Services / Three disciplines

Three disciplines, practiced as one.

Overview

We work across three closely-related practices: building software, securing it, and helping the people who’ll maintain it after we’re gone. Most engagements draw on more than one. They are not separate lines of business — they are aspects of the same craft, separated here for the sake of explanation.

§ 01

Build

Production software for serious work.

We build the systems clients depend on. Web applications, internal tools, platform engineering, integrations between systems that weren’t designed to talk to each other, and the unglamorous infrastructure that lets the visible parts of a product feel polished.

We’re most useful to organisations where software failure has consequences. Financial services, fintechs, regulated industries, and companies whose internal tools are doing more work than the team realizes.

Typical engagements

  • Greenfield product development for a new line of business
  • Re-platforming an aging system without a full rewrite
  • Building internal tooling that scales beyond what a no-code stack can handle
  • Augmenting an existing engineering team for a specific project

Stack

TypeScript, Python, Go, and Rust where appropriate. Cloud-agnostic with strong defaults on AWS and GCP. We’re skeptical of architectural fashion and biased toward boring, proven choices.

§ 02

Secure

Security as a starting condition, not a final check.

Most security incidents we’ve seen up close were not caused by exotic attacks. They were caused by ordinary engineering decisions made without security in mind, and discovered too late. The cheapest place to fix a security issue is in the design conversation; the most expensive is in production.

We build with security as a starting condition rather than a final check. For systems we didn’t build, we offer review and hardening — finding the assumptions worth questioning before someone else does.

Typical engagements

  • Threat modelling and security review during product design
  • Code review and architectural audit of existing systems
  • Hardening of authentication, data handling, and infrastructure
  • Aligning practices to OWASP, NIST, PCI, GDPR, or NDPR requirements

A note on scope

We are not penetration testers. For active red-teaming we’ll point you to specialists we trust. What we do is the upstream work that makes the pen-test results boring — which is the only kind of pen-test result you want.

§ 03

Train

Sharing what a decade inside the work has taught us.

Some of our most useful engagements aren’t engineering work at all — they’re sitting with another team’s engineers and walking through how we think about a particular problem. Code review at scale. Architectural decision-making. The differences between systems that handle their first 10x and systems that don’t.

We offer this as a separate practice for teams that want to level up but don’t need a long-term consulting relationship.

Typical engagements

  • Multi-day workshops on secure-by-default engineering
  • Architectural review and mentoring for senior engineers
  • Code review practices and team standards-setting
  • One-off advisory for technical leaders facing a specific decision

Format

We work in person and remotely. Most engagements run between half a day and three days.

Not sure which fits?

Most of our best engagements started with a conversation rather than a brief.

If you’re not sure which of these maps to what you need, write us a few sentences and we’ll tell you honestly whether we’re the right team — and if we’re not, who we’d recommend instead.

Start a conversation