FAQs

What does CM-SEC actually do?
CM-SEC performs real-world security assessments that validate whether controls work under realistic conditions. We focus on practical risk validation, evidence-backed reporting, and remediation guidance that leadership and technical teams can act on.

Do you travel outside of San Diego?
Occasionally, but our focus is local. CM-SEC primarily serves clients in and around San Diego, California. Travel outside the area may be considered in limited cases when the engagement scope and requirements justify it, and is always discussed and approved during scoping in advance.

Are you an auditor or compliance certifier?
No. CM-SEC does not certify compliance and does not provide legal opinions. We perform testing and provide documentation that supports audit and compliance programs. Final compliance determinations remain with your organization and your auditor.

What industries do you work with?
We support organizations that care about real-world attack paths and evidence-based results—especially teams that need clear reporting, safe execution, and audit-friendly documentation. If you’re regulated or have customer security requirements, we can tailor deliverables to match those expectations.

Do you sign NDAs?
Yes. NDAs are common. We can sign your NDA, or provide ours, depending on your preference.

Do you carry insurance?
Yes, we can provide proof of insurance (COI) upon request, depending on the engagement and your vendor requirements.


Engagement Basics

How does an engagement typically work?
Most engagements follow a predictable flow: discovery/scoping → authorization/ROE (where required) → testing window → reporting → debrief + remediation plan. The exact steps depend on service type and site/business constraints.

What is scoping and why does it matter?
Scope defines what’s in and out: sites, teams, time windows, constraints, and approved methods. Good scope prevents surprises, protects your operations, and makes results defensible for leadership and auditors.

Do you offer OSINT as a standalone service?
No. Open-source intelligence activities are performed only when explicitly authorized and scoped in support of a physical security or red team assessment. OSINT is used to inform realistic attack paths, validate exposure, and strengthen findings—it is not offered as an independent service.

Do you test everything or just what we choose?
We test what is explicitly authorized and scoped. You can include or exclude buildings, departments, user groups, time windows, and specific areas based on sensitivity and business risk.

Why would an organization choose destructive testing?
Some risks can only be confirmed by proving whether a barrier truly prevents entry—or only delays it. Destructive testing may be authorized to evaluate worst-case scenarios, support funding decisions for physical upgrades, or provide leadership with clear, evidence-based justification when non-destructive methods don’t fully demonstrate the real impact.

What are “Rules of Engagement (ROE)” and why do they matter?
ROE are the written guardrails for testing—what’s allowed, what’s prohibited, safety constraints, escalation/stop procedures, and verification methods. ROE are especially important for physical engagements.

What are “stop conditions”?
Stop conditions are pre-agreed situations where testing pauses or stops immediately (e.g., safety concerns, business disruption risk, unexpected sensitive activity, or a client-requested pause).

Who needs to approve an engagement internally?
Often: security leadership, IT, legal, facilities (physical), and sometimes the business owner of the impacted systems or sites. We’ll help you identify stakeholders during scoping to avoid last-minute blocks.

Can you align to our business hours, blackout windows, and deadlines?
Yes. We can plan around business constraints: customer visits, on-call rotations, sensitive events, end-of-quarter close, and audit deadlines.

How long do engagements take?
Timeframes vary by scope and complexity. Most engagements involve a defined test window plus reporting time. If you have an audit deadline, we can align deliverables and milestones to it.


What We Do vs What We Don’t

What does CM-SEC do?
We scope to relevant sites/systems/users and document boundaries, perform testing and risk validation, provide reports/remediation/evidence packages, provide completion/attestation letters when requested, and offer retesting to validate remediation.

What doesn’t CM-SEC do?
We don’t provide legal opinions. We don’t guarantee compliance outcomes. We don’t operate outside written authorization or agreed scope.


Audit & Compliance Support

How does CM-SEC support audit readiness?
We produce evidence-backed deliverables that auditors and customer risk teams can review: clear scope, methods, findings, evidence references, and remediation steps. We can also provide an audit-friendly “artifact trail” and optional retest validation.

Do you map findings to a framework (ISO/NIST/SOC 2/etc.)?
Yes—when requested. We can structure reporting language and organize findings to align with your target framework or auditor expectations, including scope/boundary statements and control references where appropriate.

Can you tailor the report to our auditor’s format?
Yes. If your auditor or customer risk team has required language, structure, or evidence expectations, we can align deliverables during scoping.

Can you work directly with our auditor or customer risk team?
Yes. We can support reasonable Q&A sessions to clarify scope, methods, boundaries, and deliverables so third parties can review efficiently.

