G2.2 Guide · Cross-cutting


Reading your Signature Handbook.

The handbook is the deliverable. This guide is how to use it in week one, how to hand it off to an operator, and how to drive the quarterly refresh.

Length: 7 min Audience: founder / CTO / security lead / CMO Last updated: 2026-04-19

What a handbook is, in one sentence

A Signature Handbook is a living document that encodes everything we learned about your company during the engagement, written so that you can hand it to a new engineer on day one and they can start doing the work.

What it is not

  • It is not a slide deck. It does not summarize the engagement for a board; it describes the engagement at the resolution required to act on it.
  • It is not a one-time artifact. It updates.
  • It is not a PDF we email you once and disappear. Retainer clients own a copy that is refreshed every quarter.
  • It is not a generic best-practices document. The specificity is the whole point.

Week one: the first read

We recommend two sittings.

  • Sitting one (45 minutes). Executive summary, then the roadmap at the back. This is the shape of what happens in the next ninety days. Bring this to your next leadership meeting.
  • Sitting two (two to three hours). The findings / observations section in full. Highlight as you go; note questions in the margins. You are the client; you know things about your company that we do not. If a finding looks wrong or the severity looks off, flag it. That is how the review becomes a shared document rather than ours alone.

Do not try to read the whole handbook end-to-end on day one. It is structured so that you can read the summary in a morning and come back to the reference chapters as they become relevant.

The structure

Every handbook has the same top-level structure:

  1. Executive summary. One page. Anyone on your leadership team can read this in four minutes.
  2. Context. How we understood your company, what we scoped, what we did not scope and why.
  3. Findings / observations. The primary substance. Structured per finding: one claim, the evidence, the remediation, the residual risk.
  4. Architecture / system view. Diagrams, data flow, attack-path or customer-flow visuals depending on the service line.
  5. Roadmap. The ninety-day remediation or build plan. Sequenced into waves scoped to your team's capacity.
  6. Appendix. Detail exhibits, scripts, terraform samples, prompt libraries, whatever is artifact-shaped.
  7. Methodology. How we ran the engagement. Which parts Claude drafted, which parts the operator authored. Fully reproducible by you or by another firm.
  8. Provenance. Who worked on it, on what dates, with which reviewer. The signature page.

How to hand it off

If you are handing the handbook to a direct report to execute, the handoff is shorter than you think.

  1. Give them the whole handbook, not a summary. The specificity is load-bearing.
  2. Walk them through the roadmap in person. Ten minutes. Explain which findings you care most about, and why.
  3. Ask them to read the handbook and come back with three questions. The questions will tell you whether they read it and whether they understood it.
  4. Book the handover call with us. We answer questions from the operator directly. Included in the engagement, no extra billing.

The quarterly refresh (retainers)

If you are on a retainer, the handbook is a living document. Every quarter, we:

  • Re-run the parts of the engagement that depend on changing state (posture scans, share-of-answer runs, architecture diffs).
  • Update findings: mark remediated items closed, add new findings, re-rank severity.
  • Update the roadmap: move completed items to the “closed” tab, add new wave items.
  • Update the methodology section if we changed how we do anything.
  • Deliver a refresh note at the front: two pages, what changed since last quarter, what we recommend you act on before next quarter.

The refresh is priced into the retainer. You do not schedule it; it shows up.

How to make it yours

A handbook that sits in a shared drive and never gets edited is a handbook that will go stale inside a year. The clients who get the most from it treat it as the company's document, not ours. Practical habits:

  • Keep it in a system your team uses. We deliver HTML, PDF, and Markdown. Pick the one that your team will actually open. The full handbook contains unremediated findings, attack paths, and scripts, so keep it access-controlled; the sanitized companion is the version for anyone outside the team.
  • Add internal annotations. When your team implements a recommendation, annotate the finding with the PR link, the date, the owner. The handbook becomes a ledger.
  • Reference it in standups. The shortest way to keep a document alive is to say its name in meetings.
  • Share the sanitized companion with enterprise prospects under NDA. This is what the companion is for.

Common mistakes

  • Reading only the executive summary. Acceptable for a board member. Not acceptable for the operator who owns execution.
  • Treating the roadmap as aspirational. The roadmap is scoped to your actual team size. If you cannot do the wave-1 items, the rest will not matter.
  • Not flagging disagreements. If a finding looks wrong or a recommendation looks off, tell us. The handbook we ship is a draft until you have had the review conversation.
  • Waiting for the handover call. You can book the call before you finish reading. Two hours into your first read, if you have questions, that is a good time to book.

If you did not read the whole thing

Many clients do not. The quarterly refresh is designed for that. The refresh note at the front tells you what changed; the roadmap tells you what to do next. You can operate off those two sections and pick up the reference chapters the week you need them.
