Scale

Automated security for growing engineering organizations

For growing engineering organizations automating security in delivery.

What's included

  • Everything in Launch, expanded org-wide
  • Advanced DevSecOps and CI/CD pipeline security
  • Software supply chain program (SLSA, SBOM, signing)
  • IaC and container build security
  • AI-assisted development security and AI coding policy
  • Security champions program design
  • Secure Engineering as a Service retainer option
  • Monthly dashboard and quarterly maturity review

Included services

Secure SDLC Implementation

Implement secure software development lifecycle practices

DevSecOps Setup & Integration

Setup and integrate security into DevOps pipelines

CI/CD Pipeline Security

Integrate security testing and checks into CI/CD pipelines for automated security feedback

Software Supply Chain Security

Secure dependencies, SBOM, provenance, signing, and build integrity across the software supply chain

IaC & Container Build Security

Harden infrastructure-as-code and container build pipelines with policy-as-code and image security controls

AI-Assisted Development Security

Validate AI-generated code and secure AI-assisted development workflows with expert-led, AI-augmented review

AI Coding Policy & Governance

Define policies and guardrails for safe use of AI coding tools across engineering teams

Security Champions Program

Embed and scale secure engineering practices inside development teams through a structured security champions program

Secure Engineering as a Service

Dedicated secure engineering pod delivering ongoing SDLC, DevSecOps, supply-chain, and AI-native development security on a managed program basis


Package comparison

| Capability | Launch | Scale | Enterprise |
|---|---|---|---|
| Secure SDLC baseline | Included | Included | Enterprise-wide |
| Architecture review | Light | Priority systems | Architecture board support |
| Threat modeling | Light | Product-level | Program-level |
| Secure code review process | Basic | Full workflow | Enterprise standard |
| Developer security enablement | Basic | Role-based | Champions + continuous enablement |
| DevSecOps setup | Basic | Advanced | Enterprise standard |
| CI/CD pipeline security | Basic | Advanced | Enterprise policy |
| Software supply chain security | Basic | Included | Full governance |
| AI-assisted development security | Optional | Included | Advanced |
| AI coding policy | Basic | Included | Enterprise governance |
| Secure AI SDLC | Optional | Optional | Included |
| Security champions | Intro | Program design | Program operation |
| Secure Engineering as a Service | Optional | Retainer | Dedicated model |
| Reporting | Summary | Monthly dashboard | Executive dashboard |
| Maturity review | Optional | Quarterly | Quarterly + annual roadmap |

Good fit for

  • Scale-ups with multiple squads and active CI/CD pipelines
  • Organizations adopting AI coding tools at scale
  • Teams needing ongoing secure engineering without a full internal AppSec org

Not included (consider upgrading)

  • Enterprise-wide secure AI SDLC and agentic engineering (see Enterprise)
  • Dedicated multi-team governance board and executive scorecards

Typical scope for Scale

Scale fits growing organizations automating security across multiple squads — more repositories, several pipelines, and broader developer enablement with optional retainer.

Number of applications

Typical: 6–20 applications

Customer-facing apps, internal tools, APIs, and microservices in scope for secure SDLC and release controls.

Number of repositories

Typical: 11–50 repositories

Active code repositories that need SAST, SCA, secrets scanning, and secure PR workflows.

Developers contributing code

Typical: 26–150 developers

Engineers who commit code regularly — including contractors and platform teams touching application repos.

CI/CD pipelines

Typical: 6–25 CI/CD pipelines

Build and deploy pipelines across environments (dev, staging, production) and products.

AI coding tools in use

Typical: Active AI coding tool adoption

Copilot, Cursor, ChatGPT, Claude Code, or internal AI assistants used by developers.

Engagement model

Typical: Setup + monthly retainer (recommended)

One-time implementation, ongoing retainer, or dedicated secure engineering pod.

What affects pricing

We do not publish fixed prices. Your proposal depends on scope and complexity.

Engineering team size

Number of developers, squads, and products in scope affects enablement depth and coaching cadence.

Repository and application count

More repos and apps require broader toolchain integration and governance models.

CI/CD pipeline complexity

Platform choice, number of pipelines, and release frequency drive DevSecOps and release security effort.

AI adoption scope

Use of AI coding tools and AI-powered products determines AI governance and secure AI SDLC depth.

Compliance and evidence requirements

Regulated industries and audit cycles increase reporting, evidence packs, and maturity program scope.

Engagement model

One-time setup vs ongoing retainer vs dedicated pod — each maps to a different commercial structure.

Contact us for a tailored proposal based on your engineering context.

Extend your package

Extend your Build Secure package with specialized services.

Annual Penetration Testing Bundle

Recurring assessment coverage aligned with your release cadence and risk profile.

AI Systems Security Assessment

Independent testing of LLM applications, agents, and AI workflows.

Dedicated AppSec Engineer

Embedded specialist for high-velocity teams needing daily secure engineering support.

Developer Security Workshops

Hands-on secure coding labs tailored to your stack and threat model.

Secure AI SDLC Add-on

Extend your package with AI-specific SDLC controls, model governance, and RAG security.

Software Supply Chain Deep Dive

SLSA maturity uplift, SBOM program design, and artifact signing hardening.

Red Team Readiness Review

Validate detection and response readiness before adversary simulation.

Security Champions Advanced Program

Scale your champions network with advanced playbooks and executive reporting.

Vulnerability Management Integration

Connect pipeline findings to your VM workflow with SLA-based triage.

Frequently asked questions

Not sure which package fits?
Book a Build Secure Workshop. We will map your team to Launch, Scale, or Enterprise in a focused scoping session.