Orbit Digital

Trust & security

How we work, safely.

Last updated June 2026.

Our work touches your live systems, so the rules matter as much as the results. In plain English: nothing happens without written authorisation, testing is controlled and reversible, and your data leaves with the engagement. Detail below.

Authorised before anything runs

Every engagement starts with a signed Rules of Engagement document. It names the in-scope targets, the methods we're permitted to use, the systems that are explicitly off-limits, the test windows, and the people who can authorise or stop work. Nothing outside that scope is touched.

Controlled, not destructive

We validate what is genuinely exploitable using the least intrusive method that proves the point - passive discovery first, controlled validation second. Sensitive actions such as using a credential, moving laterally, or sending anything externally sit behind explicit human approval gates. There are defined stop conditions and an emergency contact for the whole engagement. AI assists our research; it does not act autonomously against your systems.

Your data

We work remote-first and take the least data an engagement needs. We redact sensitive material wherever we can, and any AI vendors we use operate under defined rules - approved models only, and your content is not used to train them. Client data and temporary credentials are removed after the engagement closes; we don't retain a copy once the work is done.

Standards & certifications

Our reviews align to the ACSC Essential Eight - an aligned assessment, not an official certification. We are not SOC 2 or ISO 27001 certified today; both are on our roadmap, and we'll say so plainly here rather than imply a status we don't hold.

What you receive

Findings come as a plain-English executive summary plus evidence-backed technical detail, risk-rated by real business impact and ordered into a fix plan. The output is built to be read by your board, auditor or insurer - validated exposure reduced and verified, not a raw list of vulnerabilities.

Reporting a security concern

If you believe you've found a security issue with this website or our service, tell us through the contact form and we'll respond quickly.

This page describes our current working practice and is reviewed as the business matures. It is not a contractual warranty; engagement-specific terms are set out in your Rules of Engagement and agreement.