BastionSec

Security and compliance, done for real.

Real certifications · Pentests · Managed security and infrastructure · Trust Center. We get you compliant and keep you secure and operational: the right fit for startups and SMEs with no in-house security or IT team, and for foreign companies entering the Italy/EU market.

  • We take you all the way to the certification body: a real certificate, not a PDF.
  • Pentests and reports that hold up in front of your client's CISO.
  • Managed workspace, devices, network and infrastructure: we configure and manage, we don't sell hardware.

Why BastionSec

Real, not for show

We come from real pentesting and hardening. No paper compliance: we make you genuinely secure and prove it.

Fast, for a credible reason

AI speeds up the repetitive part (documentation, evidence, first analysis). People do the substantive work and review everything.

Honest about roles

We take you to certification; an independent body issues it. That independence is a value, not a limitation.

What we do

Four pillars, one method, for those too structured to wing it but too small for an in-house SOC (the "missing middle").

Compliance & Certifications

ISO 27001, SOC 2, ISO 42001, GDPR · NIS2 · DORA. We support you end-to-end, up to the certification body (ISO) or the CPA firm (SOC 2).


Offensive Security

Vulnerability assessment, penetration testing and red team with recognised methodologies. Our most verifiable work.


Managed Security & IT

Workspace and identity, devices, network, infrastructure, Zero Trust, monitoring. We configure and manage, we don't sell hardware.


Trust Center

The public trust page for your enterprise clients and investors. We run one on ourselves too.


Where are you starting from?

Pick where you are: the path adapts to you.

My enterprise deal is blocked

You need SOC 2 or ISO 27001 to unblock a contract. We tackle it first.


I'm entering the Italy/EU market

A foreign company that must become compliant in Europe. A local partner, in your language.


I'm about to fundraise

An investor asks for compliance during due diligence. Be ready, without draining your cash.


I use or sell AI

ISO 42001 and AI governance, before clients or the EU AI Act ask for it.


I want to stay secure

Recurring audits and an always-updated Trust Center. Certification is a state, not an event.


We practice what we sell

Our Trust Center is public and live: compliance status, policies, site security. For a security vendor, applying to itself what it sells is the first sign of seriousness.


How we work

A transparent process: from gap analysis to audit, through to maintenance. Human-Led, AI-Powered: AI speeds up, the expert validates. No shortcuts on quality.


Transparent pricing

No opaque quotes: you start from a clear price range.

  • Pentest/audit: a "from" price plus a range.
  • ISO 27001/42001: a price range; 3-6 months of preparation given adequate readiness.
  • SOC 2: on request (Type II requires an observation period).

Frequently asked

Do you guarantee the certification?

No, and beware of anyone who promises it. We get you ready and support you: an independent body issues the certificate. That's how it works, and it's right that way.

How long does it take?

It depends on the standard and how ready you already are. ISO 27001: typically 3-6 months of prep. SOC 2 Type II: readiness + an observation period (3-12 months). We give honest timelines, not promises.

Are you actually capable, or is it just paperwork?

We come from real pentesting and operational security. You can see an anonymized sample report and understand our method before you decide.

I'm a foreign company. Can you help me enter Italy/EU?

Yes, it's one of our core paths. We get you compliant with GDPR, NIS2 and (where needed) DORA, with a local point of contact.

Have a security or compliance need?

Tell us about it: we'll reply with an honest view.