Our culture
The work is hard. It's not hard to be here.
Most people who join PortSwigger say some version of this once the novelty of the first weeks wears off and the real texture of the place starts to show. The problems are genuinely difficult. The standards are genuinely high. And somehow, that doesn't make it harder to be here — it makes it better.
What follows is an attempt to explain why. A genuine account of how the place works — where it came from, what it asks, and what it gives back. The values described here are what happens when you put a particular kind of person in a particular kind of environment and let them build something they actually care about.
Before the business grew beyond its first few Swiggers (what everyone at PortSwigger calls themselves; if you work here, you're a Swigger), we asked a simple set of questions. What if work could actually be fun? What if we could create a place where people wanted to be, where they strive together to build something that changed the lives of the people who used it? This is what we set out to build. But a culture like this is fragile — small decisions that seem routine can erode it quietly, and a company that loses its culture can't simply rebuild it later. So we're deliberate — and deeply committed — to nurturing it.
Read this guide properly as a genuine account of something worth protecting. You are now a carrier of the culture. Everyone at PortSwigger is. When something feels off — something that doesn't match what's written here — say something.
Where it came from
PortSwigger began with one person building a tool for himself. In 2002, Daf was a security consultant writing scripts to automate the tedious parts of web pentesting. One of them — a proxy tool named Burp, for no particular reason, complete with actual burping sound effects — caught on. He released it in 2003, anonymously, under the hacking handle he'd been using for years: PortSwigger. One who swigs port.
For the next decade, it was essentially a one-man operation. No investors. No marketing team. Word of mouth and the quality of the tool. When users emailed in, Daf replied. The tool had developed a following that went far beyond what he'd expected of a side project.
When the business grew large enough to need a team, Daf sat down and wrote out what kind of employer he actually wanted to be. He'd seen enough of the corporate world to know what he didn't want. He framed it as The Unit Test, the way a developer checks software, and put it on the wall in the first Knutsford office in 2013: we have fun; we work hard; we make Burp as good as possible; our customer service exceeds expectations; we are fair and generous to everyone; we don't follow the herd.
For sixteen years, the business grew without a single penny of outside investment. In 2024, PortSwigger took its first — a $112 million round. Daf kept control. Those six principles didn't change. What you're reading now is the grown-up version of them.
Our mission: enable the world to secure the web.
A mission earned through the quality of what we deliver, not self-declared at the start of our journey. We build the tools practitioners trust, the knowledge that trains security professionals, and the community that makes anyone who cares about security better — so together we can make the internet safer. We do this through work we genuinely love. Joy, mastery, and purpose belong together, and here they usually do.
What that looks like depends on where you sit. Right now, somewhere in the world, a security practitioner is using our tools to find a vulnerability before someone with bad intentions does — in critical infrastructure, financial systems, healthcare, or any one of the thousands of organizations that rely on the web being secure. If you're in engineering, you're building the tools they rely on. If you work in a customer-facing role like sales or customer success, you get the tools into their hands and make sure they can use them effectively. If you're in finance, culture or any support function, you're sustaining an organization that has chosen, repeatedly and deliberately, to invest in the health of the broader security community rather than extract from it. That choice is the mission made operational.
We do this through work we genuinely love — and that's not an aspiration, it's a description. Joy, mastery, and purpose belong together, and at PortSwigger they usually do. Belonging here grows from that: it's built on contribution over categorization — what you bring to the work and to each other, not your title or how you might be labeled elsewhere.
The people, and how we work
Maintain the bar
Hiring here is deliberate. We look for people with exceptional potential — people who share our values, bring depth in their craft, stay curious and humble, and help strengthen the team around them as they grow. We'd rather leave a role unfilled than lower the standard. The result is a team where working alongside your colleagues is itself a form of development.
Every candidate goes through a calibrated process — confidence indicators, multiple assessment rounds, and honest discussions about fit. We've kept roles open for months rather than compromise.
Default to trust
We default to trust because it's the right thing to do and allows us all to do the right thing — building, creating, innovating — delivering on our mission.
No timesheets. No sign-off processes. No micromanagement. You are trusted to manage your own time and priorities from day one, because the alternative — monitoring, approval chains, demonstrating your hours — is a signal of distrust, and distrust is corrosive.
But trust only works if people are genuinely safe to make mistakes.
