Launch

Security foundations for startups and single-product teams

For startups and single-product teams getting security right from day one.

What's included

  • NIST SSDF-aligned secure SDLC baseline and pilot rollout
  • Light architecture review and threat modeling for priority systems
  • Basic secure code review process and developer training
  • Introductory DevSecOps and CI/CD security setup
  • Basic AI coding policy guidance
  • Executive summary reporting and optional maturity snapshot

Included services

Secure SDLC Implementation

Implement secure software development lifecycle practices

Developer Security Training

Comprehensive security training for development teams

Code Review Process Setup

Establish secure code review processes and practices for development teams

Threat Modeling & Abuse-Case Design

Threat modeling and abuse case analysis for secure design

Secure Architecture Review

Comprehensive security architecture review and recommendations


Package comparison

| Capability | Launch | Scale | Enterprise |
|---|---|---|---|
| Secure SDLC baseline | Included | Included | Enterprise-wide |
| Architecture review | Light | Priority systems | Architecture board support |
| Threat modeling | Light | Product-level | Program-level |
| Secure code review process | Basic | Full workflow | Enterprise standard |
| Developer security enablement | Basic | Role-based | Champions + continuous enablement |
| DevSecOps setup | Basic | Advanced | Enterprise standard |
| CI/CD pipeline security | Basic | Advanced | Enterprise policy |
| Software supply chain security | Basic | Included | Full governance |
| AI-assisted development security | Optional | Included | Advanced |
| AI coding policy | Basic | Included | Enterprise governance |
| Secure AI SDLC | Optional | Optional | Included |
| Security champions | Intro | Program design | Program operation |
| Secure Engineering as a Service | Optional | Retainer | Dedicated model |
| Reporting | Summary | Monthly dashboard | Executive dashboard |
| Maturity review | Optional | Quarterly | Quarterly + annual roadmap |

Good fit for

  • Pre-Series B startups shipping their first production product
  • Single squad needing a pragmatic 90-day security uplift
  • Teams with no dedicated AppSec function yet

Not included (consider upgrading)

  • Org-wide DevSecOps automation and supply-chain program (see Scale)
  • Secure AI SDLC and agentic controls (see Enterprise)
  • Dedicated secure engineering retainer

Typical scope for Launch

Launch fits a single product team establishing secure engineering basics — typically one primary application, a modest repository set, and a small group of contributing developers.

Number of applications

Typical: 1–5 applications

Customer-facing apps, internal tools, APIs, and microservices in scope for secure SDLC and release controls.

Number of repositories

Typical: 1–10 repositories

Active code repositories that need SAST, SCA, secrets scanning, and secure PR workflows.

Developers contributing code

Typical: 5–25 developers

Engineers who commit code regularly — including contractors and platform teams touching application repos.

CI/CD pipelines

Typical: 1–5 CI/CD pipelines

Build and deploy pipelines across environments (dev, staging, production) and products.

AI coding tools in use

Typical: Emerging or limited AI tool use

Copilot, Cursor, ChatGPT, Claude Code, or internal AI assistants used by developers.

Engagement model

Typical: Setup-focused; optional light retainer

One-time implementation, ongoing retainer, or dedicated secure engineering pod.

What affects pricing

We do not publish fixed prices. Your proposal depends on scope and complexity.

Engineering team size

Number of developers, squads, and products in scope affects enablement depth and coaching cadence.

Repository and application count

More repos and apps require broader toolchain integration and governance models.

CI/CD pipeline complexity

Platform choice, number of pipelines, and release frequency drive DevSecOps and release security effort.

AI adoption scope

Use of AI coding tools and AI-powered products determines AI governance and secure AI SDLC depth.

Compliance and evidence requirements

Regulated industries and audit cycles increase reporting, evidence packs, and maturity program scope.

Engagement model

One-time setup vs ongoing retainer vs dedicated pod — each maps to a different commercial structure.

Contact us for a tailored proposal based on your engineering context.

Extend your package

Extend your Build Secure package with specialized services.

Annual Penetration Testing Bundle

Recurring assessment coverage aligned with your release cadence and risk profile.

Developer Security Workshops

Hands-on secure coding labs tailored to your stack and threat model.

Secure AI SDLC Add-on

Extend your package with AI-specific SDLC controls, model governance, and RAG security.

Software Supply Chain Deep Dive

SLSA maturity uplift, SBOM program design, and artifact signing hardening.

Frequently asked questions

Not sure which package fits?
Book a Build Secure Workshop. We will map your team to Launch, Scale, or Enterprise in a focused scoping session.