FAQ

Common questions

Quick answers on safety, duration, deliverables, and what to expect.

BlackTrace is physical-led by design. Cyber validation is used selectively and only where explicitly authorised.

Questions

Everything you need to know before engaging

If your question isn't answered here, get in touch — we're happy to talk through any aspect of an engagement before you commit.

Is this safe and controlled?

Yes. Engagements are governed by rules of engagement (RoE), safe words, stop conditions, named points of contact, and proportional tactics. The goal is realism with control, not disruption. Nothing begins until the full framework is agreed with your team.

Do you attribute findings to individuals?

No. We focus on systems, process, training, and environment. Human interactions are used to identify where controls fail in practice — not to single out individuals. Reports attribute findings to control failures, not to specific people.

How long does an engagement take?

Most engagements run around 2–3 weeks end-to-end, including a defined onsite window (typically up to 5 days). The final report is delivered within 10 working days of the onsite activity completing. We confirm dates and milestones in the proposal.

Can you test multiple sites?

Yes. Multi-site engagements are common and are usually delivered as a single engagement with a defined schedule — often site-by-site. This allows us to compare consistency across locations, identify systemic weaknesses, and prioritise fixes that reduce risk across the estate.

Do you include cyber testing?

Where explicitly authorised, we can validate downstream exposure following a physical compromise — demonstrating physical-to-technical impact. This is always scoped and controlled under RoE, and is used selectively to show material impact rather than as routine activity.

What do we receive at the end?

Where appropriate, we provide a verbal close-out on the final onsite day to confirm outcomes and immediate risk themes. The final report is delivered within 10 working days of onsite completion. You receive an executive summary, an evidence pack, an attack path narrative, and a prioritised remediation plan—plus a leadership debrief if required.

Can you retest after remediation?

Yes. Retesting can validate whether changes measurably reduced access likelihood and contained impact. It's often included as an option in the engagement proposal, and can be scoped separately if remediation takes time.

What if something goes wrong during testing?

Every engagement has named points of contact, escalation routes, and immediate abort criteria agreed before testing begins. Safe words allow any party — client or tester — to pause activity instantly. We also deconflict with any ongoing operational sensitivities before arriving on site.

Will this disrupt operations?

No—disruption is designed out. Testing is planned around your operational constraints, with a defined onsite window, deconfliction, and clear stop conditions. Where appropriate we use off-peak activity and low-footprint techniques. If anything creates unintended impact, we pause immediately under the agreed RoE.

Do you need badges, access, or escorts?

It depends on the objectives and the level of realism required. Engagements can be delivered as black-box (no assistance), grey-box (limited information or coordination), or white-box (full coordination). Any access arrangements, escorting, or constraints are agreed in the RoE before testing begins.

Do you provide a letter of authorisation?

Yes. We provide documented authorisation aligned to the agreed RoE, including named contacts and escalation routes. This confirms the scope, onsite dates, and approval to conduct the agreed activities.

Still have questions?

Get in touch for a direct conversation — no obligation, no sales process.
