Threat-model, harden, test, certify. Done together they reinforce each other; done alone they decay.
A written model your team can defend; not a STRIDE worksheet.
CIS benchmarks, OWASP ASVS, custom posture per service.
Findings that ship as PRs, not as a PDF.
Audit-ready evidence, not theater.
Built so that posture doesn’t regress after the certificate hangs on the wall.
Written, versioned, reviewed. Every new high-risk feature triggers an update — not a one-off Confluence page.
Five business days after testing ends. Findings with reproductions, suggested fixes, and severity rationale. Retest within 90 days.
Where the fix is code or IaC: shipped as PRs against your repos, not as recommendations. Reviewable and mergeable.
Detection rules in your SIEM (or one we set up), wired to your paging. Runbook per alert. Tabletop exercise to test it.
Vanta/Drata-compatible evidence collection or manual. Policies tailored to your operating reality, not templates.
Pen-test repeated annually with diff reporting against prior years. Trend visible to leadership in a 1-page summary.
Security is usually scoped as a project, not a monthly retainer. Pricing reflects scope, not seat-time.
The difference between a pen-test that improves you and one that doesn’t is what happens after the report.
Written scope, named in-scope and out-of-scope surfaces, threat model with you in the room. No surprises during testing.
Active testing with daily standups so you’re never surprised. Findings documented as they’re confirmed, not at the end.
Report inside 5 business days of test end. Hardening PRs against your repos where the fix is code or IaC.
Free retest of all findings within 90 days of the original report. Attestation letter once severity-1 and severity-2 are closed.
If something isn’t answered here, ask in your intro email — we keep this list short on purpose.
OWASP ASVS L2 as the floor, OWASP API Security Top 10, cloud-specific CIS benchmark verification, custom test plan per system. Black-box, gray-box, and white-box on request.
No — we’re not a CPA firm and shouldn’t be. We work alongside three audit firms we trust; we prepare you and stay through fieldwork.
Yes, through HackerOne or Bugcrowd. We tune the scope, triage incoming reports, and ship the fixes. Most clients see a steady-state ~3 reports/week after the launch surge.
Yes, on the larger engagements. Multi-week red team with phishing, physical, and assumed-breach scenarios. Always with a clear rules-of-engagement document signed by your CISO.
Send a paragraph about the problem. We’ll come back inside 48 hours with a written take — team shape, cost envelope, riskiest assumptions.