Freedom to fail is not accidental here — it's something we actively protect. Bold experiments are celebrated, not punished. In our All Hands meetings (the weekly company-wide meeting where work is shared, wins are celebrated, and Swiggers can ask any question directly to leadership, on the record), Swiggers share stories of when things went wrong as openly as when things went well. In 2025, over a third of All Hands presentations included a failure story and the lessons it produced.
But freedom without structure isn't freedom — it's chaos.
Structure enables freedom. Real autonomy is intentional, not accidental. We give Swiggers genuine ownership — and we build the conditions that make it meaningful: clear goals, shared plans, and a delivery rhythm that means one person moving fast doesn't create chaos for everyone else. Autonomy without direction is just noise. Structure without trust is just control. Together, they're how things actually get done here.
That structure creates the conditions for accountability to be something people choose, not something imposed.
We hold each other to high standards. Accountability here isn't handed down from above; it's something people hold for themselves. Swiggers commit, deliver, and raise problems early rather than quietly, because that's how we respect each other's time and effort.
Doing this well relies on transparency. We work in the open. This is both the why and the what of how we work. Information is shared openly by default because visibility builds shared context and better decisions.
We believe we work better together — because it creates this visibility and accelerates our impact.
That is why we default to in-office working. Collaboration is central to both our performance and our wellbeing. Working in the same physical space enables spontaneous conversations, fast decisions, and stronger team relationships. It also helps us spot issues early, support each other naturally, and move with the trust and rhythm that high performance depends on.
We are a people first organization, where Swiggers are trusted to do the right thing. Treating Swiggers as whole humans creates the safety net that lets them use that agency. Psychological safety matters here and protecting it is essential, not nice to have. PortSwigger is its people, and we look after them.
That safety doesn't happen by accident and our culture doesn't maintain itself. That is why we're deliberate about how we grow it. We actively transmit what makes PortSwigger distinctive: through how we onboard, how we communicate, how leaders behave day to day.
Every Swigger, in every location, is a carrier of the culture. We don't leave that to chance.
Relentless learning
Purposeful learning sits at the heart of everything we do — it drives our personal development, our products, our mission, our appetite for change.
How we do that starts with every Swigger taking ownership of their development.
Development at PortSwigger is self-driven, coach-supported, and rooted in real work. Swiggers learn by doing, get help when they need it, and grow through feedback, mentoring, and everyday challenges. Roughly 70% of development comes from the work itself, not from programs. That's a deliberate bias toward immersion over instruction.
Professional development is as unique as the person pursuing it. High performance isn't about ticking boxes — it's about growing in the areas that matter most to you, with the support of coaches and the people around you.
At PortSwigger we have a bias for action. We ship, learn, and improve — in that order. Getting something real in front of the people using our tools matters more than waiting until it's theoretically right. We iterate quickly, course-correct fast, and simplify by default.
But action without evidence is just activity.
We seek to make decisions informed by data, because curiosity without evidence is just intuition. We check assumptions and update our views when the evidence points another way. Whether you're launching a product, designing a process, or setting a team direction, "what does the data say?" is always a fair question.
Our bias for action is sharpened by leaning into tools that magnify our impact.
AI is part of how we work at PortSwigger. We embed it into daily workflows, onboarding, development, research, and decision-making as a genuine multiplier. When AI emerged as the most significant shift in how software is built and security is practiced, PortSwigger didn't wait to see what others did. We moved fast.
We give every Swigger access to just about every major AI tool — software engineers, the finance team, the workplace chefs, all of us. They're here as a genuine force multiplier: think faster, work better, go further. As new tools and techniques land, picking them up is part of the work, the same self-driven way we grow in everything else.
Adopting new tools is one expression of something deeper.
Change or die. Learning for us lives in a world where change is welcomed. Where disruption and challenge provide opportunities to learn. Where trialling a non-standard solution to a problem is not seen as a career limiting decision, but instead an unlock for innovation and creativity.
And change means thinking for ourselves — not watching what everyone else does. That instinct — don't follow the herd — is one of the six principles from our original Unit Test.
The willingness to go where the evidence points, even when it's uncomfortable, only thrives when you feel genuinely safe to say what you actually think. That is why we believe that all Swiggers should be able to ask anything, fear-free. We protect a space where half-formed ideas are worth voicing, where admitting you don't know something isn't costly. There are no stupid questions, because asking them is how individual curiosity becomes collective knowledge.
The standard and the care
High Bar, High Care
High Bar, High Care sounds like two values in tension. It isn't. It's one coherent position.
