The announcement on the 4th of November said the two firms had merged and that I was the chief executive of the combined business. That is true, and the press release does what press releases are for. This post is the version of the story that does not fit in a press release. It is the one I would tell a friend over coffee, or a board chair who asked the obvious question: why?
The shape that was there before
For most of a decade Hedgehog had two characters. One was a penetration testing and offensive-security firm with a strong CREST footprint, an accredited STAR presence, and a reputation in the UK for telling clients the truth when other firms would not. The other was an incident response practice that picked up the phone at unsociable hours, sometimes from people who were panicking and sometimes from people who should have been.
The two characters fed each other. The offensive side made the IR side better — you cannot help a client through a compromise if you have never thought like the people on the other end of it. The IR side made the offensive side honest — there is no faster cure for theatrical pen testing than spending a weekend in someone's network the morning after a real intrusion.
The thing the structure could not do, however, was scale at the speed the market needed. We were good at depth. We were average at breadth. We were unfashionable on capacity. And the firms we were increasingly being asked to work with — water utilities, financial services, large healthcare providers, central-government departments — needed a partner whose retainer was not always within an unlucky weekend of being saturated.
What UK Cyber Defence had that we did not
UK Cyber Defence had what we lacked. A larger consultancy bench, a deeper governance and compliance practice, a managed-services capability, and — this matters — a Tier 4 SOC that I do not need to apologise for. Their managed detection and response work had the kind of operational discipline that I associate with people who have spent time in defence or critical national infrastructure rather than start-up culture. Several of their senior team had.
What they lacked, charitably, was the offensive depth and the long-running CREST footprint. They could buy that capability in. They had stopped wanting to.
We had been in conversation for most of 2025. The conversation moved from "should we partner more closely?" in the spring, to "should we structure this formally?" by mid-summer, to a serious agreement in early autumn. By the time the paperwork was signed in November, it felt less like an event and more like a thing that had been quietly true for some weeks before anyone wrote it down.
What I was trying to fix
There are three things the merger is meant to fix, in order of how often I find myself coming back to them.
One: depth-at-breadth. The single biggest gap in the UK cyber market right now is firms that can give a customer board-level governance advice, technical assurance, threat-led penetration testing, and 24/7 detection-and-response under one roof, without the customer noticing that the firm is internally three different cultures stapled together. That is what most of the larger consultancies do, and the customer always notices. The combined firm has a fighting chance of doing it without the staples showing.
Two: making craft fundable. I have spent a long time in firms small enough that the people doing the work are the people deciding the work. That is a precious property. The risk of consolidation is that you lose it. The reason I agreed to the merger rather than fold Hedgehog into a larger acquirer, or accept one of the private-equity approaches that come round every eighteen months, is that the other side wanted the same property protected. We agreed up front that the senior practitioners stay senior practitioners. The org chart was the last thing we discussed, not the first.
Three: not getting boring. Hedgehog had been around long enough that I could feel the gravity of steady-state starting to pull. A merger forces a step-change. It rewrites the operating assumptions. It puts the firm in a position where the question for the next two years is not "how do we optimise what we have?" but "what would the firm look like if we built it again now, with the people we have, for the threats we now see?" I would rather work in the second firm than the first.
What I am not pretending
I am not pretending the next twelve months will be free of friction. Two cultures do not blend gracefully on a press release. There will be a quarter, probably the one we are now in, where some of our customers cannot quite tell which firm they are talking to, and where some of our staff cannot quite tell which org chart they sit under. We have a post-merger integration plan that we are working through honestly, and I am writing about it openly here because hiding it would be silly.
I am also not pretending that bigger automatically means better. Most mergers in this market either fail or merely tread water. The way you fail is by treating it as an accounting exercise. The way you tread water is by treating it as a marketing exercise. The way you make it work, I think, is by treating it as a craft exercise — what can we do for clients now that neither of us could do before — and being ruthlessly bored by everything else.
What changes for the people who used to call Hedgehog
Almost nothing visible. The phone number still works. The IR retainer still pays out the same way. The people you have been working with for years are still the people you will be working with next year — they have larger desks now, and slightly more colleagues. What changes, with luck, is what we can do when the call escalates. If your incident gets bigger than two engineers can hold in their heads, we now have the bench to put a proper team round it without subcontracting the bits we do not run ourselves.
What changes for me is that I am now the chief executive of a firm that is meaningfully larger than the one I founded, and the bits of the job that involve being able to write the code or run the test myself are, by mathematics, becoming a smaller fraction of the role. That is the part I will have to discipline myself about. The blog you are reading is part of that discipline.
One sentence
If I had to write one sentence about what the merger was for, it would be this: we wanted to build the firm we thought the UK needed, rather than the one that scaled most efficiently from where we already were.
That is a long sentence. It will have to do.