Services & pricing

Productised. Fixed-price. Written down.

Security, privacy, and AI-assurance packages for New Zealand teams. Each one is a fixed scope, a fixed price, a written deliverable. No "from $X" pricing, no surprise-invoicing, no 90-page document nobody reads. Prices in NZD, ex-GST.

At a glance

Tap any row to jump to the detail.

# Package Price
1 Security Health Check $1,995
2 Web App Pen Test $5,995
3 Full Pen Test $11,995
4 Pen Test + Remediation $24,995
5 Code Security Review $6,995
6 NZ Privacy Act Review $3,995
7 AI Safety Review $4,995
8 AI Risk & Governance Review $5,995
9 Pre-launch Security Check $2,995
10 M&A Security Due Diligence $9,995
11 Security Retainer $2,495 / month

Bundles and discounts available — see below.

Tier 01 1 day turnaround

Security Health Check

$1,995

A fast, external read of your application's security posture. Not a pen test — a triage. You'll know whether you need one, and where to spend if you do.

What's included

  • External unauthenticated scan (TLS, headers, exposed endpoints, common misconfigs)
  • OWASP Top 10 light sweep against a single web app
  • Dependency vulnerability scan
  • One-page written report with prioritised findings
  • 30-minute debrief call

What's not

  • Authenticated testing, manual exploitation, business-logic flaws, source code review — those need Tier 2 or above.

Deliverable: PDF report (1–2 pages) plus call recording.

Tier 02 3 days · report in 2 weeks

Web App Pen Test

$5,995

A focused penetration test of a single small web app. Manual testing on top of automation, written for a developer to act on Monday morning.

What's included

  • Authenticated and unauthenticated testing
  • OWASP Top 10 coverage (injection, broken auth, sensitive data, access control, misconfig, XSS, deserialisation, vulnerable deps, logging)
  • Manual business-logic testing
  • Written report with reproducible PoCs, severity ratings, fix proposals
  • 1-hour debrief
  • Free retest after remediation (one round, within 90 days)

Scope assumption: Single app, up to ~30 endpoints, two user roles. Larger scope rolls to Tier 3.

Deliverable: PDF report with PoC code, prioritised remediation list.

Tier 03 5 days · report in 3 weeks

Full Pen Test

$11,995

Standard pen test for a growing SaaS — web application plus API. Manual exploitation, attack-chain analysis, the works. The kind of report your enterprise customers will ask to see.

What's included

  • Everything in Tier 2
  • API testing (REST, GraphQL, WebSocket)
  • Multi-role privilege escalation, IDOR, broken access control
  • Authentication and session deep-dive (JWT, OAuth, passkeys, MFA, password reset)
  • Third-party integration review (webhooks, OAuth providers, payment processors)
  • Attack-chain documentation (how findings combine end-to-end)
  • Working PoCs (code, not screenshots)
  • Written report, 1.5-hour debrief, free retest within 90 days

Scope assumption: Single product, single environment. Mobile apps and multi-product scopes quoted separately.

Deliverable: PDF report, PoC repository, prioritised remediation roadmap.

Tier 04 2–3 weeks end-to-end

Pen Test + Remediation

$24,995

The differentiator. Most pen test firms hand you a PDF and bill again for follow-up. We find the issues, then fix them.

What's included

  • Everything in Tier 3
  • Hands-on remediation of findings in your codebase (up to 15 findings; criticals beyond that re-quoted)
  • Pair-programming session with your engineers so the fix sticks and the team learns the pattern
  • Verification retest after fixes are merged
  • 30-day post-engagement support (questions, regression checks)

What's not

  • Major architectural rewrites — re-quoted as a separate project.
  • Production deploys. We open PRs against your repo; your team merges and ships.

Prerequisite: We'll usually want a Tier 2 or 3 first so we know the codebase before committing to fix it. If you've already had a recent pen test from a reputable firm, we can work from that.

Deliverable: Tier 3 deliverables plus merged PRs plus verification report.

Tier 05 4 days · report in 2 weeks

Code Security Review

$6,995

Different from a pen test. We read the codebase the way an attacker would — auth flows, session handling, input validation, secrets handling, dependencies, infra config. Catches things black-box testing misses.

What's included

  • Full source code read of the application repo
  • Auth, session, RBAC, secret handling, input validation
  • Dependency audit (CVEs, abandoned packages, licence issues)
  • Infrastructure-as-code review if present (Terraform, Docker, Kubernetes)
  • Written report with file:line references and fix proposals
  • 1-hour debrief with engineering team

Scope assumption: Single repository, up to ~50k lines of application code. Larger codebases quoted by size.

Deliverable: PDF report with file-and-line evidence, fix-by-fix breakdown.

Tier 06 2 days · report in 1 week

NZ Privacy Act Review

$3,995

How you collect, store, share, and dispose of personal information — measured against the 13 Information Privacy Principles of the Privacy Act 2020. Practical and OPC-credible, not a 90-page theatre piece.

What's included

  • 13 IPPs mapped to your actual system and data flows
  • Data flow diagram (what's collected, where it lives, who it's shared with, how long it's kept)
  • Vendor and sub-processor audit (offshore data transfers, US-based SaaS, analytics SDKs)
  • Privacy notice / policy review (or draft, if you don't have one)
  • Breach-readiness check against OPC notification requirements
  • 1-hour debrief

Add-on: GDPR alignment review for teams operating into the EU — +$1,995.

