Frequently Asked Questions

Common questions about API security, server hardening, and how I work. Can't find your answer? Get in touch.

5 categories, 21 questions

01 Getting Started

Reach out via the contact form or email. We'll have a short discovery call where I learn about your systems and security concerns. From there, I provide a fixed quote with clear deliverables and timeline.
Work usually starts within a few business days after the discovery call. Urgent security issues are prioritized.
A brief overview of your tech stack and any specific concerns helps, but isn't required. I'll guide you through what I need during our call.
Yes. I regularly collaborate with in-house teams and MSPs. I can provide guidance for your team to implement, or work alongside them directly.
02 Services

I specialize in API security testing and server hardening. This includes penetration testing, security audits, configuration reviews, and ongoing security support.
An API security assessment covers authentication and authorization testing, input validation, business logic review, a detailed vulnerability report with severity ratings, remediation guidance with code examples, and a debrief call.
Server hardening covers SSH and remote access hardening, firewall configuration, service minimization, user and privilege management, logging setup, and security baseline documentation.
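As an added illustration of what the SSH hardening part of a baseline check looks like in practice (example code written for this page, not the consultant's own tooling), the script below audits an sshd_config against a small assumed baseline. The baseline values (for example MaxAuthTries 3) and the OpenSSH defaults used when a keyword is absent are assumptions stated in the code; the sample config files are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Audits an sshd_config against an assumed hardening baseline.

# Effective value of a keyword. sshd uses the FIRST occurrence of a
# keyword outside Match blocks; if it never appears, the OpenSSH default
# (passed as $3, assumed values for this example) applies.
sshd_effective() {
    # $1 = config file, $2 = keyword (case-insensitive), $3 = default
    value=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }               # skip comment lines
        tolower($1) == "match" { inmatch = 1 }  # stop at first Match block
        inmatch { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$3"
    fi
}

# Compare one keyword's effective value with the baseline.
# $1 = file, $2 = keyword, $3 = OpenSSH default, $4 = expected baseline value
# Prints a finding and returns 1 on deviation, returns 0 when compliant.
sshd_check() {
    file=$1; key=$2; default=$3; expected=$4
    actual=$(sshd_effective "$file" "$key" "$default")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$expected" ]; then
        return 0
    fi
    printf 'FINDING: %s is "%s" (baseline expects "%s")\n' "$key" "$actual" "$expected"
    return 1
}

# Run the baseline; the return value is the number of failed checks.
# Defaults reflect current OpenSSH behaviour; baseline values are assumed.
sshd_audit() {
    file=$1; failed=0
    sshd_check "$file" PermitRootLogin        prohibit-password no  || failed=$((failed+1))
    sshd_check "$file" PasswordAuthentication yes               no  || failed=$((failed+1))
    sshd_check "$file" PubkeyAuthentication   yes               yes || failed=$((failed+1))
    sshd_check "$file" PermitEmptyPasswords   no                no  || failed=$((failed+1))
    sshd_check "$file" X11Forwarding          no                no  || failed=$((failed+1))
    sshd_check "$file" MaxAuthTries           6                 3   || failed=$((failed+1))
    return "$failed"
}

# Usage (constructed sample, not a real host): a config that leaves
# PermitRootLogin commented out and password logins on produces findings.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '#PermitRootLogin no\nPasswordAuthentication yes\nX11Forwarding yes\n' > "$demo"
    sshd_audit "$demo"
    echo "failed checks: $?"
    rm -f "$demo"
fi
```

On a live host, treat `sshd -T` (which prints the effective configuration after all includes and Match rules are resolved) as the authoritative source and run `sshd -t` after any change; the parser above is a readable approximation for reviewing a config file offline.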
It depends on scope. A focused API assessment typically takes 1-2 weeks. Broader infrastructure tests take longer. You'll get a clear timeline in your proposal.
I take care to minimize disruption. Most testing can be done safely on production systems. For more aggressive testing (anything that could affect availability or change data), we schedule off-peak windows. The approach, rules of engagement, and acceptable risk levels are agreed beforehand.
03 Pricing

Fixed quotes after a discovery call. The price depends on scope and complexity, but you'll know the exact cost before work begins. No surprise charges.
There are no hidden charges. If additional work is needed beyond the original scope, I discuss it first and provide a separate quote. You won't receive unexpected invoices.
For larger engagements, milestone-based payments are available. Ongoing support is billed monthly.
Yes. I offer reduced rates for early-stage startups and registered non-profits. Every organization deserves good security regardless of budget.
04 Technical

I test REST, GraphQL, gRPC, and SOAP APIs, as well as web applications, mobile app backends, and microservices architectures.
A vulnerability scan is automated software checking for known issues such as outdated components and common misconfigurations. A penetration test is manual, creative testing by a security professional who thinks like an attacker. Pen tests find complex vulnerabilities, such as authorization and business logic flaws, that scanners miss.
Yes. I assess AWS, Azure, and GCP configurations including IAM policies, storage permissions, network security groups, and more.
I harden Linux distributions (Ubuntu, Debian, CentOS, RHEL, Alpine) and Windows Server, on both cloud VMs and on-premises systems.
05 Working Together

Yes, I specialize in small and medium-sized businesses. Unlike large consultancies, I provide direct, personalized service without enterprise pricing.
Most security work is done remotely. I'm UK-based and available for on-site visits when needed. Remote engagements work worldwide.
All engagements are covered by NDA. I never share client information, findings, or client names without explicit permission. Your sensitive information stays between us.
You receive a comprehensive report with findings and recommendations, plus a follow-up call to discuss results. Retesting is available to verify fixes. Many clients choose ongoing support for continuous improvement.

Still Have Questions?

Can't find what you're looking for? I'm happy to answer questions about your specific situation.