Security

Three things: continuous external penetration testing on whatever cadence your release pace warrants, a virtual CISO retainer for the strategic work that needs an executive’s judgement, and full end-to-end preparation for ISO 27001 or SOC 2 certifications including the back-and-forth with the auditor.

Continuous by default

The traditional security engagement is a once-a-year penetration test plus a certification cycle that runs in the months before the next renewal. That cadence keeps the paperwork current; it does not keep pace with the code. For a system that ships code every week, the security work has to operate on the same clock as the releases.

Our pentest service runs continuously: monthly, weekly, or daily depending on your release pace. The vCISO retainer is ongoing, so a control gap can be raised the week it appears and tracked to closure inside the same quarter. The ISO/SOC 2 work is structured so the certification falls out of the daily practice the team already runs, with the evidence collected as it happens.

Security services

The three engagements we run

Most clients hire us for at least two of them together. Tap any card to see scope, cadence, and starting price.

Penetration Testing

Continuous external pen testing — monthly, weekly, or daily cadence.

vCISO

Virtual CISO retainer — security leadership without a full-time hire.

ISO 27001 & SOC 2

ISO 27001 and SOC 2 audit preparation — end-to-end with auditor coordination.

How a security engagement runs

Posture review to ongoing programme

01 · Security posture review

One- to two-week structured review of where the security programme is today: existing controls, current pentest coverage, certification status, data flows, compliance obligations, prior incidents. Output is a prioritised gap analysis with a recommended sequence of work and a fixed-price quote for the engagement that follows.

02 · Continuous operation

Pentest scans run on the chosen cadence (monthly, weekly, daily); findings are triaged, ranked by severity, and tracked to remediation. The vCISO holds the risk register, attends compliance conversations, and represents the security function in board reporting. Compliance preparation runs in parallel where applicable.

03 · Audit and renewal

When the certification audit arrives, we’ve been collecting evidence the whole way through, so the auditor sees a programme that has been operating all year. We sit in the audit calls. We respond to findings. We carry the artefacts forward into the next surveillance cycle.

Pricing at a glance

Where each service starts

Penetration Testing

Monthly: €99 / month · Weekly: €250 / month · Daily: €500 / month. Every scan is a full deep scan — the cadence is the only variable.

Virtual CISO

Retainer from €3,000 / month. Strategic security leadership without the full-time hire. Pairs well with the pentest service: vCISO owns the programme, pentest produces the artefacts.

ISO 27001 & SOC 2

Single-framework cycle from €15,000. ISO 27001 standalone from €12,000; SOC 2 readiness from €4,500. Certification-body audit fees are separate.

Security engagements — questions we field

Do you work alongside our internal security team?

Yes — most engagements look that way. The internal team owns operations and incident response; we own external testing, certification preparation, and strategic vCISO work that benefits from outside perspective. The split varies by engagement; we’ll write it down explicitly in the scoping document so there are no ambiguities about who answers what.

What does “continuous penetration testing” actually cover?

Full external attack-surface scans on the chosen cadence — web applications, APIs, exposed infrastructure, authentication flows, configuration weaknesses, known vulnerable dependencies. Each scan produces a written report with findings ranked by severity, evidence, and remediation guidance. The scope is your external surface; internal-network pentesting and physical security assessments are separate engagements.

How does the vCISO retainer differ from hiring a CISO?

A vCISO works with you part-time on a retainer, handling the strategic and governance responsibilities of the CISO role without sitting in the org chart full-time. Useful when the company needs senior security judgement — for vendor reviews, board reporting, compliance roadmaps, incident response leadership — but isn’t at the scale where a full-time CISO is justifiable. Often paired with the in-house team that handles day-to-day security operations.

ISO 27001 or SOC 2 — which do we start with?

Depends on who’s asking for the certification. Enterprise procurement in the US asks for SOC 2 by default; European enterprise and NIS2-scope organisations ask for ISO 27001. If both are in your future, we run a combined engagement because the underlying control work overlaps heavily — doing them sequentially costs more than doing them in parallel.

What if a finding turns into an actual incident?

If we’re your vCISO retainer, incident response leadership is part of the scope — we’re on the call, helping coordinate the response. If we’re only your pentest provider, findings are still tracked to remediation, with response leadership held internally by your team. The scope document defines which arrangement applies; many clients hire us for both for exactly this reason.

POSTURE REVIEW · FIXED-PRICE SCOPING

Tell us about your security posture

Tell us where the security programme is today and what’s being asked for next. We’ll come back with a recommended sequence and fixed-price scoping for the engagement that follows.
