We handle assessment material as evidence.

We ask for the least access needed to answer the assessment question. In many cases, architecture diagrams, sanitized traces, sample workflows, and staged environments are enough to begin.

Production access, source access, or sensitive data access should be explicitly scoped and time-bounded.

Secrets, credentials, private keys, tokens, and regulated personal data should not be sent through the public contact form.

If sensitive data is required for an engagement, we agree on an appropriate transfer, storage, retention, and deletion path before receiving it.

Security findings are disclosed privately to the agreed client stakeholders. Reports are written to support both executive decision-making and technical remediation.

Where findings are exploitable, we avoid unnecessary replication details outside the audience responsible for remediation.

When working with agents, MCP servers, eval harnesses, model providers, or AI coding tools, we treat tool permissions, traces, generated code, and model outputs as part of the security boundary.

We do not treat AI-generated artifacts as harmless just because they were produced by a model.