How we work

The Malwise approach

Every engagement follows the same discipline. The scope changes. The rigour does not. Here is what to expect when you work with us.

Our principles

What we hold to on every engagement.

These are not aspirations. They are the things we will not compromise on, regardless of timeline or commercial pressure.

01

Understand before testing

Most penetration tests fail before the first packet is sent, because nobody agreed what the system actually means. We start with a scoping conversation. What is in scope, what is out, what is the worst case for the business, what does success look like? A test without a clear brief is theatre. We do not do theatre.

That scoping conversation is free. It is also where we will tell you honestly if what you are asking for is not what you actually need.

02

Real attacks, not just scanners

Automated scanners have their place in the process, but they do not model an attacker. They find known vulnerabilities against known signatures. A skilled attacker chains misconfigurations, abuses trust relationships, and exploits business logic that no scanner has a signature for.

We use the same tools, techniques, and creative manual testing that real adversaries use. The findings that matter most in our reports are almost always the ones that automation missed entirely.

03

Reports your team can actually use

A penetration test report that nobody reads is a waste of everyone's time. We write for two audiences in one document. The executive summary is on the first page, in plain English, with the business risk stated clearly. The technical section contains evidence, reproduction steps, and remediation guidance specific to your stack.

Risk ratings reflect real exploitability and real business impact, not a generic severity score that ignores your environment. If a finding is high severity but requires physical access to a locked server room, we say so.

04

Walk-throughs, not handovers

We do not email a PDF and disappear. After every engagement we sit down with your team, engineers, IT leads, executives, and walk through findings live. Questions get answered while the context is fresh. You leave the meeting knowing what to fix, in what order, and why it matters.

That debrief is included in every engagement. It is not an optional extra and it does not come with an additional invoice.

05

Retest until it is actually fixed

Remediation often introduces new issues. A developer fixes an injection vulnerability and inadvertently creates a broken access control in the process. We include a free retest after remediation on every engagement, to verify that fixes work as intended and no new issues have been introduced.

You also get a clean record for auditors and insurers confirming that findings were remediated and retested. That document has real value when your clients, insurers, or regulators ask for evidence of security work.

What we will not do

Where we push back.

Working with an independent firm means you get honest advice, including when that advice is uncomfortable. These are the things we will decline, regardless of who is asking.

i

Scope creep dressed as urgency

If something needs doing, it goes through proper scoping with a clear brief and a fixed price. Expanding scope mid-engagement without agreement is how quality falls apart and how businesses end up with findings that were not properly tested. We will stop and re-scope. We will not just keep going.

ii

Compliance theatre

We will not certify controls that do not work, even if doing so would speed up a certification or make a deadline easier to hit. A certificate that does not reflect reality is worse than no certificate, because it gives false confidence to the business and false assurance to anyone relying on it.

iii

Vendor-shaped advice

We do not resell products. We have no vendor relationships that shape what we recommend. If your existing stack is genuinely doing the job, we will tell you that clearly. If it is not, we will tell you what needs to change, not what would be most convenient for us to sell you.

In practice

What working with us actually looks like.

Most engagements start with a free 30-minute call. We listen to what you are trying to achieve, ask questions about your environment and obligations, and tell you honestly whether what you are describing is the right engagement for your situation.

If we take the work on, you will receive a fixed-price proposal with a clear scope, methodology, timeline, and deliverables. No hourly billing. No scope-creep invoices. No surprises.

The work is done by the person you spoke to in the scoping call. We do not hand engagements to junior staff or subcontract the technical work. The consultant you briefed is the consultant who delivers.

After the work is complete, you have a report, a debrief, a free retest, and a record of what was found and what was fixed. If you have questions six months later, we are still reachable.

The engagement arc

  • Free scoping call, no commitment, no sales pitch
  • Fixed-price proposal with clear deliverables
  • Active engagement delivered by senior consultants
  • Report written for both technical and executive audiences
  • Live debrief included on every engagement
  • Free retest after remediation
  • Clean remediation record for auditors and insurers
Book a scoping call
Ready when you are

Start with a free 30-minute call.

No commitment. No sales pitch. We will tell you whether what you are describing is the right engagement, and if it is not, we will tell you what would be.

Get in touch