Method

How we work.

Six principles that decide who we are. Read them before you book a call. If they fit, we will probably work well together. If they do not, we will not.

01 · Principles

01 / 06

We are a reliable long-term partner.

We did not invent the consulting model. We did not invent the security-team-on-retainer model. We assembled the discipline of one and the practicality of the other into a firm that does both.

Our engagements last years. We are month-to-month commercially because confident firms do not need lock-in. We are multi-year operationally because the work compounds and the senior partner stays on the engagement from kickoff through the third board cycle.

02 / 06

We scale up and down with you.

We have started engagements with three-person companies and helped clients scale to hundreds of staff. We have also helped clients scale down: when a fundraise slipped, when an acquisition reshaped the business, when a cost cycle hit.

For early-stage clients, we right-size the engagement so the senior practitioner is multiplied by software and the team stays small. For late-stage clients, we layer in dedicated team density. The shape changes; the partner accountability does not.

03 / 06

The right intervention at the right time.

A two-week annual security assessment is the wrong format for almost every company we work with. Embedded ongoing review is the right format.

Instead of a one-shot application security review at year-end, we participate in product design conversations when a feature is being scoped, review PRs as they happen, and run tightly scoped assessments when a feature is shipping. You get faster, cheaper, more relevant assessments.

04 / 06

We are not designed to be sticky.

We deploy single-tenant infrastructure. We use commercial systems when they are the best tool. We build internal tooling when we need to. We do not contractually trap our clients.

If you decide to bring security in-house, we hand the capability over and step back. We have done this before. We will do it again. We would rather be the firm clients come back to than the firm clients regret hiring.

05 / 06

Security is a sales job, too.

A security program that says no to every customer request loses revenue. A security program that says yes to every request loses the company. Effective security is the third path: a program that the rest of the company sells with, not around.

We integrate where your team works. Slack. Notion. Jira. PR review. Sales calls when needed. We answer security questionnaires. We attend customer security reviews. We turn the security narrative into a competitive advantage in your deal cycle, not a friction point.

06 / 06

We own the program. We coordinate your specialists.

Some firms try to own everything in-house: pentest, MDR, IR, managed IT, vCISO, compliance, training, all of it. The math does not work. Quality compresses. Margin compresses. Talent leaves.

We made a different choice. We own the program. We coordinate best-in-class specialists for penetration testing, managed detection and response, incident response, and managed IT. One accountable partner across all of it.

02 · How an engagement runs

From kickoff through the third board cycle.

  1. Week 1: Discovery and scope.
     Partner kickoff. Identity architecture review begins. Quick wins identified for delivery in week two.

  2. Weeks 2 to 4: Foundation.
     Risk appetite session with executive team. Control gap assessment. Quick wins shipped. First evidence baseline.

  3. Weeks 5 to 12: Program execution.
     Delivery at whichever tier the engagement is scoped to. Quarterly board pack delivered on first cycle.

  4. Ongoing: Cadence.
     Partner runs weekly cadence. Quarterly CRQ artifact for board. Annual rescope.

If this works for you,
we will probably work well together.