Fixed-scope engagement
Zero-Trust Transformation
A zero-trust engagement moves your access model from "trusted because you're on the network" to "trusted because of verified identity and device posture" — enforced through policy-as-code and identity-aware access you own, not a perimeter you hope holds.
Request a scoping callThe problem this solves
"Our security still basically means VPN-in-and-you're-trusted. Remote work, contractors, and SaaS broke that model years ago, and we know one stolen laptop or credential gives an attacker lateral access far beyond what that identity should ever need. Vendors keep pitching us a zero-trust product; we need the actual architecture and enforcement, not a logo." Root cause: implicit network trust + flat internal access means a single compromised identity or device has lateral reach far beyond its need; ZTNA products without an access-policy model just relocate the problem.
What you own when we leave
- An access-policy model expressed as policy-as-code (identity + device posture + resource sensitivity → allow/deny), in your repo.
- Terraform/IaC for the enforcement points in scope (identity-aware access, segmentation, conditional access, service-to-service auth).
- A threat model showing lateral-movement paths before and after, so the risk reduction is legible and reviewable.
- Phased rollout runbooks (so you cut over without locking your own people out) and break-glass procedures.
- ADRs for the trust-boundary and enforcement decisions.
Not a maturity-model spreadsheet. A working enforcement model defined as code.
How we approach it
- 01
Discovery
We read your accounts, configs, and constraints directly (scoped read-only access or exported state), map the real current state, and agree on a written scope and success criteria before any code is written.
- 02
Architecture Decision Records
We write down the key decisions — what we’re doing, the options we rejected, and why — as ADRs in your repo, so the reasoning survives long after we’re gone and you can challenge it before we build.
- 03
Implementation
We build the solution as reviewable Terraform/IaC in small, tested pull requests against your CI, so you watch it land incrementally and nothing arrives as a black box.
- 04
Handover
We walk your team through the repo, the threat model, and the runbooks live, confirm you can apply/destroy/extend it yourselves, and then we leave. You own everything — there is no phase 5 where you still need us.
Engagement shape
A fixed-scope transformation over a defined set of users, applications, and access paths — phased so each cutover is reversible and observed. Scope is bounded by which access paths and enforcement points are in the first phase, agreed up front.
Engagements typically start at $40,000 USD. Contact for scope and a fixed price.
A sample of what we ship
# policy/access.rego — identity + device posture + sensitivity
package access
default allow := false
allow if {
input.user.mfa_verified
input.device.managed
input.device.disk_encrypted
resource_tier_permitted
}
resource_tier_permitted if {
input.resource.tier != "restricted"
}
resource_tier_permitted if {
input.resource.tier == "restricted"
input.user.group in data.restricted_access_groups
input.device.posture_checked_within_hours <= 24
}FAQ
Questions about this engagement
What do I actually get — is this just a report?
No. Every engagement ends with infrastructure-as-code in your repository: Terraform/IaC, the guardrail set (Service Control Policies or equivalents), a threat model, ADRs, and runbooks. The documents exist to help an engineer run the code — they are never the deliverable instead of the code. "We ship, not slide" is the whole point. The sample Terraform on this site shows the shape of what you get.
What if something breaks after you’ve handed over and left?
Every engagement includes a 90-day warranty: if anything we shipped does not behave as documented, we fix it at no charge — that is a defect we own, not new scope. After that window the code is standard Terraform/IaC on standard tools, so your team or any engineer can maintain it. If you would rather we come back for a defined follow-on — a new scope, a new fixed price — we are a short email away. We make ourselves unnecessary by default; we do not make ourselves unreachable.
We already have a security team / platform team. Why bring you in?
Usually because they are at capacity, or the work needs a specific senior depth (landing-zone design, zero-trust enforcement, hybrid routing, AI guardrails) that is hard to staff for a one-time build. We work as reviewable PRs against your CI so your team reviews and absorbs everything as it lands — by handover it is genuinely theirs, not a black box dropped on them.
What access do you need, and how do you handle our data and credentials?
Discovery uses scoped, read-only IAM roles that you create in your accounts and can revoke at any second — never long-lived keys we hold. Where you must export configuration or state, it lands encrypted in storage you control, and we delete our working copies on a documented schedule with written confirmation. We use no sub-processors and nothing leaves the jurisdiction you specify; wherever possible, implementation runs entirely inside your own tenancy and CI so we never hold your credentials at all. We will complete your security questionnaire (CAIQ/SIG-lite) before you grant any access. You can inspect this site too: cookie-free self-hosted analytics, Cloudflare only for edge/CDN and bot protection, a clean CSP, and no third-party trackers.