We won’t try to sell you anything we feel you don’t need
Have you had the same application tested every year with virtually no actual findings?
We might suggest reallocating that time to attack vectors that may not have been considered, such as open-source intelligence or social engineering.
We live and breathe privacy and security
We utilise privacy- and security-focussed software and hardware for our own systems and don’t just consider this a day job.
We support free and open source software and avoid big-tech
We support FOSS projects and avoid big-tech, commercial and closed-source hardware and software as much as possible.
Projects we support and recommend include:
- Briar Secure Messenger - https://briarproject.org/
- Debian Linux - https://www.debian.org/
- Decred: Community-focussed cryptocurrency - https://decred.org/
- F-Droid: FOSS applications for Android - https://f-droid.org/
- Firo: Privacy preserving cryptocurrency - https://firo.org/
- GrapheneOS: Privacy- and security-focussed Android - https://grapheneos.org/
- Hugo: Static Site Generator - https://gohugo.io/
- I2P: The Invisible Internet Project - https://geti2p.net/en/
- Monero: Private, decentralized cryptocurrency - https://www.getmonero.org/
- Qubes OS - https://www.qubes-os.org/
- Signal Secure Messenger - https://www.signal.org/
- Tor - https://www.torproject.org/
- Whonix: Anonymous OS - https://www.whonix.org/
We don’t collect and store any data we don’t need
We collect the bare minimum information required to perform our tasks and avoid collecting anything unnecessary.
We believe this is vitally important and is a key principle that all organisations should adhere to, as it reduces exposure to data breaches.
We’re happy to share how we obtained our results, including details on any tools that were used
Which scanner or technique was used to find the initial attack vector, and how did we proceed from there?
We can walk you through the tools and techniques used so you can gain a deeper understanding of our work.
We won’t give you a report with hundreds of pages of garbage
We strive to provide real-world, applicable report findings with reproducible proof-of-concept steps, so you can perform the same steps we did and understand the core issue behind each finding, along with appropriate remediation advice.
We’ll help you raise security issues to applicable vendors
Did we find a massive security issue in Vendor XYZ’s software or hardware during testing?
We may recommend reporting the finding to the vendor and are more than happy to explain the issue in a call or meeting, as this helps the vendor understand the issue and produce a security update.
If we come across something that’s out of scope we’ll still mention it
If you’ve engaged us to perform a mobile application test but we discover a potentially significant security issue while browsing your website, we’ll let you know immediately so you can remediate as required.