Security Practices
Last updated: December 17, 2025
TKOResearch LLC · 1500 Chestnut Street Suite 2, Philadelphia, PA 19102
Overview
TKOResearch provides technical analysis, threat intelligence, and technical security services for private sector clients. This page describes how we handle data, protect systems, and maintain operational security for our engagements.
We are a principal-led boutique practice. The practices described here reflect our actual operational procedures, not aspirational marketing claims.
Data Handling
Client Artifacts & Case Data
- Physical artifacts are stored in locked, access-controlled laboratory space
- Digital artifacts are stored on encrypted drives (AES-256) with documented chain of custody
- Artifacts are retained only for the duration specified in engagement agreements, then securely destroyed
- We do not share client artifacts with third parties except as required by law or with explicit written authorization
Communications
- Sensitive case communications available via Signal upon request
- Standard communications via email ([email protected])
- We do not store client credentials or access keys beyond the engagement period
Infrastructure Security
Website & Public Systems
- This website is hosted on Vercel with automatic TLS
- No customer PII is stored on the public website
- Contact form submissions are transmitted via encrypted API to our email system
- Analytics are privacy-focused with consent management
Internal Systems
- Analysis workstations are air-gapped or network-isolated during artifact examination
- Multi-factor authentication required for all internal systems
- Regular software updates applied to analysis tools and operating systems
Crisis Management
In the event of a security incident affecting client data, we will:
- Notify affected clients within 72 hours of a confirmed breach
- Provide a written incident report describing the scope and remediation
- Cooperate with client security teams and legal counsel as needed
To report a security incident involving TKOResearch systems or data, contact: [email protected]
Vulnerability Disclosure
We welcome responsible security research on our public-facing systems. If you discover a vulnerability in tkoresearch.com or related TKOResearch properties:
- Report to: [email protected]
- Include technical details sufficient to reproduce the issue
- We will acknowledge receipt within 5 business days
- We will not pursue legal action against good-faith security researchers
For full details, see our Vulnerability Disclosure Policy.
Limitations
We are a small practice without the infrastructure of a large enterprise. Specifically:
- We do not maintain SOC 2 or ISO 27001 certifications
- We do not have 24/7 monitoring capabilities for our own systems
- Physical security is appropriate for a professional office, not a government SCIF
Our security practices are appropriate for the sensitivity of the work we perform. Clients with specific compliance requirements (HIPAA, CJIS, etc.) should discuss their needs during the scoping process.
Contact
For security-related inquiries:
- Email: [email protected]
- Phone: +1 (445) 895-1790