BastionSec
For those who want to stay secure, and prove it

Certification isn't an event: it's a state. We keep it alive.

Periodic pentests, ISO 27001 / SOC 2 maintenance, and an always-updated Trust Center. Continuous security, demonstrable to your customers, without having to run security in-house.

  • A periodic-testing model we already deliver to real customers.
  • Your Trust Center proves to your customers you're tested.

You got certified. And now it decays.

Security isn't a photo: it's a film. Code changes, infrastructure changes, threats change. ISO 27001 requires annual surveillance and recertification in year 3; SOC 2 lives on a cyclical report refresh. And your customers, increasingly, won't settle for a one-off badge: they want to know you're continuously tested. Managing that in-house, without a dedicated security person, is a burden that pulls you off the product.

Why maintenance matters

  • Security decays if you don't maintain it.
  • ISO annual surveillance is mandatory, not optional.
  • Your customers want ongoing proof, not an old snapshot.

Continuous security, in three pieces

  • Periodic testing. Pentests and vulnerability assessments on an agreed cadence (e.g. bi-monthly), with recognized methodologies (OWASP, PTES, NIST 800-115) and reports that hold up.
  • Certification maintenance. ISO 27001 annual surveillance, prep for year-3 recertification, SOC 2 report refresh: we handle it.
  • Always-updated Trust Center. The tool that shows your customers, in real time, that you're tested and compliant.
  • Continuous hardening. Identity, access and governance stay in order as you grow.

We already do this: it's where we come from

  • A real recurring-report model (indicative range €10-15k per report): a service we already deliver, repeatable and serious.
  • Reports that hold up: see an anonymized example.
  • Our own Trust Center is live: we maintain it on ourselves.
  • Real methodologies (OWASP/PTES/NIST 800-115, CVSS severity), not surface checks.

Go deeper

The testing, and the proof toward your customers.

Audit & Pentest

The periodic testing, with recognized methodologies and reports that hold up.

Go to service

Our Trust Center

The tool we use on ourselves to show status in real time.

Visit the Trust Center

Sample report

An anonymized security report: executive summary, CVSS findings, remediation, retest.

See the report

The €10-15k range is an indicative price range for the recurring-report model, never tied to a customer name without written consent. No customer, body or facilitator name without consent; no "100% secure," no guarantees.

The objections specific to maintenance

Why pay for maintenance if I'm already certified?

Because ISO 27001 requires mandatory annual surveillance and recertification in year 3; SOC 2 lives on cyclical report refreshes. Without maintenance, the certificate doesn't hold and your actual security decays.

How often should I run a pentest?

It depends on how much your system changes and what your customers ask: a periodic cadence (e.g. bi-monthly or quarterly) plus a test after major changes is a good starting point. We tune it to your scope at the start.

What's the Trust Center for if I already have the reports?

Reports prove security to you; the Trust Center proves it to your customers in real time, without emailing PDFs on every request. It turns testing you already pay for into a sales asset.

What does a continuous-security retainer include?

Typically: periodic testing (pentest/VA) with reports, maintenance of active certifications (ISO surveillance / SOC 2 refresh), Trust Center management, and continuous hardening. We define the scope together, with no inflated packages.

Can I start with periodic testing only and add the rest later?

Yes. We start from the scope you actually need and expand when it makes sense (e.g. once you get a certification to maintain). No oversized commitments.

Will the service level change if we formalize it?

No: we formalize to give you more continuity and predictability, not to step away. Same point of contact, with a clear scope and cadence.

How it works over time

From scope to the full cycle, always demonstrable.

  1. Scope analysis

     What to maintain (active certifications, systems to test), at what cadence.

  2. Tailored retainer

     Periodic testing + maintenance + Trust Center, with a clear scope.

  3. Full cycle, always demonstrable

     ISO: surveillance in years 1 and 2, recertification in year 3. SOC 2: cyclical report refresh. Your Trust Center reflects status in real time.

Where you come from

Enterprise deal blocked

After unblocking the deal: keep the certification alive.

Learn more

Startup pre-fundraise

Light maintenance that grows with you after the round.

Learn more

AI companies

AI governance evolves with the product and the law.

Learn more

Keep your security alive. Prove it to your customers.

We build the retainer around your real scope: what to test, how often, what to maintain. No inflated packages.