Operators only.
// Every name on our bench has spent a decade in offensive cyber, inside a nation, a sanctioned red team, or a vendor research group whose findings ended up in the news. The firm exists because the operators wanted a place to keep doing the work, with paperwork, on a clearance, and with the discipline that a real adversary campaign requires.
The shape of the bench.
Six tenets.
The work is the product.
The work itself is what we sell. The report, the methodology slide, and any post-engagement followup exist to evidence that the work happened, in a form a customer can act on.
Operators carry the last word.
Every senior operator has veto authority on scope, on pairing, and on go-or-no-go calls during a campaign. The operator answers ahead of sales and ahead of account management on every question a campaign raises.
Hiring is slow on purpose.
Reference depth before resume length. A working tradecraft sample before any interview that touches strategy. The bench grows by one or two people a year, on purpose, so the median operator stays senior.
Patience is the multiplier.
A campaign run on threat-actor time surfaces findings a fiscal-quarter sprint will miss. Pricing covers the campaign as a whole, so an operator who waits three weeks before the next move is doing the job correctly.
Quiet is the default posture.
Loud is a decision an operator makes against data when the data calls for it, and every operator on the bench knows the moment that decision arrives.
The customer is the blue team.
The blue team is who we work for on every engagement, ahead of procurement and ahead of the audit committee, even when someone else signs the check. Every deliverable lands in their hands first.
The bench publishes.
// Skill at this level is verifiable. Our operators ship CVEs, present at the conferences your team already attends, and maintain tooling that runs in other red teams' kits. The work below is sanitized for the open web. Named talks, CVE numbers, and repository links arrive with the scoping packet under NDA.
CVEs in the gear on your perimeter.
Coordinated disclosures across enterprise VPN appliances, identity providers, and management software. Each one becomes an N-day we replay where the engagement scope allows.
Primitives the industry adopts.
AD and ADCS escalation work beyond the published ESC set, Kerberos abuse refinements, and cloud IAM confused-deputy classes. Presented at major industry conferences and folded into the engagement playbook.
Code that ships in other kits.
BloodHound collector extensions, a Kerberos abuse module, and an agentic-emulation harness. Maintained in the open once a technique is widely understood, used by red teams beyond our own.
Credentials and frameworks.
// The bench carries every certification on the left. We scope engagements against any of the frameworks on the right when the deliverable needs to land inside a compliance program.