Back to about us
Operating principles
Every team relies on operating principles, guidelines, and protocols to get work done. Some call them "secret sauce", but we're pretty open about the fundamental approaches we follow.We adhere to these principles in everything we do: building our tools, submitting bug reports to third parties, conducting audits, or designing solutions for our customers. We don't think these principles are unique, but our customers often recognize and praise Cossack Labs' value proposition and engineering excellence.
Cut through complexity
From a builder’s perspective, security is often seen as confusing and counterintuitive. It is hard to grok, and it often increases system complexity. The more software developers build, the more attack surface they have to protect. A larger attack surface requires more security measures. Security measures increase inherent complexity.
Taming and reducing security-related complexity while improving security is more challenging than "just add feature X / buy product Y". Security requires a meticulous search for equilibrium, and it’s worth it every time. We focus on helping customers cut through security complexity without losing the actual security.
Taming and reducing security-related complexity while improving security is more challenging than "just add feature X / buy product Y". Security requires a meticulous search for equilibrium, and it’s worth it every time. We focus on helping customers cut through security complexity without losing the actual security.
Responsible innovation
Innovation that comes at the cost of subverting civil rights, efficient institutions, state security or the rule of law is destructive in the long term run. Subverting innovation for the sake of maintaining the status quo is no good either.
We see our Ultima Thule as ensuring that technological innovations, which change the faces of familiar and trusted things, are secure, reliable, and responsible. To do that, we must innovate in tools, methods and approaches to protecting sensitive data, enabling privacy and transparency, and improving resiliency.
We see our Ultima Thule as ensuring that technological innovations, which change the faces of familiar and trusted things, are secure, reliable, and responsible. To do that, we must innovate in tools, methods and approaches to protecting sensitive data, enabling privacy and transparency, and improving resiliency.
Boring and pragmatic
We do boring work, and we’ve learnt to love doing boring work the hard way. While cutting corners is welcome in the modern tech industry to deliver faster, it’s detrimental for security work. Our mindset is to ensure that every valuable threat is covered, every test performed, every relevant threat considered, etc.
To deliver reliable and secure tooling, we don’t rely on magical thinking and “it’s gonna be good somehow”. We hire people happy to walk an extra boring mile when necessary.
To deliver reliable and secure tooling, we don’t rely on magical thinking and “it’s gonna be good somehow”. We hire people happy to walk an extra boring mile when necessary.
Risk-centric pragmaticism
In security, there is nothing good or bad. Instead, we speak in terms of "appropriate / inappropriate security measures for the chosen threat model under given circumstances". Blindly following best practices or expert advice is often a way to stop thinking and start believing. We prefer analyses and keeping a careful eye on customers’ realities.
We strive to guide our decisions with current risks, threats, and real-world considerations, backed with hard proof and experience. Sometimes, it includes the current market’s beliefs on the best practices. But we go against the grain when necessary as well.
We strive to guide our decisions with current risks, threats, and real-world considerations, backed with hard proof and experience. Sometimes, it includes the current market’s beliefs on the best practices. But we go against the grain when necessary as well.
Balancing hazard and outrage
Security prevents hazards but often brings outrage and discomfort. Balancing tradeoffs, risk exposure, and functional limitations is as significant as a clever encryption scheme. Security that hinders main functionality gets abandoned and never reaches its goals.
Being a blend of product, R&D, and advisory firm, we’ve learned to carefully balance hazards and outrage, so that security measures are adopted and persist within an organization or a software product.
Being a blend of product, R&D, and advisory firm, we’ve learned to carefully balance hazards and outrage, so that security measures are adopted and persist within an organization or a software product.
Focus on sensitive data
We focus on protecting sensitive data in whichever way we have to. A vast range of our solutions, services, and products are aimed at one goal: ensuring that customers’ sensitive assets are available only to authorized parties in a controlled way.
Sometimes, it means using cryptography. Other times, it means fixing application security bugs, or building DRM tools, or soldering wires, or programming controllers, or enforcing statistical security on ML models. The focus is always the same—protecting the data.
Sometimes, it means using cryptography. Other times, it means fixing application security bugs, or building DRM tools, or soldering wires, or programming controllers, or enforcing statistical security on ML models. The focus is always the same—protecting the data.
Engineer-centric security
Perhaps, the easiest leverage point for addressing security problems is to make developers' life easier when implementing proper security measures. Ensuring that tools, recommendations, and methodologies are easy to use and hard to misuse. No unexpected upgrade paths, undocumented APIs, forgotten debug settings, or ambiguous recommendations are present.
We’ve learnt this the hard way. After using the tools of others in the past, we feel the pain of using cumbersome tools, and prevent it while building our own software products.
We’ve learnt this the hard way. After using the tools of others in the past, we feel the pain of using cumbersome tools, and prevent it while building our own software products.
Fostering innovators
Working with innovators and product businesses is a challenging task requiring special experience. Enabling speed of delivery, security requirements, and preserving unique value in every product—that’s another equilibrium we often have to control and maintain.
As a product company with a team from various product and research backgrounds, we realise how fragile and precious the process of building new things is.
As a product company with a team from various product and research backgrounds, we realise how fragile and precious the process of building new things is.
Exceptional talent
We would be nowhere without excellent engineering talent that works for us.
We foster talent by constantly challenging ourselves, running continuous education programs, and doing research. We hire people with a wide breadth of knowledge and specific skills and push them hard to excel.
By continuously improving our ability to stay on the cutting edge of practical security, we keep true to our goals. Combined with sympathy for hard&boring work, this creates a unique culture of relentless inquiry and meticulousness.
We foster talent by constantly challenging ourselves, running continuous education programs, and doing research. We hire people with a wide breadth of knowledge and specific skills and push them hard to excel.
By continuously improving our ability to stay on the cutting edge of practical security, we keep true to our goals. Combined with sympathy for hard&boring work, this creates a unique culture of relentless inquiry and meticulousness.