About NullVector

Built to close the gap between security theatre and real protection

Most organisations have security tools. Far fewer have security programmes that would actually withstand a determined adversary. NullVector exists to bridge that gap, through honest assessment, practitioner-led delivery, and work that holds up under scrutiny.

We are a specialist firm. We do not try to be everything to everyone. We focus on three disciplines: managed security operations, offensive testing, and cloud hardening. We do them to a standard we'd stake our reputation on.

10+ years practitioner experience
247+ organisations protected
0 production incidents caused

The security industry has a habit of selling complexity and calling it capability. We think the opposite is true: clarity about what's exploitable, honest reporting on what matters, and no padding to justify the invoice.

// NullVector, founding principle
Our values

What we stand for

These are not aspirational statements. They are the filters through which we take on engagements, write reports, and advise clients.

01
Honesty above comfort

We tell clients what we find, not what they want to hear. If your security posture is poor, we say so clearly and explain why. If a proposed engagement won't give you useful information, we'll tell you that too, even if it costs us the work.

02
Practitioners do the work

Every engagement is executed by the same senior practitioners who scoped it. We do not use client engagements as training ground for junior staff. If a task requires a specific skill, the person with that skill is the one who performs it.

03
Scope is a commitment, not a ceiling

We scope precisely and price in writing before work begins. We do not expand scope mid-engagement to inflate the invoice. If we encounter something significant outside scope, we flag it immediately and discuss whether to include it, before we touch it.

04
Reports that drive action

A finding that cannot be acted on is not a finding, it is noise. Every vulnerability we report includes a prioritised, specific remediation step. We write separately for technical teams and for leadership, because the same words do not serve both audiences.

05
No conflicts, no vendor lock

We do not take referral fees from technology vendors. We do not recommend tools because they benefit us. Our advice is based solely on what is right for your environment, your team, and your threat model. We are agnostic by design.

06
Knowledge stays with you

Dependency on an external security firm is not a security posture, it is a liability. We aim to leave every client more capable than when we arrived. Our reports explain the 'why' behind every finding so your team understands the risk, not just the fix.

How we work

Our approach to every engagement

The security industry has made a habit of mystifying its own processes. We do the opposite. Every engagement follows a clear, documented sequence, and clients are kept informed at every stage.

01

Understand before proposing

We begin every engagement with a scoping conversation, not a sales call. We ask about your environment, your concerns, your existing controls, and what a good outcome looks like for you. Only then do we propose a specific scope and price.

02

Fixed scope, fixed price

You receive a written proposal defining exactly what will be tested, how, by whom, and for what price. There are no variable rates, no "time and materials" ambiguity, and no scope that expands without a signed amendment.

03

Transparent during the work

You are never left wondering what is happening. For ongoing engagements, you receive regular status updates. For incident response, you receive real-time communication. We do not disappear and emerge with a report three weeks later.

04

Reporting that earns its place

Our reports are written to be read and acted on, not filed. Executive summaries are genuinely concise. Technical findings include reproduction steps, business impact, and remediation guidance. We do not pad reports to make them look thorough.

05

Debrief and knowledge transfer

Every engagement closes with a live debrief, separately for your technical team and your leadership where appropriate. We walk through findings, answer questions, and make sure your team understands the underlying risk, not just the CVE number.

06

Post-engagement availability

Our responsibility does not end when we deliver the report. For 30 days following any engagement, our team is available to answer questions about findings as your engineers work through remediation. No additional charge.

Our commitments

What clients can expect

These are concrete, measurable commitments, not brand promises.

🔒 Strict confidentiality

All engagement data, findings, and client information are handled under strict NDA. We do not use client environments as case studies without explicit written consent. Client data is never retained beyond the engagement period.

⚖️ Fully authorised operations

Every offensive engagement is conducted under a signed rules of engagement document. We operate strictly within the defined scope, carry professional indemnity insurance, and work within Australian legal and regulatory frameworks at all times.

📋 No padding, no inflation

We do not inflate severity ratings to make our work appear more valuable. A low-severity finding is reported as low severity. We do not manufacture urgency to drive additional spend. Our recommendations are based on your actual risk profile.

🎯 Right-sized engagements

We will tell you honestly if you do not need what you are asking for, even if that means a smaller engagement. A penetration test on a system with no sensitive data is not the right use of your budget. We will say so.

🌐 Vendor-agnostic advice

We have no commercial relationships with technology vendors. Tool recommendations are based entirely on fit for your environment. We will tell you when a free or open-source tool is the right choice over a commercial product.

📞 Accessible when you need us

Retainer clients have direct access to their assigned practitioner, not a helpdesk queue. For active incidents, our response SLA is under one hour at any time of day. You will not be triaged by a tier-one analyst in a security incident.

Credentials

Team certifications

Our practitioners hold industry-standard certifications across offensive security, detection engineering, and cloud security architecture.

OSCP: Offensive Security Certified Professional
CISSP: Certified Information Systems Security Professional
CISM: Certified Information Security Manager
CEH: Certified Ethical Hacker
GPEN: GIAC Penetration Tester
GCIH: GIAC Certified Incident Handler
CCSP: Certified Cloud Security Professional
AWS-SP: AWS Security Specialty

Ready to work with a team that tells you what you actually need?

Start with a free 45-minute conversation. We'll give you an honest view of your current exposure, no obligation, no pitch.
