StackAware

Take your vulnerability management program from 0 -> 1

Tame the security vulnerability chaos.
Earn customer confidence.
Close enterprise deals.


01.

Vulnerability overload is real.

40,000. 130,000. Even 1,000,000.
These are actual vulnerability counts from modern networks.
The noise can seem impossible to sort through.
The industry-standard CVSS is broken.
And the stakes have never been higher.


02.

So is cyber risk.

60% of breaches are due to software flaws that were known but not patched ahead of time.
Ransomware gangs have "favorite" CVEs they keep coming back to.
Cyber insurers are looking at vulnerability management practices when setting rates.
Customers are subjecting their vendors to enhanced security due diligence.


03.

You need a plan.

What do we fix and when?
What do we disclose, and to whom?
What are the right tradeoffs to make?
How do we communicate internally and externally?
These are all common questions...
...that often get sorted out during an emergency.
On top of reducing your risk of a breach, a comprehensive vulnerability management program will save you enormous amounts of time, pain, and confusion. But you need one in place ahead of time.


Sound like you?

Are you a software company with $50 million ARR or less?
Are you selling to enterprise customers with heavy duty security needs?
Have the beginnings of a security team that is getting crushed by their intense due diligence?
Overwhelmed by thousands of "high and critical" vulnerabilities and don't know where to start?
I've built security programs at companies ranging from a venture-backed startup to a publicly-traded enterprise vendor with $1B in revenue. So I know both sides of the problem. And I've already accelerated security programs for many software entrepreneurs.


Let me build your program

$4,975 / month for 3 months

Tame the vulnerability madness in 90 days with:

  1. Custom policies / procedures

  2. Financial risk analysis

  3. Security status page

  4. Questionnaire completion

  5. Training and tabletop exercise

  6. Private Slack channel

  7. Weekly strategy meeting

  8. Discounted advisory retainer

  9. Early StackAware app access

  10. Premium technical support


How do you do it?

  1. Onboard: outline business objectives and identify key internal/external stakeholders.

  2. Gather information: review existing documentation, interview (live or written) key stakeholders, and conduct business impact analysis.

  3. Refine/develop processes: customize policies based on maturity, regulatory requirements, and business goals. Launch security status page.

  4. Train: conduct stakeholder education sessions, test via tabletop exercise, and onboard to StackAware platform.

  5. Maintain: transition to advisory capacity or assist in vetting full-time hire.


What do I get?

Customized policies and procedures
Concise and actionable written policies and playbooks for vulnerability management, scanning, release criteria, and disclosure. Development includes identification of areas for automation (can be a follow-on service).

Financial risk analysis
Using the Factor Analysis of Information Risk (FAIR) method, we design and implement a methodology for you to measure security vulnerability risk in business terms. The Common Vulnerability Scoring System (CVSS) is a broken method for prioritization that is hampering your business. Let me show you another way.

Security status page
Be proactive in communicating with prospects and customers by setting up a publicly-facing security center, like this.

Questionnaire completion
Let me deal with the headache of security questionnaires by completing them on your behalf, based on the information gathered while building your security status page.

Training and tabletop exercise
Get all of your stakeholders trained on your policies and procedures. Record it for reuse. And then drill your team to make sure the plan is sound.

Private Slack channel
Get 24-hour turnaround for your written questions.

Weekly strategy meeting
A 30-minute session to address questions, make course corrections, and align on next steps along the way.

Discounted advisory retainer
Keep your program going strong through a reduced subscription rate for StackAware's Vulnerability-Management-Advisor-as-a-Service (VMAaaS) offering.

Early StackAware app access
Systematize and automate your vulnerability management program even more effectively using the StackAware platform to measure and communicate about risk.

Premium technical support
Get white-glove treatment as you roll out StackAware to your company and security team.

What do you need from me?

- Accountable business leader.
- Designated security advisor (cannot be the same person as the business leader).
- Customer-facing point(s) of contact (can be the same person as the previous two).
- Completed questionnaire or 60-minute interview with all of the above.
- Asset inventory (not required, but preferred).
- Access to vulnerability scanning and other security tool outputs.
- Company email address during the course of the engagement (to configure the security status page).


Frequently asked questions

Scope of services
Question: Does your vulnerability management service encompass evaluating the risk from third-party code, either commercial or open source?
Answer: Yes. StackAware helps to manage vulnerabilities throughout your digital dependencies, and can assist in vetting vendors, evaluating open source code, and similar tasks.
Question: We are a software product company that provides software partially or exclusively for customers to run in their own environments (i.e., not as-a-Service). Do you have experience working in these types of situations?
Answer: Yes. We have experience at multiple companies that have offered both customer-managed (e.g. on-premises) and vendor-managed (e.g. SaaS) products and know how to handle both models.
Question: Are you a penetration testing or scanning company?
Answer: No. We do not scan for vulnerabilities in your network. We help you prioritize them and mature your processes and procedures for handling them.
Question: Will you patch or fix vulnerabilities for us?
Answer: No. We are not an IT service provider but rather a specialized vulnerability management and prioritization firm.
Question: We think we have been hacked. Do you do incident response or forensics?
Answer: No. StackAware is focused entirely on preventing cybersecurity incidents. We do not manage incident responses or post-breach investigations. We do, however, have referral partners whom we can recommend.
Preparing for an engagement
Question: Why do I need to designate a business leader who is accountable for the organization’s security? Shouldn’t that be a security person?
Answer: While security might be everyone's responsibility, at the end of the day only one person should be accountable for it. Ensuring that the leader with holistic responsibility for your business and all the risks it faces is the one who makes risk management decisions is key to having an effective and coherent security program.
Question: Why do I need to designate a single security advisor in our contract? Isn’t that you?
Answer: StackAware enables your security program to succeed by applying not only technical but also organizational best practices. Ensuring that you have a single, full-time individual responsible for giving security advice and implementing business decisions is the best way to set you up for success. If we do our job right and allow your business to scale, eventually you won't need our consulting services anymore. Grooming a leader to take over when that happens is the best way to prepare for this.
Question: Do I need to have an asset inventory in place to build out an effective risk-based vulnerability management program?
Answer: Yes. Since determining risk in financial terms requires understanding the impact of the exploitation of a given vulnerability, we will need to understand the assets in your network and their relative business value to you.
Question: What if my organization doesn’t have a complete asset inventory?
Answer: We can still work with you and will use the existing information you have to the best of our ability. With that said, the resulting business impact analysis will be far less granular than if we had an accurate inventory.
Question: Will you conduct an asset inventory for us?
Answer: No. Conducting an asset inventory is an ongoing, IT-centric process that we are not equipped to manage. We can make recommendations on what to do but cannot run the process ourselves.
About StackAware
Question: Is StackAware a product or a services company?
Answer: Both. As part of our strategy for building a market-leading software supply chain risk platform, StackAware is offering services to firms seeking to improve their vulnerability and third-party risk management efforts.


© StackAware. All rights reserved.