Six common triggers for the call.

Most engagements start with one of six situations. If one matches yours, the scoping call is worth booking; we will tell you on the call whether the engagement we suggest fits.

01. in scope

What's in scope.

The six common triggers.

SOC 2 or ISO 27001 deadline

You signed a contract that requires a passed audit by a specific quarter. You need findings, evidence, and a remediation track that does not slip the audit date.

Post-incident response

Something happened. You need to know what else is exposed, what was missed, and where the next quarter of engineering time should go.

Pre-launch or pre-release

A major feature is about to ship. You want a security signal before customers see it, or before the press release runs.

M&A diligence

A buyer asked for a third-party security report. Or you are the buyer and want a clean read on the target before signing.

Insurance renewal

Your cyber-insurance broker is asking for a recent pentest. Premium discounts often depend on the result.

Enterprise customer ask

Your largest deal in the pipeline asked for a security report. Sales is blocked. You need turnaround in weeks, not months.

02. how we work

Less common but worth a call.

  1. Annual cadence. You run a test every year because that is what mature programs do. We are happy to be the firm that makes this year not feel like a copy of last year.
  2. Detection-engineering signal. You want to know what your SOC actually catches. A red team or breach-and-attack-simulation (BAS) exercise, scoped to test what your team really sees rather than what the tooling claims to cover.
  3. Vendor risk. You are about to sign a critical vendor. You want a focused review of their security posture before committing.
  4. Insider threat scenario. You have a real or theoretical insider concern: a compromised laptop, a departing admin, privileged misuse. A scoped, structured exercise.
  5. You inherited an environment. New role, undocumented infrastructure, ten years of accumulated tech debt. Get a security baseline before something goes wrong on your watch.

03. deliverables

What you walk away with.

What we typically recommend for each trigger.

Audit-driven

Penetration testing scoped to the auditor's required surface, plus a gap analysis if controls maturity is unknown.

Incident-driven

Recon and credential-exposure review first, then a pentest or red team for the specific concern. Sometimes both.

Launch-driven

Pentest of the launch surface, plus a code review of the security-sensitive paths. Tight 3-week engagement.

Diligence-driven

Pentest of the production app, plus a focused code review and supply-chain audit. Documentation formatted for the buyer or seller.

Insurance-driven

Pentest scoped to the broker's questionnaire. Attestation letter is the artifact your broker is waiting on.

Sales-driven

Fast-turn pentest with a customer-facing summary. The summary is what unblocks the deal; the full report is for your engineers.

04. when

When the call is not the right next step.

You are pre-product

No code or infrastructure to test yet. Talk to us about an advisory retainer instead; we can review architecture before there is anything to break.

You need free advice

We do not bill for scoping calls, but the call is to scope a paid engagement. If you need general security questions answered, blog posts and open communities are more efficient.

You want a discount for being a startup

Engagement price reflects scope and depth, not company size. Small-startup engagements still cost what they cost; we just often scope them smaller.

You expect a clean report no matter what

We will not deliver a clean report if the scope has real findings. If you need a stamp regardless of result, this is the wrong firm.

05. faq

Questions before the call.

Trigger FAQ.

How fast can you turn around an audit-deadline engagement?

Kickoff typically takes two weeks, the engagement two to three weeks, and the report one week: roughly five to six weeks from call to attestation. Faster is possible with notice.

Can you fit a pre-launch pentest in a two-week window?

Sometimes, depending on scope. We will tell you honestly on the call. A poorly scoped fast engagement is worse than a delayed one.

Do you do urgent post-incident work?

Yes, on availability. Critical-incident scoping calls are scheduled within 24 hours.

What if our trigger is not in the list?

Most engagements still fit one of the six. If yours is genuinely different, the call is even more useful. We have not seen everything, but we have seen most things.

Can we start with one engagement and add more later?

Yes. Many clients start with a single pentest and add a retainer, a red team, or quarterly engagements once they see how we work.

Does one of these match yours?

A 30-minute call covers your trigger, scope, and timeline. Free, no NDA.