01 // PROOF

How we prove our work, without breaking anyone's confidentiality.

Most consulting agencies show client logos and write up engagement victories. Both are good marketing and bad operational security. We chose the inverse.

02 // THE PRINCIPLE

The proof constraint is the trust signal.

We will not publish a client logo we are not contractually entitled to display. We will not publish a vulnerability writeup when the timing or technical fingerprint could let an attacker reverse-engineer which engagement it came from.

We will not write a "we hacked X in 4 hours" post for marketing leverage. These restraints cost us inbound social proof. They are non-negotiable.

The trade-off is simple: buyers who care about how their auditor handles confidentiality get a clear signal before they share anything sensitive. The absence of public case studies is not a backlog. It is an operating policy.

03 // PUBLIC PROOF

What we do publish.

Methodology in detail.

/how-we-work is exhaustive. The AI-Alliance protocol, evidence ladder, deliverable shape, and hard limits are public and reproducible. A buyer can review the method before trusting the operator.

The deliverable shape.

A redacted sample deliverable is available on request after the discovery call. It shows the evidence pack, executive memo, business impact framing, remediation runbook, and attestation shape without exposing a client.

Live methodology demo.

During the discovery call, the founder can walk through the protocol against a small public sample artifact. The point is to show how disagreement, steel-manning, and founder judgment are recorded.

04 // PRIVATE VERIFICATION

What we provide under reciprocal NDA.

The strongest proof material is sensitive because it ties research history, references, and deliverables to real organizations. We share it only when the buyer has a real procurement reason and the confidentiality path is reciprocal.

Prior engagement references.

Up to three references from past clients, available under reciprocal NDA. The founder introduces you directly when the request is serious and contextually appropriate.

Upstream-accepted research references.

Specific identifiers and commit-level references from prior research work can be verified under NDA. They are not published on this site because the operating principle is deliberate non-publication.

Anonymized engagement deliverables.

A complete redacted deliverable from a prior engagement can be shared after a discovery call: executive memo, evidence pack, business impact, runbook, challenge log, and attestation.

05 // ESCALATION

How to escalate verification.

If after the discovery call you still want stronger validation before signing, we accept several verification paths. They are designed to prove method, references, or technical rigor without exposing another client or turning proof into public attack intelligence.

01. A paid 4-hour methodology audit against a public scope you choose, billed at €1,200 and credited against a future engagement.

02. A reference call with a prior client under your legal counsel's supervision and reciprocal NDA.

03. A written technical review of our methodology by an external auditor of your choice, at your cost.

04. A live walkthrough of a sanitized AI-Alliance challenge log, including disagreement and founder adjudication.

06 // PROOF MECHANICS

How the artifact carries proof.

Proof is not a logo wall. It is the internal structure of the deliverable: traceability, reproducibility, challenge, and closure. Those mechanics can be inspected without exposing another organization.

Traceability

Every executive statement points back to a finding, evidence item, timestamp, and collection context.

Reproducibility

The report explains how the exposure was observed from public sources without requiring trust in a screenshot alone.

Challenge record

The AI-Alliance log records false-positive arguments, severity disagreement, remediation disagreement, and founder decision.

Closure

Retest evidence and signed attestation document what changed, when it was checked, and what surface the closure covers.

07 // WHAT STAYS PRIVATE

What we will not turn into marketing.

We will not publish named client outcomes to compensate for a thin trust story.

We will not publish sector-size-finding cards that could be matched to a real engagement.

We will not publish acceptance emails, maintainer threads, private tickets, or commit-level identifiers on the public site.

We will not imply that private verification material is available to casual readers without a serious buying context.

08 // DISCLOSURE TRACK RECORD

Responsible disclosure without public attribution theater.

The founder operates a responsible-disclosure mailbox at [email protected] and has had research work reach upstream maintainers. Specific public-attribution items are not listed here. They can be discussed during the discovery call when relevant, and documented under NDA when sensitive.

This policy protects clients, maintainers, and the research process. It also keeps Labs aligned with the actual product being sold: diagnosis, evidence, judgment, and validated closure, not social proof extracted from someone else's incident.

09 // NEXT STEP

Want to verify before booking?

Email us with your verification requirement. Or book the call and we will walk you through the private proof paths above.

Every engagement signed by the founder. BleedWatch Labs