Every Gattica engagement follows a structured four-phase process — from initial scoping through formal delivery. The same framework applies whether the engagement is remote-only or includes managed on-site field work.
Every engagement begins with a structured scoping call or written intake process. We agree the assessment objectives, define the scope boundary, and specify exactly what documentation and data we need from the client.
This phase eliminates ambiguity before work begins — scope creep and vague deliverables are common failure modes in security assessments. We fix both upfront.
This is the core analytical phase. For remote engagements, we conduct a structured review of all client-provided documentation, applying threat modelling, vulnerability identification, and control effectiveness assessment frameworks.
For on-site engagements, field operatives conduct the physical inspection in parallel with the desktop analysis, using Gattica's standardised data collection framework. All field findings are submitted to Gattica for QC review before entering the assessment.
Findings are consolidated into a formal report with a structured risk register, prioritised findings, and actionable remediation recommendations. Every recommendation is linked to a specific identified risk — we don't make generic security suggestions.
A draft is prepared and reviewed internally before any client delivery. The final report is formally signed off by the Gattica principal — establishing professional accountability for the findings.
The final signed report is delivered digitally. An optional debrief session is available for clients who want to walk through findings with the Gattica team — particularly useful when presenting to boards, regulators, or insurers.
Six commitments that shape every Gattica engagement — regardless of scope or sector.
We have no commercial relationship with security vendors or contractors. Our findings are not influenced by remediation sales. You get the true picture.
Every report is reviewed and formally signed off by a qualified security risk professional. No report leaves without accountability attached.
We scope to what the risk actually warrants — not the maximum billable hours. Engagements are sized to the threat environment and the asset.
Every finding references specific evidence. Every recommendation is linked to a specific risk. We don't trade in vague concerns or vendor-influenced opinion.
Scope is agreed before work starts. Delivery timelines are committed to and met. We don't run open-ended engagements.
All client information, site data, and findings are handled with professional confidentiality. Reports are never shared without explicit client authorisation.
Report format and timeline vary by engagement scope, but these are the defaults for standard engagements. Complex or multi-site assessments are scoped individually.
All reports are delivered in PDF format with a signed cover page. Source data is retained by Gattica for 12 months post-delivery.