BastionSec
Services

Real certifications · Pentests · Managed security and infrastructure · Trust Center.

Four pillars, one method. We get you compliant and keep you secure and operational over time: the right fit for startups and SMEs with no in-house security or IT team, the "missing middle" between the consultant who only does paperwork and the enterprise with its own SOC. Human-Led, AI-Powered: AI speeds up the repetitive part, experts analyse and validate.

  • We take you all the way to the accredited body or the CPA: the auditor's independence is what makes the certification valid.
  • Audit & pentest is the line we already deliver, with recognised methodologies (OWASP, PTES, NIST 800-115).
  • On network, infrastructure and physical services we design, configure and manage; we don't sell hardware.

The catalogue by family

Four families plus cross-cutting services. Standard pages explain what a standard is; these pages say what we do to get you there and keep you secure over time. Write to us and we'll figure out where to start together, with no imposed packages.

Compliance & Certifications

We support you to certification or attestation. We prepare and coordinate; the accredited body or independent CPA issues it.

ISO/IEC 27001

Support all the way to certification: ISMS, Annex A, Statement of Applicability, 3-year cycle. We take you to the body; the accredited body issues the certificate.


SOC 2

Readiness for the AICPA attestation (Type I and Type II), US-market focus. We take you to readiness and coordinate; the independent CPA signs the report.


ISO/IEC 42001

AIMS for AI governance, aligned with the EU AI Act. We build the management system; an accredited body issues the certificate.


EU Compliance (GDPR · NIS2 · DORA)

EU rules, each with its own scope, not one indistinct block. We guide you to GDPR compliance and, where relevant, NIS2 and DORA.


Offensive Security

Our strongest proof point: we put your security to the test with recognised methodologies (OWASP, PTES, NIST 800-115) and CVSS severity. Reports your client's CISO can read without raising an eyebrow.

Audit & Pentest

The offensive security hub: how we choose between vulnerability assessment, penetration testing and red team based on your goal.


Penetration Testing

A targeted test that simulates a real attacker against web apps, APIs, network or cloud. CVSS severity, reproducible evidence, prioritised remediation.


Vulnerability Assessment

Systematic scanning and analysis of vulnerabilities, with human validation to strip out false positives. The baseline for knowing where you're truly exposed.


Red Team

An objective-driven, multi-vector attack simulation (technical, physical, social). It tests not just systems, but also detection and response.


Managed Security & IT

The evolution of compliance: we don't just get you compliant, we keep you secure and operational. We design, configure, integrate, monitor and manage; we don't sell hardware. Built for those with no in-house security or IT team.

Managed Workspace & Identity

Hardening of Google Workspace/Microsoft 365, SSO and MFA, password manager, onboarding/offboarding, DLP and Zero Trust access. Identity as the perimeter.


Managed Devices (MDM)

MDM enrollment, CIS baselines, patch management, disk encryption, managed EDR and endpoint compliance. We configure and manage the fleet; we don't sell it.


Network & Enterprise WiFi

Firewall, segmentation/VLANs, enterprise WiFi (WPA3/802.1X), VPN/ZTNA, monitoring and logs. We design, configure and manage the network: you choose the hardware.


Servers & Infrastructure

Management of servers and cloud, hardening, patching, 3-2-1 backups and BCDR (RPO/RTO), logging & monitoring, high availability. Operational security that doesn't stop.


Video Surveillance & Access Control

Configuration, network integration and segmentation, software/NVR management, accounts and monitoring. We secure and manage; we don't sell cameras or locks.


Zero Trust

Architecture per NIST SP 800-207: no implicit trust, continuous verification across identity, device and network. Cross-cutting across workspace, devices and infrastructure.


Detection & Response

Monitoring, alerting and incident response on a retainer. Honest: we start from monitoring + response; we don't promise a 24/7 SOC until the real capacity is there.


Data Protection

Concrete protection of data and documents, beyond paper compliance.

Data Protection

Classification, encryption, access control and data lifecycle management. The substance behind compliance, not just the policy.


Metadata Scrubbing

Removal of hidden metadata from documents before external sharing. Neither GDPR anonymisation nor forensics: it's file hygiene that prevents accidental leaks.


Cross-cutting

Services that span every family and prove your security to the outside world.

Trust Center

A public trust page for your enterprise clients and investors: compliance status, policies, security. We built one for ourselves.


Cyber Insurance

We help you meet the technical requirements of cyber policies and smooth the path to coverage, starting from the security you actually have.


Frequently asked about services

Which service should I start with?

Write to us and we'll figure out what you need together: where you stand and which family (compliance, offensive, managed security & IT, data protection) and engagement (project, retainer, add-on) you actually need. No imposed packages.

Who is BastionSec for?

For the "missing middle": startups and SMEs, and foreign companies entering Italy/EU, with no in-house security or IT team. Too structured to wing it, too small for an in-house SOC. We get you compliant and keep you secure and operational.

On managed services, do you also sell the hardware?

No. On network, infrastructure, video surveillance and access control we design, configure, integrate, secure, monitor and manage. You choose the hardware (or we help you choose); we don't resell it. Managed is the evolution of compliance, not IT reselling.

What's the difference between these Services pages and the Standard pages?

Standard pages explain what a standard is and how it works (ISO 27001, SOC 2, GDPR…). Services pages say what we do to get you there and keep you secure. To understand, start with Standards; to do it, start with Services.

Project or retainer: which is better?

A project has a start and an end (e.g. getting a certification or a pentest). A retainer keeps security alive over time: ISO requires annual surveillance and recertification in year 3, security needs continuous testing, and managed services live on a subscription by nature. Many start with a project and continue on a retainer.

Do you actually do pentests or just the paperwork?

We do them for real: it's one of the lines we already deliver, with recognised methodologies (OWASP, PTES, NIST 800-115) and CVSS severity. You'll find an anonymised sample report in resources.

How much do the services cost?

Graduated transparency: a starting-from price plus a range for projects; a per-user or per-device/month fee for managed services; SOC 2 and enterprise on request. Details are on the Pricing page.

Not sure which one you need?

Write to us and we'll figure out together where you stand, what you actually need and how long it takes.