Engagement Process
Structured, transparent, and no surprises. Every phase is documented and communicated clearly, from initial scoping to final remediation re-test.
Five Phases. Zero Ambiguity.
Every engagement follows a consistent, documented methodology built on real-world offensive tradecraft, not a generic checklist approach.
Principal-Led. Operator-Run.
Every engagement is scoped, executed, and reported by the same practitioner. There is no junior staff running automated tooling, no offshore delegation, and no account-management layer between the customer and the consultant. The person who scopes the engagement is the person handling the keyboard during testing, writing the findings, and answering questions during remediation. Customers work with a senior consultant directly, from first email to final re-test.
This model trades scale for depth. CSPI runs fewer engagements per quarter than a large consulting firm. The engagements that do run get the full attention of someone whose technical background is verifiable through certifications, public CVEs, and published research, rather than a CV summary.
NDA Before Anything Else.
No environment information, account inventory, or scoping detail is requested or discussed before a mutual NDA is in place. The initial conversation can happen without one (general approach, capability fit, timeline questions), but the moment a real environment is being described, the NDA goes first.
Engagement data is stored in an engagement-specific vault. Captured credentials, screenshots, and report drafts never travel over unauthenticated channels. Final reports are delivered via authenticated portal or PGP-encrypted email at the customer's preference. After engagement closure, all engagement-specific data is retained only as long as required for the re-test pass, then destroyed. A formal data-handling addendum is available on request for organisations that need it for procurement.
Rules of Engagement. Signed Before Testing Begins.
Every engagement begins with a written rules-of-engagement document signed by both an authorised sponsor on the customer side and the consultant. The document covers:
- In-scope and out-of-scope assets, with named hosts, IP ranges, applications, identities, and accounts.
- Permitted and prohibited techniques, including denial of service, social engineering against unconsented individuals, and any operations against shared third-party infrastructure.
- Testing windows, with the customer's preferred working hours and any blackouts (releases, audits, financial close).
- Emergency stop procedures, including a named contact reachable during testing hours and an out-of-hours escalation path.
- Escalation triggers, defining what constitutes a finding that must be reported within minutes rather than at end of day.
- Change control during the engagement. Scope changes are written, signed, and dated, not handled verbally.
The signed ROE is the working document throughout the engagement. Any ambiguity is resolved by referring back to it rather than improvising.
Daily Status. Immediate Escalation on Critical Findings.
During active testing, the customer receives a daily status note covering: what was tested today, what is planned for tomorrow, any blockers, and any findings worth raising. Critical findings are not held for the end-of-week summary. They are escalated through the agreed channel within minutes of validation, with enough information for the customer's team to begin containment if needed.
Coordination calls are scheduled at engagement milestones (kickoff, mid-engagement checkpoint, pre-reporting review, debrief). Ad-hoc calls happen when the engagement uncovers something that needs immediate two-way conversation. Communication channels are agreed in the ROE and used consistently throughout.
Every Finding Manually Validated.
Every finding in a CSPI report is manually validated. Scanner output is a starting point for enumeration; it is never the deliverable. Each issue is reproduced with documented steps, exploited where authorised to confirm impact, and contextualised against the customer's environment.
Reports include CVSS scoring alongside a contextual risk rating that reflects what the finding actually means in the customer's business. A CVSS 9.8 in a non-routable segment with no sensitive data has a different business risk than the same CVSS 9.8 on an internet-facing identity provider. The report makes that distinction explicitly so engineering and leadership can prioritise correctly.
Audit-Ready Where It Matters.
Reports map to the compliance frameworks the customer operates under. Common mappings include:
- PCI DSS v4.0: requirements 6.3.2, 8.3.1, 11.4.1, 11.4.3, 11.4.5 with explicit segmentation testing evidence.
- SOC 2 (Trust Services Criteria): CC6.1, CC6.6, CC6.7, CC7.1, CC7.2 with control-by-control evidence packages.
- ISO 27001: Annex A.12, A.13, A.14, A.18 with finding-to-control mapping.
- HIPAA Security Rule: 164.308 (administrative), 164.310 (physical), 164.312 (technical) safeguard evidence.
- PIPEDA Schedule 1, Principle 7: evidence supporting reasonable safeguards on personal information.
- NIST CSF / CIS Controls: mapping to relevant subcategories where customers use these as their primary framework.
Engagements can be timed to specific audit windows. Where the engagement is the input to a SOC 2 Type II observation period or a PCI DSS annual assessment, the reporting schedule and evidence format are arranged to match the auditor's intake requirements.
Built For Regulated Enterprise Environments.
The practice serves medium and large enterprises in financial services and fintech (payment processors, banking, brokerages), healthcare (covered entities and business associates handling PHI), SaaS and multi-tenant platforms (B2B and enterprise SaaS with regulated customer data), critical infrastructure (operators in energy, telecom, and transport), and cloud-first organisations running production workloads on AWS, Azure, or GCP.
Clients are based across Toronto, the Greater Toronto Area, Ontario, and Canada, with select international engagements. Industry detail is on the industries page.
Senior Hands On the Keyboard.
Larger consulting firms operate on a leverage model. A senior partner sells the engagement, a manager scopes it, and one or more junior consultants execute the bulk of the testing. The model works at scale but it dilutes technical depth and adds communication layers between the customer and the people doing the actual work.
A boutique consultancy inverts that. The senior practitioner is the practitioner. There is no leverage to apply, which means engagement capacity is finite, but depth and continuity benefit as a result. Customers see fewer status meetings, fewer handoffs, fewer mis-translated findings, and faster turnaround when something needs a real-time decision. For regulated enterprises where engagement metadata itself is sensitive, fewer people on the engagement means a smaller confidentiality surface.
Frequently Asked Questions.
Will testing impact production?
Most testing techniques are non-disruptive. Disruptive techniques (denial of service, destructive exploitation paths) are excluded by default and only run if explicitly requested and authorised in the ROE. Where a finding requires active exploitation to fully demonstrate impact, the testing window is coordinated with the customer. Operational disruption is treated as a contract-level concern, not a tester-discretion question.
How quickly are critical findings escalated?
Critical findings are escalated through the agreed communication channel within minutes of validation. The escalation includes enough information for the customer's team to begin containment if needed, plus a follow-up note with reproduction steps and recommended immediate actions once the consultant has time to write them up.
How are credentials and captured data handled?
Captured credentials and sensitive engagement data are stored encrypted in an engagement-specific vault, never transmitted in plaintext, and destroyed at engagement closure (retained only as long as required for the re-test pass). For social engineering engagements that capture user credentials, handling follows PIPEDA Schedule 1, Principle 7 with aggregated rather than individual retention where possible.
Do you support remediation validation?
Yes. Every engagement includes a remediation re-test pass within 60 days of the original report at no additional cost. The re-test validates each finding the customer reports as closed and updates the report with the closure evidence. The closure documentation is structured for the customer's auditor to consume directly.
How do you scope hybrid cloud environments?
Hybrid environments are scoped by mapping the identity boundary first (which accounts trust which, where federated identity crosses boundaries, what the cloud-to-on-prem connection path looks like) and then prioritising testing against the privilege-escalation and lateral-movement paths most likely to carry business impact. Hybrid engagements typically run longer than single-environment engagements because the cross-boundary paths take longer to enumerate properly.
Can testing align with compliance deadlines?
Yes. Engagements are routinely scheduled to align with PCI DSS annual assessment cycles, SOC 2 Type II observation periods, ISO 27001 surveillance audits, and HIPAA risk assessments. The reporting format and evidence packaging are arranged to match the auditor's intake requirements when this is known up front.