Rules of Engagement

Clear professional boundaries that govern every assessment we perform. These rules protect you, your business, and the integrity of our work.

Authorization Requirement

We never begin any assessment without your explicit written authorization. The authorization must clearly define the scope of the assessment, the domain(s) to be reviewed, and the specific checks requested. This is non-negotiable and is our core operating principle.

What We Do

  • Review publicly accessible website content and HTTP responses
  • Check HTTPS configuration and TLS certificate validity
  • Analyze HTTP security headers (CSP, HSTS, X-Frame-Options, etc.)
  • Verify DNS email authentication records (SPF, DKIM, DMARC)
  • Review publicly accessible files (robots.txt, sitemap.xml, security.txt)
  • Check for common public file exposures (.env, .git, backup files)
  • Identify technology stack indicators from public response headers and HTML
  • Document findings with business-impact context and practical remediation guidance
  • Provide manager-friendly PDF reports with prioritized recommendations
  • Conduct retests within the agreed timeframe after remediation

What We Never Do

  • Denial of Service (DoS) or any activity that could disrupt website availability
  • Brute force attacks or credential guessing of any kind
  • Social engineering, phishing, or employee targeting
  • Payment bypass testing or transaction manipulation attempts
  • Destructive tests or any activity that could modify data
  • Accessing, downloading, or attempting to view private data
  • Port scanning or network vulnerability scanning
  • Exploiting vulnerabilities or running any exploit code
  • Testing without explicit written permission — ever
  • Sharing or publishing client data, findings, or reports without consent
  • Installing or uploading any files to client servers
  • Using automated vulnerability scanners against client websites

Client Responsibilities

  • Provide written authorization before assessment begins
  • Clearly define the scope: domain(s), specific checks, and any exclusions
  • Ensure you have the authority to authorize the assessment for the specified domain(s)
  • Notify relevant team members that an external review is taking place
  • Review findings and prioritize remediation based on your business context
  • Contact us if any unexpected behavior occurs during the assessment

Communication Protocol

  • All communication is conducted via email
  • Initial authorization request sent to you for review and signature
  • Assessment begins only after written authorization is received
  • Findings delivered as a PDF report via email
  • Support and questions handled via email within the agreed timeframe
  • Retest requests submitted via email with a description of changes made

Professional Security Analysis

Ready to Begin?

Contact us to discuss your needs and receive a written authorization template. We'll start only when you're ready.