Frequently Asked Questions

Common questions about engagement models, ownership, and how the methodology actually works.

We don't have a full technical spec yet. Can we still start?

Yes. That's what Define is for: capturing the full requirement (functional, regulatory, and business) before a line of code is written. You don't need a spec walking in.

What tech stack do you use?

There's no default stack. The stack is part of what gets decided during Design, scoped to the specific requirement, client, and risk profile rather than chosen in advance. Our favorites are TypeScript, React, Node.js, Tailwind, and PostgreSQL, but we can work with whatever stack you have.

What standards do you build to?

OWASP ASVS, NIST SSDF, ISO/IEC 27001, CIS Controls, SOC 2, and CWE Top 25. The specific mix applied to a given engagement is part of the tailored constitution assembled during Design.

Who owns the source code after delivery?

You do, under both models. Nothing is licensed back to Core Secure Code.

How do we host the application?

You will host it yourself (or work with a hosting provider). We can help you choose a hosting provider and set up the environment.

How long does a typical engagement take?

A Project is typically 6-12 weeks, depending on scope. A Team Retainer is ongoing, following a sprint-based, continuous delivery model.

How is pricing determined?

For a Project, price is fixed once the Design-stage blueprint is signed; it doesn't move after that. For a Team Retainer, you're paying for ongoing capacity rather than a single fixed quote.

What's the difference between the Project and Team Retainer models?

Project is a fixed-scope, fixed-price engagement: priced once the blueprint from Design is signed, and the price doesn't move after that (as long as the scope doesn't change). Team Retainer is ongoing capacity: the same five-stage methodology running in a sprint-based, continuous delivery model.

What happens if a verification gate fails during Determine?

Progress stops until it's resolved. Failures are reported honestly, not smoothed over. That's the point of an independent verification pass.

Can a failed gate be overridden if we want to ship anyway?

Yes, but it's explicitly logged in the engagement record. The client owns the risk, and the record shows it. Nothing ships silently on unverified work.

How do I start an engagement?

Just contact us. We'll follow up to scope Define, the first stage of every engagement, regardless of model.

Core Secure Code℠ — a Mirability, LLC service