Operator-curated artefacts.
Available on request.
Templates, checklists, and sample deliverables we share with prospective clients. Each item is delivered manually after a short request — no public download links, because most of these resources include real (anonymised) client artefacts that ship under NDA.
We do not host these as public downloads.
Two reasons. First, the most useful resources here — the sample VAPT report, the cloud scope template — are derived from real engagement work. They are anonymised, but the structural choices, the phrasing, the way evidence is presented, all reflect work done for paying clients. We share them under a brief mutual NDA out of respect for those engagements.
Second, request-based delivery means we know who is using them. A short reply email costs almost nothing and means we can flag updates, point you at a more relevant document, or recommend a scoping conversation if your situation has moved past the template.
Every card below links to /contact?ref=resources — that lets us route the request directly to the operator who owns the artefact.
Templates, checklists, and sample deliverables.
Pentest RFP Template
PDF
A working RFP a security lead can copy into procurement on Monday morning. Twelve sections covering scope, methodology, deliverables, retest, insurance, and a weighted vendor evaluation matrix — including the five questions a weak vendor will never answer well.
Best for
Security leads and procurement teams sourcing an external pentest vendor.
CISO Board Deck Template
PPTX / PDF
A 12-slide board deck built around the questions audit committees actually ask — not the metrics a dashboard happens to surface. Speaker notes on every slide and a one-slide decisions-requested close so the minutes capture what the board approved.
Best for
CISOs and security directors reporting to a board or audit committee.
SOC 2 Readiness Checklist (60 items)
PDF + CSV
Sixty checklist items grouped across CC1-CC9 plus the Availability and Confidentiality criteria. Each item names the evidence artefact your auditor will ask for — not what you should have a policy for. CSV imports directly into Drata / Vanta / Secureframe.
Best for
Security engineers, compliance leads, and CISOs preparing for SOC 2 Type II.
Red Team Rules of Engagement Template
PDF + DOCX
A drop-in ROE for adversary simulation. Twelve sections covering authorisation, objectives, allowed and prohibited TTPs, deconfliction, escalation triggers, and the get-out-of-jail letter. Aligned to TIBER-EU and CREST STAR conventions.
Best for
CISOs, red team leads, and internal counsel authorising adversary simulation work.
Vulnerability Disclosure Policy Template
PDF + Markdown
A complete VDP your legal team will sign and your security team can operate. Safe-harbour clause, response SLAs, severity rubric, and an RFC 9116-aligned /.well-known/security.txt sample. Aligned to ISO 29147 and CISA BOD 20-01 conventions.
Best for
CISOs, security engineers, and counsel standing up a vulnerability disclosure programme.
Anonymised Sample VAPT Report
PDF
A real engagement deliverable, redacted of client identity, hostnames, and proprietary indicators. Includes the executive summary, three full technical findings, the compliance crosswalk, and the retest closure section. Ships under a short mutual NDA.
Best for
Security leads evaluating vendors. Procurement teams writing comparable RFPs.
Case Study — Government VAPT
PDF
Anonymised case study covering a multi-month VAPT engagement spanning 200+ servers and 40+ applications across a mixed government estate. Documents methodology, tooling, representative findings, and the ~40% exposure reduction measured at retest.
Best for
Public-sector security leads scoping multi-month VAPT programmes.
Case Study — Shipping & Logistics
PDF
Anonymised case study from a global shipping & logistics group: rolling, multi-quarter VAPT covering 2000+ servers and 65+ applications. Wave-based scoping, AD attack-path enumeration, and a measured ~80% organisational risk reduction.
Best for
Enterprise CISOs running multi-quarter VAPT programmes across regional estates.
Case Study — MENA Banking VAPT
PDF
Anonymised case study from a regulated MENA banking institution: comprehensive VAPT covering 1000+ servers, 100+ applications, mobile banking apps, and a sizeable AD forest. Two-track reporting aligned to regional cyber-resilience guidance.
Best for
BFSI security and compliance leads preparing for regulatory cyber-resilience submissions.
Mutual NDA Template
DOCX
Two-page mutual non-disclosure agreement covering pre-engagement scoping conversations and shared sample artefacts. Drafted under Indian contract law, with optional jurisdiction overrides for US, UK, Singapore, and UAE counterparties.
Best for
Counsels who would rather not negotiate from scratch.
VAPT Scoping Checklist
CSV / Markdown
Everything we ask for in a scoping call, structured so your team can answer asynchronously before the call even happens. Covers asset inventory, authentication paths, third-party dependencies, exclusions, testing windows, and escalation contacts.
Best for
Engineering leads preparing for their first external pentest. Repeat buyers who want to compress the scoping conversation to 20 minutes.
DPDP Act 2023 Compliance Crosswalk
CSV
Section-by-section mapping of India's Digital Personal Data Protection Act 2023 to common security controls and the relevant CWE / OWASP categories that surface during testing. Useful for security and DPO collaboration ahead of an engagement.
Best for
DPOs at Indian SaaS, fintech, healthtech, and ed-tech companies. CISOs aligning their existing SOC 2 / ISO programme with DPDP obligations.
SOC 2 Readiness Checklist
Markdown
A pragmatic readiness checklist for SOC 2 Type I and Type II — focused on the technical control areas where pentesting and vulnerability management evidence directly satisfies CC6 / CC7 control activities. Not a substitute for an auditor, but it stops you walking into Stage 1 cold.
Best for
Series A and B SaaS preparing for first SOC 2. Security engineers gathering evidence before the auditor walkthrough.
Cloud (AWS) Pentest Scope Template
CSV
Pre-built scope template for AWS-hosted environments. Covers account inventory, IAM boundary documentation, in-scope vs. out-of-scope services, regions, IMDSv2 configuration baseline, and the formal AWS customer support pentest notification language.
Best for
Platform engineers running cloud-only environments. CTOs who do not want to forget the AWS notification step.
No drip campaigns. No sales sequence.
Requests are read by the operator who owns the artefact, not by a marketing system. For documents that ship under NDA (the sample report and the cloud scope template), we send the NDA template first; once it is countersigned, the resource lands in your inbox the same business day. For the open templates (the scoping checklist, the SOC 2 checklist, the DPDP crosswalk), we ship immediately — no NDA required.
You will not be added to a mailing list. We will not auto-enrol you in a webinar. If we have follow-up questions about your situation we will ask in a single email — and only if it looks like the artefact you requested might not be the best fit for what you are actually trying to do.
If you would rather skip the artefact request and have a direct conversation about your scoping problem, the contact form routes the same way and a 30-minute scoping call is free.
Need something not listed?
Our operators have written internal tooling, scoping aids, and reporting templates well beyond the six artefacts published here. If you have a specific need — a regulator-facing template, a sector-specific scope, an evidence pack for a particular control — ask. The answer is usually yes.