CyberSage

Terms of engagement

Last updated: 2026-04-19 · Effective from: 2026-04-19

These terms govern your engagement with CyberSage, an independent cybersecurity consultancy operated by Emanuel Covasa, based in Ireland. CyberSage is not a self-service platform: every engagement is delivered personally by the consultant under a signed contract. This page sets out the baseline terms that apply to every engagement unless superseded by a specific written agreement. These terms are pending formal legal review.

1. What CyberSage is

CyberSage is a white-hat cybersecurity consultancy. We perform authorised penetration testing, vulnerability assessment, red-team simulation, and related advisory work for organisations across Europe, the UK, and worldwide on request, with Ireland as home base. The work is performed by a human consultant, supported by a proprietary AI framework that coordinates testing activity. Clients do not receive access to the CyberSage framework itself. They receive the findings, report, and remediation guidance produced using it.

2. Authorised testing only — non-negotiable

CyberSage will only test systems, networks, or services for which a duly authorised representative of the asset owner has provided written consent. This is required under Irish law (Criminal Justice (Offences Relating to Information Systems) Act 2017, sections 2 and 6) and under our own professional standards.

  • Every engagement starts with a signed Rules of Engagement document listing every in-scope target, authorised testing windows, and permitted techniques.
  • Any system or account discovered to be out of scope is left untouched, and the client is informed immediately.
  • If you do not have lawful authority to approve testing of a given asset, you must not list it in scope. Doing so constitutes a material breach of these terms and may be a criminal offence under Irish law.
  • The client indemnifies CyberSage against any loss, claim, or prosecution arising from assets included in scope without proper authorisation by the client.

3. Engagement process

  1. Scoping call: we agree the objective, targets, and constraints.
  2. Proposal: we send a written proposal referencing one of the published tiers (Essential / Professional / Enterprise / Custom) with price, scope, deliverables, and timeline.
  3. Rules of Engagement + contract: signed by both parties before any technical work begins. Payment terms are fixed at this stage.
  4. Kickoff: credentials exchanged through an agreed secure channel; point of contact confirmed; incident-response escalation path established.
  5. Active testing: performed within the agreed window. The client retains a nominated contact reachable throughout.
  6. Report delivery: written report delivered per the tier specification. Final report within the timeline set in the proposal.
  7. Debrief + retest: per the tier specification. Retest exercises verify remediation of reported findings.
  8. Close-out: engagement artefacts (credentials, test evidence) destroyed per the privacy notice.

4. Pricing and payment

  • Published “Starting from” prices on the pricing page are anchors; the final engagement fee is fixed in the written proposal.
  • Prices are quoted in euro, exclusive of VAT where applicable.
  • Standard payment terms: 50% on contract signature, 50% on final report delivery. Net 14 days on each invoice.
  • Late payments accrue interest at the rate set under the European Communities (Late Payment in Commercial Transactions) Regulations 2012.
  • Retainer engagements are billed monthly or quarterly in advance.

5. Client obligations

  • Provide accurate and complete scope information.
  • Confirm authority to authorise testing of every listed asset.
  • Take a verified backup of any production system in scope before active testing begins.
  • Nominate a contact reachable throughout the testing window.
  • Notify any third parties (cloud providers, IaaS / PaaS vendors) if their terms require pre-test authorisation.
  • Cooperate on the remediation debrief and any agreed retest.

6. What CyberSage will not do

  • Test assets outside the signed Rules of Engagement.
  • Knowingly cause destructive damage, data loss, or service outage without prior written approval for that specific scenario.
  • Run testing that violates the terms of service of a hosting provider or cloud platform without the client's written confirmation that they have cleared it with that provider.
  • Disclose engagement findings to any third party without client consent.
  • Retain engagement credentials, access tokens, or sensitive artefacts beyond the retention schedule in the privacy notice.
  • Train AI models on client data or use engagement data for any purpose other than producing the contracted deliverable.
  • Work on engagements where the target is reasonably believed to be a human-rights, journalism, or civil-society organisation being attacked by its adversary. This includes engagements from state or corporate actors seeking offensive capability against such targets.

7. Confidentiality

Both parties treat information shared in the course of an engagement as confidential. CyberSage will not use client information for marketing, case studies, or public reference without the client's written consent. Confidentiality survives termination of the engagement for five years.

8. Warranties and disclaimers

CyberSage performs engagements with the skill and care expected of a competent security professional (best-efforts basis). Testing identifies a sample of the vulnerabilities present in the system at the time of the test — it cannot guarantee that every vulnerability has been found, and a clean report does not warrant that the system is free of defects. Security posture changes as code and infrastructure evolve; retesting after material change is always advised.

9. Limitation of liability

To the fullest extent permitted by Irish law, CyberSage's aggregate liability arising out of any single engagement is capped at the total fee paid for that engagement. Neither party is liable for indirect, consequential, or punitive loss, loss of profits, loss of goodwill, or loss of data. Nothing in these terms limits liability for death, personal injury caused by negligence, fraud, or any liability that cannot be excluded by law.

10. Indemnity

The client indemnifies CyberSage against all claims, losses, and costs arising from (a) assets listed in scope without proper authorisation; (b) inaccurate scope information supplied by the client; and (c) material breach of these terms by the client.

11. Intellectual property

  • Client retains ownership of its code, systems, data, and the content of the deliverable report.
  • CyberSage retains ownership of its methodology, proprietary AI framework, tooling, and any generic know-how developed before or outside the engagement.
  • CyberSage may use anonymised, aggregated observations to improve its own methodology; no identifiable client information is used.

12. Professional standards

CyberSage engagements are designed and executed in line with industry standards including the OWASP WSTG and MASTG, the Penetration Testing Execution Standard (PTES), the MITRE ATT&CK framework for adversary simulation, and — for applicable engagements — alignment with ISO 27001, NIS2, DORA, and EU AI Act Article 15 expectations.

13. Termination

Either party may terminate an engagement for material breach on 7 days' written notice if the breach is not remedied. Either party may terminate immediately for insolvency events affecting the other. On termination the client pays for work performed up to the date of termination, and CyberSage destroys engagement artefacts per the privacy notice.

14. Governing law

These terms are governed by the laws of Ireland. The parties submit to the exclusive jurisdiction of the Irish courts. Before commencing proceedings the parties will attempt to resolve any dispute by good-faith discussion and, if that fails, by mediation.

15. Website acceptable use

By using this website, you agree not to:

  • Submit false information through the contact form.
  • Attempt to probe, scan, or test the vulnerability of this website — if you're curious about our stack, use the contact form and ask.
  • Impersonate another person or organisation.
  • Use this site to solicit services for unlawful purposes.
  • Distribute malware through any form submission.

16. Contact + changes

For questions about these terms: contact@cybersage.dev. Material changes will be flagged at the top of this page and, where a change materially affects an active engagement, communicated directly to the client.