What engagement artifacts do you provide (audit trail)?
As applicable to scope: Proposal / SOW, signed authorization and ROE (where required), high-level test plan/schedule (as applicable), final report (executive + technical), sanitized evidence package (as appropriate), prioritized remediation plan, debrief/readout summary, optional retest summary, and optional attestation/completion letter.

What is an attestation/completion letter?
It’s an audit evidence document on letterhead confirming services performed, dates, high-level scope boundaries (in/out), and deliverables issued (report version/date, remediation plan, retest summary if applicable). It confirms work performed—not compliance certification.


Deliverables & Reporting

What makes your deliverables “audit-ready”?
Clear scope/boundaries, defensible testing narrative, severity ratings, evidence references, attack paths where relevant, and remediation guidance that can be tracked to closure.

Do you provide executive-friendly reporting?
Yes. We provide an executive summary with risk in plain language, a prioritized remediation roadmap, and a business impact narrative.

Do you provide technical detail for engineering teams?
Yes. Findings include severity, evidence references, and clear reproduction/validation notes so teams can confirm issues and verify fixes.

How do you rate severity?
Severity reflects realistic impact and likelihood: what an attacker could achieve, how repeatable it is, and what business consequences follow. We prioritize findings so teams can focus on what reduces risk fastest.

Do you include screenshots/photos as evidence?
When appropriate and permitted. Evidence is included to support findings, but we avoid unnecessary exposure of sensitive information and can sanitize/redact evidence.

Can you split deliverables (exec report vs technical appendix)?
Yes. We can provide a leadership-facing report and a separate technical appendix. We can also provide a restricted evidence addendum if needed.

Can you present findings live?
Yes. We typically provide a debrief/readout to walk through the results, answer questions, and align on remediation priorities.
Do you provide remediation plans?
Yes. We provide fix guidance and prioritization. The goal is practical remediation that can be executed and verified.
Do you help verify fixes?
Yes. Retesting is available to validate remediation and provide a retest summary suitable for audit files.


Evidence Handling & Sensitive Information

How do you handle sensitive findings?
We apply least-privilege handling and need-to-know distribution. We document enough detail to remediate without unnecessarily increasing exposure. For exceptionally sensitive issues, we can restrict distribution and cover certain details live.

What is your redaction/sanitization approach?
We redact or sanitize sensitive details when it reduces risk without reducing usefulness—masking personal data, internal identifiers, or unnecessary sensitive context—while preserving enough proof for remediation and audit review.

What is your photo handling policy (physical testing)?
Photos are taken only where permitted and are “minimum necessary.” We avoid capturing faces, badges, screens, personal documents, and confidential whiteboards when possible. If photography is restricted, we use alternative evidence methods and document constraints.

How do you secure engagement data?
Engagement data is treated as sensitive: encrypted storage at rest, secure transfer in transit, access-restricted handling, and data minimization.

What is your data retention policy?
Retention is defined in the SOW (shorter/longer options available by request). By default, encrypted engagement data is retained only as long as needed to support reporting, debrief, and any agreed retest window, then securely deleted. Deletion confirmation can be provided upon request.

Who receives reports and how is distribution controlled?
You define the distribution list. We can support restricted distribution (executive-only, security-only, role-based) and split deliverables as needed.


Safety, Authorization, and Professional Conduct

How do you ensure testing is authorized?
We operate only under written authorization and agreed scope. For engagements that require it (especially physical) we use ROE to document guardrails, methods, escalation paths, and stop conditions.

How do you keep testing safe and non-disruptive?
We plan around your business constraints, define safety constraints and stop conditions, and coordinate with designated points of contact for real-time deconfliction if something unexpected occurs.

What happens if you find something critical mid-test?
We follow the escalation path defined during scoping and notify the designated point of contact promptly. We focus on practical next steps to reduce risk quickly, then document the finding in the final deliverables.


Scheduling & What We Need From You

What do you need from us to get started?
Typically: scope boundaries (what’s in/out), constraints (hours/blackouts/no disruption rules), stakeholder approvals, preferred reporting format, deadlines, and a point of contact for scheduling and escalation.

Can you work around an audit deadline?
Yes. Share the audit date and required deliverables, and we’ll propose a scope and timeline that fits.

Can you do recurring assessments?
Yes. Many organizations run assessments on a recurring cadence (quarterly, semiannual, or annual) to measure improvement and maintain evidence for audit and risk management.


Pricing & Commercial

Do you provide fixed-fee pricing?
Often, yes. After scoping, we can provide a fixed-fee proposal tied to clear boundaries so there are no surprises.

Can you start small?
Yes. A scoped “baseline” engagement is often the fastest way to build evidence, find the big risks, and then expand intelligently.