// How we operate
Our clients are security professionals. They don't take operational claims at face value. We don't expect them to. This page answers the questions you'd ask in any due diligence conversation - in plain language, not marketing language.
// This page is not a privacy policy. It is an explanation of how we actually work. If something here doesn't answer your question, contact us. We will answer directly.
data retention
When an engagement ends, your environment data is deleted. We retain billing information and contact details - nothing else. Host inventories, control configurations, network topology, crown jewel definitions, gap analysis inputs: all of it is deleted at engagement close.
We do not aggregate client data. We do not benchmark one client against another. We do not use your environment details to inform work with other clients. The data you share with us during an engagement is used for that engagement. When it's over, it's gone.
If you want confirmation of deletion for a specific engagement, ask. We will provide it.
ai & report generation
We use AI assistance for report organization and writing. This is a real efficiency advantage - it lets us produce higher-quality, more consistent reporting faster. We are transparent about it because you should know.
All AI inference runs locally on our infrastructure, containerized using tools like Ollama. No client data is sent to external model providers. No data reaches back to any cloud system. Client environment details, findings, and gap analysis inputs never leave a controlled environment.
We do not use hosted AI APIs - OpenAI, Anthropic, Google, or any other - for content involving client data. The models we run are self-hosted and isolated. If this changes, we will update this page and notify active clients.
AI does not write our findings or our conclusions. It handles structure, prose editing, and formatting. The analysis - what we found, what it means, what you should do - comes from the practitioner. We review every report before it goes to a client.
who does the work
We are a small firm. There is no pyramid of junior analysts running your exercise while a senior person signs the report. The people who scoped your engagement, built your scenario, and analyzed your environment are the people in the room when the exercise runs.
This matters because the quality of a tabletop exercise depends almost entirely on the facilitator. A facilitator who doesn't understand the technical environment cannot follow up on a vague answer. They cannot probe whether "we'd investigate that alert" reflects a functioning detection pipeline or wishful thinking. We can. We do.
If we grow to a size where this changes, we will update this page. Right now, it doesn't.
what we report
Our reports capture what happened - including where your team failed, where answers were vague, where escalation paths didn't function, and where detection coverage was assumed rather than verified. We do not soften findings for internal optics.
If you need the exercise to produce positive outcomes for a board presentation or an auditor regardless of what actually happened in the room, we are not the right firm. We will refer you to someone who offers that.
why this page exists
Security professionals will ask about data handling. They will ask about AI usage. They will ask who is actually in the room and whether the report was written by a person. They will want to know if there's a clause somewhere that lets us use their environment data for anything else.
These are the right questions. We wrote this page so that the answers are available before you ask - not in a contract you're negotiating under time pressure, not in a sales call where we might frame things favorably.
If something on this page is unclear or incomplete, email us. We will answer directly and, if the answer should be public, update this page.
// Questions? Ask them.
If this page doesn't answer a specific question about how we operate, contact us. We will answer directly - and if the answer should be on this page, we'll add it.