> It also depends on "which part of NCC" you were looking at.
For the security consultancy part of NCC, it's not like I catalogue and re-check their findings, so this is probably biased, but the only report I remember is the one from Keybase, where they failed to notice that the claimed end-to-end encryption trusts the server to deliver the right keys. This was tested together with some other people on HN, using packet capturing (one theory was that it checks the third-party website proofs like reddit/HN/..., and that it's user error if you don't have any, but no, not even that).
I was really surprised both by Keybase getting something so fundamental wrong (they claim some blockchain magic verification which you can do on the command line, but the app doesn't have a blockchain client and no manual fallback either, so it's never verifying anything and instead fully trusts the centralized, Keybase-operated, proprietary servers) and by NCC not noticing this problem. Someone I knew from the security stackexchange site, and whom I admire greatly, took part in the audit, but of course they never replied (not even declining to comment) when I emailed them with a question about how this verification works (at that point, I still felt like I must be missing something, so this email wasn't phrased accusatorily).
I don't have a bad impression of NCC in general and we all make mistakes, but yeah that's the example that stuck in my mind.
My experience with them has been both knowing a large number of their consultants at certain locations, and reading the reports they issue for network and webapp pentests.
Work quality on those was a real mixed bag: some was terrible, some was excellent. It didn't leave me with much faith in their QA process.
Similar experiences with other larger consultancies (MWR, now FSecure, etc.).
Very interesting perspective, thanks for sharing! Curious how people perceive my employer, which is in the same line of business. I thought we'd deliver consistent quality, also because we're not a big team, but yeah, it's not like it's an exact science where we'd always find every important bug in a given week.