Every SaaS company needs a security baseline — before enterprise customers ask for it, before investors review it, before an incident forces it.
Most SaaS companies at the 50–100 person stage have informal security practices, not a baseline. Things work because of individual habits and organisational memory — not because of repeatable, documented, enforced controls. That's a gap that compounds over time.
When someone leaves, access gets revoked manually — sometimes days later, sometimes never. That departing engineer still has access to your production database. That contractor still has a Slack invite. MFA exists in some tools but isn't enforced everywhere — which means your Okta is protected but your AWS console isn't.
There's no policy, no audit trail, and no repeatable process. When something goes wrong — a phishing attack, a breach, a data request from a customer — you're operating from memory and goodwill rather than documented procedure.
You're one incident, one enterprise prospect, or one investor due-diligence call away from that mattering. The baseline is not a compliance exercise — it is the minimum standard of operating a responsible software business.
Baseline coverage
This is not a framework document or a gap analysis. These are the controls we implement in your environment, verify, and maintain on an ongoing basis. All 47 of them.
Identity & Access
Endpoint
Backup & Operations
Logging & Policies
The baseline can be implemented as a one-time project or as an ongoing managed service — depending on whether you need speed or continuity. Here are both paths.
Security Assessment
€2,500 · credited toward Sprint
Maps your current state across all baseline domains — identity, endpoint, backup, logging, and policy. Tells you exactly what's missing, what's partial, and in what order to fix it. Delivered in two weeks. The assessment fee is credited toward the Sprint if you proceed.
The Security Baseline™
from €85/user/mo · ongoing
If you prefer ongoing management over a one-time sprint, we deploy the baseline and maintain it as your managed security function from day one. We handle implementation, configuration, monitoring, and reporting. Minimum 30 users, 12-month commitment.
Need to implement rapidly for an audit or enterprise deal?
The 90-Day Accelerator (€28,000) covers the full baseline implementation plus all documentation in a single fixed-price project. If you need to be security-ready for a specific deadline — a customer review, an audit kickoff, a fundraising round — the Sprint gets you there in 90 days. You can then transition to managed services for ongoing maintenance.
Yes — unequivocally. Both ISO 27001 and SOC 2 are built on top of a functioning technical baseline. You cannot document what doesn't exist, and auditors are trained to distinguish between controls that are operational and controls that exist only in a policy document.
Getting the baseline right first makes certification faster, significantly cheaper, and more credible. Companies that attempt certification without a solid baseline typically fail their first audit attempt, delay their timeline by 6–12 months, and spend more overall. Start with the fundamentals — then layer compliance on top.
Most companies at your stage have 30–50% of baseline controls partially implemented. MFA exists in Okta but not AWS. MDM is deployed on some devices but not all. Backup runs nightly but nobody has tested a restore in two years.
The Security Assessment maps exactly where you are against the full 47-control baseline. We start where you are and fill the gaps — no rework of things that are already right, no credit for things that aren't. The assessment tells you precisely what's solid, what's partial, and what's missing entirely.
They deliver the same 47 technical controls and documentation. The difference is the engagement model. The 90-Day Accelerator is a time-bounded implementation project with a fixed price and a defined end date. The Security Baseline™ is an ongoing managed service — we deploy, configure, monitor, and maintain everything continuously.
If you want the controls implemented immediately and then maintained permanently, the typical path is Sprint first, then transition to the managed service. You're paying for implementation speed up front, then switching to a recurring model for long-term maintenance. We'll advise the right sequencing based on your specific situation.
Book a 30-minute Fit Call. We'll assess where you are against the full baseline and give you a clear, honest picture of what it takes to get there.