Operating principles

From a builder’s perspective, security is often seen as confusing and counterintuitive. It is hard to grok, and it often increases system complexity. The more software developers build, the more attack surface they have to protect. A larger attack surface requires more security measures. Security measures increase inherent complexity.

Taming and reducing security-related complexity while improving security is more challenging than "just add feature X / buy product Y". Security requires a meticulous search for equilibrium, and it’s worth it every time. We focus on helping customers cut through security complexity without losing the actual security.

Innovation that comes at the cost of subverting civil rights, efficient institutions, state security or the rule of law is destructive in the long term run. Subverting innovation for the sake of maintaining the status quo is no good either.

We see our Ultima Thule as ensuring that technological innovations, which change the faces of familiar and trusted things, are secure, reliable, and responsible. To do that, we must innovate in tools, methods and approaches to protecting sensitive data, enabling privacy and transparency, and improving resiliency.

We do boring work, and we’ve learnt to love doing boring work the hard way. While cutting corners is welcome in the modern tech industry to deliver faster, it’s detrimental for security work. Our mindset is to ensure that every valuable threat is covered, every test performed, every relevant threat considered, etc.

To deliver reliable and secure tooling, we don’t rely on magical thinking and “it’s gonna be good somehow”. We hire people happy to walk an extra boring mile when necessary.

In security, there is nothing good or bad. Instead, we speak in terms of "appropriate / inappropriate security measures for the chosen threat model under given circumstances". Blindly following best practices or expert advice is often a way to stop thinking and start believing. We prefer analyses and keeping a careful eye on customers’ realities.

We strive to guide our decisions with current risks, threats, and real-world considerations, backed with hard proof and experience. Sometimes, it includes the current market’s beliefs on the best practices. But we go against the grain when necessary as well.

Security prevents hazards but often brings outrage and discomfort. Balancing tradeoffs, risk exposure, and functional limitations is as significant as a clever encryption scheme. Security that hinders main functionality gets abandoned and never reaches its goals.

Being a blend of product, R&D, and advisory firm, we’ve learned to carefully balance hazards and outrage, so that security measures are adopted and persist within an organization or a software product.

We focus on protecting sensitive data in whichever way we have to. A vast range of our solutions, services, and products are aimed at one goal: ensuring that customers’ sensitive assets are available only to authorized parties in a controlled way.

Sometimes, it means using cryptography. Other times, it means fixing application security bugs, or building DRM tools, or soldering wires, or programming controllers, or enforcing statistical security on ML models. The focus is always the same—protecting the data.

Perhaps, the easiest leverage point for addressing security problems is to make developers' life easier when implementing proper security measures. Ensuring that tools, recommendations, and methodologies are easy to use and hard to misuse. No unexpected upgrade paths, undocumented APIs, forgotten debug settings, or ambiguous recommendations are present.

We’ve learnt this the hard way. After using the tools of others in the past, we feel the pain of using cumbersome tools, and prevent it while building our own software products.

Working with innovators and product businesses is a challenging task requiring special experience. Enabling speed of delivery, security requirements, and preserving unique value in every product—that’s another equilibrium we often have to control and maintain.

As a product company with a team from various product and research backgrounds, we realise how fragile and precious the process of building new things is.

We would be nowhere without excellent engineering talent that works for us.

We foster talent by constantly challenging ourselves, running continuous education programs, and doing research. We hire people with a wide breadth of knowledge and specific skills and push them hard to excel.

By continuously improving our ability to stay on the cutting edge of practical security, we keep true to our goals. Combined with sympathy for hard&boring work, this creates a unique culture of relentless inquiry and meticulousness.