High ambition without real support produces burnout. Real support without high ambition produces drift. PortSwigger holds both.
At PortSwigger we aim to win. We aim to be the best in the world at what we do — because the practitioners who trust our tools are doing consequential work, and they deserve nothing less. When a bug gets through to a customer, or a response is slower than it should be, someone cares — because we know who's on the other side and what they're trying to accomplish.
Our high ambition sets the standard every day: shipping things that genuinely surprise and delight; reviewing each other's work with the scrutiny we'd want applied to our own; holding the quality bar when it would be easier to let something through, striving to achieve your best not just "clear a ticket".
But our high bar can't be achieved in isolation. At PortSwigger care and performance aren't opposites — one is what makes the other possible.
We see them as Yin–Yang: high performance and high support. We work hard and aim high. We also hold each other with genuine care — checking in, keeping pressure healthy, building the psychological safety that makes honest feedback possible and bolder goals worth setting. The support at PortSwigger extends beyond the professional and into the personal — and that isn't incidental to how we perform; it's what makes high performance sustainable.
This sentiment extends to our workplaces. Our workspace experience sets the bar and shows care. Our offices are living expressions of our high standards and high support — environments where Swiggers can aim higher and that looks after them while they do so.
We recognize that holding to high standards is hard. So we design our internal system to make high performance easier. Our leaders lead by lifting others; they see their role as enabling others. Leadership here is shared, not status-based. We collaborate without ego, support each other to succeed, and help others grow beyond the role they were hired for.
Sometimes the bar is hard to reach. When someone is struggling to meet the bar, we name it — early, directly, and with genuine support behind the conversation. We try to find the path back to success together: a real conversation, a proper attempt, not a slow drift toward an outcome no one has named. That's a tension held honestly rather than smoothed over: we say so early when someone isn't meeting the standard, and we invest meaningfully in the attempt to change that.
The Immune System is the name we give to how we handle performance when it drifts — and the instinct is always support-first. Step in early, be clear about the gap, invest meaningfully in the person's improvement. Quarterly HPRs (High Performance Reviews: conversations between Swiggers and their coaches that are learning conversations, not verdicts) and Swigger Success Champions from the Culture team are part of the same joined-up approach.
Our cultural contract — the give and the get
Generous by default
Generosity at PortSwigger starts close. Swiggers are generous with each other — with their time, knowledge, support, and care — and the same instinct shapes how we show up for the people we build for.
One of the most visible expressions of that generosity is how we treat knowledge.
We see knowledge sharing through a force-for-good mindset. The Web Security Academy has been free since the day it launched, as has Community Edition of Burp Suite. The vulnerability research we publish goes straight back into the industry, openly and without restriction. These aren't marketing choices — they're expressions of a founding instinct: when knowledge moves freely, the bar rises for everyone.
That instinct runs through the organization. You can go to anyone at PortSwigger and ask a question. The response is an eager willingness to share. We share knowledge openly: what matters is what we can collectively learn and achieve with it, not where you sit in the structure.
This same instinct drives how we treat customers.
Our customers are security practitioners doing work that matters — and we don't lose sight of that. We aim to surprise and delight, and the way we treat them isn't a customer service strategy; it's our culture applied outward. Being generous, doing the right thing, enabling people rather than extracting value from them. The anchor is always the mission: we're here to enable practitioners to do better security, not just to sell software.
And generosity applies inward too. When PortSwigger wins, we all win.
PortSwigger rewards generosity. Above-market pay and share options recognize individual contribution, promote fairness, and align our long-term success with the value we create together.
This generosity is also shared between Swiggers.
At PortSwigger, feedback is a gift. Giving and receiving feedback is part of how we help each other achieve the incredible. We give feedback thoughtfully, with care for the recipient. We receive it with openness and gratitude.
Our feedback culture only works because we leave egos at the door.
Swiggers act with humility. We don't shout the loudest or seek the spotlight. We focus on doing great work, sharing credit, and letting the impact speak for itself. This keeps us open to learning and centered on what really matters — delivering value for others.
That humility extends to our culture itself.
The actions of every Swigger matter. Protecting our culture requires us all to recognize what it is, live up to the challenge, and speak out when it's at risk. We pull together to protect our superpower.
The relational contract between PortSwigger and each Swigger is real. The organization genuinely takes care of you — not just professionally, but as a whole person. We protect time to recharge, support different personal commitments, and we don't measure contribution in hours. When something's hard, there's no form to fill in, no case number. There's a person whose job it is to listen and help you get what you need. As one Swigger put it: "it can be that personal."
