Quality & Security · GUARDIAN + CITADEL
Test automation, performance and accessibility engineering, application security, and secure SDLC — staffed by senior engineers, not by an offshore QA pool. Compliance evidence collected continuously rather than scrambled at audit time.
The problem
The familiar shape: a QA team in a different time zone running scripted regression cycles that miss the architectural changes; a security review that's a checkbox at the end of the SDLC instead of a continuous discipline; an audit that takes the engineering organization six weeks to produce evidence for; an accessibility test report that the design team has never read; and a penetration test report that nobody acted on between the executive summary and the next audit.
GUARDIAN (quality engineering) and CITADEL (security and compliance) operate as senior practices, not commodity services. Our engineers participate in architecture reviews from day one, write test code alongside application code, run continuous security scanning in CI, and produce audit evidence as a side-effect of operating the system rather than as a quarterly scramble. We will tell you honestly when 'add more QA' is the wrong answer — usually the right answer is to fix the test architecture, not to staff against it.
What we deliver
Test automation, performance, accessibility, application security, secure SDLC.
How we engage
The methodology shows up in the statement of work — not as slogans, but as deliverables, owners, and acceptance criteria.
Every engagement starts with a risk model: what could go wrong, what does it cost, and which controls actually move that risk. We don't run generic test suites or generic security questionnaires — we calibrate scope to the specific risk surface and regulatory frame the workload sits in.
Senior QA and security engineers (G6+) embedded into your engineering cadence, not handed scripts to execute. Test code lives in the same repo as application code, runs in the same CI, and is reviewed under the same code-review standard. Security review is continuous, not a milestone gate.
Audit evidence — control activity logs, change-management artifacts, access reviews, vendor risk records, security training records — is produced as a side-effect of operating the system. SOC 2, ISO 27001, HIPAA, and PCI-DSS auditors pull what they need in days, not weeks.
Quarterly penetration tests against named scopes, monthly SLA-backed review of CI security signals, semi-annual control efficacy reviews, and an incident response plan rehearsed at least quarterly. The discipline compounds over time — security and quality are operating practices, not project deliverables.
Selected work
94 days to SOC 2 audit-ready
Stood up the full SOC 2 control set, HIPAA evidence library, and continuous monitoring in 94 days. Vanta integration, custom evidence pipelines for application-level controls, and a documented incident response plan with tabletop validation.
5 months

−68% high-severity findings YoY
Implemented continuous SAST / SCA / DAST in CI, quarterly external penetration testing, and a formal threat-modeling cadence on every new service. Findings tracked to closure with explicit ownership; high-severity counts dropped 68% year-over-year.
12 months

8x deploy frequency
Replaced a 90-minute Selenium suite with a 6-minute Playwright + Vitest matrix. Restored deploy confidence, enabled trunk-based development, and freed the QA team to engineer rather than babysit a flaky CI.
4 months
Common questions
Both, depending on the engagement, but augment is the most common pattern. We embed senior QA and security engineers alongside your team, share the same backlog, and ship test code through the same review process. Where we do greenfield work end-to-end (e.g., standing up a SOC 2 program from scratch), we hand off with documentation and a 90-day shadowing period so your team owns operations after we leave.
Continuous evidence collection is the discipline. We design controls so the evidence (control activity logs, change-management artifacts, access reviews) is produced as a side-effect of operating the system, not assembled in a sprint before the auditor visits. CITADEL has shipped SOC 2 Type II, ISO 27001, HIPAA, and PCI-DSS programs for clients across financial services, healthcare, and SaaS. Audit pass rate on first attempt is 100%.
Yes — both internal red-team exercises and external third-party pen tests. For external testing we coordinate with reputable firms (we maintain working relationships with several) and manage scope, findings, and remediation. We don't position ourselves as the only auditor of work we shipped — independent third-party testing is part of the discipline.
WCAG 2.2 AA conformance as the default target, with EN 301 549 and Section 508 mappings where applicable. Automated checks (axe, Pa11y, Lighthouse) in CI, manual assistive-technology testing on every release gate, and explicit accessibility acceptance criteria in the SOW. We publish accessibility statements that include known limitations rather than claiming conformance we can't defend.
Secrets scanning in CI (gitleaks / trufflehog), secret managers as the only legitimate storage path (Vault, AWS Secrets Manager, Azure Key Vault), and short-lived credentials wherever the platform supports them. We treat any committed secret as compromised regardless of repo visibility — rotate first, investigate after.
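The secrets-scanning gate described above, as an added example. This is not GUARDIAN/CITADEL tooling and it does not replace gitleaks or trufflehog; it shows the two detection strategies those scanners combine (vendor-published token shapes, and high-entropy values assigned to credential-looking variable names) and the build-failing behaviour that follows from treating any committed secret as compromised. The rule names, the entropy threshold and the sample input are this example's own choices; the AWS key in the sample is the placeholder value from AWS documentation, not a live credential.

```python
"""Secrets-scanning gate for CI (added example, not GUARDIAN/CITADEL code).

Two strategies, as gitleaks / trufflehog also use:
  1. vendor-published token shapes (regexes on documented prefixes);
  2. a credential-looking variable assigned a long, high-entropy value.
Any finding fails the build; the value is treated as compromised and must
be rotated before the change merges.
"""
import math
import re
import sys
from collections import Counter

# Vendor-published token shapes. The prefixes are public, documented formats.
NAMED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic catch for formats without a known shape: a credential-looking name
# assigned a token of 16+ characters. Entropy then separates real keys from
# placeholders; short values such as "changeme" never reach this rule, which
# is a known limitation of pattern scanners, not a feature.
ASSIGNMENT = re.compile(
    r"(?i)\b(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption tuned for this example


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token):
    """Keep only a short prefix so the CI log never becomes a second leak."""
    return token[:4] + "*" * (len(token) - 4)


def scan_text(text, source="<stdin>"):
    """Return one finding dict per credential-shaped string in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        covered = []  # spans already reported by a named rule on this line
        for rule, pattern in NAMED_PATTERNS.items():
            for m in pattern.finditer(line):
                covered.append((m.start(), m.end()))
                findings.append({"rule": rule, "source": source, "line": lineno,
                                 "redacted": redact(m.group(0))})
        for m in ASSIGNMENT.finditer(line):
            start, end = m.span(1)
            if any(start >= s and end <= e for s, e in covered):
                continue  # already reported under its vendor-specific rule
            entropy = shannon_entropy(m.group(1))
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"rule": "high_entropy_assignment", "source": source,
                                 "line": lineno, "redacted": redact(m.group(1)),
                                 "entropy": round(entropy, 2)})
    return findings


def ci_exit_code(findings):
    """Non-zero on any finding: rotate first, investigate after."""
    return 1 if findings else 0


# Constructed sample input standing in for a diff or file under review.
# The AKIA value is the AWS documentation placeholder, not a real key.
SAMPLE = """\
# constructed sample config, not from any real repository
DB_HOST=db.internal
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_key = "Zx9qL2mN4vB7cK1pR8tW3yH6jF0sD5gA"
password = "changeme"
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        results = []
        for p in paths:
            with open(p, encoding="utf-8", errors="replace") as fh:
                results.extend(scan_text(fh.read(), source=p))
    else:
        results = scan_text(SAMPLE, source="SAMPLE")
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['rule']} {f['redacted']}")
    sys.exit(ci_exit_code(results))
```

Run it with file paths as arguments from a CI step, or with none to scan the built-in sample; the non-zero exit code is what turns a finding into a blocked merge. Findings carry only a redacted prefix so the pipeline log does not itself become somewhere a secret is stored.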
SOC 2 readiness and audit support: 4–6 months, $200K–$500K. AppSec / SecOps program build with continuous testing: 6–12 months, $400K–$1.5M. QA automation rebuild: 3–6 months, $200K–$700K. Penetration testing: $40K–$150K per engagement (scope-dependent). Managed Services for ongoing security operations: $25K–$100K monthly retainer. Brackets published honestly so visitors self-qualify before the first call.
Talk to us
A senior engineer plus the GUARDIAN + CITADEL department lead joins the first call. No discovery gauntlet, no junior reps, no obligation.