About · Zurich · since MMXXV

Advice that stays measured.

Clypeus Horizon is a Swiss cybersecurity boutique with one clear mandate: make what's worth protecting negotiable — and then actually protect it. No tools we have to sell. No frameworks we have to repeat. Just a measured look at what actually holds your company together.

Founded: 2025 in Zurich. Independent, no external investors — carried by a small group with a shared stance.
Languages: German · English · French — mandates are run in the language of the mandate.
Sectors: Industry, financial services, healthcare, digital services — from SME to multinational.

Stance

Cybersecurity is an economic discipline.

We think about security from an adversarial perspective. An attacker invests time, money, attention — and expects a return. Anyone who understands that stops treating security as a checklist and starts conducting it as an economic negotiation.

From this follows a simple rule: protection must match the value of the information. Not every asset deserves the same attention. But every asset whose loss would seriously damage the business deserves an investment that makes an attack unprofitable — not impossible, but too expensive.

We are not against frameworks. ISO 27001, NIST, MITRE — we speak them all. But we treat them as a language, not a destination. A compliance list is a by-product of correct work, not its content. Anyone chasing compliance misses resilience; anyone building resilience gets compliance almost as a gift.

And finally: we deliver where advice and execution usually fall apart. A report nobody operationalises changes nothing. We stay with the material until the risk is demonstrably smaller — or defensibly accepted.

Principles

Four lines we let ourselves be held to.

They are not original. But they are demanding to honour — and that's the actual value. If we fail at one of these principles, you may remind us.

i · Clarity

We say what we don't know.

Security work depends on honest situational pictures. We separate what is measurable from what we merely suspect — and we say so. A calibrated statement is worth more than a confident promise.

ii · Proportionality

Protection must match the asset.

We recommend nothing we cannot also justify — to executive management, to the board, and if in doubt to the regulator. Effort and effect are negotiable; arbitrariness is not.

iii · Operational, not just strategic

We stay with the material.

A recommendation that does not move into operation is only a document. We accompany implementation, handover, and tuning — until the measure stands in daily life and holds in audit.

iv · Discretion

Confidential stays confidential.

We work with Threema, Signal and PGP, not with tracker CRMs. We do not reference mandates without explicit consent. What was said in a tabletop stays in the tabletop.

Approach

Four phases, one line.

Whether it's a NIS-2 impact analysis, a CISO mandate, or a tabletop exercise — the stations are the same. They differ only in depth and timeline.

01 · Listen

Understand the situation.

We start with conversations, not questionnaires. What does the company protect today? What would be the biggest loss? Where do unclear responsibilities sit?

02 · Model

Map the risk.

Threat modelling, asset valuation, regulatory positioning. At the end stands a picture in which management and IT can agree on the same language.

03 · Harden

Implement measures.

Architecture, identity, supply chain, incident response — we harden where the impact per franc is highest, and document verifiably what was done.

04 · Tune

Keep it in operation.

Security decays if nobody maintains it. We come back: for exercises, for audit preparation, for the next tightening of the framework.

Advisers

Multiple minds, one doctrine.

Clypeus Horizon is backed by a small group of advisers with multi-year experience at the intersection of cybersecurity, risk management and compliance — in regulated Swiss companies as much as in EU-wide industrial groups.

What connects us is not a shared CV but a shared stance: the adversarial-economic perspective — security as a negotiation over scarce resources — combined with the discipline of Swiss diligence. No grand words, verifiable trails, documented responsibility.

Every mandate is run personally — by one dedicated point of contact who carries the dossier from the first hour to the audit. When needed, a curated network of expert partners is engaged — forensics, legal accompaniment, cloud and OT architecture.

  • Languages: German · English · French — mandates are run in the language of the mandate
  • Focus: NIS-2, Cyber Resilience Act, Swiss ISG, ISO 27001 / 27002, FINMA, DORA
  • Methods: Threat modelling, zero-trust architecture, tabletop exercises, board reporting
  • Mandate forms: Strategic mandates · Cyber-risk assessments · Compliance architecture · Crisis support at board level

Location & reach

Zurich. Personal. Encrypted.

We work out of Zurich, on site at the client — across Switzerland and the DACH area. Initial conversations take place in Zurich, online, or on your premises. Confidential matters preferably via encrypted channels.

Headquarters

Clypeus Horizon GmbH

Rooswiesenstrasse 29
8155 Niederhasli
Switzerland

Operations area

Switzerland & DACH

On-site mandates across Switzerland
Cross-border mandates in the DACH area
EU exposure on request (group, supply chain, subsidiary)
  • Languages: DE · EN · FR — IT on request
  • Response: Initial contact within 24 h on business days
  • Emergency: Incident response on a separate line

Company: Clypeus Horizon GmbH. Limited liability company under Swiss law.
Managing director: Stephan A. Weber. Responsible for content within the meaning of Art. 3 UWG.
Registered office: Rooswiesenstrasse 29, 8155 Niederhasli, Switzerland. Business mail; in-person meetings by appointment.
Registration: Commercial register of the Canton of Zurich. UID: CHE-145.672.308.
Contact: contact@clypeus.ch; confidential matters preferably via Threema or Signal.
Web: clypeus.ch; the only binding online presence, further profiles on request.
Supervision: No sector-specific supervision for advisory activity; professional duties of care are observed. Mandates in regulated sectors (FINMA, BACS) within the respective requirements.
Privacy: Own privacy statement under revDSG. See privacy statement.
Liability: Contents of this website are prepared with care but do not replace mandate advice. No liability is assumed for external links. The individual mandate agreement is always authoritative.
Copyright: Texts, graphics and code on this website are copyright-protected. Use only with explicit consent. © 2025–2026 Clypeus Horizon.
Status: April 2026. Material changes are tracked here.

First listen.
Then model.
Only then propose.

For sensitive matters, please use Threema or Signal — not unencrypted email