April 11, 2025

6 minute read

Adaptix & Cyber Alchemy

Neil Richardson

Neil Richardson

Co-Founder of Cyber Alchemy and SteelCon

A strategic perspective on turning cybersecurity from a cost centre into a powerful enabler of business expansion.

Cybersecurity for Business Growth

As regulations in the approval of medical devices become increasingly demanding, Andy Barnes (Chief Operating Officer at Adaptix) and Luke Hill (Senior Security Consultant at Cyber Alchemy) offer a strategic perspective on turning cybersecurity from a cost centre into a powerful enabler of business expansion. In this case study, you’ll discover how UK-based Adaptix navigated complex cybersecurity requirements for its innovative 3D X-ray imaging technology, ultimately submitting its application on time and with robust security controls in place. Whether you’re scaling up a new product line or looking to enter a highly regulated market, these insights demonstrate how a proactive, human-first approach to cybersecurity can help reduce burdens on internal teams, meet aggressive timelines, and leverage secure cloud architecture for sustainable growth.

Client Overview

Fuelling Innovation in 3D X-Ray Technology

Adaptix is a pioneering medical device company, based in the UK, specialising in ground-breaking 3D X-ray imaging solutions for applications such as orthopaedics, veterinary care, and non-destructive testing. Its mission to provide deployable, safer, and more affordable X-ray options has already garnered a UK innovation award and seen international success. With sights set on entering major global markets, Adaptix knew it would have to navigate stringent cybersecurity requirements linked to regulatory approvals.

A Vision for Growth

By introducing the Adaptix Ortho350 system to healthcare providers in new markets, Adaptix aimed to empower clinicians with cutting-edge imaging technology while also opening up new revenue streams for the business. To achieve this dual goal of innovation and expansion, Adaptix recognised it needed a robust, well-documented security posture that would stand up to both new regulatory scrutiny standards and evolving real-world threats.

Existing Environment

Adaptix operates within a stringent regulatory backdrop, balancing the demands of both medical device standards and data protection requirements across multiple jurisdictions. While their team excels at product innovation, internal cybersecurity resources were limited, especially when it came to implementing secure operating systems and reviewing cloud-based infrastructures in Azure.

Confronting the Obstacles – The Road to Regulatory Compliance

Adaptix’s journey toward regulatory approval and entry into international markets was not without its challenges. Looming deadlines and complex security demands meant there was little room for error or delay. The Ortho350 system itself needed to meet exceptionally high security standards, both on-premises and in the cloud, to satisfy regulators and instil confidence in healthcare providers. Any misstep could mean costly delays in market entry and a missed opportunity to capture share in high-value segments.

Cyber Alchemy’s Expert Approach – Security Baked into Strategic Compliance Objectives

Adaptix’s regulatory journey is viewed internally as a growth initiative rather than a compliance process. That mindset shaped every technical decision, ensuring that each security control also accelerated, rather than impeded, the company’s market access.

Discovery & Scoping – Plotting the Fastest Route to Revenue

Adaptix’s initial security requirements developed from guidance on how to build secure Windows IoT operating systems into a deep partnership, spanning security consultancy, architecture consultancy, development documentation, and penetration testing.

Once Adaptix understood that Cyber Alchemy was the correct partner to engage in the long term, plans were developed to integrate Cyber Alchemy’s consultants into the development process. Instead of a generic “gap analysis,” we assisted Adaptix in producing milestone-driven objectives and testing plans that linked security activity to concrete regulatory artefacts. This clear line-of-sight between security tasks and commercial outcomes eliminated the stop-start friction that often derails regulatory timelines.

Assessment & Testing – Proving Trust, Not Merely Finding Flaws

Our testing programme combined red-team discipline with regulator-ready documentation:

  • Penetration testing, on-premises and in Azure, ran throughout the system’s development process, beginning with very early builds. Each round of testing closed with a remediation workshop and a digestible evidence pack written in regulatory language so Adaptix could drop artefacts straight into its final submission.
  • Secure OS builds were constructed from multiple best practice sources, including ACSC, NCSC and CIS Windows 11 benchmarks. In addition to the build process, verification that the builds matched the intended specification was essential. To achieve this, Cyber Alchemy automated the verification of these builds with PowerShell, producing repeatable proof that every production device matched the declared configuration in the regulatory submission.
  • Architecture consultancy and configuration reviews leveraged Cyber Alchemy’s Azure expertise, covering the secure configuration of complex Azure workloads. Quick-win re-configurations (for example, deploying WAF rules and DDoS protection) delivered cornerstone requirements for system availability with ease.

Customisation & Strategy – Weaving Frameworks into a Single Fabric

Many firms treat frameworks like rigid rulebooks. At Cyber Alchemy, we treat them as Lego® bricks. By blending the control statements of CIS with NCSC and ACSC implementation guidance and our own MedTech commentary, we gave Adaptix a single, plain English standard their engineers could actually follow. The result is fewer internal exemptions, less “framework fatigue,” and a security posture demonstrably stronger than any one framework alone would have afforded. This is especially true for the unique requirements of Adaptix’s innovative Ortho350 X-ray system, where best practices from a single source rarely cover all considerations.

