METHODOLOGY // 2026-04-01
Single auditor of record.
Why Labs is intentionally small — and why that is a feature for the buyer, not a constraint.
What "single auditor of record" actually means
When a CISO commissions a Labs Board-Ready audit, the founder scopes the engagement, runs discovery, decides which findings survive the evidence ladder, writes the remediation runbook, leads the restitution call, and signs the retest attestation. No junior team member touches the work product. There is no "delivery team behind the salesperson." The brand is the auditor.
This is unusual in the consulting market. It is intentional. The reasons below are commercial, not stylistic.
Why this matters commercially
1. The buyer is buying judgement. What a CISO actually purchases when they commission an audit is the judgement that a specific finding is real, that the impact statement is defensible, and that the remediation will close the surface. Judgement does not delegate well. A senior partner who sells the engagement and a junior consultant who delivers it produce a different artefact than a single senior who does both. The senior partner cannot vouch for what they did not see.
2. The signature carries professional standing. When the founder signs the retest attestation, the founder's name is on the document. That name will be quoted in the buyer's downstream conversations — to the board, to the cyber insurer, to the regulator under NIS2 or DORA. The signature has weight only if it belongs to the person who did the work. A delegated signature is a brand asset, not a judgement record.
3. The accountability chain is short. If something is wrong in the deliverable — a finding misclassified, a rung overstated, a remediation that fails on retest — the buyer makes one call, to one person. The escalation does not pass through a partner who needs to "talk to the delivery team." The founder is reachable; the founder corrects; the deliverable is reissued. This compresses the post-engagement loop from weeks to hours.
4. The methodology is the founder's. The AI-Alliance Challenging protocol, the evidence ladder, the Proof-of-Threat doctrine — these are not Labs IP separate from the founder. They are the founder's working method, encoded. Delegating the work means delegating the method. The buyer can verify the method only by inspecting the founder's output.
The obvious objection
"Does this not limit your capacity?"
Yes. Limited capacity is a deliberate constraint, not an accident. The constraint translates into three commercial properties the buyer should value:
- Pricing discipline. Labs cannot underprice. A junior consultancy can offer a Board-Ready audit for €10,000 because they can run twenty in parallel. Labs cannot, so we do not. The pricing reflects the constraint honestly.
- Engagement cadence. Labs runs one Board-Ready audit at a time. The previous audit is closed — retest signed — before the next one begins. The buyer is not behind a queue of others sharing the founder's attention.
- Refusal of bad-fit engagements. Because capacity is finite, declining engagements that are not a good fit is operationally necessary. A buyer who needs ten subsidiaries audited in parallel is not a Labs buyer. A buyer who needs one organisation audited well is.
What the buyer gives up
This model is not universally optimal. A buyer who needs:
- Multi-region simultaneous coverage with on-the-ground consultants
- A blended hourly rate across many specialisations
- A 24/7 incident response retainer with named on-call rotation
- A 50-person SOC delivery
- Branded reporting from a top-tier firm to satisfy a procurement template
— is not a Labs buyer. Each of these is a real category in the market, served by real firms. Labs is not that firm.
The buyer who is a Labs buyer needs:
- A signed attestation from a named auditor on a specific surface, at a specific time.
- Methodology transparency strong enough for the buyer's CISO to defend internally.
- A short loop from finding to remediation to retest.
- Public references — under reciprocal NDA — from prior buyers who can speak to all of the above.
How this shows up in the engagement
Practically, the model produces three observable behaviours during an engagement:
- The first call is with the founder, not a salesperson. Discovery scoping is technical from minute one. The founder asks about the artefact namespace, the cloud accounts in scope, the deployment boundary. The buyer learns the founder's frame before signing.
- The deliverable is written, not assembled. The Board-Ready report is not generated from a template with a placeholder section. It is written by the founder, in the founder's voice, with the founder's specific reasoning visible. The buyer can identify the writing style; the writing style is a verification signal.
- The retest is performed personally. Fourteen days after the deliverable, the founder re-reads the surface, re-runs the AI-Alliance Challenging on the closed findings, and signs or refuses the attestation. The retest is not a checkbox. It is the moment the attestation becomes real.
A note on succession
A reasonable question from a buyer planning a multi-year continuous-assurance engagement is "what if the founder is unavailable." The honest answer:
- For Discovery Brief and Board-Ready (point-in-time engagements), the work is scoped to fit within the founder's availability. If the founder is unavailable, the engagement is rescheduled, not delegated.
- For Continuous Assurance (12-month engagements), the contract includes a designated successor — a named individual at a partner firm, agreed at contract signature — who can complete the engagement if necessary. The successor is named, the buyer can interview them, and the methodology transfer is documented. This is the only path Labs permits for delegation, and it is contractual.
If the buyer's risk model requires a delegated team from day one, the model does not fit. We will say so during the first call.
What this looks like on the brand
The Labs brand will remain small by design. There is no plan to scale headcount in the next 24 months. The plan is to publish — methodology, redacted artefacts, occasional research — so that the brand develops outside the engagement queue. The engagement queue stays small because the work product depends on it.
This is what "founder-led" means at Labs. The phrase is overused in the consulting market; it has been emptied of meaning by partners who delegated everything and kept the title. Labs uses the phrase literally.
AUTHOR
BleedWatch Labs founder
Founder-led research from the same auditor of record who signs Labs engagements. Specific client references and prior research identifiers are shared under reciprocal NDA when relevant.