Approach
Slow enough to be right.
Fast enough to matter.
Every engagement follows the same unhurried rhythm. No templated deliverables. No ghost-written executive summaries. A small number of people doing careful work, in the open, with you.
Listen
Before a single scan, we spend time with your people. What keeps the board awake. What the engineers quietly patch around. What last year's audit did and did not catch. The truth of your organisation lives in those conversations.
Map
We build a concrete picture of your environment and adversaries. Attack paths, blast radius, crown jewels, and the mundane assets that make the expensive ones reachable.
Act
The operational phase. Simulation, review, engineering, or incident support — whichever the work calls for. We keep a tight channel to your team throughout. No surprises at the end.
Report
Two documents, always. A narrative for the humans who make decisions, and a technical appendix for the humans who make changes. Both are written by the practitioner who did the work.
Stand beside
The report is the beginning, not the end. We stay available through remediation — on a call, in the room — until the work is genuinely finished. Then we leave.
Some work we will not take.
It matters as much what we decline as what we accept. We will tell you honestly, at the first conversation, if we are not the right practice for your need — and who we would call in our place.
- Engagements against unwitting or non-consenting parties.
- Offensive work without clear legal authority.
- Certification-theatre without remediation intent.
- Work we cannot staff with experienced practitioners.
- Contracts that require us to name clients we cannot name.