Web security evidence that speaks the auditor's language.
External, internet-facing technical security assessment combined with a structured internal-controls declaration and mapped compliance evidence.
Designed to be part of your compliance documentation — not the entire folder.
Enterprise Audit
€19,999/year
per domain · starting from
- 37+ automated security checks
- 4 compliance scanners
- Bilingual 24-question compliance questionnaire
- Evidence matrix with readiness scores
- Risk Register (NIS2 Art.21(2)(a) format)
- Remediation Roadmap (30/60/90 days)
- Executive Summary for management
- Incident Response Plan template
- 4 quarterly audits with certificates
- Unlimited post-fix re-scans
Audit + Support
Custom
tailored to your organization
- Everything in Enterprise Audit
- Technical remediation — we fix findings
- 4 structured GDPR & NIS2 advisory sessions
- Async email Q&A support included
- Remediation roadmap (30/60/90 days)
- Executive summary for management
- Policy pack review (5-7 key documents)
- Vendor coordination with your hosting/dev provider
- Volume pricing for multiple domains
Audit + Pentest
Custom
automated + manual assessment
- Everything in Audit + Support
- Manual penetration testing by certified expert
- Attack surface mapping with human verification
- Detailed pentest report with exploitation evidence
- Combined automated + manual assessment certificate
Less than 0.2% of the €10 million maximum fine that NIS2 (Art. 34) requires Member States to provide for essential entities: documented evidence that pays for itself.
NIS2 compliance deadline: October 2026
EU entities classified as essential or important must demonstrate documented security measures, including regular vulnerability assessments. Institutions without documented evidence face regulatory risk.
What you get
37+ technical checks. 28 mapped controls. Evidence-ready.
Automated external security assessment combined with a structured compliance questionnaire. Every finding is mapped to specific controls across NIS2, GDPR, and ISO 27001.
37+ automated security checks
SSL/TLS, security headers, DNS, email authentication, CMS vulnerabilities, exposed files, open ports, subdomain discovery, and 10,000+ CVE templates via deep scan.
Cookie consent evidence scanner
Detects 11 consent management platforms, pre-consent cookie loading, banner presence, and Romanian-specific consent patterns. Returns structured assessment.
Third-party script scanner
Identifies 30+ known trackers, analytics, and advertising scripts. Flags non-EU hosting as data transfer risk indicator — not a violation claim, an observable fact.
Exposed data scanner
Detects email addresses, API keys, and debug information in page source. High-confidence and possible findings are reported separately. Romanian phone numbers and CNP-like patterns (Cod Numeric Personal, the Romanian personal identification number) are included.
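As an added illustration of how the high-confidence / possible split can be implemented (this is example code, not the product's own scanner), the block below scans constructed page source for the data classes named above. The CNP check uses the published check-digit algorithm (weights 2-7-9-1-4-6-3-5-8-2-7-9, sum mod 11, remainder 10 mapped to 1) so that a 13-digit string with a valid check digit is reported as high-confidence while one that merely looks like a CNP is only "possible". The sample HTML, the domain primaria-exemplu.ro and the secret value are constructed; AKIAIOSFODNN7EXAMPLE is the placeholder access key ID that AWS's own documentation uses.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    kind: str
    value: str
    confidence: str  # "high" (format and check digit confirmed) or "possible" (pattern only)


# Standard weights for the Romanian CNP (Cod Numeric Personal) check digit
_CNP_WEIGHTS = (2, 7, 9, 1, 4, 6, 3, 5, 8, 2, 7, 9)


def cnp_check_digit_valid(cnp: str) -> bool:
    """True if the 13-digit string has a plausible month/day and a correct check digit."""
    if len(cnp) != 13 or not cnp.isdigit():
        return False
    month, day = int(cnp[3:5]), int(cnp[5:7])
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return False
    total = sum(int(d) * w for d, w in zip(cnp[:12], _CNP_WEIGHTS))
    expected = total % 11
    if expected == 10:  # the standard maps remainder 10 to check digit 1
        expected = 1
    return int(cnp[12]) == expected


_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_AWS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")        # AWS access key ID format
_SECRET_ASSIGN_RE = re.compile(
    r"""(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*["']?([A-Za-z0-9_\-]{16,})""")
_CNP_RE = re.compile(r"(?<!\d)([1-8]\d{12})(?!\d)")        # 13 digits, first digit is sex/century code
_RO_PHONE_RE = re.compile(r"(?<!\d)(0[237]\d{8})(?!\d)")   # Romanian national format, 10 digits


def scan_source(html: str) -> List[Finding]:
    """Scan page source for exposed data, separating high-confidence from possible findings."""
    findings: List[Finding] = []
    for m in _EMAIL_RE.finditer(html):
        email = m.group(0)
        # Placeholder domains are documentation noise rather than real exposure
        conf = "possible" if email.lower().endswith(("@example.com", "@example.org")) else "high"
        findings.append(Finding("email", email, conf))
    for m in _AWS_KEY_RE.finditer(html):
        findings.append(Finding("aws_access_key_id", m.group(1), "high"))
    for m in _SECRET_ASSIGN_RE.finditer(html):
        # A value assigned to a key/secret/token name may be a public key: needs human review
        findings.append(Finding("secret_assignment", m.group(1), "possible"))
    for m in _CNP_RE.finditer(html):
        cnp = m.group(1)
        findings.append(Finding("cnp", cnp, "high" if cnp_check_digit_valid(cnp) else "possible"))
    for m in _RO_PHONE_RE.finditer(html):
        findings.append(Finding("phone", m.group(1), "possible"))
    return findings


def count_by_confidence(findings: List[Finding]) -> Dict[str, int]:
    return {c: sum(1 for f in findings if f.confidence == c) for c in ("high", "possible")}


# Constructed sample page source (not a real site). 1880115400018 carries a valid check
# digit; 1880115400019 does not, so it is reported as "possible" only.
SAMPLE_HTML = """<!-- constructed sample page source -->
<html><body>
<p>Contact: contact@primaria-exemplu.ro (dev@example.com for the test site)</p>
<script>
  var apiKey = "sk_test_CONSTRUCTED0000000001";
  // TODO remove before launch: AKIAIOSFODNN7EXAMPLE
</script>
<p>Debug dump: cnp=1880115400018, phone 0721000000, ref 1880115400019</p>
</body></html>"""


if __name__ == "__main__":
    for f in scan_source(SAMPLE_HTML):
        print(f"{f.confidence:8} {f.kind:18} {f.value}")
    print(count_by_confidence(scan_source(SAMPLE_HTML)))
```

The check-digit test is what keeps a debug dump full of order numbers or timestamps from flooding the report: only values that pass it are promoted to high confidence, and everything else stays in the "possible" bucket for a human to triage.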
Login surface scanner
Discovers admin panels, login pages, and authentication endpoints across 16 common paths including Romanian patterns. Observable checks only — no intrusion.
Bilingual compliance questionnaire
24 questions covering internal controls that scanners cannot observe: incident response plans, DPO appointment, encryption policies, access management. Available in both English and Romanian for clients.
Evidence matrix with readiness scores
Merges scan results + questionnaire answers into a per-framework readiness score. Shows which controls pass, which have gaps, and which are declared without observable evidence.
Contradiction detection
When a client declares a control as in place but scanner evidence contradicts it, we flag it explicitly. A unique differentiator — most assessments either trust declarations or ignore them. We reconcile both.
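An added example (not the product's own code) of the reconciliation the evidence matrix and contradiction detection describe: each registry entry pairs a control ID with an optional externally observable scanner check and a questionnaire item, and the three-way outcome (observed, declared, neither) decides whether the control is a pass, a gap, a declared-but-unverified control, or a contradiction. The registry, the check and question names, and the scoring weight of 0.5 for declared-only controls are assumptions for illustration; the product's actual control registry is not published on this page.

```python
from dataclasses import dataclass
from typing import Dict, List

# Scanner evidence per technical check: True = observed pass, False = observed fail,
# missing key = the check produced no result for this domain.
ScanEvidence = Dict[str, bool]
# Questionnaire answers: True = declared in place, False = declared absent, missing key = unanswered.
Declarations = Dict[str, bool]


@dataclass(frozen=True)
class ControlResult:
    control_id: str
    framework: str
    status: str  # pass | gap | declared_unverified | contradiction | unanswered
    detail: str


# Hypothetical control registry: (control id, framework, scanner check or None when the
# control is not externally observable, questionnaire item). Illustrative only.
REGISTRY = (
    ("NIS2-21.2.h", "NIS2", "tls_strong", "q_encryption_policy"),
    ("GDPR-32.1.a", "GDPR", "tls_strong", "q_encryption_policy"),
    ("NIS2-21.2.b", "NIS2", None, "q_incident_response_plan"),
    ("ISO-A.8.8", "ISO27001", "no_known_cves", "q_vuln_mgmt"),
    ("GDPR-7", "GDPR", "no_pre_consent_cookies", "q_consent_process"),
)


def reconcile(scan: ScanEvidence, decl: Declarations) -> List[ControlResult]:
    """Merge scanner observations with client declarations, one result per registry control."""
    results: List[ControlResult] = []
    for control_id, framework, check, question in REGISTRY:
        observed = scan.get(check) if check else None
        declared = decl.get(question)
        if observed is True:
            status, detail = "pass", "scanner confirms control"
            if declared is False:
                detail = "scanner confirms control although client declared it absent"
        elif observed is False:
            if declared is True:
                status, detail = "contradiction", "declared in place but scanner observed failure"
            else:
                status, detail = "gap", "scanner observed failure"
        else:  # nothing observable from outside; only the declaration is available
            if declared is True:
                status, detail = "declared_unverified", "declared by client, no observable evidence"
            elif declared is False:
                status, detail = "gap", "client declares control absent"
            else:
                status, detail = "unanswered", "no scanner evidence and no declaration"
        results.append(ControlResult(control_id, framework, status, detail))
    return results


# Assumed scoring: observed passes count fully, declared-only controls count half.
_WEIGHT = {"pass": 1.0, "declared_unverified": 0.5}


def readiness(results: List[ControlResult]) -> Dict[str, int]:
    """Percent readiness per framework."""
    totals: Dict[str, List[float]] = {}
    for r in results:
        totals.setdefault(r.framework, []).append(_WEIGHT.get(r.status, 0.0))
    return {fw: round(100 * sum(v) / len(v)) for fw, v in totals.items()}


def contradictions(results: List[ControlResult]) -> List[str]:
    return [r.control_id for r in results if r.status == "contradiction"]


# Constructed sample: TLS is strong, but the deep scan found a known CVE and cookies are
# set before consent, while the client declares vulnerability management to be in place.
SAMPLE_SCAN = {"tls_strong": True, "no_known_cves": False, "no_pre_consent_cookies": False}
SAMPLE_DECL = {"q_encryption_policy": True, "q_incident_response_plan": True,
               "q_vuln_mgmt": True, "q_consent_process": False}


if __name__ == "__main__":
    rs = reconcile(SAMPLE_SCAN, SAMPLE_DECL)
    for r in rs:
        print(f"{r.control_id:12} {r.framework:9} {r.status:20} {r.detail}")
    print("readiness:", readiness(rs))
    print("contradictions:", contradictions(rs))
```

On the constructed input the ISO 27001 vulnerability-management control comes out as a contradiction (declared in place, CVE observed) rather than being silently trusted or silently overridden, which is the behaviour the section above describes; the incident response control, which no external scan can see, is carried as declared-but-unverified and weighted accordingly in the readiness score.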
Assessment certificate
Numbered, dated PDF certificate documenting the scope, methodology, findings summary, and readiness scores. Designed for your compliance folder.
Risk Register (NIS2 Art.21(2)(a))
Structured risk register in standard format suitable for audit follow-up. Likelihood × Impact matrix, regulatory exposure per risk, clear mitigation and ownership. Key document at NIS2 inspections.
Remediation Roadmap
30/60/90-day action plan derived from findings + questionnaire. Each item has a type, severity, owner, effort estimate, and evidence-of-fix requirement. Split across technical fixes, control gaps, and validation actions.
Executive Summary
2-page PDF for non-technical decision-makers. Traffic-light status per framework, curated strengths and risks in business language, top 5 priority actions with suggested owners.
Incident Response Plan template
Editable DOCX covering NIS2 Art.21(2)(b). Pre-filled draft with the organization's external assets and suggested roles. Client completes, tests, and approves — we provide the framework, client retains ownership.
Your annual package includes:
4 quarterly full audits with assessment certificates
37+ automated security checks per audit
4 compliance scanners (cookie, scripts, data, login)
Bilingual 24-question internal controls questionnaire
Evidence matrix with per-framework readiness scores
Contradiction detection between scan and declarations
Risk Register (NIS2 Art.21(2)(a) format)
Remediation Roadmap (30/60/90 days)
Executive Summary for management
Incident Response Plan template
NIS2 + GDPR + ISO 27001 mapped evidence
Post-fix verification re-scans (unlimited)
Dedicated audit workspace with discussion thread
Compliance evidence
3 frameworks. 28 mapped controls. Real evidence.
Each finding is mapped to specific control IDs with structured evidence. We cover the externally observable technical controls — your compliance team sees exactly which controls are met, which have gaps, and which require internal organizational measures beyond our scope.
Mapped evidence: NIS2
Article 21 · 10 controls mapped
Risk analysis, vulnerability scanning, incident detection, encryption verification, access control, supply chain security
Essential & important entities across the EU
Mapped evidence: GDPR
Articles 5, 7, 25, 32, 44 · 11 controls mapped
Encryption in transit, cookie consent compliance, lawful basis documentation, data breach detection, international transfer risk, privacy by design
Any organization processing EU personal data
Mapped evidence: ISO 27001
Annex A controls · 7 controls mapped
Communications security, operations security, cryptography, access control, vulnerability management
Organizations pursuing or maintaining ISO certification
Findings additionally tagged against: DORA • OWASP Top 10 • PCI DSS v4.0 • HIPAA • NIST CSF 2.0 • Cyber Essentials • eIDAS 2.0 • ENISA Guidelines • BSI IT-Grundschutz
These frameworks receive automatic finding tags for additional context. Structured evidence mapping with control registry is available for NIS2, GDPR, and ISO 27001 above.
What enterprise includes
- All Pro security checks + 4 dedicated compliance scanners
- Cookie consent evidence with CMP detection and pre-consent analysis
- Third-party script inventory with non-EU hosting risk indicators
- Exposed data detection (emails, API keys, sensitive patterns in source)
- Login surface analysis (admin panels, authentication endpoints)
- Bilingual 24-question compliance questionnaire covering internal controls
- Evidence matrix merging scan data + declarations per framework
- Contradiction detection between scanner evidence and client declarations
- Risk Register in NIS2 Art.21(2)(a) format
- Remediation Roadmap with 30/60/90-day action buckets
- Executive Summary for management decision-makers
- Incident Response Plan template (NIS2 Art.21(2)(b))
- Assessment certificate with scope, methodology, and readiness scores
- Quarterly re-assessments with trend tracking
What is out of scope
- Internal network infrastructure (firewalls, VPN, LAN)
- Physical security of data centers or offices
- Source code review or manual exploit development
- Social engineering or phishing tests
- Employee background checks or HR procedures
- Business continuity testing (DR exercises)
- Internal identity and access management (IAM)
Our assessment covers the external, internet-facing technical security posture of your domain, combined with a structured internal controls declaration. Designed to complement your broader compliance program — not replace it.
How we compare to traditional consulting
Traditional consulting engagements often include a broader scope (internal networks, physical security, governance workshops, implementation support). We focus specifically on external web security evidence with compliance mapping. Choose based on your organization's specific compliance needs.
Built for institutions
Who uses enterprise audits
Municipalities & city halls
Official websites, citizen portals, online payment systems, e-government platforms. Public administration bodies in scope of NIS2; whether a given municipality is classified as an essential or important entity depends on the national transposition.
Hospitals & healthcare
Patient portals, appointment systems, medical record access points. NIS2 + GDPR sensitive data requirements.
Universities & schools
Student portals, research platforms, LMS systems, faculty websites. Public institution compliance obligations.
Financial institutions
Online banking portals, fintech platforms, payment processors. DORA + NIS2 regulatory overlap.
Mid-size companies
E-commerce, SaaS platforms, corporate websites. Companies handling EU personal data or operating in regulated industries.
Critical infrastructure
Energy, water, transport, telecommunications: NIS2 Annex I (high-criticality) sectors, in which large entities are generally classified as essential and medium-sized ones as important, all requiring documented security measures.
NIS2 deadline is 6 months away.
Every week without documented security evidence is a week closer to non-compliance. Start with a single domain — see the evidence before committing to a full deployment.