In return, you genuinely take care of the mission. That means full presence when you are at work, real focus, and a genuine drive to make things excellent. Both sides of this are high standards — and the trust underlying the exchange is what makes it possible.
What it feels like to be here
Low ego, high engagement
The fun here is real, and it takes work. PortSwigger was born from a hobby, and that playful spirit hasn't left. The humor is real, and the banter is genuine. When work is genuinely fulfilling — when you're solving hard problems with people you respect, building something that practitioners genuinely rely on — that's what fun means here.
And the fun is richer because of who's in the room. We don't tolerate brilliant arseholes — we're kind, humble, and collaborative, and that makes work feel good.
We bring together people with different backgrounds, areas of expertise, and experience levels, because our differences make us stronger. That breadth of perspective is a strategic and human strength. Different viewpoints lead to better discussions, better decisions and, ultimately, better products.
That richness shows up most in how we spend time together.
Swiggers enjoy spending time together. Fun lives closest to the work — in teams, squads, and everyday interactions. It comes from the people who bring it, and from an environment that doesn't squeeze it out. Work should be fulfilling. If we're not enjoying the journey, we're doing something wrong.
But fun at work is only sustainable if the rest of life is looked after too.
We care about whole-person wellbeing, about people's lives beyond work. Protecting time to recharge, supporting different personal commitments. We measure contribution based on achievement not on hours. Regular overworking is not encouraged. Sustainability is the aim. At times achievement means going the extra mile, putting in those extra hours. But we do this in the knowledge that sustainability is not a nice to have, it's a core requirement. People do better work when they're not running on empty.
The six principles from the wall in 2013 are still there. What you've just read is what they look like from the inside.
Reference
Glossary of principles.
A reference guide to the shared language used throughout this narrative.
Default to trust
Freedom with responsibility
- Default to trust: Brilliant people doing brilliant work. Trust is the foundation for agency, collaboration, and innovation. We hire exceptional people and get out of their way.
- Freedom to fail: Bold experiments are celebrated, not punished. Learning comes from doing and from getting things wrong in an environment where wrong isn't career-ending.
- Structure enables freedom: Agency works best when everyone is pulling in the same direction. Clear goals, shared plans, and a delivery rhythm that lets individuals move fast without creating chaos for each other.
- Accountability: Trust comes with clear ownership and the expectation of follow-through. High trust requires high reliability.
- Transparency — work in the open: Information shared openly by default across teams, roles, and locations. The why as well as the what.
- We work better together: Collaboration is central to both performance and wellbeing. Co-location enables the trust and rhythm that high performance depends on.
- People first: Treating Swiggers as whole humans creates the safety net that lets them use their agency. Psychological safety is essential, not nice to have.
- Deliberately building culture: Culture doesn't maintain itself. We actively transmit what makes PortSwigger distinctive — and we don't leave that to chance.
Relentless learning
Curiosity beats certainty
- Own your development: Self-driven, coach-supported, rooted in real work. Swiggers grow through feedback, mentoring, and everyday challenges.
- Bias for action: Pragmatic progress over theoretical perfection. Iterate quickly, learn by doing, simplify by default.
- Decisions informed by data: Curiosity without evidence is just intuition. We measure what matters and update our views when the evidence points another way.
- AI as part of how we work: AI embedded into daily workflows as a genuine multiplier — not a novelty, but a tool that makes thinking sharper.
- Change or die: We embrace disruption before it finds us. Trialling a non-standard solution is an unlock for innovation, not a career risk.
- Don't follow the herd: Decisions based on reason and evidence, not industry defaults. Original thinking is valued over standard playbooks.
- Ask anything, fear-free: A blameless space where half-formed ideas are worth voicing and admitting you don't know something isn't costly.
High Bar, High Care
Ambition + support
- Aim to win: We want to be the best in the world at what we do. Ambition is a daily practice, not a quarterly aspiration.
- Long-term orientation: We play the long game, not the quarterly one. Quality today protects excellence tomorrow.
- We lead by lifting others: Leadership is shared, not status-based. Our leaders see their role as enabling others to succeed and grow.
- Yin–yang: high performance and high support: High ambition and genuine care are not in tension — they're one coherent position. Both are required to sustain high performance.
