When identity is compromised, it is game over. We built Nimbus Cyber around that single, uncompromising truth.
Every service we deliver, every architecture we design and every engagement we lead starts from the same place — identity is the primary control plane of modern security. Not the network. Not the endpoint. Identity. Secure it first. Secure it properly. Build everything else on top.
Kostas Tsiolas
Founding Director & Principal Advisor
CISSP · CCSP · Microsoft Cybersecurity Architect Expert · Ex-Microsoft
I have spent 25 years working at the intersection of enterprise IT and security — from the server rooms of Greek financial institutions to leading identity security teams at Microsoft across Europe. I have sat on both sides of the table: as the engineer who builds and maintains the systems, and as the advisor who tells leadership what is broken and what needs to change. That dual perspective is what makes the difference between security advice that sounds right and security architecture that actually holds.
At Microsoft I spent nearly 8 years as a Senior Cloud Security Solution Architect, leading a dedicated Identity Security team working with enterprise and financial services organisations across Europe on some of the most complex identity and cloud security challenges I have encountered. That experience gave me a precise understanding of where identity architectures fail under real-world conditions — not in theory, but in production environments under real operational pressure. I have seen what breaks, I know why it breaks, and I know exactly how to build it so it does not.
I founded Nimbus Cyber in 2024 with a single conviction: that identity — human and non-human — is the primary control plane of modern security. When identity is compromised, every other control you have invested in becomes irrelevant. The attacker does not break in. They log in. My work is to ensure that never happens to the organisations I work with — by building proactive, architecturally sound security foundations before incidents occur, not reactive fixes after the damage is done.
Why Nimbus?
In ancient Greek tradition, the nimbus was the divine cloud — a luminous presence signifying protection, clarity and guidance. We chose this name deliberately. In a world where cloud infrastructure has become the foundation of every modern enterprise, identity and security are the only forces that can protect what lives within it. On-premises perimeters are gone. The cloud is the environment. Identity is the shield. Nimbus Cyber exists at exactly that intersection.
Nimbus Cyber was founded in 2024 with a singular mission — to help organisations build proactive, identity-first security architectures that are defensible, audit-ready and built to withstand real threats. We are deliberately focused. Not a generalist consultancy trying to cover every domain of IT, but a specialist advisory firm that goes deep where it matters most — identity, access governance, privileged security, Zero Trust and cloud security architecture. Engagements are led personally by Kostas and supported where needed by a trusted network of specialist associates in GRC, cloud architecture and regulatory compliance. Every client receives senior expertise on every engagement — not a junior consultant following a methodology.
How we work — and why it matters to you
Four principles that shape every Nimbus Cyber engagement. Not aspirations. Operational realities that every client experiences from day one.
Principle 01
Proactive before reactive
Most organisations call a security advisor after something breaks. By that point the remediation cost — in time, money, architectural rework and reputational damage — is an order of magnitude higher than building it correctly from the start. We are engaged before incidents happen. We build the secure foundations, the governance frameworks and the access architectures that prevent the breach rather than respond to it. Every client we work with proactively is a client who does not become a case study in someone else's incident report.
Principle 02
Architecture before tools
The security industry is built around selling tools. We are not. We are vendor-agnostic advisors who design the right architecture first — then help you select and configure the tools that fit it. We have no commercial relationship with any vendor. We have no incentive to recommend a product that does not serve your specific environment and requirements. What you get is independent advice driven entirely by what is right for your architecture — not what generates a referral fee.
Principle 03
Boardroom to terminal
Security fails when the boardroom and the engine room speak different languages. Executives make uninformed risk decisions because nobody translated the technical reality into business terms. Engineers implement the wrong controls because nobody translated the business requirements into precise architecture. We speak both languages fluently. We present to boards in terms of business risk and regulatory obligation. We design for engineers in terms of specific controls, configurations and implementation sequences. The translation gap between strategy and execution is where most security programmes break down. We close it.
Principle 04
Europe-wide, personally delivered
Nimbus Cyber operates across Europe — serving clients in financial services, manufacturing, maritime, government, energy and healthcare sectors in both English and Greek. Every engagement is led personally by Kostas. Not delegated to a junior consultant. Not managed remotely by a project coordinator. When you engage Nimbus Cyber, you get 25 years of enterprise security experience and nearly 8 years of Microsoft identity security expertise applied directly to your environment. Senior expertise on every engagement — from the first diagnostic call to the final deliverable.