As a penetration testing firm, Iterasec possesses deep expertise in how organizations are compromised. We apply that same expertise to the design and operation of our own security program — ensuring that the standards we uphold internally reflect the rigor our clients expect from a trusted security partner.

Our information security management system reflects the operational security standards expected of a firm whose core business is offensive security. We don’t simply meet compliance benchmarks such as ISO 27001 — we engineer our controls to withstand the same adversarial techniques we employ on behalf of our clients.

For inquiries regarding our security practices, please contact us.

All Iterasec accounts are managed through Google Workspace with enforced multi-factor authentication, centralized identity governance, and strict access control policies. Administrative and privileged accounts require hardware security tokens (FIDO2/WebAuthn) as a mandatory second factor — SMS and TOTP-based methods are not permitted for these roles. Access is granted on a least-privilege basis across all systems, with periodic reviews to ensure that permissions remain appropriate. Credentials and secrets are managed exclusively through 1Password, with enforced use of unique, high-entropy passwords for every service.

All personnel operate on company-issued, hardened devices managed through JAMF. Endpoints are encrypted at rest, continuously monitored, and maintained at current patch levels through enforced update policies. Personal devices are not permitted to access client data or internal systems. Remote wipe capabilities are enabled for all managed devices in the event of loss or compromise.

Iterasec maintains a formal AI usage policy governing which tools are authorized, what categories of data they may process, and under what conditions. Only enterprise-grade AI platforms covered by our corporate data processing agreements are approved for use with internal or client-related information. The use of consumer or personal AI tools for sensitive, client, or proprietary data is strictly prohibited. All AI-generated outputs — particularly those related to security findings or assessments — are subject to mandatory review by qualified personnel prior to delivery. AI services are evaluated under the same vendor risk framework applied to any third-party technology provider.

Remote access to internal systems is conducted exclusively through encrypted channels. TLS is enforced across all services, secure DNS resolution is in place, and network segmentation is applied to limit lateral movement. Communications involving sensitive data are restricted to our managed corporate environment.

Iterasec routinely handles highly sensitive client information, including vulnerability data, system architecture details, and access credentials. All engagement data is treated as confidential by default. Client data is compartmentalized, encrypted at rest and in transit, and accessible only to assigned team members on a need-to-know basis. Retention is limited to the duration required by contract, after which data is securely purged in accordance with our data retention policy.

All tools, platforms, and service providers undergo a security assessment prior to adoption. This evaluation includes a review of data processing agreements, relevant certifications, and technical controls. New tools — including AI services — must complete an internal security review and receive formal approval before integration into our workflows.

Iterasec maintains a documented incident response plan with clearly defined roles, escalation procedures, and communication protocols. Detection, containment, and resolution are executed promptly, with transparent communication to affected parties. Post-incident reviews are conducted following every event to identify root causes and drive continuous improvement of our security controls.

Our team comprises experienced offensive security professionals with a strong baseline of security awareness. In addition, Iterasec maintains a formal training program covering emerging threats, operational security best practices, secure handling of client materials, and responsible use of AI tools. All personnel complete security onboarding upon joining and participate in ongoing education throughout their tenure. Compliance with internal security policies is a shared responsibility, with oversight provided by company leadership.

Critical systems and data are backed up on a regular schedule, with recovery procedures periodically tested to validate restoration capabilities. Our cloud-first infrastructure eliminates single points of failure tied to any physical location, supporting operational resilience across a range of disruption scenarios.