The Method
How engagements actually run.
Not a sales pitch. An engineering document.
01 Diagnose
We map your systems, your risks, your constraints, and your goals. We interview your technical leads, review your architecture, and build an initial threat model. We do not propose solutions before we understand the problem.
Deliverables: a written diagnostic report covering the system map, risk register, constraint list, and a proposed engagement scope.
Duration: 1–2 weeks.
Staffing: your side, CTO or equivalent plus one technical lead; our side, engagement lead plus one specialist.
Caveat: if your internal documentation is incomplete or access is restricted, the diagnostic takes longer. We will tell you this before it costs you money.
02 Architect
We design the system: security model, data flows, API contracts, infrastructure topology, and interface architecture. We present the design for your review before building anything.
Deliverables: architecture document, threat model, infrastructure diagram, interface mockups (if applicable), and a revised project timeline.
Duration: 1–3 weeks, depending on scope.
Staffing: your side, technical lead and product owner; our side, full engagement team.
Caveat: architecture changes mid-build are expensive, so we invest here to avoid them. If your requirements change after architecture sign-off, we renegotiate scope.
03 Build
We ship production-grade code in weekly cycles. Every pull request is reviewed by a second engineer. Security controls are built in from the start, not bolted on at the end. You have read access to the repository from day one.
Deliverables: weekly builds deployed to a staging environment, full repository access, and bi-weekly progress calls.
Duration: varies by scope; typical projects run 6–16 weeks.
Staffing: your side, one technical point of contact for review and feedback; our side, 1–3 engineers depending on scope.
Caveat: scope creep is the most common cause of overruns. We flag scope changes in writing before acting on them.
04 Harden
We red-team our own work. A member of our security practice who was not on the build team runs an adversarial review of the delivered system. We fix what we find before handover.
Deliverables: adversarial review report, remediation commits, final security sign-off, runbook, and handover documentation.
Duration: 1–2 weeks.
Staffing: your side, minimal (review and sign-off); our side, security specialist plus build lead.
Caveat: the Harden phase sometimes reveals architectural issues that need more than patch fixes. We have never shipped a system we were not willing to put our name on.