Threat Unknown requires administrative access to client environments to do the work. That's not a secret. Here's exactly how that access is scoped, documented, and removed.
Every change Threat Unknown makes — policies, configurations, DNS records, access controls — is committed to a GitHub repository that the client owns. Nothing happens off the record. When the engagement ends, the client has a complete, version-controlled history of every change made to their environment.
Access is provisioned for the specific engagement scope and documented from day one. Admin console changes are screenshotted and logged as evidence. Every access point granted is tracked — so deprovisioning at offboarding is a checklist, not a guess.
At the end of every engagement, Threat Unknown runs the same account inventory process we deploy for clients — on ourselves. Every access point is explicitly confirmed removed. The client receives an offboarding record they can verify independently using the tools installed during the engagement.
Every change Threat Unknown makes is committed to a GitHub repository that the client owns. You don't need a detection system to find what we did — it's in your git history, with timestamps, commit messages, and pull request descriptions. That record exists whether we are engaged or not, and you can review it at any time.
This is one layer among several — alongside the access log, the scoped provisioning, and the offboarding record. No single mechanism is a guarantee. The combination is.
After any Threat Unknown engagement, you can confirm the following independently:
The offboarding record provided at engagement close documents each of these items with the date confirmed and how to check.
If you have specific concerns about how access is managed for your engagement, ask us directly. We'll walk you through it.