Cybersecurity · Oslo, Norway

Leading specialists in identity.

We secure Nordic and international businesses — from ISO 27001 to 24/7 SOC.

Services

Six areas. One vendor to deal with.

We cover the full security picture — from strategic advisory to 24/7 operational delivery. You work with specialists directly, with no extra layers in between.

Secured by FM CyberSecurity · ISO 27001 + NIS2

Unlock the market you're locked out of.

ISO 27001 is a big job — documentation, tooling, operations, audit. Traditionally that means multiple contracts and separate invoices. With us it is one vendor, one service, one price. We do the work. You get certified.

ISO 27001 GUARANTEE* NIS2 ✓ — WE COVER YOUR NEXT CERTIFICATION ATTEMPT*
Components 8
01 ISO 27001 guarantee (★ the core)
02 NIS2 overview
03 vCISO
04 SOC
05 Exposure Management
06 Application Security
07 Penetration Test
08 GRC tool
Ready to get certified? 30 minutes, no obligation.
The team in our Oslo office
A personal note from the co-founder and CEO

“Cybersecurity is about people — about trust, about someone actually answering when something breaks. We are built around that, not around a sales organization.”

Fredrik Standahl, Co-founder & Principal Advisor

CISO-for-hire and AI Advisor. Sits with executives across the full security picture — strategy, architecture, and what to build first.

The team

Specialists who lead every area.

A named senior lead for every area we cover. The person who scopes your engagement is the same one who delivers it.

Maximilian Sharoyan
Co-founder & Principal Advisor
Architect and advisor on ServiceNow and GRC. Sits with executives, leads strategic GRC programs. Enterprise.
Christian Kvernevik
Partner & Principal Project Lead
Project leadership at architect and advisor level. Runs complex multi-vendor security delivery end-to-end. Enterprise.
Anders Helgesplass
Partner & Principal Security Consultant
Architect and advisor across endpoint and exposure management — endpoint security, MDM, SCCM/Intune, Tenable, Rapid7, CyberArk. Enterprise & SMB+.
Robin Kvernevik
Partner & Principal Security Consultant
Architect and advisor on identity and privileged access — CyberArk. International enterprise.
Johan Vorgaard
Compliance Consultant
ISO 27001, NIS2 and DORA delivery. Built the compliance core of Secured by FM — certification-ready in under four weeks. SMB & SMB+.
Kenny Le
Security Consultant
CrowdStrike platform, agentic SOC and Shadow AI. Built the 24/7 AI-driven SOC behind Secured by FM. SMB+ & enterprise.

We are growing. If you are a specialist — we would love to talk.

30 minutes · no obligation

Let's talk about your security.

Book a no-obligation meeting. We listen, scope quickly, and are honest about what you actually need.

Questions

Frequently asked questions.

Can't find your answer? Send us a message.

Who is FM CyberSecurity?

FM CyberSecurity is a Norwegian cybersecurity firm founded in 2025 by Fredrik Standahl and Maximilian Sharoyan, headquartered in central Oslo.

  • Specialist team — seven senior consultants today, growing to fifteen during 2026.
  • Capability areas — identity & PAM, exposure management, MDR/SOC, endpoint security & MDM, application security, AI security, and compliance & GRC.
  • Strategic partners — CrowdStrike (Falcon Complete Next-Gen MDR, Falcon AIDR, Charlotte AI), CyberArk, Tenable, and Aikido. Operated end-to-end, not just resold.
  • Two sides — Secured by FM is our standardized package for SMB and SMB+, launched in 2026; for enterprise we run custom consulting engagements.

Where are you based and who do you work with?

We operate from central Oslo (Henrik Ibsens gate 36) and deliver across the Nordics and internationally.

  • Customer mix — SMB+ and enterprise on the consulting side; SMB and SMB+ on the Secured by FM CyberSecurity side.
  • Languages — English and Norwegian, both for delivery and for written documentation.
  • Engagement model — monthly retainers, scoped sprints, or single deliverables (e.g. a pentest or a board-ready security strategy).

We prefer ongoing relationships but take scoped one-off work when the situation calls for it.

How is FM CyberSecurity different from a traditional MSSP or a Big-Four advisory firm?

We sit between the two and consciously avoid both ends.

  • vs. a traditional MSSP: an MSSP sells you monitoring contracts. We operate the entire security function — vCISO, identity, MDR, exposure, compliance — as one practice. Monitoring without architecture and identity context is just noise.
  • vs. Big-Four advisory: advisory firms give you slide decks. We don't. Every consultant on our team has hands on a console — CrowdStrike Falcon, CyberArk PVWA, Tenable, Aikido. Recommendations come from operating the systems, not surveying them.

As our co-founder's note puts it: built around someone actually answering when something breaks, not around a sales organization.

What's the difference between a SOC and an MDR — and what do we deliver?

A SOC is the security function — the team, processes, and tooling that detect and respond to threats. You can build one in-house or buy it as a service. An MDR is a productized version of that service: a vendor operates 24/7 detection, threat hunting, and response on your behalf, on their platform, under SLA. We deliver CrowdStrike Falcon Complete Next-Gen MDR, CrowdStrike's flagship MDR service.

