Security Review — Sales Kit

Landing page hero copy

Fast, pragmatic security reviews for startups and small teams. Actionable reports, prioritized fixes, and hands-on remediation help — no jargon, no endless compliance boxes. Get an expert review in 2–4 weeks.

One-paragraph pitch

We help bootstrapped teams and early-stage companies reduce security risk quickly and affordably. Our reviews combine automated scanning with human-led testing focused on web apps, APIs, and VPS-hosted services. We deliver prioritized findings, reproducible proof, and a clear remediation roadmap so engineering teams can fix the right things fast.

Discovery call script (10–15 minutes)

1. Intro (30s): Quick intro, who we are, and objective: "Fast, actionable security review to reduce risk and unblock shipping." 
2. Scope check (2m): Ask which domains, hosts, CI/CD, and cloud provider they want reviewed.
3. Risk context (2m): "What would be the worst outcome you worry about—data leak, downtime, RCE, etc.?"
4. Timing & constraints (2m): Confirm staging vs prod, availability for access, and NDA needs.
5. Deliverables & expectations (2m): Explain report, re-test policy, turnaround, and price tier recommendation.
6. Next steps (1m): Send engagement agreement, intake form, and calendar for kickoff.

Email / DM outreach templates

Cold outreach (short)

Subject: Quick security review for [company]

Hi [Name],

I run focused security reviews for startups. I can assess your main web app + VPS and deliver prioritized fixes within 2–3 weeks. Pricing starts at $1.5k. Interested in a 10-minute call to see if this helps? 

Thanks,
Ted

Warm outreach (referral or prior contact)

Subject: Security review to close gaps before launch

Hi [Name],

Following up — if you'd like an affordable review before launch, I can run a focused web/API + VPS review with a clear remediation plan. Typical turnaround 2–3 weeks, sample finding format included. Can I send available times for a quick call?

Proposal template (short)

[Client Name]
Project: Security Review — [Tier]
Scope: [domains, hosts, CI/CD provider]
Deliverables: Executive summary, full findings, remediation roadmap, re-test (if included)
Price: $[Amount]
Timeline: Start date + duration (e.g., 3 weeks)
Payment: 50% upfront, remainder on delivery
Assumptions: Client provides access within 48 hours; one review window; communication via Matrix or email
Acceptance: Reply with approval or sign and return

Collateral to include when sending

- Sample report excerpt (one sample finding)
- Short FAQ about access and safety
- Link to calendar/bookings

Rules & negotiation checklist for sales

- Verify assets: confirm exact domains, subdomains, IP ranges, CI/CD provider and cloud account/project included
- Confirm environment: recommend staging environment if testing in production is likely to cause issues
- NDA: offer a mutual NDA before any credentials are shared; review the liability and data-handling clauses in whichever paper is used (ours or the client's) and confirm they are acceptable to both sides
- RoE & evidence handling: ensure client signs and understands the Rules of Engagement and evidence retention policy before testing
- Out-of-scope cost estimate: clarify hourly rate for additional work, travel, or emergency retesting
- Payment terms: 50% up-front; include cancellation policy (see below)
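The asset-verification item above is the one that protects both sides during testing: every hostname and IP that gets scanned must trace back to the signed scope. The gate below is an added example of that check, not tooling from the kit itself; the scope entries and targets are constructed for illustration. It refuses anything not covered by a listed apex domain, exact host, or CIDR range, applies exclusions first, and matches subdomains only on a label boundary so that a look-alike such as evilexample.com is not treated as part of example.com.

```python
"""Pre-scan scope gate: refuse any target the signed scope does not cover.
Added example; the scope entries below are constructed, not a real client's."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    apex_domains: set = field(default_factory=set)   # apex plus all its subdomains
    hosts: set = field(default_factory=set)          # exact hostnames or IP literals
    networks: list = field(default_factory=list)     # ip_network objects (CIDR ranges)
    exclusions: set = field(default_factory=set)     # exact hostnames/IPs always refused


def _norm(name):
    # Hostnames are case-insensitive; a trailing dot is the same name in absolute form.
    return name.strip().rstrip(".").lower()


def _as_ip(target):
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None


def check_target(scope, target):
    """Return (in_scope, reason) for one hostname or IP literal."""
    t = _norm(target)
    if t in {_norm(x) for x in scope.exclusions}:
        return False, "explicitly excluded"
    listed_hosts = {_norm(h) for h in scope.hosts}
    ip = _as_ip(t)
    if ip is not None:
        # 'in' is version-aware: an IPv4 address is never inside an IPv6 network.
        for net in scope.networks:
            if ip in net:
                return True, f"in range {net}"
        if t in listed_hosts:
            return True, "listed host"
        return False, "IP not in any listed range"
    if t in listed_hosts:
        return True, "listed host"
    for apex in scope.apex_domains:
        a = _norm(apex)
        # Suffix match only on a label boundary: evilexample.com is NOT under example.com.
        if t == a or t.endswith("." + a):
            return True, f"subdomain of {a}"
    return False, "no matching domain, host or range"


def gate(scope, targets):
    """Split a target list into (allowed, refused) lists of (target, reason); refuse on doubt."""
    allowed, refused = [], []
    for t in targets:
        ok, why = check_target(scope, t)
        (allowed if ok else refused).append((t, why))
    return allowed, refused


# Constructed sample scope, as it would be transcribed from a signed RoE.
SAMPLE_SCOPE = Scope(
    apex_domains={"example.com"},
    hosts={"203.0.113.7"},
    networks=[ipaddress.ip_network("10.0.1.0/24")],
    exclusions={"billing.example.com"},
)

# Constructed target list, e.g. the output of subdomain enumeration plus the VPS address.
SAMPLE_TARGETS = [
    "api.example.com",
    "WWW.Example.COM.",
    "evilexample.com",
    "billing.example.com",
    "10.0.1.5",
    "10.0.2.5",
    "203.0.113.7",
]

if __name__ == "__main__":
    allowed, refused = gate(SAMPLE_SCOPE, SAMPLE_TARGETS)
    for t, why in allowed:
        print(f"ALLOW  {t:24} {why}")
    for t, why in refused:
        print(f"REFUSE {t:24} {why}")
```

Feed the scanner only the allowed list, and treat anything in the refused list as a scope question for the client rather than something to test quietly.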

Cancellation & scheduling policy

- If client cancels before testing starts: full refund of deposit minus administrative fee ($100)
- If client cancels after testing starts: deposit non-refundable; outstanding work invoiced pro-rata
- Rescheduling: allowed once without fee if notified >72 hours before kickoff; within 72 hours, a $200 reschedule fee applies

Pricing objections & rebuttals

- "Too expensive": emphasize speed, prioritized remediation, and developer-friendly output that reduces long-term costs
- "We have automated scans already": explain value of human verification, business logic testing, and prioritized remediation
- "We can't provide staging creds": offer guidance on minimal, low-impact production testing (read-only where possible, rate-limited, agreed test window) and require explicit written sign-off plus verified backups before testing starts

Sales collateral checklist

- One-page brochure (Tier summary and sample finding)
- Sample report (sanitized) and a 1-page executive summary
- FAQ about access, disruption risk, timeline, and evidence handling
- Standard engagement agreement, RoE, and intake form

Comms templates

- Kickoff email: include scope, RoE, technical contact, test window, and credentials delivery instructions
- Daily standup message (template) for active testing: short summary of progress, blockers, and next steps
- Draft report delivery: include link to draft, instructions for review, proposed review call times
- Final delivery: include artifact link, retest instructions (if included), and suggested remediation priority list

Legal & commercial red flags (what to watch for in contracts)

- Unlimited liability clauses: insist on capping liability to fees paid for the engagement or other reasonable cap
- Broad indemnity requirements: avoid clauses that require indemnifying the client for third-party claims beyond tester's control
- Overly broad data retention clauses: ensure retention is limited and covered by the evidence handling policy
- Requirements to perform destructive or social-engineering tests without separate compensation and explicit RoE
- Vague acceptance criteria for deliverables: define what constitutes delivery and acceptance (report, walkthrough call)

Operational checklist for delivery

- Pre-engagement: NDA signed (if requested), RoE signed, intake form completed, creds received
- Kickoff: confirm test window, monitoring contact, and emergency contact
- Scanning: run automated tools, document findings and false positives
- Manual testing: focus on OWASP Top 10, auth flows, session management, business logic
- Reporting: generate draft, include evidence package, schedule review call
- Handoff: final report, artifact package, retest if included, and checklist for remediation

Notes specific to Ted's setup

- Use Ted's VPS for demo/setup if client needs a staging target
- Use Matrix rooms for client communications (room templates available)

Appendix — Sample report outline (for sales/clients)

1. Cover page: client, engagement type, dates, reviewer
2. Executive summary: high-level risk posture, top 3 issues, estimated severity reduction (ESR) if the recommended fixes are applied
3. Scope & assumptions: assets tested, exclusions, RoE reference
4. Methodology: automated tools, manual testing approach, credentials used, test windows
5. Findings (detailed): ID, title, severity, affected assets, description, impact, reproduction steps, evidence references, recommendation, remediation difficulty, retest notes
6. Remediation roadmap: 30/60/90 day plan with owners (recommended role), rough effort estimates
7. Artifact bundle: description and delivery method
8. Limitations & disclaimers: testing constraints, liability disclaimer (plain language)
9. Appendix: tools used, CVE references, contact and support info

Changelog & next steps

- Added RoE, evidence handling, communications cadence, and liability summary to offering and sales kit
- Next action (sales): attach sanitized sample report and one-page brochure to outbound templates
- Next action (ops): add artifact packaging and secure delivery process to SOPs
