Continuous Security Assurance from Razorthorn Security
Most security testing happens once a year. An annual pentest, a compliance audit, maybe a vulnerability scan. The problem is that your attack surface changes constantly, and a point in time assessment only tells you where you stood on the day it was carried out.
Razorthorn’s Continuous Security Assurance service gives mid-market organisations the ongoing security oversight they need without the cost and complexity of building an internal security function. You get continuous threat exposure management, annual penetration testing, identity and supplier security reviews, architecture advisory, incident support and monthly reporting, all in a single monthly retainer.
Book a free consultation
Please leave a few contact details and one of our team will get back to you.
Why organisations choose Continuous Security Assurance
Our penetration testing service delivers comprehensive vulnerability assessments through a structured, efficient process designed to minimise disruption whilst maximising security insights.

Continuous visibility of your external attack surface, not just a snapshot from last year’s pentest

Seven security services bundled into one monthly retainer with a single point of contact

Monthly reporting that gives senior stakeholders a clear view of security without the jargon

Independent validation that your security controls are actually working as intended
What is included in Continuous Security Assurance?
Continuous threat exposure management (CTEM)
Ongoing monitoring of your external attack surface through Razor’s Edge. New vulnerabilities, exposed services, misconfigurations and emerging weaknesses are identified as they appear rather than waiting for the next scheduled assessment. Every finding is reviewed by an analyst before it reaches your team.
Annual penetration testing
CREST certified penetration testing covering your website, apps, perimeter infrastructure and internal network. This provides the structured, in depth assessment that CTEM complements but does not replace. You get a full report with prioritised remediation guidance.
Identity and authentication security review
Dedicated review of your identity and access management controls. This covers authentication mechanisms, password policies, multi-factor authentication, privileged access management and Active Directory security. Identity based attacks are one of the most common ways organisations get compromised, so this is not a box ticking exercise.
Third party and supplier security assessment
Assessment of the cyber security risks in your supply chain. We evaluate your key suppliers against recognised frameworks to identify weaknesses that could compromise your organisation. This is increasingly important for compliance with ISO 27001, DORA and NIS2.
Security architecture advisory
Expert input on key design decisions to reduce structural risk in your environment. Whether you are migrating to the cloud, redesigning your network or deploying new systems, your Razorthorn consultant provides security architecture guidance to make sure it is done right.
Incident advisory support
When something goes wrong, you have a team to call. Incident advisory support helps you respond quickly and effectively to security incidents, with guidance on containment, investigation and recovery. This is not a 24/7 SOC service but it gives you access to experienced incident responders when you need them.
Monthly security posture report
A clear, jargon free report delivered monthly that gives senior stakeholders visibility of your security status. Covers findings from CTEM, progress on remediation, upcoming testing activity and any incidents or concerns. Designed to be read by people who are not security specialists.
How much does Continuous Security Assurance cost?
How much does Continuous Security Assurance cost?
Pricing is based on the size of your organisation. All packages include every service listed above. There are no add-ons or hidden extras.

Small Business
Under 50 seats
£4,495 per month
Everything listed above. Continuous threat exposure management, annual penetration testing, identity review, supplier assessment, architecture advisory, incident support and monthly reporting.

Medium Business
50 to 200 seats
£6,495 per month
Everything listed above, scoped to a larger environment with broader attack surface coverage and more complex infrastructure.

Large Business
200+ seats
Everything listed above, scoped to your specific environment. Pricing depends on the size and complexity of your infrastructure, number of external facing assets and supplier base.
Frequently asked questions about Continuous Security Assurance
What is Continuous Security Assurance?
Continuous Security Assurance is a managed security service from Razorthorn Security that bundles continuous threat exposure management (CTEM), annual penetration testing, identity and authentication review, supplier security assessment, security architecture advisory, incident support and monthly reporting into a single monthly retainer.
How much does Continuous Security Assurance cost?
Pricing starts at £4,495 per month for organisations with under 50 seats. The Medium Business package for 50 to 200 seats is £6,495 per month. Large Business pricing for 200+ seats is available on application. All packages include every service with no add-ons or hidden extras.
What is the difference between CTEM and penetration testing?
CTEM (continuous threat exposure management) monitors your external attack surface on an ongoing basis, flagging new vulnerabilities and changes as they appear. Penetration testing is a structured, in depth assessment carried out at a specific point in time. CTEM tells you what has changed since your last pentest. The annual pentest provides the depth that CTEM does not. You need both, and this service includes both.
Do I still need a separate penetration test if I have CTEM?
Yes, and the service includes one. CTEM monitors your external attack surface continuously but it does not replace the depth of a full penetration test. The annual pentest included in Continuous Security Assurance covers your website, perimeter and internal infrastructure, which goes well beyond what external monitoring can assess.
What does the monthly report cover?
The monthly security posture report covers findings from CTEM monitoring, progress on remediation from previous assessments, upcoming testing activity and any incidents or concerns. It is written in plain language for senior stakeholders and does not require a technical background to understand.
Is the incident support a 24/7 service?
No. This is incident advisory support rather than a 24/7 security operations centre. When a security incident occurs, you have access to experienced incident responders who can advise on containment, investigation and recovery. If you need round the clock monitoring, speak to us about our managed SIEM service.
Why should I bundle security services instead of buying them separately?
Three reasons. You get a consistent team who knows your environment across every piece of work. You get a coordinated programme where findings from one service feed into the next rather than a collection of disconnected engagements. And you get one monthly bill, one point of contact and one report instead of chasing three different suppliers for updates.
What is the difference between Continuous Security Assurance and CISO as a Service?
CISO as a Service provides strategic security leadership: setting direction, managing risk, reporting to the board. Continuous Security Assurance provides the operational programme: testing, monitoring, reviewing and reporting. One tells you what to do, the other does it. Some organisations use one or the other. Some use both for a complete outsourced security function.
Does Continuous Security Assurance help with ISO 27001 compliance?
Continuous Security Assurance supports several ISO 27001 control areas, particularly around vulnerability management, supplier security, incident response and security monitoring. Having a structured ongoing security programme in place also provides evidence of continuous improvement, which auditors want to see. It does not replace dedicated ISO 27001 consultancy but it covers a significant portion of the operational requirements.
What size organisation is Continuous Security Assurance designed for?
Mid-market organisations typically with 20 to 500 staff that have outgrown the point where security can be managed by IT on the side but are not large enough to build an internal security team. Common triggers include clients or insurers asking about your testing programme, a compliance requirement like ISO 27001 or Cyber Essentials that demands ongoing monitoring rather than a one-off assessment, or realising that annual pentesting alone is not keeping up with how quickly your environment changes. Pricing tiers cover under 50 seats, 50 to 200 seats and 200+ seats.
How long is the contract?
Speak to us about contract terms during the scoping call. The service is designed as an ongoing engagement and works best over 12 months or more, as the value builds over time as your consultant develops a deeper understanding of your environment and your risk profile evolves.





