Oakstone Security Group

An official website of Oakstone Security Group

Methodology

Introduction

Security work is only as valuable as the process behind it. This page explains how Oakstone Security Group approaches every engagement, from initial scoping through final delivery, and outlines the commitments we make to every client we work with.

We believe that transparency about how we operate is part of earning your trust. If you have questions that are not answered here, take a look at our FAQ or contact us.

What We Strive For

We set a high bar for ourselves. Our goal is to find what matters, communicate it clearly, and leave every client better positioned than when we started. That means being thorough without being noisy, honest without being alarmist, and precise in everything we report.

We follow industry-recognised methodologies including OWASP, the Penetration Testing Execution Standard (PTES), and NIST where applicable. Every finding is verified manually before it appears in a report. We do not pad engagements with low-quality automated output.

We also recognise that not every client is a corporate entity. For individuals and families, we apply the same rigour and precision, adapted to a personal context. The standard of care does not change based on the size of the engagement.

When Incidents Occur

If, in the course of an authorised engagement, we identify evidence of an active compromise or ongoing attack by a third party, we will pause our work and notify the client immediately. We will never knowingly allow a known threat to go unreported.

All testing is conducted strictly within the agreed scope and rules of engagement. Any deviation from that scope requires written authorisation from the client before work continues. We document our activities throughout every engagement, so there is always a clear record of what was tested, when, and how.

Errors and Omissions

Penetration testing is a professional assessment conducted within a defined scope, timeframe, and set of conditions. It is not a guarantee that a system contains no vulnerabilities. We make every effort to be thorough and accurate, but no test is exhaustive.

Our reports reflect findings identified during the engagement period. Conditions change, and vulnerabilities that emerge after an assessment closes may not have been present or detectable at the time of testing. We stand behind the quality of our work, and we encourage clients to treat penetration testing as a regular practice rather than a single event. You can view our full range of services and pricing or get in touch to discuss ongoing options.

If a client believes a finding was materially incorrect, we will review it. We are committed to getting it right.

Pricing Transparency

Our hourly rate covers professional time only. Materials, equipment, travel, and any third-party costs associated with an engagement are not included in the hourly billing rate and will always be itemised separately in the statement of work before any engagement begins.

We will never bill for costs that were not agreed to in writing upfront. If circumstances change during an engagement and additional expenditure is required, we will come to you first. No materials will be purchased, no travel booked, and no equipment sourced without explicit client authorisation. If you do not approve it, we do not spend it.

We believe that financial surprises have no place in a trust-based relationship. The statement of work exists to protect both parties, and we take it seriously. To discuss scope and costs for your engagement, contact us.

Working With Individuals

Corporate engagements follow predictable rhythms. Personal ones often do not. If you are an individual or family working with us, you may find that concerns arise outside of normal business hours. That is expected, and it is something we plan for.

We make a genuine effort to be available to our individual clients when it matters. That means answering calls in the evening, responding to messages on weekends, and being present when a situation requires it. We are not a helpdesk and we cannot promise instant availability around the clock, but we will always do our best to be there when you need us.

Our goal is to feel less like a vendor and more like a trusted advisor you can call. If something does not feel right, call us.

Confidentiality

We do not advertise our clients. We do not discuss who we work with, what we find, or the nature of any engagement with anyone outside of the client relationship. This applies without exception.

Every engagement is governed by a mutual non-disclosure agreement. We do not retain client data beyond what is required for delivery, and all sensitive materials are handled in line with agreed data handling protocols. If you have specific requirements around data retention or destruction, we will accommodate them.

Our discretion is not a selling point. It is simply how we work.

Version

Status | Month and Day | Year
Approved | April 28th | 2025
Published | May 1st | 2025

© 2025 - 2026 Oakstone Security Group All Rights Reserved.