- When the bar is hard to reach: Early honesty, a genuine attempt, and genuine support. If the path back doesn't exist, we part with respect and dignity.
Generous impact
Think beyond yourself
- Open knowledge, force-for-good mindset: When knowledge moves freely, the bar rises for everyone. WSA, Community Edition, and our research are expressions of this instinct.
- Delight customers: We aim to create products and experiences that customers love. Our value proposition should make the product an obvious choice.
- Reward generously: Above-market pay and share options recognize individual contribution and align long-term success with the value we create together.
- Feedback is a gift: Give thoughtfully. Receive with openness and gratitude, even when it's not the gift you were hoping for.
- We act with humility: Great work, shared credit, impact speaks for itself. Keeps us open to learning and centered on what really matters.
- We pull together to protect our superpower: Protecting our culture requires every Swigger to recognize it, live up to it, and speak out when it's at risk.
Fun is fundamental
If it stops being fun, rethink
- Fun at PortSwigger is real — and it takes work: The playful spirit is present in how we approach problems, spend time together, and treat each other. It lives in the work, not in company programs.
- Our differences make us stronger: Diversity of background, perspective, and experience is a strategic and human strength. Inclusion isn't an initiative — it's what makes the culture work at its best.
- We enjoy spending time together: We don't tolerate brilliant arseholes. Authentic laughter beats contrived team-building. The relationships we build are what turn a good job into a great community.
- Whole-person wellbeing: Achievement not hours. Sustainability is the aim. We work hard, but recognize that people do their best work when they're not running on empty.
Confidential — Internal Use Only
PortSwindler Ltd.
Employee Reference Document
Revised May 2026
- Deliver Shareholder Value
- Operate Within Defined Parameters
- Follow Established Procedures
- Performance Managed to Agreed Targets
- Protect Proprietary Assets
- Maintain Professional Conduct at All Times
1. Deliver Shareholder Value
The purpose of the organization is to generate sustainable returns for its shareholders. Employees are expected to understand and support this objective in the performance of their duties. All decisions should be evaluated against their contribution to the financial health and growth trajectory of the business.
Strategic direction originates at the leadership level and is cascaded through line management structures. Employees are encouraged to focus on their defined areas of responsibility and to escalate decisions that fall outside their delegated authority.
2. Operate Within Defined Parameters
Tasks are assigned by your line manager in accordance with business priorities. Employees are expected to complete assigned work within the agreed timeframe and to the standard specified. Requests for variation to agreed scope should be submitted in writing for approval prior to commencement.
Access to information is granted on a need-to-know basis as determined by your line manager. Employees should not seek information beyond the scope of their role. Questions regarding business strategy or financial performance should be directed to the relevant management contact.
3. Follow Established Procedures
Procedures exist to ensure consistency, compliance, and operational reliability. Employees are required to follow all applicable procedures without modification. Deviation from established procedures, even where the employee believes an alternative approach would be more effective, is not permitted without prior written authorization.
Employees who identify a potential improvement to an existing procedure should complete Form PR-7 and submit it to the Process Governance Committee for review. Review timelines are typically 60–90 working days.
4. Performance Managed to Agreed Targets
Performance is assessed against key performance indicators agreed at the start of each appraisal cycle. Employees are expected to demonstrate measurable progress against these indicators at quarterly review points. The appraisal process is managed centrally and all outcomes are subject to moderation by the HR Leadership Board.
Employees who do not meet their targets for two consecutive review periods will be entered into a Performance Improvement Process. Details of the PIP framework are available from your HR Business Partner upon request.
5. Protect Proprietary Assets
All work product created during the course of employment is the intellectual property of PortSwindler Ltd. and must be treated as confidential. Employees must not discuss, share, or refer to internal processes, systems, or business information with any external party without prior written approval from the Legal & Compliance team.
The sharing of knowledge with external parties — including at conferences, in publications, or through online communities — requires pre-approval and must be reviewed for any inadvertent disclosure of competitive or sensitive information. Knowledge is a commercial asset.
6. Maintain Professional Conduct at All Times
PortSwigger operates a professional working environment. Employees are expected to maintain appropriate professional conduct in all work-related interactions, including virtual communication and social media. Personal expression that could bring the organization into disrepute is subject to disciplinary review.
The company is committed to diversity and inclusion as required by applicable legislation. A copy of the Equality & Diversity Policy is available on the intranet. Employees are encouraged to complete the mandatory online training module by the end of Q2.
You've been kettled.