Security, privacy, and AI-assurance packages for New Zealand teams. Each one is a fixed scope, a fixed price, a written deliverable. No "from $X" pricing, no surprise-invoicing, no 90-page document nobody reads. Prices in NZD, ex-GST.
A fast, external read of your application's security posture. Not a pen test — a triage. You'll know whether you need one, and where to spend if you do.
What's included
External unauthenticated scan (TLS, headers, exposed endpoints, common misconfigs)
OWASP Top 10 light sweep against a single web app
Dependency vulnerability scan
One-page written report with prioritised findings
30-minute debrief call
What's not
Authenticated testing, manual exploitation, business-logic flaws, source code review — those need Tier 2 or above.
Deliverable: PDF report (1–2 pages) plus call recording.
Tier 023 days · report in 2 weeks
Web App Pen Test
$5,995
A focused penetration test of a single small web app. Manual testing on top of automation, written for a developer to act on Monday morning.
Written report with reproducible PoCs, severity ratings, fix proposals
1-hour debrief
Free retest after remediation (one round, within 90 days)
Scope assumption: Single app, up to ~30 endpoints, two user roles. Larger scope rolls to Tier 3.
Deliverable: PDF report with PoC code, prioritised remediation list.
Tier 035 days · report in 3 weeks
Full Pen Test
$11,995
Standard pen test for a growing SaaS — web application plus API. Manual exploitation, attack-chain analysis, the works. The kind of report your enterprise customers will ask to see.
What's included
Everything in Tier 2
API testing (REST, GraphQL, WebSocket)
Multi-role privilege escalation, IDOR, broken access control
Authentication and session deep-dive (JWT, OAuth, passkeys, MFA, password reset)
Written report, 1.5-hour debrief, free retest within 90 days
Scope assumption: Single product, single environment. Mobile apps and multi-product scopes quoted separately.
Deliverable: PDF report, PoC repository, prioritised remediation roadmap.
Tier 042–3 weeks end-to-end
Pen Test + Remediation
$24,995
The differentiator. Most pen test firms hand you a PDF and bill again for follow-up. We find the issues, then fix them.
What's included
Everything in Tier 3
Hands-on remediation of findings in your codebase (up to 15 findings; criticals beyond that re-quoted)
Pair-programming session with your engineers so the fix sticks and the team learns the pattern
Verification retest after fixes are merged
30-day post-engagement support (questions, regression checks)
What's not
Major architectural rewrites — re-quoted as a separate project.
Production deploys. We open PRs against your repo; your team merges and ships.
Prerequisite: We'll usually want a Tier 2 or 3 first so we know the codebase before committing to fix it. If you've already had a recent pen test from a reputable firm, we can work from that.
Deliverable: Tier 3 deliverables plus merged PRs plus verification report.
Tier 054 days · report in 2 weeks
Code Security Review
$6,995
Different from a pen test. We read the codebase the way an attacker would — auth flows, session handling, input validation, secrets handling, dependencies, infra config. Catches things black-box testing misses.
Infrastructure-as-code review if present (Terraform, Docker, Kubernetes)
Written report with file:line references and fix proposals
1-hour debrief with engineering team
Scope assumption: Single repository, up to ~50k lines of application code. Larger codebases quoted by size.
Deliverable: PDF report with file-and-line evidence, fix-by-fix breakdown.
Tier 062 days · report in 1 week
NZ Privacy Act Review
$3,995
How you collect, store, share, and dispose of personal information — measured against the 13 Information Privacy Principles of the Privacy Act 2020. Practical and OPC-credible, not a 90-page theatre piece.
What's included
13 IPPs mapped to your actual system and data flows
Data flow diagram (what's collected, where it lives, who it's shared with, how long it's kept)
Vendor and sub-processor audit (offshore data transfers, US-based SaaS, analytics SDKs)
Privacy notice / policy review (or draft, if you don't have one)
Breach-readiness check against OPC notification requirements
1-hour debrief
Add-on: GDPR alignment review for teams operating into the EU — +$1,995.
Deliverable: PDF report plus data flow diagram plus updated privacy notice.
Tier 072 days · report in 1 week
AI Safety Review
$4,995
An honest read of how you're using LLMs. Where the risks are, what to monitor, what to change. Practical, not academic.
What's included
Prompt design review (injection surface, data exposure, jailbreak resistance)
Data flow into and out of LLM providers (what's leaving your perimeter)
Hallucination and failure-mode handling (where the model is allowed to be wrong, where it isn't)
Evaluation and regression coverage
Cost, rate-limit, and observability controls
1-hour debrief
Best for: Teams who've shipped one or two LLM features and want a sanity check before shipping more, or before a customer asks.
