Cybersecurity

For clients on our IR on-call retainer, the default SLA is acknowledgement within two hours and an active analyst engaged within four hours, around the clock. For non-retainer clients we aim to have a scoping call and initial triage underway within one business day, but response speed is significantly faster on retainer because onboarding (understanding your environment, obtaining access, aligning with your team) is already complete.

If you are experiencing an active incident and are not currently a client, contact us at [email protected] with "INCIDENT" in the subject line and we will prioritise your request.

Scope is agreed before testing begins in a written rules-of-engagement document signed by both parties. A typical web application test covers authentication and session management, input validation (injection, XSS, CSRF), access control logic, business logic flaws, API endpoints, and third-party integrations. A network test covers external-facing assets, service enumeration, exploitation of known CVEs, credential attacks, and lateral movement within agreed boundaries.

What a pen test does not cover without explicit agreement: production data exfiltration, denial-of-service testing, physical security, and social engineering of employees. Each of these can be scoped separately if required. We will always recommend the appropriate scope in our pre-engagement discussion.

Timeline depends heavily on your starting point. For organisations with minimal existing controls, a realistic timeline to ISO 27001 certification is six to twelve months — covering gap analysis, control implementation, policy documentation, and the Stage 1 / Stage 2 audit cycle. For organisations with a strong existing security posture, six months is often achievable. SOC 2 Type I (point-in-time) can be achieved more quickly; SOC 2 Type II requires a minimum observation period (typically six months) before the report can be issued.

Our gap assessment in the first two weeks of an engagement will give you a calibrated estimate based on your actual current state. We do not quote compliance timelines without first understanding what controls are already in place.

Zero-trust is an architectural principle, not a product. It means that no user, device, or network segment is implicitly trusted — every access request is verified against identity, device health, and context, regardless of whether it originates inside or outside your perimeter. In practice, implementing zero-trust typically involves:

• Strong identity verification with MFA enforced across all users and service accounts
• Least-privilege access policies reviewed and tightened regularly
• Micro-segmentation to limit lateral movement if a credential is compromised
• Device health checks before granting access to sensitive systems
• Continuous monitoring of access patterns for anomalies

You do not need to complete a full zero-trust transformation to significantly reduce risk. Our approach is to identify the highest-value zero-trust controls for your environment and sequence them pragmatically rather than prescribing a multi-year programme from day one.

If our testers encounter sensitive data (PII, payment card data, health records, credentials) during an assessment, we follow a strict protocol: we document the discovery with the minimum evidence necessary to demonstrate the issue, do not copy or retain the data beyond the evidence screenshot, notify your point of contact immediately, and flag it as a priority finding. The rules-of-engagement document we sign before every test codifies these obligations along with our data handling and confidentiality commitments. All findings are transmitted and stored encrypted; reports are delivered to named recipients only.