Security Sparring Partner

Practical security expertise working alongside your team

Duration: Monthly Subscription
Kind: Support
Where: Remote
Language: German or English

Your external security expert on retainer

Most security engagements are project-based: you book a pentest, a training, or consulting days when a specific need arises. That works well for defined tasks. But it leaves a gap — the ongoing stream of architecture decisions, design questions, and security trade-offs that your teams face between those engagements.

The Security Sparring Partner fills that gap. It’s a monthly retainer that gives your teams continuous access to an experienced security practitioner. I’m the person they bounce things off before committing to an approach — not after a problem has already shipped.

I don’t replace your internal security function — I work alongside it. Think of it as having someone on speed dial who’s seen enough architectures and attack surfaces to spot the things your team might miss.

Why a retainer instead of hourly booking?

With hourly booking, your teams call when they have a specific problem. That’s reactive, and there’s more friction than you’d think. I’ve seen it repeatedly: people hesitate to “burn an hour” on a quick question about an architecture approach or a dependency choice. So they don’t ask, and the question goes unanswered.

A retainer flips this dynamic. Your teams know the time is already allocated, so they actually use it. They ask about the architecture decision before it’s final. They loop me in on the new feature before it ships. The small questions that prevent expensive problems later actually get asked.

In practice, retainer customers engage two to three times more frequently than hourly customers, and the conversations shift from firefighting to prevention.

Three tiers

This engagement comes in three levels of depth and time commitment:

Sparring

  • Scheduled monthly review call where we go through what’s on your plate, what’s coming up, and anything that’s been bugging your team security-wise
  • Remaining hours for ad-hoc questions from your team via email or chat. No need to book a call just to ask “Is this session config safe?” or “Should we worry about this dependency?”
  • Proactive security monitoring for your tech stack: I keep an eye on the security ecosystem around the technologies your team actually uses and ping you when something needs attention, whether that’s a critical vulnerability, an emerging supply chain attack campaign, or a breaking change in how a framework handles security.
  • Priority scheduling and rebates when you book project work (pentests, trainings, workshops) separately

Advisory

Everything in Sparring, plus:

  • Bi-weekly (instead of monthly) review calls, so bigger architectural decisions have less time to pile up or drift before we look at them
  • Findings triage: when your scanners or tools spit out results, send them over. I’ll sort the noise from the real issues and tell you what to fix first, all within the retainer hours
  • AI coding security guidance: your teams are adopting AI coding assistants and agentic workflows, and the security implications are shifting fast. I’m the person they ask when they’re not sure whether that agent’s suggestion is actually safe, whether an AI-generated architecture pattern makes sense, or what new risks these tools bring as they evolve
  • Quarterly architecture or security posture deep-dive: we take a closer look at what changed since last quarter, new components, anything that feels off. If you have a threat model, we check whether the controls still match reality. If you don’t have one yet, this is where we start building it.
  • Optional DNS and domain monitoring: I periodically check for newly registered lookalike domains targeting your brand and keep tabs on your DNS subdomains. Forgotten staging subdomains, dangling CNAMEs ripe for takeover, someone registering your-company-login.com: that kind of thing is easy to miss until it shows up in an incident report.

Everything in Advisory, plus:

  • Weekly (instead of bi-weekly) review calls. At this cadence I know what your team is working on well enough to spot problems early, not just react to them
  • I join design reviews for security-critical features. Your team invites me to specific meetings when they’re building something sensitive, and I already have enough context to be useful without a long briefing first
  • Ongoing threat model maintenance: if you have an Attack Tree or Threagile model, I keep it current as your architecture evolves. New components get new attack paths, retired parts get cleaned up, control mappings stay honest. The model stays a living artifact, not a PDF collecting dust.
  • Quarterly control review: I walk through all mapped security controls and check whether they’re actually still doing what we think they’re doing. Results feed straight into the improvement roadmap below.
  • Structured security improvement roadmap: I maintain a prioritized list of recommended improvements based on everything we work on together, and we review progress each quarter
  • Optional external attack surface monitoring: if you give me your network ranges, I periodically scan for services reachable from the outside and flag anything unexpected. New port open after a deployment? Forgotten test instance still running? You’ll hear about it from me before someone less friendly finds it.
  • Hands-on support during security incidents. When something goes wrong, I’m available within the retainer to help figure out what happened, what’s still at risk, and what to do next.

How it works in practice

  1. We start with a scoping call to understand your team structure, tech stack, and where external security input would help most.
  2. You choose a tier based on how deeply you want to integrate the retainer into your workflow. Minimum commitment is usually 6 months.
  3. We set up a cadence (depending on tier): weekly, bi-weekly, or monthly calls, quarterly deep reviews, and communication channels for ad-hoc questions.
  4. Your teams start using it: architecture questions, design reviews, scan result triage, quick checks on security trade-offs — whatever comes up.
  5. Monthly hours are use-it-or-lose-it: no rollover, so your team is motivated to actually engage rather than accumulate unused hours.

Choosing your focus areas

During the scoping call, we define one or two focus areas that shape what we spend most of our time on. This keeps the retainer targeted instead of spreading thin across everything security-related.

General security architecture is the classic setup: your teams bring architecture decisions, design questions, and security trade-offs, and I help them think those through. Dependency choices, authentication patterns, API design, infrastructure hardening — the everyday security decisions that add up over time.

Agentic AI security is for organizations that are deploying AI agents and need ongoing advisory as that landscape evolves. New agent deployments get ad-hoc threat modeling sessions, existing agents get periodic attack surface reviews, and your team has someone to ask when they’re unsure whether a new MCP integration or tool chain introduces risk they haven’t thought about. If you’ve done an Agentic AI Security assessment with me, the retainer is the natural way to keep that threat model alive and current as your AI architecture changes. If you haven’t, we can build the initial threat model elements as part of the retainer.

Secure development lifecycle focuses on embedding security into how your team builds software: CI/CD pipeline hardening, dependency management, secure coding practices, and making sure AI-assisted coding tools don’t quietly introduce the vulnerabilities your team just spent effort fixing.

Cloud and infrastructure security covers IaC reviews, cloud configuration assessments, and supply chain hardening for your deployment pipeline.

These aren’t rigid tracks. Most customers start with one or two and adjust as priorities shift. Someone might begin with general architecture and add AI security six months later when their first agent goes to production. These areas just make sure we’re both clear on where the retainer focuses most.

What this is not

This is an advisory relationship. It does not include:

These services are complementary, and retainer customers receive priority scheduling and rebates for all of them.

Relation to other offerings

The retainer often evolves naturally from project-based engagements. For example, a customer might book a Web Security Bootcamp, then an Application Pentest, and then realize they want ongoing input and oversight — the Security Sparring Partner formalizes that ongoing relationship.

It also pairs well with the Attack Tree Quickstart for initial threat landscape modeling, which can then be maintained and evolved as part of the ongoing retainer. The same applies to the Agentic AI Security assessment — the one-time threat model becomes the baseline, and the retainer keeps it current as your AI deployment grows.

That said, you don’t need to have booked previous projects first. Many organizations start with the retainer directly.

Interested in discussing which tier fits your team? Let’s talk