  • 24/7 detection across endpoints, identity, and cloud workloads.
  • Charlotte AI for agentic alert triage and enrichment.
  • CrowdStrike analysts investigate, contain, and remediate under SLA.

FM CyberSecurity is a certified CrowdStrike partner in Norway, handling onboarding, tuning, and local delivery.

How do you handle AI security risks — Shadow AI, vibe-coded apps, agentic AI?

Three distinct risks, three operational answers.

  • Shadow AI — employees pasting sensitive data into ChatGPT, Claude, Lovable, Copilot. Handled by CrowdStrike Falcon AIDR: browser extension plus Falcon sensor inspect prompts in real time and either redact sensitive content (PII, secrets, customer data) or block the submission. We default to redact so people keep working — friction-free policy beats blanket bans that get worked around.
  • Vibe-coded applications — AI-generated code carrying embedded vulnerabilities. Covered by Aikido: continuous AppSec on every pull request (SAST, dependencies, IaC, containers, secrets), plus AI pentesting on each deployment. Manual pentests on top when scope demands.
  • Agentic AI inside your environment — internal copilots, autonomous agents, AI features shipping in your product. Governed by Falcon AIDR: detects prompt injection, jailbreaks, data leakage, and unsafe agent actions before they execute.

How do you approach ISO 27001, NIS2, and DORA compliance?

We treat compliance as a byproduct of real security, not a separate paper trail. The work runs in three layers.

  • ISO 27001 — operational baseline. Maintained controls library, evidence collection, audit-defense materials. Our Secured by FM model delivers focused SMB scope from onboarding to certification-ready in roughly four weeks, on templated controls and an integrated GRC tool.
  • NIS2 — applies to organizations across 18 regulated sectors (11 essential under Annex I, 7 important under Annex II), or those feeding regulated supply chains. Norway's incorporation is progressing via the EEA Agreement. We sequence ISO 27001 first because the controls work doubles as NIS2 readiness evidence — the same Annex A measures map directly to NIS2 Article 21.
  • DORA — financial services and ICT third-party providers. Operational resilience testing, ICT risk management, major-incident reporting. In force since January 2025.

The vCISO embeds in your leadership team; SOC and exposure data become the evidence audits actually want to see.

How do you secure web applications and APIs?

Continuously at the code level, with an AI-driven pentest each quarter and on every major release.

  • Every time a developer pushes new code, our platform automatically checks it for security issues. When something gets fixed, it's tested again to confirm the fix worked.
  • On major releases and quarterly, autonomous AI agents run a full pentest against the live app — they try to break in the way a real attacker would, and only report what they actually exploited.

It replaces the once-a-year manual pentest model, where an app sits untested for 364 days at a stretch. We do this for web apps and APIs; if you need network pentesting, social engineering, or red-team work, we'll refer you to a partner who specializes in that.

How do you handle privileged access?

We architect and operate CyberArk — the platform that secures the most sensitive accounts in your organization. Our customers are mostly regulated Nordic environments: banks, energy, public sector, manufacturers.

  • The credentials your administrators and systems rely on sit in a central vault, rotate automatically, and never get shared in chat or spreadsheets.
  • Every privileged session is recorded and governed. When an audit asks 'who accessed this and when,' the answer is ready.
  • Service accounts, API keys, and other machine credentials are managed in the same controlled flow — out of source code, out of config files.

Principal-led — Robin Kvernevik and the team hold CyberArk delivery-engineer certifications. We design, implement, and operate. No deck-then-handoff.

How do you find and prioritize vulnerabilities?

We operate Tenable across IT, cloud, and identity systems — finding what's exposed and ranking what actually needs fixing first.

  • We continuously discover what's running in the environment — cloud workloads, servers, endpoints, and identity systems like Active Directory and Entra ID.
  • We don't hand you a 50,000-row CSV. We hand you the 200 things that actually matter this week, ranked by how exploitable they are and how much they'd hurt the business.
  • The same data feeds your ISO 27001 audit evidence and our SOC for active threat hunting — so the work delivers value beyond a dashboard.

MSSP-level Tenable certifications. Delivered as a dedicated exposure-management service, as part of Secured by FM (where Tenable Identity Exposure is included by default), or inside a broader consulting engagement.

What is Secured by FM CyberSecurity?

A packaged subscription for organizations up to 100 employees that are locked out of enterprise contracts and public-sector bids — because they don't have ISO 27001 or a real security posture. One vendor, one contract, one price — with an ISO 27001 certification guarantee at the core.

  • ISO 27001 with refund guarantee — if the main audit doesn't pass within the agreed window, you get the money back. (Gross negligence on the customer side voids the guarantee.)
  • NIS2 readiness — the same controls work doubles as NIS2 evidence.
  • vCISO and security architecture from senior consultants embedded in your team.
  • 24/7 MDR via CrowdStrike Falcon Complete Next-Gen MDR.
  • Exposure management on Tenable, including Tenable Identity Exposure.
  • Application security and AI pentesting on Aikido.
  • A GRC tool to hold your controls library, evidence, and audit trail.

The same components our consulting practice delivers separately, operated as one service by the same team that scopes them. Built for organizations that need the four-vendor capability to win the contracts they're locked out of today.

Questions or inquiry? hello@fmcybersecurity.com