on-call security · 03

On-call security advice for product and engineering.

A senior security engineer on retainer for your team. Threat modeling new features, reviewing architecture decisions, triaging the alert that does not fit a runbook, answering the auditor question that lands at 5pm Friday.

01. in scope

What's in scope.

What a retainer covers in a typical month.

Threat modeling new features

You ping us before a design doc lands. We sit in the architecture meeting, run a STRIDE pass, and write up the risks and the controls. Async or live; your call.

Architecture review

Authentication redesign, multi-region migration, new IAM model, third-party integration. We review the diagram, list the failure modes, and suggest the controls.

Code review on security-sensitive PRs

Crypto, authentication, authorization, deserialization, file handling. We do not block your release pipeline; we comment in time for the next sprint.

Incident triage

Something fires at 2am. We hop on a Slack huddle, help you classify, contain, and decide whether it is an incident or a false positive. Post-mortem support on request.

Vendor security questionnaire support

You receive a 400-question security questionnaire from a prospect. We draft answers, push back on the impossible questions, and turn it around in two business days.

Compliance preparation

Quarterly SOC 2 evidence, ISO 27001 internal audit, HIPAA risk assessment. We work alongside your compliance lead rather than replacing them.

02. how we work

How we work on it.

How a retainer works.

  1. Discovery call. 60 minutes. We learn the stack, the team shape, the regulatory context, and the current pain. No commitment.
  2. Retainer agreement. Monthly hours, response SLAs, named engineer, escalation path, written and signed. Cancellable with 30 days' notice.
  3. Onboarding week. Architecture walkthrough, repo access, alert runbook review, comms setup. We are useful by the end of week one.
  4. Steady state. Weekly sync, async Slack channel, ticket queue. Hours roll over month-to-month within a quarter.
  5. Quarterly review. What we worked on, what we deferred, what the next quarter should look like. We are honest if the retainer is not earning its fee.

03. deliverables

What you walk away with.

What a retainer produces month over month.

Threat model documents

One per major new feature. Lives in your wiki under the feature design doc. Reviewed quarterly for drift.

Architecture risk register

Living document. Risks ranked by likelihood and blast radius, with mitigations and owners.

Security review notes on PRs

Inline comments on GitHub or GitLab. Tagged so you can filter for "security-reviewed" at audit time.

Incident write-ups

Post-incident reports with timeline, root cause, response evaluation, and recommendations. Audit-ready.

Quarterly security report

For the board, or for your security committee. What changed, what got better, what is still at risk.

Auditor packet prep

When the audit lands, we have already prepared the evidence. No 2-week scramble.

04. when

When teams hire us for this.

Common patterns that lead to a retainer.

You are too small for a full-time CISO

But too risk-sensitive to have nobody. A retainer fills the gap until you can justify a hire.

Your CISO is in place but stretched

You need senior hands for the work that does not fit on the head of security's plate. Threat models, code review, audit prep.

You are heading into SOC 2 Type 2

Continuous monitoring requires somebody answering questions every week, not once a year.

You ship fast and need feedback loops

Architecture decisions are happening every sprint. Sitting in those rooms is cheaper than fixing the bad ones later.

05. faq

Questions before the call.

Retainer logistics.

What does a retainer cost?

Tiered by monthly hours. Most teams start at 20 hours per month. The first call covers what tier matches your stack and team size.

Do hours roll over?

Within a quarter, yes. Across quarters, no. Predictable monthly availability is the point of a retainer.

Who do we get on the retainer?

A named senior engineer. Backup coverage is documented; you always know who is on call.

Can we combine a retainer with engagement work?

Yes. Retainer clients get priority scheduling on pentest and red team engagements, and a discount on per-engagement pricing.

Can we pause the retainer?

30 days' notice to pause or cancel. We do not lock you in.

Need senior security without the hire?

A 60-minute discovery call tells us whether a retainer fits your team. If a one-off engagement makes more sense, we will say so.