FAQ

Our Engagement Model

Our engagement model is designed to provide strategic cybersecurity guidance and oversight, rather than direct implementation or code development. Specifically, we do not modify our clients' infrastructure or write code for their projects. Instead, our approach is to impart knowledge and best practices, empowering your organization to effectively integrate security throughout its operations and processes.

It is important to note that our services are tailored for software companies that require dedicated, full-time cybersecurity expertise. Non-software companies may not be an ideal fit for our offerings.

Here are the signs that may indicate the need for our comprehensive cybersecurity solutions:

  1. Your organization is in the process of creating a job requisition for a full-time security engineer, suggesting the need for dedicated cybersecurity resources.
  2. Your customers or stakeholders are mandating security assurance as a prerequisite for doing business, necessitating robust cybersecurity measures.
  3. Your team is spending significant time and effort completing security questionnaires and assessments, diverting resources from core business activities.
  4. Your engineering teams are encountering bottlenecks and delays in delivering features due to the time-consuming process of securing systems and code.

By recognizing these signs, organizations can proactively address their cybersecurity needs and leverage our expertise to weave robust security practices throughout their operations, enabling them to meet customer demands, comply with regulations, and protect their critical assets and data.

Q: How does the process work at a high level? (WIP)

  1. Gather project details and stack information (languages, frameworks, OS).
  2. Determine the goal and scope (compliance, audit, pentest, design review, etc.).
  3. Prepare and sign necessary contracts, NDAs, and other documents.
  4. We thoroughly inspect the codebase, application, and your practices for issues.
  5. Deliver final result with our findings and next steps.

Q: How is your engagement model structured on a day-to-day basis?

Our approach is technology-driven, and we are not a staff augmentation firm. We do not operate effectively in environments where we are cordoned off or treated as contractors separate from the core team. Our philosophy is that a single security resource cannot adequately address the needs of even a small organization when it comes to cybersecurity.

Instead, each of our client engagements is staffed by a "Squad" composed of members from our delivery teams. This squad-based model ensures that there is no single point of failure and that a diverse set of expertise is available to our clients. When specific needs arise, such as cryptography expertise, we seamlessly integrate the appropriate subject matter experts from within our organization to work alongside the squad members with the most pertinent institutional knowledge.

Q: How do you manage projects and ensure effective communication?

Every client is assigned a dedicated project manager who serves as the primary point of contact and liaison. This project manager works closely with both your team and our squad members to keep everyone apprised of the engagement's progress, provide updates on ongoing tasks, and ensure that we are kept informed of any changes or developments on your end.

The project manager acts as the "go-to" person, playing a crucial role in facilitating communication and engagement between our teams. Regular meetings and Slack communication are standard practices to maintain a high level of transparency and collaboration throughout the engagement.

By leveraging a squad-based approach and dedicated project management, we ensure that our clients receive a comprehensive and cohesive cybersecurity solution tailored to their specific needs, without the limitations and risks associated with a single-resource model.

Our approach to security issue tracking is comprehensive and methodical. We maintain an internal tracking system for all security-related issues identified during our engagement with your organization. Every potential vulnerability, risk, or area of concern is meticulously documented and monitored within our proprietary system.

The responsibility of ensuring that no security issue falls through the cracks lies with our team. We proactively follow up on all tracked items during our regular check-in meetings with your organization. These meetings serve as a platform for open communication, where we provide updates on the status of identified issues, discuss remediation strategies, and ensure that your team remains informed and aligned with our efforts.

By leveraging our robust issue tracking processes and maintaining open lines of communication, we ensure that security concerns are promptly addressed, prioritized, and mitigated in a timely and effective manner. This approach minimizes the risk of critical vulnerabilities being overlooked or lost in the shuffle, enabling us to maintain a heightened state of vigilance and proactively fortify your organization's security posture.

Q: What are the results and deliverables?

Every audit ends with a security report (PDF, DOC or markdown) that explains every issue and vulnerability found, including remediation steps and design recommendations.

Security Review

Q: What is your team's expertise and experience?

Our team comprises expert Security Architects and Principals who are also skilled engineers with extensive experience in commercial systems and operating businesses. We excel in documenting security designs, evaluating available open-source and commercial solutions, and providing comprehensive security architecture recommendations tailored to your specific needs.

Q: How do we do security architecture review?

A comprehensive security architecture review entails a holistic evaluation of an organization's information security risks, encompassing a broad spectrum of potential vulnerabilities. The primary objective is to develop a thorough understanding of the organization's overall risk profile. This review process facilitates collaborative efforts in prioritizing remediation measures based on the identified risks posed by the current security posture, rather than relying solely on specific vulnerabilities or conjectures.

The output of this review will consist of a security maturity assessment and a prioritized list of risks, accompanied by guidelines for remediation. Recommendations will be provided for activities that offer the highest return on investment, while also identifying areas that necessitate deeper and more comprehensive audits.

It is important to note that while this review will cover the most common risks, it is not intended to be an exhaustive assessment. The goal is not to enumerate every potential vulnerability or prevent implementation errors, but rather to identify foundational gaps that, if addressed through remediation efforts, could significantly reduce the overall risks faced by the organization.

