$ cat faq.md

Questions worth asking before you hire anyone.

These are the questions we get most — about testing, hosting, and how engagements actually work. If yours isn't here, ask us directly.

$ ls /faq/security

Security assessments

What's the difference between an IT audit and a penetration test?

An audit reviews your configuration, access controls, and policies against a standard — it tells you what's misconfigured. A penetration test actively tries to exploit what it finds — it tells you what's actually exploitable. Most clients start with an audit and use a pentest to validate the highest-risk findings.

Will testing disrupt our operations?

We scope every engagement to avoid it. Aggressive scanning and exploit attempts are scheduled for low-traffic windows, and we agree on what's off-limits before anything starts. If something looks like it's about to cause an outage, we stop and call you — not after the fact.

What do we actually get at the end?

A written report ranking findings by real-world impact, not just a CVSS score dump — plus a debrief call. Every finding maps to an owner and a fix. We retest once you've shipped fixes, at no extra charge, so "closed" means actually closed.

Do you test social engineering and phishing as part of a penetration test?

They're separate engagements by default, scoped and priced independently — but we'll bundle them if that's what you need. A network pentest and a phishing simulation test very different things.

How often should we run an audit or penetration test?

Annually at minimum, and again after any major infrastructure change — a new vendor, a migration, an acquisition. Compliance frameworks like SOC 2, PCI-DSS, and HIPAA often mandate a specific cadence; we'll work to whatever yours requires.

Will employees be punished if they fail a phishing simulation?

Not by us, and we'd recommend you don't either. Punishing clicks teaches people to hide mistakes, not report them. We track click rate and report rate separately — report rate is the number that actually predicts whether a real attack gets caught in time.

Do you provide a signed scope and authorization before testing begins?

Always. You'll get written rules of engagement — what's in scope, what's excluded, testing windows, and an emergency contact — before we touch anything.

$ ls /faq/hosting

Hosting & infrastructure

Should we choose VPS, a dedicated server, or colocation?

Depends on what you're running. VPS suits most workloads and scales easily. Dedicated servers make sense once you need guaranteed resources — no noisy neighbors — for databases or compute-heavy apps. Colocation fits if you already own hardware and just need power, cooling, and connectivity. Tell us your workload and we'll recommend one, not upsell you to the biggest option.

Can you migrate us from our current host?

Yes — that's a normal part of onboarding. We'll scope the migration, schedule it for a low-impact window, and confirm everything's working before we call it done.

What kind of support do we get after setup?

A team that answers the phone, not a ticket queue with a 24-hour SLA. Since we also run the security side of the business, the same people who host your infrastructure understand what "secure" actually looks like on it.

Do you offer managed services, or just the hardware or VM?

Both — tell us how hands-on you want us to be.

$ ls /faq/general

Working with us

How much does this cost?

It depends on scope, so we don't publish a rate card — but every engagement starts with a scoping call and ends with a fixed quote before you commit to anything. No surprise invoices.

How do we get started?

Email info@arogo.net or use the contact form. Tell us what you run and what you're worried about; we'll come back with a proposed scope, not a sales pitch.

Do you work with businesses outside a specific industry or size?

We work with organizations who take their infrastructure seriously, from small teams to larger operations. If you're not sure whether you're a fit, ask — the scoping call is free.

Still have questions?

Ask us directly — we'll answer in plain English, not a sales deck.

Get in touch