Legible.
Testable.
Enduring.
These three standards govern every piece of work we deliver. They're not aspirational — they're the criteria by which we judge whether advice is ready for a project team.
Legible
We make the risk story clear — credible scenarios, plain-language priorities, and decisions that designers, engineers, and executives can act on. No black-box risk registers, just a defensible line from "what could happen" to "what we're doing about it."
Scenario-based threat analysis, structured risk prioritisation, plain-language risk narratives
Testable
We translate risk logic into requirements you can check, buy, and assure. Clear performance intent, traceable rationale, and evidence you can carry through review, procurement, and design gates.
Performance-based specifications, traceability matrices, verification and validation planning
Enduring
We design for the full lifecycle. What gets built, operated, maintained, and owned in the real world. Solutions that survive handover, budget cycles, staffing changes, and day-to-day constraints.
Lifecycle cost modelling, operational readiness assessment, maintenance and ownership planning
Rigorous self-funded research
Active research programmes across vehicle-as-a-weapon threat analysis, the state of CPTED in NSW, protective placemaking, security culture, security talent, and the security landscape to 2030 — so our advice is grounded in current evidence, not inherited convention.
Practical frameworks and tools
HB167-aligned risk assessment frameworks, performance-based specification templates, and traceability tools that bring consistency and rigour to every engagement.
Publication and knowledge-sharing
Peer-reviewed journal articles, conference papers, standards contributions, and open resources that advance the professional body of knowledge.
Design-integrated mindset
We speak design language. Security advice that ignores architecture, public realm, and user experience creates more problems than it solves. Our team works with designers, not around them.
Independence trusted on both sides
We advise government clients, their tier-1 contractors, and private developers — often on the same programmes.
When Core42 has done its job, project teams have:
Threats calibrated, not assumed
Priority scenarios grounded in empirical evidence — our proprietary databases, site-specific crime data, quantified risk positions. When assumed threats don't withstand structured analysis, we build the evidence to challenge them.
Design integration, not design conflict
Security requirements in design language with individually tracked designer responses. We work alongside architects and landscape designers, embedding protection into spatial features and developing purpose-built tools for each project's unique constraints.
Disproportionate expenditure prevented
Proportionate, evidence-based analysis that protects your budget. We differentiate protection levels across complex environments rather than applying uniform measures — each decision backed by defensible evidence, not inherited assumptions.
Arguments that hold under scrutiny
SFAIRP arguments and structured security cases built on evidence that withstand regulatory review and independent audit. Over 100 individually tracked requirements per project, each traceable end-to-end from risk scenario to verification.
Enduring operations
Security measures that operators can maintain, own, and run. We design enterprise operating models with role definitions, KPI frameworks, and procurement-ready documentation — not just telling clients what they need, but enabling them to procure the capability.
Want to see what legible, testable, enduring looks like on your project?
A 30-minute diagnostic conversation to identify where your project's security risks sit, what decisions need to be made now, and where integration saves time downstream.
Book a Diagnostic CallThe Built Environment Security Benchmark
A 10-question diagnostic to assess how effectively security is integrated into your project — before it becomes a problem.
Take the benchmark →