Insights
Two years of JAG Secure
JAG Secure has completed its second year. The business was founded in January 2024.
Year one: proving it could be done
The first year was learning, building and finding out whether the idea held up outside of theory.
The idea was straightforward enough. Most consultancies sell you a senior tester and send somebody more junior to do the work. The name on the proposal and the person at the keyboard are frequently not the same, and the client is rarely told. JAG Secure was set up to make that structurally impossible, by having the certified senior tester scope the engagement, run it, write the report and carry out the retest.
That is easy to say and it constrains everything. It caps how much work can be taken at once. It makes the calendar the binding limit on the business rather than the pipeline. It means turning work down, which is uncomfortable when you are new and every enquiry feels like it might be the last one.
The first year answered the question. Clients came back, and they came back specifically because the person they spoke to was the person who did the work.
Year two: strengthening the foundations
The second year was less about proving the model and more about building the things underneath it.
Accreditation and professional standing. Membership of the industry bodies that speak for the sector. Infrastructure built and controlled here rather than rented from somebody else, so that client data stays in the United Kingdom and never touches an offshore third party. Reporting and delivery processes that produce the same standard of output whether it is a first engagement or a fifth.
None of that is visible from the outside and all of it is the difference between a person doing testing and a business that can be relied on.
What has not changed
The model. It would be easier to grow by hiring juniors and selling their time at senior rates, which is the standard route and it works commercially. It is also the exact thing the business exists to avoid.
The focus. Penetration testing only. No managed services, no compliance consultancy, no general advisory. Narrower, harder to scale and the only way to remain genuinely good at it.
What comes next
More of the same, done better. There is no growth story here about headcount or offices. The interesting question for year three is whether the standard can be held while the work increases, and that is a question about discipline rather than ambition.
Thanks to every client who took a chance on a business with no track record in that first year. There was no reason to and you did it anyway.