Pair with: Tier 8 if you also need governance / board-level assurance, not just a technical read.
Deliverable: PDF report with prioritised changes.
Tier 082.5 days · report in 1 week
AI Risk & Governance Review
$5,995
Different from the AI Safety Review. That one is for engineers. This one is for the board, the audit committee, legal counsel, and the CISO. The question it answers: can we sign off on how this organisation uses AI?
What's included
AI use inventory — what AI tools are being used, by which teams, for what tasks, with what data
Vendor due diligence — data residency, training-data use, contractual protections, sub-processors, model change-control
Regulatory exposure — Privacy Act 2020, OPC AI guidance, EU AI Act if relevant, copyright and IP risks
Liability and insurance — what your PI / cyber cover does and doesn't say about AI
Board memo — a signable assurance document for the audit committee or risk register
Best for: Organisations being asked AI-readiness questions by customers, insurers, regulators, or their own board — and not sure what a credible answer looks like.
Pair with: Tier 7 if you want both the technical and governance picture in one engagement (bundled price below).
Deliverable: PDF assurance report plus board memo plus policy drafts.
Tier 091.5 days
Pre-launch Security Check
$2,995
For startups about to go live. Catches the obvious things before your first real users hit it. Not a substitute for a pen test once you have traction — a baseline so you're not embarrassing yourself on day one.
Hosting and DNS configuration check (TLS, headers, CSP)
30-minute debrief with founders
Deliverable: PDF checklist with red / amber / green per area, plus a 'fix before launch' shortlist.
Tier 101 week turnaround
M&A Security Due Diligence
$9,995
For acquirers. We read what you're about to buy. Independent, fast, written for non-technical decision-makers as well as the engineering team that'll inherit the code.
What's included
Codebase security audit (focused on red flags, not exhaustive)
Infrastructure and hosting review
Privacy posture (Privacy Act 2020, GDPR exposure)
Dependency, licence, and IP risk audit
Secrets-in-repo check (git history)
Outstanding-disclosure check (HaveIBeenPwned, public incident history)
Written report with risk-rated findings and remediation cost estimates
1-hour debrief with the deal team
Deliverable: PDF due diligence report (red / amber / green, with cost-to-remediate estimates).
Tier 1112-month minimum, then month-to-month
Security Retainer
$2,495 / month
For teams that don't have a CISO but need security thinking baked into how they ship. A security partner on call, plus an annual pen test included.
What's included
Monthly 1-hour review of what shipped and what's coming
One pen test per year included (Tier 2 or 3, your choice)
Slack / email access for ad-hoc questions (24-hour response on business days)
Code review on new auth-touching or PII-touching features (up to 3 PRs/month)
Quarterly dependency and posture review
Incident response standby — first responder if something goes wrong (incident work billed at $250/hr above the retainer)
Best for: Annual equivalent: $29,940 — roughly the cost of an annual pen test from a big firm, with year-round support included.
Deliverable: Monthly review notes plus annual pen test report.
Bundles & discounts
Ways the maths gets better.
Health Check → upgrade credit
If you start with Tier 1 and upgrade to Tier 2, 3, or 4 within 60 days, $1,000 of the Health Check fee is credited.
Annual pen test prepay
Two Tier 3 pen tests in the same calendar year — $19,995 (saves $4,000).
Retainer launch
First month of any retainer is free if it follows a Tier 3 or Tier 4 engagement.
AI Safety + AI Risk bundle
Tier 7 plus Tier 8 together — $9,495 (saves $1,495). The full technical and governance picture in one engagement.
Charity / NFP rate
NZ-registered charities and not-for-profits — 25% off all tiers. Evidence of registration required.
What's always true
The rules that don't move.
Fixed price, fixed scope
If we agree it, that's what it costs. If scope changes, we re-quote — we don't surprise-invoice.
Engagement letter first
Always. No test traffic flows, no code gets read, until the letter is signed.
Plain English
No 90-page document nobody reads. The point is a list of things to fix.
NZ-based, NZ-owned
Data stays in NZ unless you explicitly direct otherwise.
Findings, not vibes
Every finding has evidence, severity, and a concrete fix proposal.
Ready to talk?
Quote turnaround is one business day for any tier. Engagement start is typically within two weeks of a signed letter. The first conversation is free and runs 30 to 60 minutes — no deck, no pitch.