๐Ÿ“ London ยท Engagements UK & EU-wide

Four phases. No surprises.

Every engagement at ThePenz follows the same four phases: Discover, Diagnose, Deliver, Defend. What changes between engagements is the depth, the timeline and the deliverables, not the structure. The page below explains what happens in each phase, what you receive, and how we keep clients informed throughout.

i.
Phase one

Discover

Every engagement begins with a structured discovery phase. We resist the temptation to make recommendations before we've understood your reality; too many consultancies arrive on day one with a deck lightly rewritten from the previous client's. The Discover phase exists so we don't do that.

We run scoping workshops with the right people, not just the project sponsor: the senior practitioners who own the controls in scope, the engineers who actually maintain them, and where appropriate, members of the second-line risk function and internal audit. We build out a current-state asset and information inventory, identify the regulatory frameworks in play, and capture existing-control evidence.

Outputs of this phase form the bedrock of everything that follows. Get this wrong, and the rest of the engagement is reactive cleanup.

What's included

  • Stakeholder interviews
  • Asset & data inventory
  • Regulatory mapping
  • Existing-control review
  • Threat-actor profiling
  • Architecture walkthrough
  • Tooling inventory
  • Engagement charter
ii.
Phase two

Diagnose

With the Discover outputs in hand, we move to formal diagnosis: gap analysis against the relevant standards, threat modelling for the systems and services that warrant it, and the production of a quantified findings register.

Our gap analyses are fully traceable: every gap is attached to the specific clause or control it relates to (ISO/IEC 27001:2022 Annex A control 5.7, PCI DSS v4.0 requirement 8.3.6, and so on), so an auditor can follow each finding back to the requirement it fails. Findings are scored both on inherent severity (CVSS where it applies, our internal scoring otherwise) and on residual risk after compensating controls.

We deliver a remediation roadmap with named owners, estimated effort, dependencies and a recommended sequence, not just a list of issues. This is what makes Diagnose actionable.
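As an added illustration of the two ideas above (a findings register whose entries trace to a specific control and carry both an inherent and a residual score, and a roadmap whose sequence respects dependencies), here is a small Python model. It is not ThePenz tooling: the scoring model (CVSS base score or an internal 0-10 score as the inherent severity, a capped multiplicative reduction per compensating control) and the sample findings are assumptions constructed for this example. The one design choice worth noting is that a finding's place in the sequence is decided by the highest residual risk among itself and everything that depends on it, so a modest gap that blocks a serious fix is promoted rather than left at the back of the queue.

```python
"""Findings register with traceable control references, inherent vs residual
scoring, and a dependency-aware remediation sequence.

Added illustration, not ThePenz tooling. The scoring model (CVSS base score or
an internal 0-10 score as inherent severity; a capped multiplicative reduction
per compensating control) and the sample findings are assumptions constructed
for this example.
"""
from dataclasses import dataclass, field
from graphlib import CycleError, TopologicalSorter


@dataclass
class Finding:
    fid: str
    title: str
    control_ref: str                      # clause / control the gap traces to
    inherent: float                       # CVSS base score or internal 0-10 score
    owner: str = "unassigned"
    effort_days: float = 0.0
    compensating: dict = field(default_factory=dict)   # control -> reduction 0..1
    depends_on: list = field(default_factory=list)     # fids that must close first

    def residual(self) -> float:
        """Residual risk after compensating controls (assumed model):
        reductions combine multiplicatively, no single control may claim more
        than a 90% reduction, and the floor is 1.0 so a gap is never scored
        away entirely by compensating controls alone."""
        score = self.inherent
        for reduction in self.compensating.values():
            score *= 1.0 - min(max(reduction, 0.0), 0.9)
        return round(max(score, 1.0), 1)


def remediation_sequence(findings):
    """Order findings so every dependency closes before its dependants.

    Among findings that are ready at the same time, the one with the highest
    effective priority goes first, where effective priority is the residual
    of the finding itself or of anything that transitively depends on it,
    whichever is higher. Raises ValueError on a dangling reference or a
    dependency cycle.
    """
    by_id = {f.fid: f for f in findings}
    for f in findings:
        missing = [d for d in f.depends_on if d not in by_id]
        if missing:
            raise ValueError(f"{f.fid} depends on unknown finding(s): {missing}")

    ts = TopologicalSorter({f.fid: set(f.depends_on) for f in findings})
    try:
        ts.prepare()                      # detects cycles up front
    except CycleError as exc:
        raise ValueError(f"dependency cycle: {' -> '.join(exc.args[1])}") from exc

    dependants = {}                       # fid -> findings blocked by it
    for f in findings:
        for dep in f.depends_on:
            dependants.setdefault(dep, []).append(f.fid)

    memo = {}

    def priority(fid):
        if fid not in memo:
            memo[fid] = max([by_id[fid].residual()]
                            + [priority(d) for d in dependants.get(fid, [])])
        return memo[fid]

    order, ready = [], list(ts.get_ready())
    while ready:
        ready.sort(key=lambda fid: (-priority(fid), fid))
        fid = ready.pop(0)
        order.append(by_id[fid])
        ts.done(fid)
        ready.extend(ts.get_ready())      # dependants unblocked by this fix
    return order


SAMPLE_FINDINGS = [  # constructed sample data for the example, not client findings
    Finding("F-01", "No threat-intelligence feed is reviewed",
            "ISO/IEC 27001:2022 Annex A 5.7", inherent=5.0,
            owner="SecOps lead", effort_days=3),
    Finding("F-02", "Passwords shorter than 12 characters accepted on CDE systems",
            "PCI DSS v4.0 req 8.3.6", inherent=7.5, owner="IAM team", effort_days=5,
            compensating={"MFA enforced on all CDE access": 0.4}),
    Finding("F-03", "Shared 'admin' account on the jump host",
            "ISO/IEC 27001:2022 Annex A 5.16", inherent=8.8, owner="Platform",
            effort_days=2, compensating={"privileged session recording": 0.3},
            depends_on=["F-02"]),         # named accounts need the fixed policy first
    Finding("F-04", "Internal scanner does not cover the DMZ segment",
            "PCI DSS v4.0 req 11.3.1", inherent=6.1, owner="SecOps lead",
            effort_days=1, depends_on=["F-05"]),
    Finding("F-05", "Asset inventory missing DMZ hosts",
            "ISO/IEC 27001:2022 Annex A 5.9", inherent=6.5, owner="Platform",
            effort_days=4),
]

if __name__ == "__main__":
    print(f"{'seq':<4}{'id':<6}{'inh':>5}{'res':>5}  {'owner':<12}{'days':>5}  control")
    for n, f in enumerate(remediation_sequence(SAMPLE_FINDINGS), 1):
        print(f"{n:<4}{f.fid:<6}{f.inherent:>5}{f.residual():>5}  "
              f"{f.owner:<12}{f.effort_days:>5}  {f.control_ref}")
```

Run as a script it prints the roadmap in recommended order. With the sample data the sequence is F-05, F-02, F-03, F-04, F-01: the inventory gap goes first because it blocks the scanner fix, and the password-policy gap (residual 4.5 on its own) is pulled ahead of the unblocked threat-intel gap because it holds up the 6.2-residual shared-account fix.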

What's included

  • Control gap analysis
  • STRIDE / PASTA modelling
  • Quantified findings
  • Remediation roadmap
  • Dependency mapping
  • Effort estimation
  • Risk treatment options
  • Audit committee briefing
iii.
Phase three

Deliver

Deliver is where most consultancies become invisible: billing happens but artefacts don't appear. Not us. The Deliver phase is run on a published cadence with weekly checkpoints and a visible project board.

Deliverables include policies and procedures (signed, approved, version-controlled), control implementation work (often hands-on configuration of identity, endpoint and network controls), scanner and tooling deployment, training rollouts, and the evidence packs needed for downstream audits.

We work alongside your team, transferring knowledge throughout. Our explicit goal is that your team can run the new controls without us once Deliver concludes.

What's included

  • Policies & procedures
  • Control implementation
  • Programme management
  • Audit-ready evidence
  • Training rollout
  • Tool deployment
  • Tabletop exercises
  • Handover documentation
iv.
Phase four

Defend

The Defend phase is the optional ongoing operating layer. Most clients engage Defend as a structured retainer covering continuous monitoring, scheduled assurance activities (vulnerability scans, simulated phishing, control sampling), and quarterly reviews with a board-grade reporting pack.

Defend exists because compliance is not a project; it is a posture. The threat environment changes. Regulations change. Your business changes. We provide the connective tissue that keeps the security programme aligned to all three.

Defend retainers are sized to the firm. Smaller mutuals might engage at one or two days a month. Larger fintechs operate Defend across a multi-disciplinary team with dedicated programme management.

What's included

  • Continuous monitoring
  • Quarterly reviews
  • Board reporting
  • Annual recertification
  • Threat-intel integration
  • Incident-response on call
  • Regulatory horizon scanning
  • Maturity uplift roadmap

Want to see the methodology in action?

Most clients start with a paid Discover-phase engagement to see the methodology applied to their specific situation. Two to three weeks. Fixed fee. No commitment to follow-on phases.