Collaboration & Knowledge Transfer – Leaving Capability, Not Dependence

Rather than parking a security “black box” on-site, we embedded two Cyber Alchemy consultants inside Adaptix’s development processes. Together we:

  • built system verification documents and automated tools to verify OS images against baseline scripts before they ship to customers;
  • introduced a cloud-security-posture-management (CSPM) tool and coached Adaptix’s engineers to triage alerts themselves;
  • had detailed post-assessment discussions where findings from the assessments were traced back to “first principles”, and controls were developed to prevent reoccurrence.

Within nine months, the Adaptix team said they felt more confident about security principles, with a senior software engineer saying:

When regulations are increasing their demands in response to real world cyber threats we weren’t sure of the scope of work we needed to undertake; Cyber Alchemy helped to clarify the exact project ahead of us, and then integrated with us throughout the project to comprehensively deliver it.  Looking past the regulatory side, we’re now confident we can deliver a secure system to our customers.
Andy Wilson
Adaptix Senior DevOps Manager

Alchemical Insights

  1. Anchor every control to a business milestone. Map security artefacts to submission sections or board KPIs; it keeps funding unlocked and priorities clear.
  2. Sprint your pen tests. Short, iterative tests followed by immediate fix workshops deliver regulator-ready artefacts and early risk reduction.
  3. Invest in internal enablement. Pair external experts with engineers during the build phase; by certification time, your team will own the process, and the auditors will notice.
  4. Overlay, don’t replace, frameworks. Start with one benchmark (e.g., CIS) and enrich it with NCSC/ACSC nuance to avoid contradictory guidance.

Beyond Assessment – Extended Support for Ongoing Success

Overcoming New Hurdles in Real Time
Over the course of a year, project requirements evolved. Regulatory expectations and internal timelines shifted, necessitating a flexible and responsive partner. Cyber Alchemy’s agility helped Adaptix adapt promptly, minimising unforeseen costs or delays.

Remediation & Prioritisation
Alongside penetration testing and OS sign-offs, Cyber Alchemy guided Adaptix in prioritising remediations based on risk, resources, and market objectives. Crucially, the OS configuration sign-off proved essential for advancing to the next stage of product development and verification.

Ongoing Collaboration
Even after the formal submission of Adaptix’s application, Cyber Alchemy remains engaged. This commitment ensures that Adaptix’s cloud architecture and security practices continue to mature, setting them up for future regulatory challenges and expansions into additional markets.

Triumphant Outcomes – Results That Propel Business Growth

  1. Accelerated Market Entry
    Through streamlined security processes and comprehensive documentation, Adaptix kept its regulatory submission on track, ensuring it could capitalise on target market opportunities as planned.
  2. Reduced Internal Burden
    By entrusting complex tasks like OS build sign-offs and Azure reviews to Cyber Alchemy, Adaptix’s engineers could focus on product innovation, rather than wrestling with compliance minutiae.
  3. Enhanced Security Resilience
    Cyber Alchemy’s integration of best practices across OS builds and cloud services provided Adaptix with a fortified foundation—critical for sustaining both regulatory compliance and day-to-day operations.
  4. Long-Term Partnership
    A collaborative roadmap continues to guide Adaptix’s cybersecurity evolution, positioning them to seize future growth opportunities without being hampered by security concerns.

Testimonials

We were extremely pleased with Cyber Alchemy’s flexibility and expertise. They quickly became an integral part of our team, guiding us through every phase of the submission process—even advising on our Azure environment.
Duncan Smith
Adaptix DevOps Engineer
Cyber Alchemy came in, gave us great confidence in our scope when we weren’t sure of the full regulatory demand and distilled it into manageable work packages.  They then guided us, advised, and sat with us to enable our execution every step of the way.  It has been an enjoyable partnership with their character shining through as well as their capability.  From top to bottom, you can see the culture with the great people we’ve dealt with.  Thanks Luke & Bob!
Andy Barnes
Adaptix COO

Your Invitation to Growth

Adaptix’s story exemplifies how a carefully orchestrated cybersecurity strategy can serve as a catalyst for entering lucrative new markets. By partnering with Cyber Alchemy, they secured the essential OS sign-offs, refined their Azure deployments, and documented compliance—ultimately paving the way for a swift market entry and ongoing international expansion.

Ready to turn cybersecurity into a driver for your organisation’s growth?
Contact Cyber Alchemy to discover how we can protect and enhance the value you’re creating in even the most heavily regulated environments.

About the Authors

Andy Barnes, Chief Operating Officer, Adaptix Ltd
Andy has had a broad career in leadership, starting on the Government Fast Stream to operational deployment in Iraq, to running his own commercial company to now very much enjoying the medtech world with Adaptix.  Andy is driven by the company mission to transform radiology, with this new technology set to improve the pathway for patients, clinicians and the healthcare economy,  Cyber Alchemy were an integral part of realising this.

Author

Neil Richardson

Neil Richardson

Co-Founder of Cyber Alchemy and SteelCon

I am the co-founder and partner of Cyber Alchemy LTD and an associate lecturer in the computing department at both Sheffield Hallam University and The University of Warwick.