
Archive: News

BeFresh certified ISO 27001

BeFresh, serving its 300+ customers, is proud to announce its ISO/IEC 27001:2022 certification for its Information Security Management System (ISMS). The scope covers all of its activities, including software development (such as e-invoicing tools), SaaS hosting, and the operation of a Peppol-certified access point hosted in a private cloud in Luxembourg.

Benoît Frisch, Managing Director: “I am really satisfied with how quickly we achieved this goal — in less than 6 months — including the building of an Information Security Management System (ISMS), its certification, intrusion tests, and the implementation of GDPR and NIS2 compliance. This remarkable pace was largely enabled by the security expertise of itrust consulting and the cloud security offered by Deep.”

Anna Chezganova, project manager at itrust consulting, about this certification: “I was happy to apply itrust consulting's years of experience in a fast-moving project, in which we reached certification only 6 months after the kick-off.”

Carlo Harpes, external CISO: “Such a success is only possible thanks to the management, IT, development, and security skills of all people at BeFresh, enabling fast decision processes.”

Abdessamad Kahir, lead auditor at Certi-Trust: “This was a pleasant certification audit, not only because it succeeded, but also because most of the required evidence was delivered to us proactively and we received prompt and relevant answers to all our questions.”

About BeFresh:

BeFresh is a Luxembourg-based company specializing in digital transformation services such as ERP, CRM and invoicing as a service, and in the development of customized software solutions. Founded in 2019 and based in Kockelscheuer, it positions itself as a technology partner for organizations seeking to modernize their workflows, with particular expertise in billing process automation.


About itrust consulting:

itrust consulting is an 18-year-old Luxembourg SME specializing in information security management systems. It helps customers from both the public and private sectors protect their information against disclosure, manipulation and unavailability. Its services cover building, implementing and auditing Information Security Management Systems; assessing and treating risks with its own OpenTRICK tool; deploying security experts whenever needed (SECaaS, Security as a Service); on-request penetration testing of customers' systems; handling cybersecurity incidents (see malware.lu CERT); and designing and operating security solutions for ICT such as Wazuh, RADAR and C5-DEC.


About Certi-Trust:

Certi-Trust is an international certification organization specializing in digital trust and regulatory compliance. The organization supports companies and government agencies in validating their management systems. Beyond certifying organizations, Certi-Trust plays a key role in the Luxembourg ecosystem, helping to strengthen the resilience, security, and digital credibility of economic players in the Grand Duchy.

Launch of itrust’s AI platform – hestIA


hestIA - Sovereign enterprise AI assistant for public administration and communes


We are excited to announce the launch of hestIA, an enterprise AI assistant designed for organizations that require sovereign, auditable, and access-controlled AI capabilities without relying on external providers.

The name hestIA is drawn from Hestia, the Greek goddess of the hearth. Revered for the goodness of her modest nature and her role as the guardian of the sacred flame, Hestia symbolises a place of safety, stewardship, and trust. In the same spirit, our platform is designed to keep your organisational activities securely within our infrastructure—effectively keeping your work “in our home,” where your data is protected, managed, and always under your control.

hestIA provides a familiar conversational interface — comparable to ChatGPT or Microsoft Copilot — available today as a service hosted on Luxembourg-based infrastructure operated by itrust consulting. Unlike general-purpose AI services, hestIA does not transmit data to external AI providers: all model inference is performed on itrust consulting's own systems.

Beyond general-purpose AI capabilities, hestIA allows organisations to build and maintain structured document collections that the system queries using retrieval-augmented generation (RAG). Responses are grounded in the organisation's own documents and include inline citations, giving users a clear and verifiable link between answers and their sources.


Key highlights

Data Sovereignty and GDPR Compatibility


hestIA is hosted on Luxembourg-based infrastructure within the European Union. All processing (model inference, document indexing and query handling) is performed on itrust consulting's own systems, and no data is transmitted to external AI providers; hestIA is therefore designed to support GDPR compliance for organisations processing data within the EU. Organisations using the service beyond the evaluation phase are governed by a Data Processing Agreement (DPA) with itrust consulting, establishing a clear and auditable data processing relationship.

Enterprise Knowledge Base with Inline Citations

Organisations can create and manage document collections covering any domain of activity. When users pose questions, hestIA retrieves relevant passages from those collections and returns answers with direct citations to the source documents. Supported file formats include PDF, DOCX, XLSX/XLSM, PPTX, TXT, and CSV.

Information Governance and Knowledge Sharing

Access to documents is enforced automatically at query time, based on classification levels aligned with the organisation's own information governance policy, such as public, internal, confidential or restricted. Knowledge bases can be shared with partner organisations or other tenants, enabling controlled cross-organisational knowledge exchange while the owning organisation retains full authority over its documents.
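To make the query-time enforcement concrete, here is an added illustration of the retrieval side of such a knowledge base. It is written for this page and is not hestIA's code: it assumes a linear classification lattice (public < internal < confidential < restricted), one collection per tenant, an explicit share table between tenants, a toy keyword scorer in place of vector search, and a constructed sample corpus. The security-relevant point it shows is that authorization is applied to the candidate passages before ranking, so a passage the caller is not cleared for never reaches the model and cannot be coaxed out of it by a crafted prompt.

```python
"""Query-time access control for a RAG knowledge base (added example).

Illustration written for this page, not hestIA's own code. Assumptions:
a linear classification lattice, one document collection per tenant, an
explicit share table between tenants, and a toy keyword scorer standing in
for vector search. Authorization runs BEFORE ranking: unauthorized text is
never handed to the model, so it cannot be extracted by a crafted prompt.
"""
from dataclasses import dataclass

# A clearance at level k may read passages classified at level <= k.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Passage:
    doc_id: str          # what the inline citation points at
    tenant: str          # owning organisation / collection
    classification: str  # key of LEVELS
    text: str


@dataclass(frozen=True)
class Caller:
    tenant: str
    clearance: str


# Constructed sample corpus (not real documents): two tenants, mixed levels.
CORPUS = [
    Passage("commune-a/waste.pdf", "commune-a", "public",
            "Household waste is collected every Tuesday morning."),
    Passage("commune-a/hr-policy.docx", "commune-a", "internal",
            "Staff may request teleworking two days per week."),
    Passage("commune-a/incident-2024.pdf", "commune-a", "confidential",
            "The 2024 phishing incident exposed 40 staff mailboxes."),
    Passage("commune-b/road-works.pdf", "commune-b", "public",
            "Road works on Rue Principale run until the end of June."),
    Passage("commune-b/contracts.xlsx", "commune-b", "confidential",
            "Snow-clearing contract with vendor X is worth 120 000 EUR."),
]

# Constructed share table: (owner, recipient) -> highest level shared.
SHARES = {("commune-b", "commune-a"): "public"}


def max_readable_level(p: Passage, caller: Caller) -> int:
    """Highest classification the caller may read from p's collection."""
    if p.tenant == caller.tenant:
        return LEVELS[caller.clearance]
    shared = SHARES.get((p.tenant, caller.tenant))
    if shared is None:
        return -1  # no sharing agreement: nothing is readable
    # A share can narrow, but never widen, the caller's own clearance.
    return min(LEVELS[shared], LEVELS[caller.clearance])


def authorized(passages, caller: Caller):
    return [p for p in passages
            if LEVELS[p.classification] <= max_readable_level(p, caller)]


def _terms(s: str):
    # Toy tokenizer: lower-case, strip punctuation, drop short stop-words.
    return {w.strip("?.,").lower() for w in s.split() if len(w.strip("?.,")) > 3}


def score(p: Passage, query: str) -> int:
    """Toy relevance: number of query terms found in the passage."""
    return len(_terms(query) & _terms(p.text))


def retrieve(query: str, caller: Caller, k: int = 3):
    """Filter first, then rank. The filter is the security boundary."""
    candidates = authorized(CORPUS, caller)
    ranked = sorted(candidates, key=lambda p: score(p, query), reverse=True)
    return [p for p in ranked[:k] if score(p, query) > 0]


def answer(query: str, caller: Caller) -> dict:
    """Grounded context plus citations; an LLM would consume 'context'."""
    hits = retrieve(query, caller)
    return {"context": [f"[{i + 1}] {p.text}" for i, p in enumerate(hits)],
            "citations": [p.doc_id for p in hits]}


if __name__ == "__main__":
    q = "Which mailboxes were exposed in the phishing incident?"
    print(answer(q, Caller("commune-a", "internal")))      # no citations
    print(answer(q, Caller("commune-a", "confidential")))  # cites incident-2024.pdf
```

The share table only ever narrows what a recipient tenant can read (the `min` in `max_readable_level`), so a partner with a high clearance in its own organisation still sees only what the owner chose to share. Replacing `score` with an embedding similarity does not change the design: the authorization filter must still sit in front of the ranker, not behind the model.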

Multilingual Support

The service operates in French, German, and English. Users can interact with hestIA in their preferred language, and document collections can be organized by language to ensure queries are matched against the appropriate content. A full audit trail records all activity, supporting accountability and oversight requirements.

Availability

hestIA is live today. Organisations can register for immediate access to the platform for testing and evaluation purposes. Formal use is governed by a Data Processing Agreement (DPA) available upon request. For enquiries, contact info@itrust.lu.

The source code of hestIA will be made publicly available in the near future, allowing any organisation to self-host the platform independently.

Roadmap

The following capabilities are planned for future releases:

  • Asset inventory management: ISO 55000:2024 and ISO/IEC 27001 aligned taxonomy and ontology enabling asset classification, coherence verification, inventory validation, and lifecycle tracking

  • Document generation pipeline: efficient production of administrative documents from approved templates and the organization's knowledge base

  • Audit assistance agent: AI-assisted auditing against configurable standards and frameworks, covering gap identification, non-compliance detection, and mitigation suggestions


Cost

The platform is co-funded by the Ministry of Foreign Affairs. Use during the pilot phase, which runs until mid-2027, is free. After the pilot phase, hestIA will be part of a service package that also includes OpenTRICK and hosting on cloud.itrust.lu, for a total cost of €100 per month.


hestIA product page

If you wish to use the managed service for your organization, sign up here.

Beta releases of SATRAP-DL and IDPS-ESCAPE

We are happy to announce two new open-source releases that together complete a fully automated, intelligence-driven security operations pipeline, closing the loop on hybrid rule-based and AI-driven threat detection and response.

IDPS-ESCAPE (v0.7 + v0.8) brings the most significant functional leap since RADAR was introduced:

  • RADAR risk engine — a principled weighted fusion model combining anomaly detection signals, signature-based risk, and live CTI scores into a three-tier automated response: notification, remediation with case creation, and full host isolation

  • DECIPHER integration — a fully operational client that queries CTI from MISP, fuses scores into RADAR's risk model, and opens structured Flowintel incident cases automatically — no manual SOC intervention needed

  • SONAR — a multivariate anomaly detection engine for Wazuh, powered by the deep learning algorithm MTAD-GAT, with a YAML-based scenario system for repeatable, code-free detection workflows, and debug mode for offline train-detect cycles without a live Wazuh instance

SATRAP-DL (v0.4) delivers the other side of that integration:

  • DECIPHER — an open-source REST microservice for automated, IOC-based severity-confidence scoring of security alerts backed by MISP threat intelligence and prioritized Flowintel case creation

  • PyFlowintel — a clean Python library wrapping the Flowintel API, enabling programmatic case management

  • One-command deployment of the full stack: DECIPHER + MISP + Flowintel

Together, these two releases close the MAPE-K loop end-to-end: RADAR detects a threat → DECIPHER enriches it with live CTI → a risk score drives the right automated response → a prioritized Flowintel incident case lands in the analyst's queue. Entirely open-source.
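As an added illustration of the analyse-and-plan step described above (the RADAR risk engine's fusion of anomaly, signature and CTI signals, and DECIPHER's IOC-based severity-confidence score feeding a prioritized case), here is a small self-contained model of that loop. It is written for this page and is not the RADAR or DECIPHER code: the IOC table is constructed in memory in place of a MISP lookup, the CTI score is defined as severity times confidence of the strongest matching indicator, the fusion weights and tier thresholds are hypothetical, and the tiers are treated as cumulative (isolation also notifies and opens a case).

```python
"""CTI-enriched risk fusion with a tiered response (added example).

Illustration written for this page; not the RADAR or DECIPHER code.
Assumptions: a constructed IOC table standing in for a MISP lookup, a CTI
score defined as severity x confidence of the strongest matching IOC,
hypothetical fusion weights and tier thresholds, and cumulative tiers.
"""
from dataclasses import dataclass, field

# Constructed threat-intel table: indicator -> (severity, confidence, event).
# The address is from a documentation range; the hash is the EICAR file's MD5.
CTI = {
    "198.51.100.23": (0.9, 0.8, "event-1001"),
    "evil-update.example": (0.7, 0.6, "event-1002"),
    "44d88612fea8a8f36de82e1278abb02f": (1.0, 0.95, "event-1003"),
}

# Hypothetical weights and thresholds (assumptions, not RADAR's values).
WEIGHTS = {"anomaly": 0.3, "signature": 0.3, "cti": 0.4}
TIERS = [(0.75, "isolate"), (0.5, "remediate"), (0.25, "notify")]


@dataclass
class Alert:
    host: str
    anomaly: float                 # anomaly-detector score, 0..1
    signature_level: int           # Wazuh-style rule level, 0..15
    iocs: list = field(default_factory=list)


@dataclass
class Scored:
    cti_score: float
    matched: list                  # (indicator, CTI event) pairs
    fused: float
    tier: str
    case_priority: str


def cti_score(iocs):
    """Severity x confidence of the strongest matching IOC; 0.0 if none."""
    best, matched = 0.0, []
    for ioc in iocs:
        hit = CTI.get(ioc.lower())
        if hit:
            sev, conf, event = hit
            matched.append((ioc, event))
            best = max(best, sev * conf)
    return best, matched


def fuse(anomaly, signature_level, cti):
    """Weighted fusion of the three signals into a single risk in 0..1."""
    sig = min(max(signature_level, 0), 15) / 15.0
    w = WEIGHTS
    if cti == 0.0:
        # No intel hit: renormalise over the remaining weights so an absent
        # CTI signal does not dilute strong anomaly/signature evidence.
        return (w["anomaly"] * anomaly + w["signature"] * sig) / (w["anomaly"] + w["signature"])
    return w["anomaly"] * anomaly + w["signature"] * sig + w["cti"] * cti


def tier_for(fused):
    for threshold, name in TIERS:   # highest tier first
        if fused >= threshold:
            return name
    return "none"


def score_alert(a: Alert) -> Scored:
    cti, matched = cti_score(a.iocs)
    fused = round(fuse(a.anomaly, a.signature_level, cti), 3)
    tier = tier_for(fused)
    priority = {"isolate": "high", "remediate": "medium"}.get(tier, "low")
    return Scored(cti, matched, fused, tier, priority)


def plan_actions(s: Scored, host: str):
    """Ordered actions for an orchestrator; tiers are cumulative."""
    actions = []
    if s.tier != "none":
        actions.append(f"notify:{host}")
    if s.tier in ("remediate", "isolate"):
        actions.append(f"open_case:{host}:priority={s.case_priority}")
    if s.tier == "isolate":
        actions.append(f"isolate_host:{host}")
    return actions


if __name__ == "__main__":
    a = Alert("ws-17", anomaly=0.8, signature_level=12, iocs=["198.51.100.23"])
    s = score_alert(a)
    print(s.fused, s.tier, plan_actions(s, a.host))   # 0.768 isolate [...]
```

The renormalisation in `fuse` is the one design decision worth arguing about: with a fixed CTI weight, an alert with no intel hit could never exceed 0.6 and so could never trigger isolation, even with a maximal anomaly score and a level-15 rule. Whether that is desirable depends on how much you trust the local detectors relative to the feed, which is exactly the knob a weighted fusion exposes.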

IDPS-ESCAPE product page

SATRAP-DL product page

IDPS-ESCAPE on GitHub

SATRAP-DL on GitHub

IDPS-ESCAPE blog post

SATRAP-DL blog post

C5-DEC CAD version 1.2

We are excited to announce C5-DEC CAD v1.2 - our open-source, AI-enabled toolkit for computer-aided secure system design, development, and evaluation.

C5-DEC CAD unifies Common Criteria (CC) tooling, SSDLC traceability, compliance workflows, cyber-physical system security assessment, cryptography, and resource management in one repository-centric platform.

C5-DEC CAD helps teams run a complete secure-by-design workflow in one place:

  • Common Criteria engineering support with structured knowledge and specification workflows  

  • End-to-end requirements, design artifacts, tests, and traceability built on our SpecEngine subsystem

  • Practical SSDLC tooling for compliance, threat modelling, risk analysis, documentation, and evidence generation via our DocEngine

What’s new in v1.2:

  • CRA compliance module: Annex I checklist, Annex VII technical documentation generation, Annex V EU Declaration of Conformity, with support for Default, Class I, Class II, and Critical classes

  • SBOM lifecycle management: Syft-based generation (CycloneDX/SPDX), validation, diffing, traceability, and CRA cross-verification

  • Native cryptography module: PQC, SHA-256 integrity checks, GnuPG signing/encryption, Shamir’s Secret Sharing, and digital signatures

  • Expanded CPSSA: threat model generation (OWASP pytm/Threagile-compatible), FAIR-based quantitative risk analysis, STRIDE-based reporting

  • SpecEngine and DocEngine enhancements: richer traceability visualization, interactive specification browser, traceability statistics, Mermaid rendering pipeline, design artifact hygiene utilities, and CRA-ready report/presentation templates

Also in v1.2: completed CC:2022 knowledge base content, stronger Docker hardening, and a significantly expanded test suite.
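To show what the SBOM validation and diffing step in the list above amounts to in practice, here is an added example written for this page; it is not C5-DEC CAD's code. The two CycloneDX documents are constructed inline (a Syft-generated file would be read with `json.load` instead), the structural validation is deliberately minimal (a real pipeline would validate against the CycloneDX JSON schema), and the components are keyed by package URL without its version so that a version bump is reported as a change rather than as one removal plus one addition.

```python
"""SBOM validation and diff over two CycloneDX documents (added example).

Illustration written for this page, not C5-DEC CAD's code. The two SBOMs
are constructed inline; the validation is minimal and stands in for a
schema check. Components are keyed by purl minus version, so a bump shows
up as 'changed' and a new transitive dependency as 'added'.
"""
import json
import re

OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "name": "pyyaml", "version": "6.0.1",
         "purl": "pkg:pypi/pyyaml@6.0.1"},
    ],
})

NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "name": "left-pad-py", "version": "0.1.0",
         "purl": "pkg:pypi/left-pad-py@0.1.0"},
    ],
})


def validate(sbom: dict) -> bool:
    """Minimal structural checks; a real pipeline validates against the schema."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    for c in sbom.get("components", []):
        for key in ("name", "version", "purl"):
            if not c.get(key):
                raise ValueError(f"component missing {key!r}: {c}")
    return True


def index(sbom: dict) -> dict:
    """Map purl-without-version -> version. purl encodes '@' in names as
    %40, so splitting on the first '@' isolates the version part."""
    out = {}
    for c in sbom["components"]:
        out[c["purl"].split("@", 1)[0]] = c["version"]
    return out


def diff(old_json: str, new_json: str) -> dict:
    old, new = json.loads(old_json), json.loads(new_json)
    validate(old)
    validate(new)
    a, b = index(old), index(new)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": sorted((k, a[k], b[k]) for k in a if k in b and a[k] != b[k]),
    }


def _ver(v: str):
    # Numeric-only comparison key; good enough for the sample versions here.
    return tuple(int(x) for x in re.findall(r"\d+", v))


def findings(d: dict) -> list:
    """What a CRA cross-check should look at first: new deps and downgrades."""
    out = [f"new component {k}" for k in d["added"]]
    out += [f"downgrade {k}: {a} -> {b}" for k, a, b in d["changed"] if _ver(b) < _ver(a)]
    return out


if __name__ == "__main__":
    d = diff(OLD_SBOM, NEW_SBOM)
    print(json.dumps(d, indent=2))
    print(findings(d))   # ['new component pkg:pypi/left-pad-py']
```

Run against two successive builds, the `added` list is the one to gate on: a dependency that appears without a corresponding change in the project's own manifest is the classic shape of a supply-chain compromise, and the diff is what lets the technical documentation state exactly which components entered or left between two releases.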

Product presentation

C5-DEC CAD v1.2 is free and open source

Live technical specifications and traceability coverage

Blog post

NIS 2 Directive for better cybersecurity transposed in Luxembourg

The NIS 2 law and a resilience law were finally adopted today, unanimously, by the Luxembourg parliament. From 10 May on, all private entities classified as important or essential (each entity must determine its own status; see the link below) and all public entities (without exception, including municipalities, inter-municipal associations and ministries) MUST have a top-management-approved risk assessment and risk treatment plan, together with several policies enforcing cybersecurity, such as asset management, human resource security and access control. It is a huge task, and itrust consulting is prepared to help. Our approach: first, a high-level risk treatment plan that gets you compliant within a week; then a fine-tuned and improved version for reporting to the regulator. Both are produced with our free tools OpenTRICK and OpenARIANA.

NIS2
Resilience of critical infrastructure
Description of OpenTRICK
Download of OpenTRICK
Link to mandatory ILR questionnaire