The security architecture review aims to identify critical limitations hindering the organization's ability to build secure systems, deploy to a safe cloud environment, or maintain confidence in the security posture of employees operating in an increasingly complex remote working landscape.

Q: How do we handle security assessments and documentation?

We generate formal reports and letters of engagement that auditors and customers will likely want to see. Our approach is an active, ongoing security program rather than a one-off, monolithic, checkbox-style assessment. On an ongoing basis, we'll update these documents so that interested parties can see all the work being done. Our assessments cover your network, applications, cloud, Google Workspace, GitHub, and new features, as well as typical areas such as the OWASP Top 10, CVE vulnerabilities, plugins, extensions, and other checks specific to your industry.

Q: How do we provide ongoing security support and consultation?

We maintain a dedicated channel on your organization's Slack workspace for continuous communication and support. Additionally, we offer unmetered, all-day "Office Hours" to address any security-related questions or concerns that may arise.

Q: How can we engage your team for design decisions and security reviews?

Our clients have unrestricted access to our calendar, allowing them to schedule design decision meetings, review sessions, or any other consultations where our expertise can be beneficial. We strongly encourage involvement early in the security design process for new features and projects.

Q: How can our team assist you?

Our customers have direct access to our team of Security Architects and Principals, who are available for design document reviews, Request for Comments (RFC) evaluations, and broad consultations on how to approach and architect secure solutions effectively. Our Security Architects have worked across various industries and collaborate with our other subject matter experts to help you create the best possible solutions for your organization.

Compliance

Q: How do you assist with SOC 2 compliance and readiness?

All of our clients either have a SOC 2 certification or are in the process of obtaining one. We help assess your organization's current state and provide guidance on your SOC 2 readiness. If you have specific timelines in mind for achieving SOC 2 compliance, we can evaluate the feasibility and assist in developing a realistic plan.

Q: What is your experience with compliance in regulated industries?

Our clients operate in various regulated and compliance-driven verticals. We have helped fintechs, healthcare companies, medical device manufacturers, banks, and drug testing companies achieve compliance and close deals successfully.

Our comprehensive security solution encompasses the development and continuous maintenance of the System Security Plan (SSP) and Plan of Action and Milestones (POAM). We proactively adjust these critical documents to ensure alignment with evolving compliance requirements, such as FedRAMP and CMMC, ensuring your organization remains compliant at all times.

Moreover, our team of experts maintains in-depth knowledge of various compliance standards, including SOC 2, PCI DSS, NIST 800-171, NIST 800-53, ISO 27001, and OWASP. This broad expertise enables us to provide tailored guidance and support, ensuring your organization's security posture adheres to the highest industry standards and best practices.

Q: How do you support clients with data privacy regulations?

For SaaS companies with complex integrations and large data volumes, we provide guidance on handling privacy regulations such as GDPR and CCPA/CPRA. Our expertise enables us to translate audit requirements into actionable approaches tailored to your specific needs.

Q: How do you prepare clients for audits and assessments?

Having navigated through numerous audits and assessments, we excel at coaching clients on how to communicate effectively with auditors about their systems, policies, and compensating controls.

Q: How do you support clients in establishing a compliance practice?

For new clients without existing policies or procedures, we help establish a lightweight yet effective compliance practice that aligns with their current state and future growth plans.

Q: How do you support ongoing compliance for retained clients?

For our retained clients, we ensure that their documentation, policies, and procedures are accurate, sufficient, and that the necessary evidence for passing SOC 2 or similar audits is being collected and maintained.

Security Verticals

Q: What services do you offer for application security?

For application security, we provide code reviews and secure code training. Your team can tag us whenever they want to get a security review, and we'll review pull requests and provide comments. Our goal is to incorporate security throughout your software development life cycle (SDLC) and prescribe tooling and processes to achieve this.

Q: How do you address corporate security concerns?

We advise on corporate security matters such as mobile device management (MDM) solutions, laptop security baselines, and best practices for dealing with the risk of personal devices being used for work.

Q: How do you address Cloud/Network/Infrastructure security concerns?

Our firm boasts extensive experience in securing diverse environments, including public, on-premises, and hybrid cloud infrastructures, as well as network architectures. With our comprehensive analysis and adherence to industry best practices, we tailor solutions to address your organization's immediate and long-term security requirements. Our teams possess deep expertise in public cloud APIs, HashiCorp product lines (such as Terraform), and various Kubernetes distributions, enabling us to tackle the most intricate security challenges within the cloud and containerization domains.

Q: How do you manage third-party risk?

Third-party risk is a common challenge. Our team is available to help build a program to begin taming these risks and perform reviews for high-risk services. We also assist you in developing sound security policies and procedures for compliance audits.

Q: How do you support sales enablement?

We can help you complete Vendor Security Questionnaires (VSQs) for sales enablement. Our expertise enables us to streamline this process and empower your sales team to respond quickly and accurately to these requests.

Q: How do you assist with hiring security talent?

We support building in-house security expertise by helping you craft job descriptions, figure out how to vet candidates, run work sample tests to assess their capabilities, and provide guidance on effectively interviewing prospective hires.