BastionSec
FAQ

Frequent questions, honest answers.

Timelines, pricing, differences between standards and “is this real?”. We tell you straight, even when the answer is “it depends” or “no”.

Is this real?

Is this real, or facade compliance?

Real. We don't sell the stamp: we genuinely make you secure with real pentests and hardening, and the certification follows. Want proof? See our anonymized sample report and our Trust Center: we run on ourselves what we sell.

Who issues the certification? Do you sign it?

No, and that's a good thing. For ISO we accompany you up to the audit of an accredited body that assesses and issues. For SOC 2 the report is signed by an independent CPA. That independence is what makes your certification valid in front of investors, clients and auditors.

Differences between standards

Are ISO 27001 and SOC 2 the same thing?

No. ISO 27001 is a certification (issued by an accredited body), recognized in Europe and worldwide. SOC 2 is an attestation (a report signed by a CPA), mostly required by US enterprise clients. Often you need both: write to us and we'll work it out together.

SOC 2 Type I or Type II?

Type I assesses the design of controls at a point in time. Type II also assesses how they operate over time and requires an observation period (typically 3-12 months). Enterprise clients usually ask for Type II.

What's the difference between a vulnerability assessment, a penetration test and a red team?

A VA finds vulnerabilities (broad scan). A pentest exploits them in a controlled way to prove real impact. A red team simulates a real attacker against objectives, testing people and processes too. For most cases, a pentest is what you need.

Is ISO 42001 the same as the EU AI Act?

No, but they're synergistic. ISO 42001 is a voluntary, certifiable AI management system (AIMS); the EU AI Act is EU law. Having ISO 42001 helps you demonstrate AI governance and approach the AI Act more easily.

Timelines

How long does it really take?

It depends on the standard and how ready you already are, and we tell you upfront with a gap analysis. Roughly: ISO 27001 prep 3-6 months, then the body's audit and a 3-year cycle (annual surveillance, recertification in year 3). SOC 2 Type II requires an observation period (3-12 months). ISO 42001 is similar to ISO 27001. Be wary of anyone promising a flat “3 months”.

How long does an ISO certification last?

The ISO cycle lasts 3 years: annual surveillance and recertification in year three. That's why security is a state to maintain, not an event. That's what we do with a retainer.

Pricing

How much does it cost?

We give tiered pricing: “from” and ranges per path, SOC 2 and enterprise on request. The exact figure depends on how ready you are, and we give it after a first conversation. See the pricing page.

Are you cheaper than automation platforms?

We don't aim to be the cheapest, but the most efficient: AI lets us work faster, and that saving shows up in the price. The real difference is this: software leaves you to do the work; we do the work with you, real pentest included.

Is it for me?

My enterprise deal is blocked by SOC 2 (or ISO 27001). Can you unblock it?

It's our most frequent case. We get you ready in the shortest time possible, with something that truly holds up in front of your client's CISO, not theatre. Start with the “enterprise deal blocked” path.

I'm a foreign company that wants to enter Italy/EU. Can you help?

Yes: we're your local partner. We speak your language, know the rules here (GDPR, NIS2, possibly the AI Act, ISO 27001) and get you genuinely compliant. Your US SOC 2 often isn't enough in the EU: we'll tell you honestly.

I'm a pre-fundraise startup. Do I really need this now?

Sometimes a little is enough to be credible in due diligence, and we'll tell you honestly after a first conversation. Start with the essentials, grow when needed.

About us and method

What does AI have to do with it? Is my data safe?

AI speeds up the repetitive part (documentation, evidence gathering, first analysis); people do the substantive work and validate every deliverable. Your data stays protected: it's what we do. There are no “AI agents that certify you”.

Do you re-test after I fix the issues?

Yes: the retest is part of the job. A report doesn't close until we verify the risk is genuinely reduced.

Go deeper

Sample report

A real pentest report, anonymized: the most verifiable proof.


Trust Center

We practice what we sell: compliance status and policies, in public.


Enterprise deal blocked

SOC 2 or ISO 27001 to unblock a contract: our most frequent case.


Enter Italy/EU

Foreign company that must get compliant in Europe, with a local partner.


Startup pre-fundraise

The essentials to be credible in due diligence, without draining cash.


Pricing

Clear “from” ranges: no opaque quotes.


Another question?

Write to us in your language: we'll reply with an honest view.