Two offers built around one outcome: the evidence your auditor, your underwriter, and your largest customer all want to see — that a finding was real and that it got fixed. Pricing is on request, scoped to your estate. Start with a free exposure check; we'll quote a number that matches what your organisation actually needs.
The right comparison isn't another tool's sticker price — it's the cost of an auditor finding, a cyber-insurance renewal question, or a customer security review where you can't produce evidence on demand. Both offers below are priced as a small fraction of that risk.
Before the price list
Auditors are asking harder questions. Underwriters want proof, not promises. Enterprise customers want to see the receipts. We deliver that evidence — runnable, signed, on a daily cadence — so the next time someone asks, the answer is a file you can hand them, not a meeting you have to schedule. Talk to us about scope and we'll give you a number that matches the estate.
Most teams choose this
For organisations that take Find. Prove. Fix. Verify. seriously every day.
Monthly or annual billing. Cancel any month from the dashboard.
What's included in Sentinel:
| Daily Find — Asset Discovery and attack-surface mapping: one protected domain, full external coverage, every weekday before your team sits down. |
| Prove on every finding — the Proof Capsule: signed, sealed, runnable on your laptop. Triage shrinks from a sprint to a meeting. |
| Fix path baked in: patch citation, remediation guidance, controls pre-mapped to SOC 2, ISO 27001, HIPAA, PCI-DSS. Engineering closes from a starting line. |
Verify with one command: re-run the capsule, see fix-confirmed. Wire into CI so a regression fails the build. |
| Engineering integrations: Slack, Jira, GitHub PR comments, webhook for everything else. Findings show up where engineering already works. |
| Founder-direct onboarding: the founder runs your first capsule with you. No SDR. No hand-off. |
| Quarterly transparency report: sub-processors, key rotations, incident summary. You see the supply chain. |
The maths: less than the daily cost of a single junior security engineer, against a category whose worst outcome wipes balance sheets. Scope the offer, we quote the figure.
Start with a free scanFirst, see what we find. Request pricing when ready.
For complex estates & partner programs
When ten domains, residency, or white-label is the requirement.
Annual contract. Custom MSA. Procurement-friendly invoicing.
What's included in Fortress:
| Up to 10 protected domains — subsidiaries, brands, marketing properties, the whole estate — daily. |
| Internal-network agent — coverage past the perimeter. Lateral-movement and privilege-escalation chains, capsule-confirmed. |
| White-label reports — your brand on the dashboard and the export. We disappear; the work shows up under your name. |
| Regional data residency — EU, US, APAC, or your own VPC. Data lives where your compliance team needs it to live. |
| Dedicated success contact — named human, monthly review, quarterly posture report. Not a queue. |
| Priority response — capsule-confirmed P0/P1 escalation paged within the hour during business hours. |
| Everything in Sentinel — Find, Prove, Fix, Verify across the whole estate. |
The maths: less than the cost of a single line item in most breach-response retainers, with continuous coverage across the estate. Procurement bundles available on request.
Contact salesProcurement bundle on request.
Before either offer
One scan on one domain. One Proof Capsule in your inbox. No credit card. No sales call. The first thing we ask you to do is verify the product works against your own asset — before we ask anything else.
The cost-of-inaction frame
Industry research consistently puts median dwell time before detection well past six months. The cost-of-inaction question isn't "is verifiable security worth the monthly fee?" — it's "if a real exploit lands today, does your team find it in week one or month seven?"
Verifiable security closes that window. Not by promising perfection; by giving your engineers a runnable artifact for every issue we find, on a daily cadence, signed in a way anyone can verify. The discipline starts with knowing what's broken before someone else does.
What we don't do (and won't pretend to)
We're honest about scope so you don't pay us for work we shouldn't be doing. None of these are weaknesses; they are deliberate edges of the offer.
Annual deep-dive engagements still belong on the calendar. We sit between those moments, providing daily verifiable evidence the auditor and the underwriter both want to see. Many customers run both, and we are happy when they do.
Phishing simulations, voice and physical-access testing belong with specialists who do that work full-time. We focus on the technical attack surface where signed, runnable proof actually moves the needle.
Every payload we generate is reversible by classification. The platform refuses to ship anything with a non-reversible side-effect. We make sure the AI never makes a change it can't undo — ever.
Procurement questions, answered straight
Decision fatigue is the enemy of action, and action is the entire point of verifiable security. Sentinel covers the eighty percent of teams who want a single domain protected daily with capsule-backed findings. Fortress covers the twenty percent who need ten domains, internal network coverage, white-label, residency, or a dedicated contact. If neither fits, talk to us — we'll tell you honestly whether we're the right answer.
Both offers are billed monthly or annually, scoped against the protected estate. We quote on request once we understand the domain count, residency requirements, and the integration surface. Annual commits include a meaningful discount over month-to-month. Request pricing.
Sentinel: monthly billing, cancel any month from the dashboard, no auto-renew traps. Annual saves meaningful spend over month-to-month. Fortress: annual contract with cancel-for-cause provisions in the MSA; we don't lock teams into a service that isn't working for them.
Findings live in your dashboard for the lifetime of your subscription plus ninety days. Proof Capsules retain by default for ninety days; you can extend, shorten, or delete on demand. Customer-deletion is one click, logged as a signed event so you have a receipt. Sub-processor list is public; quarterly transparency report covers handling stats and any incidents.
Default deployment is global, with data-plane processing in the region closest to where your scans originate. EU, US, APAC, or your own VPC available on request, with the matching data-processing addendum. Sub-processor list is named on the Trust Center.
An annual pentest is a snapshot. Sentinel is a moving record. The pentest still has a place — many of our customers run both, with the pentest as the periodic deep-dive engagement and Sentinel as the daily Find. Prove. Fix. Verify. coverage between. The two complement each other; we are not asking you to choose.
SOC 2 Type II is in observation with a named auditor, target issue Q4 2026. A Type I bridge letter is available now if a deal needs one. ISO 27001 readiness work begins after the Type II report ships. We won't put a badge on the site for something we haven't earned. The Trust Center has the dated detail.
Yes. Fortress includes white-label reports, and we run a partner program with named-contact onboarding. See the partner page.
Just your domain and your work email. We'll handle the rest.
CELVEX Group