Confidentiality is the default posture.

We are comfortable signing a mutual NDA before reviewing sensitive architecture, prompts, model behavior, source code, eval results, logs, security posture, or production workflows.

We do not need secrets, credentials, regulated personal data, or live production access to begin scoping most engagements.

Client materials are treated as confidential by default, including system diagrams, tool manifests, MCP server details, evaluator outputs, jailbreak findings, and internal governance documents.

We keep findings private and share them only with the agreed client-side audience and delivery channels.

We do not publish client names, identifying details, exploitable findings, prompts, code, traces, or screenshots without explicit permission.

Public references to our work use anonymized descriptions and codenames unless a client has approved attribution.