How an engagement actually runs.
Operational specifics for buyers evaluating us. The engagement lifecycle from first contact through delivery; what we need from your team; response and SLA commitments; and the questions we get asked most often before a customer signs.
Five steps from first contact to delivered.
Scoping call
First conversation. We confirm objectives, scope, the right product mix, and whether we are the right answer at all. If a different vendor or a different product is the better fit, we will tell you.
Engagement agreement
Formal scope, hard guardrails on out-of-scope assets, engagement window, operator mode, and deliverables. A single signed agreement covers the engagement; we will sign a separate Master Service Agreement (MSA) when your procurement team requires one.
Kickoff
Access provisioning for any cloud, internal, or Active Directory scope. Introductions to your engagement contact and agreed communications channel (typically Slack or email). SOC notification follows the protocol set in scoping — broad brief for APT and purple-team CAE engagements; restricted to a small "control group" of stakeholders for red-team CAE, so detection capability is tested under realistic conditions.
Execution
The engagement runs against the agreed scope under the selected operator mode. The portal is accessible throughout — findings, attack path, and MITRE coverage update as the agent works. Review-before-exploitation engagements queue exploitation steps for your team's approval. An out-of-band escalation channel covers any critical findings discovered mid-engagement.
Delivery & remediation cycle
Executive summary and technical report issued within two business days of engagement close. Portal access continues for an agreed audit window — typically ninety days, often longer for SOC 2 evidence. Retests run on demand within the window. If your team needs hands-on remediation help, SHIELD hours or a retainer can be attached at this point.
Six things to put in place before kickoff.
We keep customer overhead minimal. The list below is what we have found to be necessary on every engagement: mostly paperwork and access provisioning rather than deep technical preparation.
Authorized signer
Someone with authority to sign the engagement agreement on behalf of the organization being tested.
Single point of contact
One named person on your team for engagement communication. Additional reviewers can be added; the SPOC owns scope and approval decisions.
Confirmed scope
The exact assets in scope, with explicit out-of-scope items. Hard guardrails are encoded into the agent before kickoff.
Access provisioning
For internal, cloud, or AD engagements: read-only or appropriately scoped credentials, VPN or bastion access, and any IP allowlisting required.
Change-window check
Confirmation that the engagement window does not collide with a planned release, change freeze, or other production-affecting activity. If there is a conflict, we will find a window that fits.
SOC notification protocol
Approach depends on engagement type. APT and purple-team CAE brief your SOC up front so legitimate testing is not mistaken for a live incident. Red-team CAE intentionally restricts awareness to a small control group so detection capability is tested under realistic conditions. We will confirm which fits during scoping.
What you can expect from us, on the clock.
Standard response and turnaround commitments. Enterprise engagements carry custom SLA terms agreed in writing during scoping; the table below is the default applied across all non-enterprise engagements.
Operational specifics buyers ask before signing.
What if the agent finds a critical issue mid-engagement?
Immediate notification via the agreed escalation channel — Slack ping, phone call, or email per your preference. The finding is recorded in the portal with full evidence; the engagement continues, pauses, or escalates per your direction. For findings that suggest active third-party compromise, we will halt immediately and consult before proceeding.
What if the scope needs to change during the engagement?
Scope changes require a written amendment to the engagement agreement. The agent will not proceed past the original agreed perimeter until the amendment is signed. We can move quickly on amendments — typically within the same business day for additive changes.
What if we want to halt the engagement?
Halt at any time, for any reason. You retain access to all findings produced up to the halt point, and we issue an abbreviated report covering the work performed. There is no penalty for halting.
What happens after the engagement window?
Portal access continues for the agreed audit window — typically ninety days, longer where audit evidence retention requires it. Retests can be commissioned at any time during or after the window. Engagement data is retained per our data-retention policy, shared during scoping.
How do you handle out-of-scope discoveries?
The agent refuses out-of-scope actions by design. If the agent discovers something concerning that touches the boundary of scope — evidence suggesting prior third-party compromise, exposed customer credentials in public dumps, infrastructure misconfigured against a vendor we cannot test — we flag it in the portal and consult with your SPOC before any further action.
How is the engagement priced once the scope is confirmed?
Per the published tiers on our pricing page, sized to the confirmed scope. The scoping call produces a written quote that holds for thirty days. We do not bill by the hour during the engagement window itself; pricing is per engagement, with SHIELD remediation hours separately scoped if added.
Start with a scoping call.
First conversation is free and lands within one business day. We’ll cover scope, fit, and what the next step looks like.