Comply Strike · offensive · compliant · resilient

Engagement process

Honest about how the work runs.

No surprises mid-engagement. Three contract structures, four engagement stages, one set of inclusions, and a short honest list of who we're not for.

  • Models: Fixed · T&M · Retainer
  • Stages: 4 — Discovery to handover
  • First reply: 2 business days
  • NDA: Mutual, before sensitive scope

Contract models

Three structures. Choose the one that fits the work.

We never push a client into a model that benefits us at their expense. The right structure follows the shape of the work.

01

Fixed fee

When scope is well-defined and outcomes are crisp.

Typical examples

  • Penetration testing of a defined scope
  • ISO 27001 / SOC 2 / PCI DSS gap assessment
  • DORA / NIS2 readiness review
  • Tabletop exercises with set objectives
  • Sample audit and report deliverables

You know the cost up front. If our estimate was wrong, we absorb the scope-execution risk, not you.

02

Time & materials

When scope is exploratory or evolves as findings land.

Typical examples

  • vCISO / fractional CISO engagements
  • Active incident response and digital forensics
  • M&A cybersecurity due diligence
  • Long-tail remediation support
  • Custom tooling or detection-engineering work

Lower commitment to start. Weekly burn reports keep the budget visible. Cap and stop-work clauses honoured.

03

Retainer

When you need a named team on call, not a one-off project.

Typical examples

  • Pre-incident IR retainer with named responders
  • Managed SOC / MDR with monthly hours pool
  • Quarterly board reporting and exec coaching
  • Standing red-team / purple-team rhythm
  • Continuous attack-surface monitoring

Hours pool that rolls over within a quarter. Activation SLAs in writing. Cancel with 60 days' notice.

Engagement stages

Four stages, in this order, every time.

Whether the engagement is two weeks or twelve months, the path through it is the same. Predictability matters more than novelty.

01

Discovery

30 min · free

A direct call with a partner-level consultant. No pre-sales filter, no scripted demo. We learn what you're trying to achieve; you learn whether we're a credible fit.

02

Scoping

1–2 weeks

A short paid scoping engagement: kickoff workshop, written scoping note, mutual NDA, agreed assumptions and exclusions. You can stop here with a deliverable in hand.

03

Delivery

Variable

Field work runs to a public weekly cadence. Findings are shared as we surface them, not stockpiled for the report. Daily standups with your team if you want them.

04

Handover

Defined

Final report, walkthrough with the engineers who'll fix it, free retest of every fix within 60 days, lessons-learned session. Door left open for the next engagement.

What every engagement includes

Standard, no surcharges.

  • Named senior consultants — the people who scope the work run it
  • Kickoff workshop + written scoping note + mutual NDA
  • Weekly status calls (or Slack/Teams cadence if preferred)
  • Findings shared as we surface them, not held for the final report
  • Final report with executive summary + technical detail + remediation playbook
  • Walkthrough of every finding with the engineers who'll fix it
  • Free retest within 60 days for testing engagements
  • Post-engagement support window — questions answered for 30 days
  • Attestation suitable as audit evidence for SOC 2 / ISO 27001 / regulator submissions

What's not included

Honest exclusions.

  • Third-party tool licences (you bring or we scope a separate purchase)
  • Remediation implementation — we recommend; your team or a follow-on engagement implements
  • On-site work outside agreed travel scope
  • After-hours response unless on a retainer with stated SLAs
  • Anything outside the SOW — change requests are documented and re-scoped
  • Pure offshore-priced delivery — we don't compete on rate against staff-augmentation shops

When we're a fit

You're our buyer if…

  • You operate in a regulated industry — financial services, government, healthcare, critical infrastructure — and your auditor is non-negotiable about evidence quality.
  • You've outgrown a checkbox vendor and need depth, not headcount.
  • Your security programme has internal stakeholders who will push back on findings, and you want a partner whose work holds up under that pressure.
  • You've had bad experiences with the “Big Four send juniors” pattern and want a small senior team end-to-end.

When we're not

We'll send you elsewhere if…

  • You're a sub-$5M ARR business looking for a one-off pen test on the cheapest budget — there are good shops whose pricing fits that brief better than ours.
  • You want a tool reseller — we don't take vendor commissions and we don't sell licences.
  • You want pure staff augmentation by the rate card — we do staff augmentation, but at consultant rates, not body-shop rates.
  • You want a green-dashboard outcome — we're going to tell you what we found, including the bad bits, and hand you a list of work to do.

Sound like a fit?

Tell us the deadline and the constraint. We'll come back with a written scoping note within two business days — free, no commitment, useful even if you don't go further with us.

Start the conversation