Frequently asked questions
Common questions from prospective and current clients. If your question is not answered here, write to hello@vintriplabs.com.
What is your typical engagement model?
Most engagements are multi-year framework agreements with quarterly delivery and a midpoint review at six months. Smaller pilots — a single quarter, a single business unit — are available to test fit. We do not run one-off campaign engagements; our minimum useful unit is a quarter.
Are you a simulation-platform vendor?
No. We do not sell simulation software. We design and run programmes using either your existing platform or one we recommend based on your specific context. We have no commercial relationships with platform vendors and no resale arrangements.
What metrics do you report on?
Phishing-click rate, reporting rate, simulation engagement, time-to-report, repeat-clicker rate, segment-level cohort metrics. We lead executive reports with reporting rate as the primary metric, with click-rate as a secondary diagnostic. Sector-anonymised benchmarks come from our active client population.
Can you support languages beyond English?
Yes. Our awareness modules are natively produced in 14 languages — not machine-translated. We retain subject-matter consultants in each language we ship. Simulation content is available in all 14 languages and a handful of additional regional variants on request.
How do you handle data?
Client data — including simulation engagement data, employee identifiers, and any operational personal data — is processed in line with the EU GDPR and the equivalent local regimes where we operate. We retain client data only for the duration of the engagement plus the contracted retention window. For more on data handling, see our privacy notice.
Are you certified to any security standard?
Vintrip Labs is ISO 27001:2022 certified. SOC 2 Type II is in progress with completion expected in Q3 2026. Cyber Essentials Plus is held by our UK delivery arm.
Do you work with the public sector?
Yes, although less commonly than private-sector clients. We are on the cybersecurity-services provider directory of the Cyber Security Agency of Singapore (CSA) and have completed framework engagements with two regional government clients in ASEAN.
How are you priced?
Annual programme engagements are typically priced as a fixed annual fee with a defined deliverable calendar. Smaller projects are priced on time and materials. We share indicative pricing within the first conversation; we do not have a hidden enterprise sales process.
What does the engagement look like operationally?
Engagements are led by a named senior consultant who is your single point of contact. A typical engagement involves quarterly campaign delivery, monthly check-ins with the security manager, and a quarterly executive briefing. We do not run long quiet periods between deliverables; communication is continuous.
Can you bring a partner for adjacent work?
Yes. Where engagements require capabilities we do not provide — penetration testing, GRC tooling, IAM consulting — we work with a small network of trusted partners. We are transparent about partner relationships and never receive commission on referrals.
What if I'm not sure we are ready for a full programme?
We are glad to scope a small initial diagnostic — typically one campaign and a maturity assessment — that produces a recommendation on programme scope and timing. The diagnostic deliverable is yours to take to a different vendor if you decide not to engage us further; there is no lock-in.
Where can I find your published research?
Selected work is published on the field notes page on this site and via our Medium channel. Conference talks at FIRST, AISA, and Black Hat Asia are linked from the press page where the host's policy allows.