Security at Illicus
We take security seriously—both for our own operations and for every client engagement.
Our Security Posture
As a company that helps clients build security programs, we hold ourselves to the same standards we recommend. Here's how we approach security:
Access Controls
- All team members use hardware security keys (FIDO2) for authentication
- We use your SSO/IAM systems when accessing client environments
- Access follows least-privilege principles—we only request what's needed
- All access is time-limited and revoked upon engagement completion
- We maintain detailed audit logs of our activities
Data Handling
- Client data is never stored on personal devices
- All client communications are encrypted in transit (TLS 1.3)
- Sensitive documents are shared via client-controlled systems when possible
- We don't access, copy, or store customer application data
- Engagement artifacts are securely deleted after agreed retention periods
Operational Security
- Endpoint detection and response (EDR) on all devices
- Full-disk encryption required
- Regular security awareness training
- Background checks for all team members
- Incident response procedures documented and tested
During Client Engagements
NDA by Default
Every engagement begins with a mutual NDA. Your information is confidential.
Named Individuals
You know exactly who has access. No anonymous contractors or offshore teams.
Your Controls
We work within your existing security policies and access management systems.
Audit Trail
We document what we access and why, and make that record available for your security reviews.
Time-Limited Access
Access is granted only for engagement duration and promptly revoked.
Secure Communications
Encrypted channels for all client communications and data sharing.
Responsible Disclosure
If you discover a security vulnerability in our systems, please report it responsibly by emailing [email protected]. We appreciate your help in keeping our systems secure.
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information
We commit to acknowledging reports within 48 hours and will keep you informed of our progress.
Questions?
If you have security questions about working with us, or need additional information for your vendor security review, contact us at [email protected].
If you prefer, you can also use our contact page and we’ll route your request to the right person.
We're happy to provide:
- Security questionnaire responses
- SOC 2 report (under NDA)
- Details about our security practices
- References from similar engagements