
    About Budget Security

    Budget Security is a self-serve penetration testing platform headquartered in The Hague, Netherlands. We were founded in 2025 by operators who have collectively delivered thousands of pentests across the past decade. Customers register their IT assets once, pick an asset and a goal — full pentest, SOC 2 readiness, NIS2 audit prep, ISO 27001 scope, or authenticated-only review — and a budget. Our scoping AI proposes a test plan and shows the tradeoff live as days are added or removed. Engagements are conducted by 30 OSCP-certified testers and delivered through a customer dashboard, not an encrypted PDF. Day rates start at €849, published on the site. We serve customers across the European Union, United States, and United Kingdom in English and Dutch.

    Why we exist

    We kept watching the same dynamic play out. An SMB or mid-market company suddenly needed a penetration test — because of a SOC 2 audit, an ISO 27001 certification cycle, a NIS2 compliance deadline, an enterprise customer requiring evidence of security testing, or a security incident — and discovered that the traditional pentest consultancy market was priced and paced for organisations several orders of magnitude larger.

    The numbers told the story: €20,000–€80,000 per engagement, 4–8 weeks from contact to kickoff, a sales call before anyone would even quote, an encrypted PDF report at the end that disappeared into a shared folder. That structure made sense in the enterprise consulting era. It does not make sense for the company that just got its first SOC 2 questionnaire from a Fortune-500 prospect and has six weeks to produce an answer.

    So we built the platform that should exist.

    What we built

    1. AI-driven, goal-based scoping

    Our scoping engine is what makes the rest of the platform work. Customers register their assets, pick a goal, and set a budget. The engine proposes a test plan: how many days, what gets covered, in what order, at what depth.

    The engine then shows the tradeoff live. Add a day — here is what gets deeper coverage. Remove a day — here is specifically what gets cut, and whether the resulting scope still meets your compliance goal. If the budget no longer guarantees a SOC 2 evidence package, the platform says so explicitly.

    This replaces the traditional model where a senior consultant scopes the engagement from a sales call. Our approach produces objective, transparent scoping logic — same caliber of test, no human estimation drift, full visibility for the customer before they commit.

    2. Dashboard delivery

    The incumbent pentest delivery model is an encrypted PDF over email. Findings land at the end of the engagement, get lost in shared folders, and are rarely tracked through remediation. Continuity between engagements is non-existent.

    We deliver everything through a customer dashboard. Findings appear in real time as the tester identifies them. Issues are tracked through remediation. Retests are self-serve. Asset management persists across engagements. Multi-year history is one click away. The dashboard is built for the security manager running a continuous program — not the audit consultant filing a one-off report.

    3. Veteran team, modern infrastructure

    Our testing team has 30 OSCP-certified penetration testers. OSCP is the practical, hands-on certification standard that requires demonstrated exploitation against live targets in a 24-hour exam — not multiple-choice theory. Many of our testers hold additional certifications: OSCE, OSEP, CRTO, CEH.

    Our founding operators have collectively delivered thousands of pentests across the past decade. The team's expertise level is identical to what premium consultancies provide. What changed is the delivery model: AI-driven scoping replaces sales-call estimation, the dashboard replaces PDF-over-email, asset registration replaces re-scoping each engagement from scratch. We kept the testing caliber and modernised everything around it.

    4. Transparent, fit-to-budget pricing

    We publish our day rate on the website. From €849/day. There is no "contact sales for a quote."

    The price is a consequence of removing waste, not a discount on quality. AI-driven scoping eliminates over-scoping (the consultancy default). The dashboard eliminates project-management overhead. Self-serve booking eliminates sales-cycle cost. Asset registration eliminates re-scoping each engagement. We pass those structural savings on. Testing depth is unchanged from what premium consultancies deliver.

    Who we serve

    Budget Security is built for organisations that need penetration testing and want it run professionally, not for organisations that need security consulting wrapped around the test. Our typical customers are:

    • SMB and mid-market technology companies (20–500 employees) preparing for or maintaining SOC 2, ISO 27001, or NIS2 compliance
    • Software vendors required to provide a recent third-party pentest report to enterprise customers
    • EU mid-market companies in scope for NIS2, the EU cybersecurity directive that became mandatory from June 2026
    • US SaaS companies preparing for SOC 2 audits or responding to enterprise vendor security reviews
    • UK companies pursuing Cyber Essentials Plus or government contract security requirements

    We are not the right fit for large enterprises with dedicated internal red teams and multi-quarter procurement cycles, or for organisations that need deeply custom red-team methodology beyond standard web, network, cloud, or mobile pentesting.

    Where we work

    Budget Security serves customers globally. Phase 1 markets are the European Union, United States, and United Kingdom. We quote in EUR, USD, and GBP based on the customer's location. Our reporting language is English by default; Dutch reports are available for Dutch-market customers.

    We are headquartered in The Hague, Netherlands. Testing is delivered remotely. On-site testing is available across the EU, UK, and US for a per-day uplift.

    Budget Security — facts

    Founded: 2025
    Headquarters: The Hague, Netherlands
    OSCP-certified testers: 30
    Founding-team cumulative pentests: Thousands, across the past decade
    Day rate (starting): €849/day, published
    Time from booking to kickoff: 7 days (typical)
    Phase 1 markets: EU, US, UK
    Languages: English, Dutch
    Compliance frameworks: SOC 2, ISO 27001, NIS2, Cyber Essentials Plus