Our Services

Current Day Rate:
$1500.00 NZD

We aim to make this day rate all inclusive. Travel or other project-specific expenses may be added where they make sense.

All other fees, such as project management, admin, and Quality Assurance, are included in the day rate!

So you can be sure that what you thought you'd pay is what you'll end up paying.

Please find below our common services with indicative pricing.

A free retest of findings is also included in the Penetration Testing estimates, for up to ten findings. We pride ourselves on being on average 30% more bang for buck than our competitors!

Enterprise Security Architecture

Implementing secure architecture is a confusing process. In an ever-shifting landscape, let our security architects help you shift security to the left.

Secure by Design Review

Usually about 3 days or $4 500.00

One of our security architects will sit with you and work through your design to offer practical security advice and provide a report showing the architecture's compliance to a security standard.

Our design reviews are always conducted to a standard, and we have experience with most common standards, such as:
- NZISM
- CIS
- EN 18031-1 and EN 18031-2
- AWS and Azure guidelines
- SABSA framework

Rent a Security Architect

Rented in 8-hour blocks (one "day") for $1 500.00

If your team needs expert security guidance on implementing a new enterprise-wide security control like Secure Development (SecDev), or needs an embedded resource on a project as it is being developed, you can rent one of our amazing security architects to be available when needed.

One of the big advantages this has is that our architects have often already tackled the problem you're facing and can bring that experience with them.

General Risk and Compliance

Everyone manages risk, even if they don't know it. Great risk management is about letting you take the right risks at the right time.

Security Risk Assessment

Usually 4 days or $6 000.00

A Security Risk Assessment is a structured approach to evaluating the threats against a project or organisation. It helps you make decisions about whether additional controls are needed, and how they should be prioritised. We pride ourselves on not doing cookie-cutter assessments, blindly using risks from a pre-prepared spreadsheet with no real value to you. We will work with you to create a practical, accurate, timely and accessible risk assessment that drives change and gets the right conversations going.

Control Validation Audit

Usually 3 days or $4 500.00

We work with you to choose the most important controls for your organisation, and then figure out how well they're implemented.

For any controls that aren't effective, we include detailed and practical recommendations, as well as common templates and examples.

The base bundle includes auditing of about twenty controls, and every additional day adds about ten controls.

A great way to get started is with an 'Essential Eight' assessment. This covers a practical range of critical controls.

NZ Government Bundle

$18 000.00 for 14 days of work ($3 000.00 savings!)

This bundle is the collection of the most common security artifacts government agencies ask for from vendors.

If you're looking to speed up procurement or assure an agency that your product or service is secure, this can be a great help.

The bundle includes:
- Security Risk Assessment
- Control Validation Audit
- Completed DIA Cloud Risk Assessment
- Four days of penetration testing
- A day of consulting in between artifacts and for help during procurement

Penetration Testing

We offer other technical testing services as well as the ones listed; please get in touch if what you're looking for isn't listed below.

Simple website

Usually 3 days or $4 500.00.

A great example of this is our DiffSec website. It's a brochure with a form for contact details.

It would take us roughly a day or two to do the testing, and a day for report writing, admin, and support after we deliver the report, plus some time if we need to reschedule the test.

Cloud Review

Usually 5 days or $7 500.00.

This review can be targeted at a specific account or product, or at a broader environment review. An AWS or Azure environment review is conducted against the respective best practice guidelines as well as the CIS benchmarks. The environment review focuses on letting your product teams develop quickly and securely.

Account/product level reviews include code and specific service configuration review.

iOS or Android Application Testing

Usually 5 days or $7 500.00

Mobile application penetration testing focuses on both common attack methodology and the OWASP Mobile Application standard to help ensure your application is secure.

We also work with you to determine what common risks could occur, potential actions to take to mitigate these, and the trade-offs that would need to be navigated.

A good example is anti-piracy controls. These are more secure, but can make the app less compatible with older devices.

Complex Websites or Web Apps

Usually 5 days or $7 500.00

This depends on the amount of functionality you have. We usually end up taking three to four days for the testing, and a day for report writing, admin, and support after we deliver the report, plus any other delays.

Some examples of websites we could test at this price are Google Drive, or an online grocery store.

Windows or Mac Review

Usually 5 days or $7 500.00

Staff endpoints are the most common entry point for attackers into your network. Setting them up securely is foundational to maintaining control of your business.

This review focuses on the most common tactics an attacker will use to gain access to an endpoint, as well as the appropriate CIS benchmark.

Red Team Exercises

Starts at 3 days or $4 500.00

Red team exercises are when we try to breach your organization using the same tactics we see hackers using day-to-day.

It is one of the most valuable exercises you can do and often turns up major vulnerabilities in your system.

We usually do a three day exercise to get started. This can be scaled to fit your needs and risk profile. Options also include adding a site visit.

Training and Training Exercises

All our training comes with, at minimum, one bag of chocolate fish and a Kahoot quiz. Sessions can range in length from 10 minutes to a whole-day workshop. We have a range of free ten-minute online training topics if you're keen to give us a go!

Aimed at non-technical staff

We have a variety of training exercises we customize to your organization. Our exercises are a great way to get people engaged and thinking about security.

Some examples of training we've done:
- Tawdry tales of phishing
- Social Media horror stories
- Is that publicly available information? (NZ Edition)

Aimed at the security team

We offer workshop facilitation as well as incident response exercises for your security team.

For both, we work with you to figure out every part of the day: the facility, agenda, goals, scope and audience.

We are experienced at light-touch workshops, with an emphasis on goals and easy wins. We can also run more in-depth and challenging planning sessions.

Aimed at the technical team

Technical teams generally love a deep dive. We have experts on most common technology platforms, such as AWS, Azure or Salesforce, and can create training specific to your technology stack.

Some examples of training we've done:
- Live penetration test demo (follow along available)
- Surviving Azure Networking
- Using OWASP day to day
