From first conversation to retest: one narrative

Commercial and operational phases visible to buyers and technical teams. Each card summarizes the phase; detail expands activity, roles, and what unlocks next.

Engagement structure

Three blocks connect commercial, technical, and closure. Depth in each phase depends on the engagement type and the signed scope.

Phases 1–2

Pre-contract

Briefing, objective alignment, and written scope. No invasive testing without a signed SOW.

Phases 3–6

Technical execution

Kickoff, reconnaissance, controlled exploitation, and reporting. Single escalation point and traceability.

Phases 7–8

Post-report

Remediation on your side, focused retest, and documented closure of residual risk.

Phase 1

Approach and briefing

Initial alignment and go/no-go criteria.

Fortress Offensive Security and client

Activity
Discovery call; objective alignment (compliance, release, due diligence).
Roles and frame
Fortress Offensive Security and client — no technical commitment until a written agreement.
Unlocks
Decision to proceed to a scope sheet or a formal proposal request.

Phase 2

Scope, NDA, and SOW

Closed scope and legal frame.

Legal and technical counterparts

Activity
In-scope assets, technique exclusions, windows, contacts, and escalation rules.
Roles and frame
Signed NDA and SOW; explicit exclusion of techniques and surfaces.
Unlocks
Signed NDA and SOW; no invasive testing without documentation.

Phase 3

Operational kickoff

Traceable operational go-live.

Technical lead + your team

Activity
Communication channels, on-call coverage, environments, test credentials, and detailed schedule.
Roles and frame
Fortress Offensive Security technical lead and your designated operational counterpart.
Unlocks
Start of technical work with traceability and a single escalation point.

Phase 4

Reconnaissance

Agreed surface and prioritization.

Fortress Offensive Security operators

Activity
Map the agreed surface; preliminary findings handled under controlled disclosure.
Roles and frame
Operators under engagement rules and contractual windows.
Unlocks
Vector prioritization; renegotiation if materially new surface appears.

Phase 5

Exploitation and validation

Evidence and business-aligned severity.

Fortress Offensive Security operators

Activity
Controlled testing, chaining where applicable, and business-impact validation.
Roles and frame
Operators with reproducible logs and shared severity criteria.
Unlocks
Reproducible evidence and severity aligned to your context.

Phase 6

Report and readout

Technical report and stakeholder readout.

Fortress Offensive Security + your leadership / engineering

Activity
Technical report + executive summary; optional stakeholder readout session. Language and document structure per the SOW.
Roles and frame
Formal delivery and agreed channel for remediation questions.
Unlocks
Prioritized remediation list and agreements for a next cycle if applicable.

Phase 7

Remediation on your side

Fixes in your perimeter and controls.

Your engineering and security teams

Activity
Patches, configuration changes, and compensating controls per your capacity.
Roles and frame
Your organization implements changes; Fortress Offensive Security available for scoped clarifications.
Unlocks
Stable environment for retest or formal finding closure.

Phase 8

Retest and closure

Focused verification and documented closure.

Fortress Offensive Security (retest) and both parties (closure)

Activity
Focused verification of fixes within the contractual window; closure report.
Roles and frame
Retest scoped to the contract; sign-off or closure memo if applicable.
Unlocks
Final finding status and lessons learned for residual risk.

Methodology in the console

Each phase leaves verifiable traceability

Pick a lifecycle phase: the console shows a fictional gate aligned with how we document scope, evidence, and closure — not a substitute for the SOW or formal report.

What stays clear for procurement and operations

  • One thread across sales, legal, and technical execution.
  • No invasive testing before NDA and SOW are signed.
  • Reproducible evidence and aligned severity before the readout.

lifecycle-gate — simulation

fortress@engagement:~$ ./gate phase_01
stakeholders_aligned=true · objectives captured
PASS intake_complete
unlock: scope_questionnaire → commercial review