Why are we giving away what we used to charge for? Welcome to Zerolynx Lab!

Juan Antonio Calles

For years, I've seen the same scenarios with clients, especially in the SME world, where someone is suddenly tasked with "looking into this cybersecurity thing." They do a quick Google search, find us, and then we get the question: "Hey, how am I doing?" Not "how am I doing against this specific threat," or "how am I doing against this regulation," but the overall how am I doing, the one that someone asks when they wake up on a Monday feeling like they don't know where to start.

The honest answer is always the same: it depends, my friend. It depends on which regulations apply to you, the maturity of your development, who your providers are, whether your domain exposes half a dozen headers it shouldn't... And at that point, the client, rightly so, makes a face that says "okay, but I need a starting point."

For a long time, we solved this the old-fashioned way, with an Excel questionnaire, several questions from a member of the technical team, a traffic light system, and off we went. It worked, but it was ours. It stayed internal and only visible to whoever was sitting on the other side of the Teams call.

And then there was the other part, which almost no one talks about in this sector, but it's the daily reality. For that initial diagnosis, especially in SMEs, there was no human way to charge. The request always came disguised as "send me a quote," but what was really behind it was "first, tell me how bad I am, what I would need to do, and where we would start, and then I'll decide if I hire you." A quote that was, in reality, half a free analysis, half a free roadmap, and at the end of the document, a number.

And I understand it, don't get me wrong. The person responsible for an SME doesn't have the thousands of euros that an exploratory consultancy costs to confirm what they already suspect. But for us, it was unsustainable. Each serious proposal took us days of work, and only one out of 20 was signed. Saying no, which is often what you feel like doing, wasn't an option either, because by saying no, you run out of pipeline. So, something had to be done.

And one day we asked ourselves something quite obvious: why don't we automate it and even give it away for free?

And so, without further drama, the Lab section of our website www.zerolynx.com was born. A page with free self-assessment tools that anyone can use, without registration, and without us showing up in their inbox the next day with a "hello, how are you?" We collect the email they voluntarily provide, of course, but without any intent to pursue them. That sales style has never been our thing.

The idea behind this section of our website was ultimately twofold:

1. To make the initial assessment easy. If an IT manager can sit down for ten minutes on a Friday afternoon and leave with a PDF telling them where they're weak, then we've all won. They have a starting point. We have a much more useful subsequent conversation than the "I don't even know where to start" one.

2. To give back to a community that we have been part of for over a decade. Just like Flu-Project, which was born precisely with that spirit of sharing, the Lab tools are the 2026 version of the same philosophy: here's what we use internally, for free. If it helps, great. If you then want us to go deeper with a team, you know where to find us.

What's inside

As of today, there are five published tools, covering quite distinct blocks of daily practice. I'll review them briefly:

  • Cybersecurity regulatory self-assessment. By far the most used. Measures your posture against CIS Controls v8, ISO 27001:2022, ENS, and NIS2. Returns gaps and a prioritized action plan. It's the "how am I doing" question answered clearly, with the framework that applies depending on who your organization has to report to.
  • Supplier identification and classification. Several security managers almost asked us for this in these exact words: "I need a quick way to explain to the committee why this supplier is critical and that one isn't." It classifies risk according to access, criticality, dependence, and connectivity, and returns applicable ENS controls and best practices by contract phase. Especially useful if you need to respond to NIS2 or Article 28 of the GDPR.
  • Passive domain or URL pentesting. The favorite of the curious. Non-intrusive analysis (I insist: passive, it doesn't affect anyone) of a domain: HTTP headers, TLS, DNS, cookies, information disclosure. Following OWASP. It helps to see, without alarming anyone, what information is being unintentionally revealed.
  • Secure development self-assessment. Based on OWASP SAMM v2. Measures the maturity of the development lifecycle. Designed for CTOs and technical managers who suspect their SDLC has gaps but don't know what they are. The questionnaire ranks those gaps by where the most is being lost.
  • Email header forensic analysis. The one that has saved me the most headaches in my life, by the way. You paste the technical header of a suspicious email, and the tool cross-references RFC 5322, DKIM, SPF, DMARC, and RFC 8601 to tell you if it smells like spoofing, manipulation, or CEO fraud. In these times, with decent phishing every other day, it's good to have it handy.
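
To make the email header item concrete, here is an added example (not Zerolynx's code, and not how their tool is implemented) of the kind of cross-check it describes: read the RFC 8601 `Authentication-Results` header stamped by your own receiver, then test whether the SPF and DKIM passes belong to the domain in `From`. The sample message, the `analyze` and `org_domain` names and the finding labels are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header block, not a real message.
SAMPLE = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Authentication-Results: mx.example.org;\n"
    " spf=pass smtp.mailfrom=mailer.example.net;\n"
    " dkim=pass header.d=mailer.example.net;\n"
    " dmarc=fail header.from=example.com\n"
    'From: "CEO" <ceo@example.com>\n'
    "Reply-To: ceo.office@freemail.example\n"
    "Subject: Urgent transfer\n\n"
)

def org_domain(value):
    # Naive organizational domain (last two labels). Assumption: a real check
    # would consult the Public Suffix List instead.
    return ".".join(value.rpartition("@")[2].lower().strip("<>.").split(".")[-2:])

def analyze(raw, trusted_authserv):
    msg = message_from_string(raw)
    author = org_domain(parseaddr(msg.get("From", ""))[1])
    # RFC 8601: only trust Authentication-Results stamped by our own receiver;
    # a sender can forge any other copy of this header.
    trusted = [re.sub(r"\s+", " ", h) for h in msg.get_all("Authentication-Results", [])
               if h.split(";")[0].split()[:1] == [trusted_authserv]]
    if not trusted:
        return ["no-trusted-authentication-results"]
    ar = " ".join(trusted)
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    props = dict(re.findall(r"\b(smtp\.mailfrom|header\.d)=([^\s;]+)", ar))
    findings = [f"{m}={results.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass"]
    # DMARC-style alignment: a pass only helps if it is for the author's domain.
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        if results.get(method) == "pass" and org_domain(props.get(prop, "")) != author:
            findings.append(f"{method}-unaligned")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and org_domain(reply_to) != author:
        findings.append("reply-to-mismatch")
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE, "mx.example.org"))
```

The sample passes SPF and DKIM, but for the mailer's domain rather than the one shown in `From`, which is why the alignment checks matter more than the bare `pass` values.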

All five are online and free, require no registration (although yes, we ask for an email), return a PDF, and don't keep your information. That was another internal debate we had: whether to collect data or not... and we ended up deciding against it. We are a cybersecurity company, and data should always belong to its owner. If someone wants to talk to us, they'll find us.

The fine print that isn't so fine

I'll say it openly because I think it's important: these tools are not an audit. They are indicative. They give you an initial snapshot based on what you declare or what is visible from the outside without touching anything. They do not replace the serious work required for certification, to defend against a criminal, or to handle an incident.

What they do, and do well, is save you that first afternoon of "I don't even know how to approach this." And from there, you can decide whether to work with what you have, or ask us for a quote for something serious. If you go for the second option, you can even send us the self-assessment report in PDF directly, and it serves perfectly as a starting point for us to prepare a proposal.

Check them out

You can access the page here: zerolynx.com/pages/self-cybersecurity-audit.

Any feedback, suggestions for new tools, or a "hey, this isn't working in my browser" is appreciated and read. The idea is that the Lab won't just stay at five utilities. We have a few more in the works. But I'll talk about that another day.

Best regards!