positioning · 14

Why teams pick us over the alternatives.

The market is full of firms that bill by the hour, rotate teams, ship scanner output as findings, and charge extra for retest. We do the opposite of all four. Below: specifics.

01. in scope

What's in scope.

The four differences buyers notice within the first week.

Senior engineers run every engagement

The person scoping is the person testing. No bait-and-switch where the demo engineer hands off to a junior. We have no juniors to hand off to.

Fixed price, written before kickoff

You know the number before we start. If we finish early, you do not owe less; you got the deliverable. If scope grows, we sign a change order before any extra work.

Working PoCs for every finding

Reproducible exploit code or step-by-step instructions for every claim in the report. Your engineers can verify before they fix.

Retest included in the engagement

One round of post-fix retest within 30 days. Most firms charge extra; we ship it as part of the deliverable.

02. how we work

How we work on it.

Things we are honest about.

  1. We will not pretend to find things we did not
     If the scope is clean, the report says so. Padding catalogs with vendor noise is what makes pentest reports feel hollow. We do not do it.
  2. We will tell you when a different firm fits better
     Some engagements (FedRAMP 3PAO work, hardware reverse-engineering, certain regulated industries) are not us. We will introduce vetted alternatives and not take referral fees.
  3. We will push back on bad scoping
     Scoping that guarantees a clean report is not testing; it is theater. We will say so and propose the scope that actually answers the question.
  4. We will fail visibly when we should
     If a goal-based red team objective is not achievable, the report says so. We do not invent success to justify the invoice.

03. deliverables

What you walk away with.

Where we are different from the average firm.

We do not white-label

Every engagement is run by senior engineers on staff. We do not sub-contract. The brand on the report is the brand that did the work.

We do not maximize hours billed

A two-week engagement at fixed fee is what it is. We do not stretch to fill a quote. Engineer time is allocated to what changes the report quality.

We do not commoditize the work

We do not publish price lists; price reflects the question being answered, not a SKU. If a firm sells a "Web App Pentest, Tier 2" off the shelf, they are not testing your app; they are running it through a template.

We do not ghost after delivery

Retest is included. Questions weeks later get answered. Your engineer is reachable by email after the engagement closes.

04. when

When teams hire us for this.

When we are not the right firm.

You want a one-day scanner-based pass for cheap

Plenty of firms do this well. We are not the cheapest option for a vulnerability-scan-with-narrative deliverable.

You need FedRAMP 3PAO certification

Specific accreditation requirements. We refer to vetted 3PAOs.

You need hardware reverse-engineering

Niche specialization. We refer to firms with the lab and equipment.

You want a vendor that will say yes to anything

We push back when scoping or expectations are wrong. Most clients appreciate it; some do not. If you want a yes-person, this is the wrong firm.

05. faq

Questions before the call.

Differentiator FAQ.

Who actually does the work?

Named senior engineers. Bios available on request. The engineer on the scoping call runs the test, writes the report, runs the readout, and runs the retest.

How big is your team?

Small. We have grown headcount slowly because adding mid-level engineers waters down the model. The headcount stays low; the engagement count stays manageable.

Do you do staff augmentation?

No. We sell outcomes, not bodies. If you need full-time security hires, we will recommend better-fit partners.

What is the catch?

Lead time. Because we do not over-hire, scheduling can be 2 to 4 weeks out. Plan accordingly, especially for audit-driven engagements.

Are you cheap?

No. We are not in the same price band as scanner-based firms or offshore consultancies. We are in the band of firms that ship engineering-quality work and stand behind it.

Want a straight answer about fit?

30 minutes, no NDA needed. We will tell you within the call whether we are the right firm for what you need.