Deliverable: PDF report plus data flow diagram plus updated privacy notice.

Tier 07 2 days · report in 1 week

AI Safety Review

$4,995

An honest read of how you're using LLMs. Where the risks are, what to monitor, what to change. Practical, not academic.

What's included

  • Prompt design review (injection surface, data exposure, jailbreak resistance)
  • Data flow into and out of LLM providers (what's leaving your perimeter)
  • Hallucination and failure-mode handling (where the model is allowed to be wrong, where it isn't)
  • Evaluation and regression coverage
  • Cost, rate-limit, and observability controls
  • 1-hour debrief

Best for: Teams who've shipped one or two LLM features and want a sanity check before shipping more, or before a customer asks.

Pair with: Tier 8 if you also need governance / board-level assurance, not just a technical read.

Deliverable: PDF report with prioritised changes.

Tier 08 2.5 days · report in 1 week

AI Risk & Governance Review

$5,995

Different from the AI Safety Review. That one is for engineers. This one is for the board, the audit committee, legal counsel, and the CISO. The question it answers: can we sign off on how this organisation uses AI?

What's included

  • AI use inventory — what AI tools are being used, by which teams, for what tasks, with what data
  • Vendor due diligence — data residency, training-data use, contractual protections, sub-processors, model change-control
  • Regulatory exposure — Privacy Act 2020, OPC AI guidance, EU AI Act if relevant, copyright and IP risks
  • Policy review or drafting — acceptable use, employee guidance, customer-facing disclosure
  • Liability and insurance — what your PI / cyber cover does and doesn't say about AI
  • Board memo — a signable assurance document for the audit committee or risk register

Best for: Organisations being asked AI-readiness questions by customers, insurers, regulators, or their own board — and not sure what a credible answer looks like.

Pair with: Tier 7 if you want both the technical and governance picture in one engagement (bundled price below).

Deliverable: PDF assurance report plus board memo plus policy drafts.

Tier 09 1.5 days

Pre-launch Security Check

$2,995

For startups about to go live. Catches the obvious things before your first real users hit it. Not a substitute for a pen test once you have traction — a baseline so you're not embarrassing yourself on day one.

What's included

  • External scan plus OWASP Top 10 sweep
  • Auth flow review (signup, login, password reset, session)
  • Secrets / credential hygiene check
  • Dependency audit
  • Hosting and DNS configuration check (TLS, headers, CSP)
  • 30-minute debrief with founders

Deliverable: PDF checklist with red / amber / green per area, plus a 'fix before launch' shortlist.

Tier 10 1 week turnaround

M&A Security Due Diligence

$9,995

For acquirers. We read what you're about to buy. Independent, fast, written for non-technical decision-makers as well as the engineering team that'll inherit the code.

What's included

  • Codebase security audit (focused on red flags, not exhaustive)
  • Infrastructure and hosting review
  • Privacy posture (Privacy Act 2020, GDPR exposure)
  • Dependency, licence, and IP risk audit
  • Secrets-in-repo check (git history)
  • Outstanding-disclosure check (HaveIBeenPwned, public incident history)
  • Written report with risk-rated findings and remediation cost estimates
  • 1-hour debrief with the deal team

Deliverable: PDF due diligence report (red / amber / green, with cost-to-remediate estimates).

Tier 11 12-month minimum, then month-to-month

Security Retainer

$2,495 / month

For teams that don't have a CISO but need security thinking baked into how they ship. A security partner on call, plus an annual pen test included.

What's included

  • Monthly 1-hour review of what shipped and what's coming
  • One pen test per year included (Tier 2 or 3, your choice)
  • Slack / email access for ad-hoc questions (24-hour response on business days)
  • Code review on new auth-touching or PII-touching features (up to 3 PRs/month)
  • Quarterly dependency and posture review
  • Incident response standby — first responder if something goes wrong (incident work billed at $250/hr above the retainer)

Best for: Annual equivalent: $29,940 — roughly the cost of an annual pen test from a big firm, with year-round support included.

Deliverable: Monthly review notes plus annual pen test report.

Bundles & discounts

Ways the maths gets better.

Health Check → upgrade credit

If you start with Tier 1 and upgrade to Tier 2, 3, or 4 within 60 days, $1,000 of the Health Check fee is credited.

Annual pen test prepay

Two Tier 3 pen tests in the same calendar year — $19,995 (saves $4,000).

Retainer launch

First month of any retainer is free if it follows a Tier 3 or Tier 4 engagement.

AI Safety + AI Risk bundle

Tier 7 plus Tier 8 together — $9,495 (saves $1,495). The full technical and governance picture in one engagement.

Charity / NFP rate

NZ-registered charities and not-for-profits — 25% off all tiers. Evidence of registration required.

What's always true

The rules that don't move.

Fixed price, fixed scope

If we agree it, that's what it costs. If scope changes, we re-quote — we don't surprise-invoice.

Engagement letter first

Always. No test traffic flows, no code gets read, until the letter is signed.

Plain English

No 90-page document nobody reads. The point is a list of things to fix.

NZ-based, NZ-owned

Data stays in NZ unless you explicitly direct otherwise.

Findings, not vibes

Every finding has evidence, severity, and a concrete fix proposal.

Ready to talk?

Quote turnaround is one business day for any tier. Engagement start is typically within two weeks of a signed letter. The first conversation is free and runs 30 to 60 minutes — no deck, no pitch.