Common questions about engagement models, ownership, and how the methodology actually works.
Yes. That's what Define is for: capturing the full requirement (functional, regulatory, and business) before a line of code is written. You don't need a spec walking in.
There's no default stack. The stack is decided during Design, scoped to the specific requirement, client, and risk profile rather than chosen in advance. Our favorites are TypeScript, React, Node.js, Tailwind, and PostgreSQL, but we can work with whatever stack you already have.
OWASP ASVS, NIST SSDF, ISO/IEC 27001, CIS Controls, SOC 2, and CWE Top 25. The specific mix applied to a given engagement is part of the tailored constitution assembled during Design.
You do, under both models. Nothing is licensed back to Core Secure Code.
You will host it yourself (or work with a hosting provider). We can help you choose a hosting provider and set up the environment.
A Project is typically 6-12 weeks, depending on scope. A Team Retainer is ongoing, following a sprint-based, continuous delivery model.
For a Project, the price is fixed once the Design-stage blueprint is signed and doesn't move after that, as long as the scope doesn't change. For a Team Retainer, you're paying for ongoing capacity rather than a single fixed quote.
Project is a fixed-scope, fixed-price engagement: priced once the blueprint from Design is signed, and the price doesn't move after that (as long as the scope doesn't change). Team Retainer is ongoing capacity, the same five-stage methodology running in a sprint-based, continuous delivery model.
Progress stops until it's resolved. Failures are reported honestly, not smoothed over. That's the point of an independent verification pass.
Yes, but it's explicitly logged in the engagement record. The client owns the risk, and the record shows it. Nothing ships silently on unverified work.
Just contact us. We'll follow up to scope Define, the first stage of every engagement, regardless of model.