A security shop on call, every month.
One-off audits find what was broken last month. A retainer catches what breaks next week, gives you a number to call at 3am, and proves to customers and regulators that someone's actually watching.
- ✓ Monthly external security scan (same tooling we ship paid audits with)
- ✓ Monthly 2-page plain-English report, emailed and attached as PDF
- ✓ Grade-over-time tracking — shows steady improvement to prove value
- ✓ Inbox access to Tre for the "hey, got a weird email — is this legit?" kind of question
- ✓ 2 hours / quarter of hands-on security work (configure DMARC, review an app, etc.)
- ✓ 30-day out. No contracts.

- ✓ Everything in Small Business
- ✓ Weekly external scans across all domains and subdomains
- ✓ Continuous certificate-transparency monitoring (we see new subs you stand up before attackers do)
- ✓ Monthly 1-hour walkthrough over video (concrete action items, not a slide deck)
- ✓ 6 hours / quarter hands-on (incident response, code review, policy writing)
- ✓ Priority Slack / Discord / Teams channel — same-day response during business hours
- ✓ Written quarterly executive summary suitable for board or client due-diligence requests

- ✓ Everything in Growth
- ✓ Compliance framework mapping (PCI DSS 4.0 / HIPAA / SOC 2 / NYDFS 23 / CMMC 2.0)
- ✓ Custom pentest engagements scoped quarterly
- ✓ Vendor / third-party due-diligence reviews on demand
- ✓ Dedicated incident response SLA (4-hour initial response, 24/7 pager)
- ✓ Quarterly 2-hour onsite or video walkthrough with leadership
- ✓ 12+ hours / quarter hands-on, scoped to whatever moves the needle
- ✓ Ghost-written security blog posts or trust-center copy on request
What every retainer includes
Frequently asked
Why a retainer instead of a one-off pentest?
One-off pentests are snapshots. Your attack surface changes every week as you push code and sign up for new SaaS. A monthly retainer catches the drift — new subdomains that show up without email auth, cert expirations, abandoned staging environments. It also means when you have a "holy crap, we got breached" Monday morning, you already have a number to call instead of hiring a stranger under pressure.
What does "hands-on hours" actually mean?
Real work, not advisory calls. We configure your DMARC records, write your security.txt, audit a new vendor you're signing, run a pentest on a feature before it ships, write an incident response playbook, draft the security section of an RFP — whatever actually moves your posture forward that month. Unused hours roll forward one month.
How do you bill?
Monthly invoice via Stripe or ACH, paid in advance. First month is prorated to day 1. 30-day cancellation notice at any time — no long-term contracts, no termination fees.
Can I start on the basic tier and upgrade?
Yes, any time. Most Growth-tier customers started on Small Business for 2–3 months before jumping up when they saw the reports and wanted more coverage.
Do you work with managed service providers (MSPs)?
Yes — we co-brand reports for MSPs who want a cybersecurity specialist on retainer without hiring full-time. Reach out and we'll structure a partner rate.
What if we already have in-house security?
Even better. We backstop your internal team — extra pair of eyes, independent validation, and coverage during PTO. Especially useful when you're between hires or ramping a new CISO.
Ready to stop guessing?
30-minute call. Zero sales pressure. We'll look at what you've got and tell you honestly whether a retainer makes sense yet or if a one-off audit is the right first step.
Book the 30-minute call