How we work


Security is a complex, multifaceted problem. Most businesses trying to start a security practice don’t need a “security person” so much as they need someone to do application security work on Monday, give cloud security guidance on Tuesday, run a third-party risk management security review on Wednesday, handle SOC 2 compliance on Thursday, and be the resident IT expert on Friday. Oh, and they’re responsible for security monitoring throughout the week while being on-call for incidents. And, of course, they need to be a gifted manager, because they’re expected to build out the entire security practice.

Maybe you’re currently writing a JD for that unicorn, or you’re the lucky person who just landed that role and now has to deliver. Either way, we’re here to help. Instead of trying to do the impossible, you engage us. We have a diverse team of experts pre-equipped with processes and power tools covering an enormous range of security capabilities. That lets you de-risk building your team while ensuring you have every security capability you need at your fingertips.

How we’re different

We’re a reliable long-term partner

We invented the security-team-in-a-box model, and we’ve been delivering on it for nearly a decade. One key difference from traditional security services is that we are ongoing, like an internal security team would be, rather than point-in-time, the way typical assessments are done. Our engagements often last years.

We also improve your security program’s resilience through our deep bench of staff. If one member of our staff is unavailable for whatever reason, we can ensure business continuity, even in the face of illnesses, vacations or other leaves of absence.

We can scale, both up and down

Because we work with clients for a long time, we’ve learned how to scale all of our services up as clients grow, and down, so we can work with early-stage companies with only a few people.

We’ve helped clients scale up all the way to thousands of full-time staff. Working with startups means we’re also familiar with the sometimes harsh realities of when things don’t go so well. We’ve helped clients reduce their security spend drastically with minimal capability loss.

The right intervention at the right time

Working with clients for an extended period of time has a significant impact on how we deliver services.

For example, instead of doing an annual, broad-spectrum, two-week application security assessment, we can be an active participant in your systems development life cycle:

  1. We’ll provide a subject-matter expert as you’re designing a new feature, so problematic designs never make it to the development stage in the first place.
  2. We’ll review PRs as they happen to make sure nothing’s being missed.
  3. As necessary, we’ll organize tightly scoped assessments as that feature comes together.

This means you get a much faster, cheaper and more effective assessment. Not only is the assessment done by someone who knows what they’re looking at and what they’re looking for: it’s done by someone who understands the context of your business so they can pay attention to what really matters.

We’re not designed to be sticky

Even though we tend to work with clients for a long time, we don’t require a long-term commitment. We’re month-to-month, even though many of the tools we deploy for you ordinarily require annual commitments.

For example, we deploy single-tenant infrastructure. That’s often much more complex for us to handle, but it’s the right thing for the client. It lets us seamlessly invite you in as you grow your own capabilities, and enables you to eventually, should you want to, bring those capabilities in-house entirely.

We understand security is a sales job, too

It’s common for security to turn into the team of “no”: a pure cost center that has borderline adversarial relationships with the rest of the company. We understand that an effective security practice needs to be sold, both to internal and external stakeholders.

We integrate with internal stakeholders by meeting them where they are, be it in the design process (typically in Notion, Jira, or Google Docs), the development process (PRs), or just day to day (Slack). We try as hard as possible to make sure we’re an integral member of the team, with as little friction as possible to engaging us.

As we perform regular assessment work, we’ll provide you with formal reports and letters of engagement that your auditors and customers will likely want to see. Rather than perform monolithic tests and one-off reports, we’ll generate documents demonstrating an active security assessment program instead of a performative checkbox approach. We’re happy to simply provide those documents and let you work with them, or take a more active role with your prospective customers or auditors.

For clients who need it, we even go so far as to own the security sales enablement challenge entirely, from answering questionnaires to meeting with prospective customers.

We own the entire problem

We’ll use commercial systems when they’re the best tool for the job, but we’re not a VAR. In order to guarantee the quality control and integration we need, we made sure we could deliver all of our services in-house.