// Sancto CS · Cybersecurity

Find the holes before someone less friendly does.

Penetration testing, security audits, SOC 2 readiness and incident response. A boutique team of OSCP-grade testers — no interns, no offshore farm. Reports your engineers can actually act on, not 200 pages of security theatre.

// what we do

Offense informs defense.

We break things the way an attacker would, then we help you fix them — and where you want, we do the fixing too. Senior testers only.

Security audit

Application + infrastructure review. We map your attack surface, prioritise by exploitability and business impact, deliver a remediation roadmap. Not a wall of low-severity noise.

  • Web app review
  • Cloud (AWS / GCP) audit
  • Identity & access (IAM)
  • Data flow & encryption

Penetration testing

Manual + automated. OWASP Top 10 + business logic + chained exploits. We deliver a report your engineers can act on, with a free retest after you fix.

  • Web app pentest
  • API pentest
  • Mobile pentest
  • Free retest after fixes

Hardening

Implementation, not just recommendations. We fix what we find — SSO, MFA, RBAC, secrets management, logging, monitoring, runbooks. SOC 2 / ISO 27001 prep included.

  • SSO + MFA rollout
  • Secrets management
  • Network segmentation
  • SOC 2 / ISO 27001 prep

Incident response

When something happens — we're on it. Forensics, containment, post-mortem, communication. 24/7 retainer or one-off emergency engagement.

  • 24/7 retainer (24h SLA)
  • Forensic analysis
  • Containment & recovery
  • Post-mortem & remediation

// how we work

Scope, break, fix, verify.

  1. Scope

     A scoping call defines targets, rules of engagement, and what "done" looks like. No spray-and-pray.

  2. Test

     Manual + automated testing by senior, certified people. We chain findings the way a real attacker would.

  3. Report

     Executive summary + technical detail + concrete remediation, prioritised by exploitability × impact.

  4. Verify

     You fix, we retest (free in mid/high tiers). We confirm the holes are actually closed.

Legal · Security

Verba Sec

Security audit, hardening and a private client-portal redesign for a Balkan-wide law practice handling sensitive client data. We mapped the attack surface, fixed what we found, and stood up the access controls a legal firm needs to keep privilege intact.

  • 47 issues found & fixed
  • 0 escaped to production
  • SOC 2 Type I ready

// pricing

Scoped, not vague.

From a single web-app pentest to a full red team. Full numbers and retainers on the pricing page.

01

Web App Pentest

$6,900

2 weeks

One app, OWASP Top 10 + business logic. Report + remediation + free retest.

02

Cloud + API Pentest

$19,500

3–4 weeks

App + AWS/GCP + APIs. For Series A+ SaaS pursuing SOC 2 Type II.

03

Red Team

$45,000+

4–8 weeks

Full-scope adversarial: social, physical, network, supply chain.

See all options & retainers →

// faq

Straight answers.

Do you do SOC 2 prep?

Yes. We use Vanta/Drata for the framework and add the AI-specific controls those platforms miss — sub-processor mapping, model governance, tenant data isolation.

How is your report different?

Executive summary your board can read, technical detail your engineers can act on, and remediation steps prioritised by exploitability × business impact. Not an automated scan dump.

Can you retest after we fix things?

Yes. Free retest included in the Cloud+API and Red Team tiers; +$2k on the entry web-app pentest. Fixes that aren't verified don't count.

Who actually does the work?

OSCP-certified senior testers. No interns, no offshore farm, no "we'll assign someone." You'll know who's on the engagement before you sign.

Can you respond to incidents?

Retainer ($3–8k/mo) for a 24-hour response SLA, or a one-off emergency engagement if something's already on fire. Forensics, containment, post-mortem.

Want to know what an attacker would find?

30 minutes on a call to scope the right tier. We'll tell you honestly whether you need a full pentest or just a few fixes.

Book a 30-min call

Read: pentest pricing 2026