State of Volkis 2026

Quick Links

Home > Company > State of Volkis 2026
Edit on GitLab
  Matthew Strahan   10 Feb 2026

This document contains the findings of the Strategy Session in Volkis. It shows how we see ourselves, what we do well, what we can improve, and annoyances we can remove.

What are we doing well?

Externally:

  • We deliver high quality testing. Generally find lots of stuff.
  • Our reporting is great, relevant to the client, and doesn’t include lots of irrelevant stuff.
  • We are a “human” company, have a personality.
  • We’re well known in the community. We have a reputation for being open and sharing and that bleeds into how we’re seen by clients. At conferences people seek us out.
  • We offer clients more support than just doing the engagement and just completing the scope of works. For instance, having conversations and actively assisting in improving the business processes of our clients.

Internally:

  • Flexibility around personal lives of consultants. We are able to schedule around our lives, including picking up from school. Vic is great at providing flexibility around the schedule.
  • We work on skills development, getting time to learn something new.
  • When there’s something interesting happening, the team is generally interested and engaged. We “pile on” when someone’s found something interesting.

What can we improve?

  • There’s a lot of inertia in the business. If we want to make a change then it’s a lot harder than it has been in previous years.
  • Who covers when someone is sick or away? For consultants that is easier but for relationship management and project management the process breaks down.
  • Documentation about expectations around each test can be improved. What’s the difference between web app and external? What specifically do we do when performing OSINT on a company? We don’t need checklists but guidelines and “have you thought of” could be beneficial.
  • Shadowing is usually ad hoc and maybe done once a year if that.
  • We can improve with our junior training. In particular, stating goals and expectations for each new test that a junior sits on. Having a longer term training plan. Ensuring that when a junior sits on a test they get to experience the full end-to-end process from kick off to debrief, rather than being placed on snippets of tests.
  • Preso days could be improved. Maybe have activities in the afternoon? The conversation that follows presentations is also interesting and is nowadays often cut off.
  • Playdates are enjoyable but hard to fit into peoples’ schedules. The intention is to emulate the in-office time like we’re getting coffee but they are more a suprise.
  • It’s been a year since we’ve done a blog post. It’s fallen through the cracks a bit.
  • We could use more clarity around career progression and clarity around budgets and expenses.

What are the annoying things?

  • Preso day being on a Friday is difficult. It cuts into personal time and Saturday morning flying can interfere with weekend responsibilities.
  • Friday afternoon catch ups sometimes don’t work for people, for instance clashing with picking kids up from school.
  • Report Repulsor documentation needs improving. We also occasionally have inconsistent templates.
  • Handbook and Privbook is hard to update, especially for people who don’t use Git often.
  • Payroll being on a public holiday means people get paid later than usual.
  • There are no fixed expectations around expenses and how long we have to wait.

What should we keep doing?

  • Notes for each project in Trello is really useful.
  • Current scheduling is really good. Admin days have been a great add.
  • Flexibility of work and scheduling.

Actions

  • Build detailed role descriptions for Project Management and Relationship Management. Ensure that when Vic or Hortense takes leave whoever covers has enough training and documentation to cover.
  • Improve methodologies for penetration testing, potentially including shared guidelines and “have you checked?” documentation around activities for OSINT, external testing, web app testing, and mobile testing.
  • Build a “shadowing time” budget for testers. Potentially a week each year could be spent on shadowing, giving two weeks shadowing or being shadowed?
  • Play with the format for presentation days. Try activities such as CTFs in the afternoon, limit numbers of presentation and add more discussion time.
  • Work on playdates and try different formats for organising new playdates. For instance allowing people to opt in/opt out at the beginning of the week for different days or times. Try adding in games rather than just conversations.
  • Have stricter meetings around career progression and training plans.
  • Improve expenses documentation. Build clear expectations around expenses and the expectations for paying them.
  • Work on making Handbook easier to update. Either have a clear procedure or change the Handbook to allow easy updating.