-shelf insufficient. Your email reaches both founders.