Productised offers have fixed fees. Retainers have monthly deliverables. We don’t sell time-and-materials except on edge-case engagements where the scope genuinely can’t be defined in advance — and we tell you so before you sign.
No associates, no offshore delivery, no juniors learning on your account. The cost structure is honest about this; we don’t pretend to be an agency at agency rates with sole-practitioner economics.
Deliverables are running infrastructure, evidence pipelines, code in your repo, policies in your wiki. Where we produce documents, they’re documents your team will actually open after we leave.



On one side, Big-4-adjacent firms whose proposals start at six figures and twelve months, staffed by associates learning on your account. On the other, freelance consultants who’ll write you a 200-page ISMS template and disappear. Neither is what a Series-B fintech needs at 2am the night before a customer security review.
The practice is built by people who’ve held principal security and engineering roles at Percona, Airalo, Cint, Taxually, Xapo, Xplor and the UK Ministry of Defence. We’re not consulting against your CTO from the outside; we’ve been your CTO.
ISO 27001 Lead Auditor and Lead Implementer. IASME Cyber Essentials and Cyber Essentials Plus. GDPR Practitioner. The credentials shorten the auditor conversation; the experience shortens everything else.