What an Engagement Looks Like
Engagements move through four phases — Discover, Assess, Report, and Re-test. Each has clear deliverables and a shared timeline, so you always know where we are and what comes next.
Scoping, Paperwork, and Setup
The first conversation is short and free. From there, the formal pieces are designed to move quickly so we can get to the actual work.
- Scoping call: A 30–45 minute conversation to understand the system, the question you're trying to answer, and the constraints (timeline, budget, regulatory). No NDA required — we keep this conversation high-level.
- NDA, then technical scoping: Mutual NDA in place before we look at architecture diagrams, code, or sensitive context. We work from your NDA or ours — whichever moves faster.
- Statement of Work or MSA: A short SOW for one-off engagements; a master agreement (MSA) plus per-engagement SOWs for ongoing relationships. Scope, deliverables, timeline, and pricing are written down before we start.
- Kickoff: Access provisioning, communication channels, and the engagement plan. We confirm what's in scope, what's out, and who's the point of contact on each side.
From Scope to Sign-Off
Each phase has a defined start, defined end, and a deliverable you can act on.
Discover
We learn the system, the constraints, and what success looks like. The goal is to make sure the work we do is the work that matters.
What we do
- Architecture and threat surface walkthrough
- Read existing documentation, design docs, prior reports
- Confirm scope boundaries (in / out / TBD)
- Calibrate the threat model to your business context
What we'll need from you
- Access to systems, code, or documentation
- 30–60 minutes from a technical lead for a walkthrough
- Any prior security work we should build on
Assess
The actual work — threat modeling, code review, and adversarial testing tailored to your architecture and risk profile. Cadence and methodology are tuned to the engagement: daily standups for tight timelines, weekly check-ins for broader work.
What we do
- Threat modeling against the calibrated model
- Manual code review and architecture analysis
- Hands-on testing — injection, abuse, escalation paths
- Weekly status updates and a live findings tracker
What we'll need from you
- A point of contact for technical questions
- Test environment access (where applicable)
- Quick acknowledgement of any critical findings we surface mid-engagement
Report
A written deliverable that's actually useful — an executive summary your stakeholders can act on, plus the technical depth your engineers need to fix what we found.
What you'll see
- Executive summary — risk in business language
- Findings with severity, impact, and reproduction steps
- Prioritized remediation plan — ordered by risk reduction per effort
- Threat model artifact you can carry forward
How we deliver it
- Draft report shared for technical accuracy review
- Walkthrough call with engineering and leadership
- Final PDF + redacted version for board / customer use, if needed
Re-test
Re-test runs 30–90 days after the report. A finding closes when it's been verified fixed — not when someone says it has been. Re-test is included in every engagement so we can confirm remediation and document residual risk.
What we do
- Re-verify each remediated finding against the original test
- Identify any new exposure introduced by the fix
- Document accepted or deferred risk in writing
What you'll see
- Re-test summary: closed / open / accepted
- Updated report appendix you can hand to auditors or customers
- A definitive end to the engagement
What Comes Next
Some engagements end at re-test. Others become long-term relationships. Both work for us — we don't pressure either direction.
- Standalone engagement: A point-in-time assessment: scope it, run it, deliver it, close it. Useful when you have a specific question or a regulatory requirement to satisfy.
- Quarterly cadence: For teams shipping fast, a recurring quarterly engagement keeps the threat model current and catches drift before it compounds.
- Retainer / embedded: For organizations that want senior security perspective continuously available without the overhead of a full hire. Reserved hours, agreed response times, direct access.
- Build-and-secure: When the remediation needs more than a recommendation, we have the engineering depth to do the work — under a separate SOW, with the same care.
Ready to scope something?
Tell us what you're working on. The first conversation is short, free, and useful either way.