Quality & Security · GUARDIAN + CITADEL
Application security, penetration testing, secure SDLC, and compliance evidence — engineered as continuous practice, not as a quarterly audit scramble. SOC 2, ISO 27001, HIPAA, PCI-DSS evidence collected as a side-effect of operating the system.
The problem
The pattern: a SOC 2 audit that consumes the engineering organization for six weeks; an annual pen-test report nobody acted on between executive summary and the next test; SAST findings filed as Jira tickets that age out of relevance; security review treated as a milestone gate rather than a continuous discipline; and compliance evidence assembled from screenshots taken during the audit week. Security stops being a discipline when it lives in a separate calendar from engineering.
CITADEL operates security as continuous engineering. SAST / SCA / DAST / secrets scanning in CI as deployment gates, not advisory tickets. Penetration testing on a quarterly cadence with explicit scope and remediation tracking. Threat modeling on every new service. Compliance evidence collected as a side-effect of operating the system — not as a quarterly fire drill. SOC 2, ISO 27001, HIPAA, and PCI-DSS programs that auditors pull from in days, not weeks.
Where it ships
Specific applications we’ve built and operated. Not speculative — every example below is grounded in a real shipped engagement.
−68%
high-severity findings YoY
SAST / SCA / DAST / secrets scanning integrated in CI as deployment gates. Threat modeling on new services, security review on architectural change, and the operating cadence that prevents regressions rather than detecting them.
94 days
to SOC 2 audit-ready
Control set design, evidence pipeline, gap remediation, and audit support. Continuous evidence collection through Vanta / Drata or custom pipelines. Audit pass rate on first attempt: 100%.
HIPAA Security Rule and Privacy Rule program build. Risk analysis, incident response, workforce training, and the audit-defensible evidence pipeline. BAA template authoring and subprocessor governance.
Web, API, mobile, and cloud-infrastructure pen tests. Internal red-team exercises, external third-party coordination with reputable firms, and remediation tracking with explicit ownership.
Threat-modeling cadence on new features, security review on architectural change, security champions program, and the operating discipline that makes security a continuous practice rather than a milestone gate.
How we engage
Each phase has a deliverable, an owner, and an acceptance criterion. Not slogans — operating rules.
Discovery: regulatory frame, attack surface, current security posture, gap analysis. Output is a prioritized risk roadmap — not a generic audit checklist. We calibrate scope to the specific risk surface, not to a universal questionnaire.
SAST (Semgrep, CodeQL), SCA (Snyk, GitHub Advanced Security), DAST (OWASP ZAP, Burp), secrets scanning (gitleaks, trufflehog) — all in CI as deployment gates. Findings tracked to closure with explicit ownership and SLAs by severity.
Compliance evidence — control activity logs, change-management artifacts, access reviews, vendor risk records, training records — produced as a side-effect of operating the system. Vanta / Drata integration where appropriate, custom pipelines where it isn't.
Quarterly penetration testing, monthly review of CI security signals, semi-annual control efficacy reviews, and IR plan rehearsed quarterly. Security as a continuous practice, not a project.
Capabilities
Stack
Selected work
Common questions
We don't perform the audit (independence rules). We build the program, evidence pipeline, and controls — then we engage a reputable third-party auditor (we maintain working relationships with several) for the actual audit. We support you through the audit and maintain the evidence pipeline afterward. Audit pass rate on first attempt across our SOC 2 / ISO 27001 engagements is 100%.
Tools without ownership are noise. We design the AppSec program around (1) which findings are gating and which are advisory, (2) explicit ownership and SLAs by severity, (3) regression-prevention rather than tool-output dashboards, (4) the threat-modeling cadence that catches the bugs tools miss. Tooling is a means, not the practice.
Both. Internal red-team exercises by CITADEL provide continuous adversarial pressure. External third-party penetration tests by reputable firms (we maintain working relationships) provide the independence audit committees and customers expect. We don't position ourselves as the only auditor of work we shipped — independent third-party testing is part of the discipline.
Yes — control mapping across SOC 2, ISO 27001, HIPAA, PCI-DSS, GDPR / CCPA, NIST CSF, and FedRAMP (where applicable). We design the control set so a single piece of evidence satisfies multiple frames where the controls overlap, reducing audit overhead. Mappings documented and maintained as part of the program.
CSPM (Wiz / Prisma Cloud / Defender for Cloud) integrated with the existing cloud accounts, IAM hygiene reviews, network segmentation audit, and the continuous-monitoring frame that catches drift. We design cloud security around your specific cloud topology, not against a generic CIS Benchmark dump.
SOC 2 / ISO 27001 readiness and audit support: 4–6 months, $200K–$500K. AppSec / SecOps program with continuous testing: 6–12 months, $400K–$1.5M. Pen testing engagement: $40K–$150K depending on scope. HIPAA program build: 4–8 months, $250K–$700K. Managed Services for ongoing security operations: $25K–$100K monthly retainer. Brackets published honestly so visitors self-qualify before the first call.
Within Quality & Security
Talk to us
A senior engineer plus the GUARDIAN + CITADEL department lead joins the first call. No discovery gauntlet, no junior reps.
