Engagements & pricing

AI security, verified — three depths.

From a first read on the risk to a board-level adversarial audit — every engagement ships evidence mapped to OWASP LLM Top 10, ISO 42001, NIST AI RMF and EU AI Act Article 15. Per-system pricing. Fixed scope, fixed price.

  • Scope: Black-box · endpoint only
  • Coverage: 600+ adversarial tests
  • Turnaround: From 5 business days
  • Frameworks: EU · ISO · NIST · OWASP

01 / Engagements: Pick the right depth

Three engagements. One straight upgrade path.

Start with Discovery to map the risk. Move to Technical Compliance when it's time to file. Step to High-Assurance when stakes — or stakeholders — call for it.

01 / Discovery Assessment

Discovery

A first read on the risk — what's broken, how bad, and where to look next.
$3,500 / system
5 business days · 3 endpoints
  • Full vulnerability sweep across all OWASP LLM categories
  • Critical & high-severity findings with summary remediation
  • Executive summary (5 pages) plus findings list
  • Framework mapping at the summary level
  • Credit applies in full toward a Technical Compliance upgrade within 30 days
Begin discovery
02 / Technical Compliance Assessment (most chosen)

Technical Compliance

The core offering — security validation plus the evidence package your filing actually needs.
$9,500 / system
10–14 business days · 5 endpoints
  • Full 600+ test suite plus adaptive escalation on critical findings
  • Accuracy verification against the metrics you've declared
  • Multi-framework mapping — OWASP, ISO 42001, NIST AI RMF, EU AI Act
  • Full evidence package suitable for compliance filing
  • Detailed engineering-grade remediation per finding
  • One re-test within 30 days included
Start the engagement
03 / High-Assurance Audit

High-Assurance

For regulated industries and the systems where the answer has to be defensible at every level.
Custom · tailored quote
2–3 weeks · unlimited endpoints
  • Everything in Technical Compliance, scaled to your environment
  • Unlimited adaptive red-team escalation
  • Industry-specific attack scenarios (finance, health, infra)
  • Board-level risk narrative and remediation roadmap
  • Multi-round retest cycles and forensic-grade evidence
  • Direct advisory time with senior assessors
Request a scope
Add-ons available on every tier · additional endpoint $1,500 · extra re-test $2,000 · rush delivery +30%
02 / Comparison: Tier by tier

The same tests, three different filings.

Every row is a question you'll have to answer to the regulator, the board, or procurement. The deeper the engagement, the longer the answer can be.

| Feature | Discovery | Technical Compliance | High-Assurance |
|---|---|---|---|
| Best for | Startups & first reads | SaaS & regulatory filing | Fintech, health & enterprise |
| Price | $3,500 / system | $9,500 / system | Custom quote |
| Turnaround | 5 business days | 10–14 business days | 2–3 weeks |
| Endpoints | 3 | 5 | Unlimited (fair use) |
| Test count | 600+ static tests | 600+ static + adaptive follow-up | 600+ static + adaptive + custom paths |
| Adaptive testing | Not included | 1–2 variants per critical / high | Unlimited adaptive escalation |
| Accuracy verification | Not included | Declared metrics validated | Comprehensive KPI validation |
| Framework mapping | Summary level | Full — OWASP · ISO · NIST · EU | Full + industry-specific layers |
| Evidence package | Not included | Evidence logs + reproduction steps | Forensic-grade evidence |
| Remediation depth | General categories | Engineering-grade per finding | Architecture + roadmap |
| Re-test included | Not included | 1 re-test within 30 days | Multi-round retest cycles |
| Audience | Internal diagnostic | Regulator, board, procurement | Board, regulator, expert panel |

⚖ Legal note — Technical Assessment Reports document testing against industry frameworks. They are not legal certification or regulatory approval. Consult qualified legal counsel for your compliance obligations.

03 / FAQ: Direct answers

Questions we get every week.

Plain answers, written for the people who'll actually read the report — security leads, compliance officers, and the engineers on the receiving end of the remediation.

Q · 01
Discovery vs. Technical Compliance?
Discovery ($3,500) is an internal diagnostic — findings and severity to inform budget. No evidence logs, no adaptive testing, no re-test, not for regulatory submission.

Technical Compliance ($9,500) is filing-ready: same 600+ tests, plus adaptive follow-up on failed controls, accuracy verification, evidence logs and reproduction steps per finding, 5 endpoints, one re-test, and a Technical Assessment Report.
Q · 02
Can I upgrade from Discovery later?
Yes. Upgrade within 30 days and the full $3,500 credits toward the $9,500 Technical Compliance Assessment. Existing evidence is reused — you do not restart the engagement.
Q · 03
What counts as a 'system' — and how do extra endpoints work?
A system is one AI use case (e.g., customer support bot). Discovery covers 3 endpoints; Technical Compliance covers 5 (extra endpoints are +$1,500 each); High-Assurance includes unlimited endpoints within fair use.
Q · 04
Do you provide remediation support?
Technical Compliance includes engineering-grade remediation architecture (security patterns, controls to implement), verification tests, and a debrief call — without any code handoff. We regularly partner with compliance consultants who handle governance while we deliver the technical evidence.
Q · 05
How does this complement SOC 2 / ISO 27001?
SOC 2 and ISO 27001 focus on controls and documentation. AI security needs independent technical testing. Our evidence maps to OWASP LLM Top 10, ISO 42001, NIST AI RMF, and EU AI Act Article 15 — and helps close AI-specific findings raised in SOC 2 / ISO audits.
Q · 06
What frameworks do you test against?
Every one of the 600+ tests is pre-mapped to OWASP LLM Top 10, ISO/IEC 42001, NIST AI RMF 1.0, and EU AI Act Article 15. You pick the primary framework for the report; the cross-mapping comes with it.
Q · 07
What if we run on multiple AI platforms?
We are vendor-neutral. Azure, AWS, OpenAI, Anthropic, self-hosted — we test via endpoints and authentication only. No source code, no model weights, no infrastructure access.
Q · 08
Can I see a sample report?
Yes — sample reports show both Discovery and Technical Compliance outputs. The OWASP LLM tests are also available on GitHub (Community Edition).
Q · 09
Do you sign NDAs and support enterprise procurement?
Yes. NDA or MSA is standard. We handle security questionnaires, vendor onboarding, and provide evidence for procurement teams.
04 / Pick a depth · SOW today

Pick a depth. We'll send the SOW today.

Tell us the endpoint, the use case, and your filing target. You get a scoped statement of work — fixed price, fixed timeline — in your inbox the same day.