When you hire Rimrock, you're not buying access to a firm. You're working directly with the person running your engagement — start to finish.
I'm Cody Shepherd — founder of Rimrock Security and the person who runs every engagement. My background spans network penetration testing, physical intrusion assessments, and social engineering, which means I approach security the way attackers do: across every surface, not just the digital ones.
I started Rimrock because most of the businesses in the Pacific Northwest — especially the small federal contractors and SMBs around the Tri-Cities — don't have access to the kind of hands-on security testing that actually finds real risk. What they get instead is vulnerability scans with cover pages and compliance checklists that leave the biggest gaps untested.
Rimrock is built to fix that. Every engagement is done personally, the reporting is written for business owners and leadership teams — not just IT staff — and the pricing is built for organizations that aren't spending six figures on security consultants.
If you've got a question about your security posture, the right answer is a real conversation — not a quote form. Reach out.
No surprises. No scope creep. Every engagement follows a clear process and ends with findings you can act on.
We talk through your environment, what you're trying to protect, and what's in scope. You get a fixed-scope engagement letter before anything starts — no surprises, no scope creep.
The engagement runs on a defined timeline. You know when testing starts and ends. I'm reachable throughout and will flag anything critical immediately rather than waiting for the final report.
Every engagement ends with a written report — an executive summary your leadership can read plus a technical section your IT team can act on. We walk through the findings together on a debrief call.
At a large firm, your engagement is sold by a senior consultant and run by whoever is available — often a junior analyst following a playbook. The senior consultant reviews the output and puts their name on the report. You're paying for the brand, not the person.
With Rimrock, you get the practitioner. The person who scopes your engagement is the person who runs it, writes the report, and sits on the debrief call. There's no translation layer and no quality control risk.
For the kinds of engagements Rimrock focuses on — network pentests, physical assessments, phishing campaigns, and compliance gap work — a focused specialist delivers better results than a generalist firm at half the price.
Initial consultations are free. No pitch, no pressure — just an honest conversation about your security posture.