Continuous Security Assurance.

Point-in-time testing creates gaps. CSAS delivers a managed monthly testing cadence that proves what's exploitable, helps prioritise what matters, and validates improvement over time - across three tiers from external visibility to programme-level governance.

Why CSAS

An annual pen test isn't enough. An enterprise platform isn't necessary.

Your annual pen test is a snapshot. The day after it ships, your external estate keeps changing - new services, expired certificates, drifted configs, forgotten subdomains. Customers, auditors, and insurers want continuous evidence, not yearly snapshots. CSAS sits between annual point-in-time pen tests and full enterprise security programmes, with three tiers tuned to where you are.

Your team has visibility of the entire penetration process from scope to the final report. What's more, assessments can be configured to your specific schedule and frequency. So, you get complete deployment control to suit the requirements of your business.

Lewis Warner

Chief Hacking Officer

Three tiers

Visibility. Resilience. Assurance.

Each tier increases test coverage, cadence, and Pentiq consultant involvement. All three start with the same onboarding so the platform reflects your environment and risk appetite from day one.

External Exposure Validation

Visibility

External exploitable exposure evidence on a monthly cadence.

Ideal for

  • Organisations that need clear, repeatable proof of external exposure with minimal operational overhead.
  • Teams who already know how to fix issues and simply need credible evidence to prioritise and track improvement.

Key features

  • External penetration testing + asset discovery
  • Vulnerability Management Hub access
  • 1 scheduled test per month
  • 50 IP minimum
  • Standard reports, MITRE ATT&CK mapping

Human touch

Pentiq onboarding and technical guidance on risk appetite and configuration setup. Autonomous after that - no ongoing human review of findings.

POA - get a quote.

Talk to us about Visibility

Hybrid Exposure Reduction

Resilience

Faster risk reduction across hybrid estate with monthly expert review.

Ideal for

  • Teams ready to move from finding issues to closing exposure faster, with a structured monthly rhythm.
  • Hybrid estates (internal + cloud) where change is constant and you need guided prioritisation and verification planning.

Key features

  • All pentest types - external, internal, cloud, Kubernetes
  • Active Directory audit, phishing impact testing
  • 1-click verify, fix actions
  • 100 IP minimum, 2 scheduled tests/month
  • Monthly Operation Review with Pentiq

Human touch

Everything in Visibility, plus one Review Credit per month - a contiguous four-hour Pentiq consultant block used to review findings, prioritise remediation, and provide guidance. Plus a Monthly Operation Review.

POA - get a quote.

Talk to us about Resilience

Continuous Assurance & Governance

Assurance

Programme-level assurance: governance with trends and executive evidence.

Ideal for

  • Organisations that must demonstrate cyber resilience to boards, auditors, insurers, or investors.
  • Mature security functions that need trend and KPI evidence of improvement, not just point findings.

Key features

  • Everything in Resilience
  • 4 manual penetration tests/year (consultant-led)
  • 4 scheduled platform tests/month
  • Quarterly Executive Review + Monthly Operation Review
  • Comprehensive reports + ISO 27001, CIS, CE+ compliance mapping

Human touch

Everything in Resilience, plus four manual penetration tests per year, debrief calls, an open communication channel with your Pentiq team, and a Quarterly Executive Review.

POA - get a quote.

Talk to us about Assurance

Compare tiers

What's included where.

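| Feature | Visibility | Resilience | Assurance |
|---|---|---|---|
| Autonomous testing | | | |
| Pentest types covered | External | External, Internal, Cloud, Kubernetes | External, Internal, Cloud, Kubernetes |
| External Asset Discovery | Included | Included | Included |
| Active Directory Audit | - | Included | Included |
| Phishing Impact Testing | - | Included | Included |
| Fix Actions with 1-click Verify | - | Included | Included |
| Minimum IPs | 50 | 100 | 100 |
| Scheduled tests / month | 1 | 2 | 4 |
| Pentiq consultant time | | | |
| Manual penetration tests / year | - | - | 4 |
| Review Credits (4-hr consultant block / month) | - | 1 | 1 |
| Monthly Operation Review | - | Included | Included |
| Quarterly Executive Review | - | - | Included |
| Open communication channel | - | - | Included |
| Reporting & framework mapping | | | |
| Reports | Standard | Standard | Comprehensive |
| Adversary-behaviour mapping | MITRE ATT&CK | MITRE ATT&CK | MITRE ATT&CK |
| Compliance framework mapping | - | - | ISO 27001, CIS, Cyber Essentials Plus |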

A dash (-) means the feature is not part of that tier. Most can be added as separately scoped add-ons - talk to us if you need something mid-tier.

Every tier includes

The baseline you get at any tier.

  • Onboarding with technical guidance on risk appetite and configuration setup.
  • Vulnerability Management Hub access.
  • MITRE ATT&CK adversary-behaviour mapping.
  • 12-month minimum commitment.

What CSAS isn't

To be straight with you, here's what CSAS doesn't cover.

  • Bespoke manual penetration tests where one is required for compliance, certification, or customer assurance - those are scoped separately (see Penetration Testing services).
  • Authenticated web application or API testing - outside platform scope; scoped separately.
  • Bespoke red team operations and social engineering campaigns - separate services.
  • Cyber Essentials and Cyber Essentials Plus certification - POA, separate engagement.

Common questions

Frequently asked questions.

What's the difference between CSAS Visibility and a typical scanning tool?

A scanner gives you a list of vulnerabilities. CSAS Visibility gives you exploitable findings - the platform actually attempts attacks, validates impact, and shows attack chains. You get evidence of what could happen, not just what could in theory be wrong.

Can I move between tiers later?

Yes. The platform configuration carries forward. You can up-tier when you're ready for more consultant involvement, or move down if your needs change. Configuration changes are limited to one per year at Visibility, four per year at Resilience, and unlimited at Assurance.

Is there a minimum commitment?

Yes - 12 months. CSAS is built around a continuous monthly cadence; shorter commitments don't deliver enough signal to be useful.

Does CSAS replace my annual pen test?

At the Assurance tier, the four included manual pen tests usually replace your annual point-in-time engagement. At Visibility and Resilience, CSAS complements rather than replaces - most clients keep their annual manual test alongside.

What happens at onboarding?

A Pentiq consultant works with you to define scope (IP ranges, domains), agree risk appetite, and configure the platform appropriately. Onboarding is included in every tier. After that, ongoing human involvement depends on tier - see the comparison table.

Talk to us about CSAS

Which tier fits your situation, honestly?

Most enquiries get a same working day response from a Pentiq consultant. We'll talk through which tier fits your situation - and tell you when an annual pen test alone is the right answer.