Security Philosophy

These principles guide how we work.

Core Principles

Defense in Depth

No single control is sufficient. We layer protections so that if one fails, others remain:

  • Device level: Encryption, EDR, MDM compliance, patch management
  • Network level: VPN, network segmentation, firewall rules
  • Application level: MFA, RBAC, audit logging
  • Process level: Training, access reviews, incident response

Least Privilege

Team members receive only the access necessary for their work:

  • Project-specific credentials that don’t span engagements
  • Role-based permissions within each project
  • Time-limited access for temporary needs
  • Regular access reviews throughout the engagement

Project Isolation

Every engagement is a silo, enforced technically:

  • Dedicated credentials per project
  • Separate communication channels
  • No code or data sharing between clients
  • Infrastructure isolation where applicable

Transparency

  • We welcome security questionnaires and audits
  • We’ll explain any control in detail upon request
  • We proactively share relevant security information with clients

Risk-Based Approach

Not all data and systems carry equal risk. We calibrate controls accordingly:

  • Higher sensitivity → stricter controls, more isolation
  • We discuss risk levels openly during scoping
  • We recommend appropriate security postures, not one-size-fits-all

Continuous Improvement

  • Regular training updates
  • Periodic review of tools and practices
  • Learning from industry incidents
  • Feedback loops from client engagements

What We Don’t Do

  • No shared credentials between team members or projects
  • No code reuse from one client engagement to another
  • No access persistence after engagement ends
  • No shortcuts that trade security for convenience
  • No assumptions about what “secure enough” means for you