What we do
We organise client relationships around how the work is going to be done, not around a fixed service catalogue. This page describes the shape of the engagements we run — the structures clients move through depending on what they need, when they need it, and how the relationship grows.
The point of having multiple engagement shapes is that the same client rarely needs the same thing forever. A relationship often starts with a specific project or a defined advisory question, grows into ongoing operational work, and eventually settles into a steady managed-services arrangement with project work flowing through it. The engagement shape adjusts; the practice underneath stays the same.
Why this matters
Most providers in this market lock clients into a single commercial structure — a fixed monthly contract, a service tier, a per-seat licence — and shape the work to fit the contract. We do the work the other way around. The engagement shape follows what the work actually is. If a client needs a defined project with a defined deliverable, that is what they get. If they need ongoing operational support with no defined endpoint, that is what they get. If they need both at once, the structure accommodates that.
This is not flexibility for its own sake. It is the recognition that information security work, operational work, and advisory work do not all have the same shape — and pretending they do produces engagement structures that frustrate everyone.
The shapes engagements take
There are roughly three shapes our work runs through. Most relationships involve more than one, sometimes simultaneously.
Managed services arrangements
For ongoing work — operational responsibility, monitoring, continuity, ISMS operation, the disciplines that have to run continuously — the engagement is structured as a managed-services arrangement.
The shape varies. Some clients prefer a defined block of hours per period — predictable, capped, with a clear understanding of what is included and what is additional. Others prefer a monthly retainer — broader scope, fewer commercial conversations during the work itself, designed for clients where the operational footprint is large enough that hourly accounting becomes its own overhead. Others sit somewhere between, with a defined retainer scope plus block hours for the work that falls outside it.
The right shape depends on what is being managed, how much variability there is, and how the client wants to think about the commercial relationship. We work this through with clients up front and adjust as the relationship matures.
Project engagements
For work with a defined scope and a defined endpoint — a deployment, a migration, an ISMS implementation, a continuity remediation, a specific advisory deliverable — the engagement is structured as a project.
Project engagements have agreed scope, agreed deliverables, agreed timelines, and agreed costs. They start, they run, they end. They are the right shape for work where the boundaries can be drawn cleanly and the client wants to know what they are committing to before the work begins.
Project engagements often run alongside managed-services arrangements rather than replacing them. A client on an ongoing operational retainer may run a discrete project for a specific deployment without disturbing the underlying relationship.
Advisory engagements
For work that is fundamentally about thinking and recommending rather than building or operating, the engagement is structured around the question being answered rather than around the time it takes.
Advisory engagements vary in shape — a few days for a focused decision, several weeks for a roadmap, an ongoing cadence for clients who want a steady security-led perspective on decisions as they arise. The defining feature is that the work is the recommendation, not the implementation. Where advisory work surfaces implementation needs, those flow into project engagements or managed-services work as appropriate.
How relationships typically evolve
Most of our long-term relationships did not start as long-term relationships. A few common patterns:
A client engages us for a specific advisory question — a regulatory analysis, an architecture review, a vendor evaluation. The advisory work goes well; the client is comfortable with how we operate; an implementation engagement follows; ongoing operational work follows that. The relationship grows because each stage proves out the next.
A client engages us for a defined project — an ISMS implementation, a network refresh, a continuity remediation. The project completes successfully. The client recognises that the operational disciplines we apply during the project are valuable on an ongoing basis, and the relationship transitions into managed-services work.
A client engages us for managed-services work because they have outgrown an existing arrangement. The relationship is the operational core, with project work and advisory questions flowing through it as the business changes.
There is no canonical path. Clients enter the relationship where their immediate need is, and the engagement shape adjusts as the relationship matures.
How we think about commercial terms
Commercial terms are agreed in conversation, not selected from a price list. The reason is that the right commercial structure depends on the work being done, the duration, the scope variability, and the client’s own preference for how they want to think about the relationship.
We discuss this up front. By the time an engagement starts, the client knows what they are paying, on what schedule, with what review points. If the engagement evolves and the commercial shape needs to adjust, we have the conversation rather than allowing drift.
A few practical points worth knowing:
We do not commit clients to terms longer than the work justifies. Where vendor or licensing agreements impose specific term lengths — common in some software and connectivity arrangements — we explain those clearly and they form part of the engagement design conversation.
Most managed-services arrangements are documented as twelve-month agreements, which gives both sides a stable basis to plan operations. Where there are no linked services with their own term constraints, we will negotiate early-exit arrangements case by case — relationships should not be held together by contract length when the work itself is not serving the client.
Our time tracking and costing is honest. Where block-hour arrangements are in place, the hours are committed up front and used during the agreed period; this is the trade-off that makes block hours economically sensible for both sides. Where engagements run on time-and-materials or advisory terms, you pay for the time the work actually takes.
Who this is for
The engagement shapes work for organisations at very different stages of the relationship.
For first-time clients, advisory and project engagements give a defined entry point — a specific question or a specific deliverable, with clear boundaries. The relationship can grow from there, or not, depending on whether it serves both sides.
For clients with ongoing operational needs, managed-services arrangements give the continuity that the work actually requires. Operations, monitoring, ISMS, and continuity work are all things that have to keep happening, and an engagement shape designed for ongoing work serves them better than a series of discrete projects.
For clients with mixed needs — some ongoing work, some project work, some advisory questions — the structures combine. This is the most common shape for mature client relationships.
It works less well for organisations looking for the cheapest hourly rate without an underlying relationship. The engagement shapes assume that the work has substance behind it; transactional break-fix arrangements are not what we do well.
A few honest things to know
Engagement design takes a conversation. We do not have a self-service signup page, and we are unlikely to build one. The reason is that the right engagement shape depends on the work, and the work needs to be understood before the structure is committed to. A conversation that takes thirty minutes up front saves weeks of mismatched expectations later.
We adjust as relationships mature. The right engagement shape at the start of a relationship is rarely the right shape three years in. We have review conversations as relationships grow. Sometimes the shape stays the same; sometimes it tightens; sometimes it expands. The discipline is to keep the structure aligned with the work rather than letting it drift.
Want to talk?
The fastest way to start is a conversation. Tell us what you are trying to do, the rough shape and timeline of it, and any constraints we should know about up front. We will read it carefully and reply with what we think the right engagement shape would look like for your situation — and a sense of what working together would actually involve.
Engagement design is not something we do over email. The conversation matters, and a thirty-minute call is usually enough to understand what you need and to schedule a more detailed discussion if it makes sense to take it further. If you would like to set up that first call, send a message and we will arrange it.