100% a Pen Testing business, despite having plenty of services listed on their website, almost all of the work they do is small bog standard Penetration Testing work of a few days work at a time.
They have a shiny Managed Services business (a buy out from Accumili a few years back) but they simply don't know what to do with it or how to sell it. NCC's Pen Testing 'job based' culture is at odds with contracted managed services, revealing itself most clearly in the Sales Management who try to manage these types of deals like they are a Pen Test, "You quoted it last week, can we get the PO by the end of the month?' Essentially trying to manage strategic deals like they transactional ones, that will never work.
All work, even the smallest of Pen Testing jobs takes days to quote, requiring numerous sign off's internally making clients bewildered on why they can just have the quote. When they do get the quote it has far too many days work required and excessive reporting time built in at exorbitant day rates; this may have been possible 10 years ago but doesn't fly in this day and age. Clients demand more from their suppliers and expect them to be agile; NCC still operates like it's 2007.
There is about 10,000 layers of management, no-one can understand why most of these people are there and what they do, utterly byzantine.
Its a real shame that the quality of the structure & management doesn't match the technical quality within the business.
