Ongoing security advisory,
delivered as a retainer.
Recurring vulnerability management, continuous external monitoring, and security advisory, delivered as a monthly retainer, not a one-time project. The same practitioner relationship between engagements, for banks, fintechs, telecoms, government, ministries and healthcare across Africa.
Book a Free Call Assess your postureWhat we deliver
External perimeter review
Recurring review of your external attack surface. Domain and subdomain discovery, exposed service detection, certificate tracking, and prioritised alerting on new exposures each cycle.
Vulnerability management
Monthly authenticated vulnerability scanning of all in-scope assets. Findings prioritised by exploitability and business impact. Patch tracking and remediation verification.
Cybersecurity advisory
Cybersecurity advisory between engagements. Risk posture briefings, regulatory alignment, and practical technical guidance for leadership teams. This is advisory, not a standing in-house CISO function.
SAST / DAST integration
Integrate static and dynamic application security testing into your development pipeline. Findings surfaced in your existing ticketing system. Weekly reports for development teams.
Security reporting & compliance
Monthly executive dashboard. BNR-aligned compliance reporting. Evidence packages for ISO 27001 and SWIFT CSP audits. Board-ready summaries each quarter.
Threat context
Contextualised threat briefings relevant to African financial institutions. Early warning on new vulnerabilities affecting your technology stack, surfaced each reporting cycle alongside credential-leak checks.
Why a retainer instead of ad-hoc testing?
A one-time annual penetration test is a snapshot. It tells you your security posture on a single day. But your attack surface changes every time you ship software updates, configuration changes, or new deployments, and a vendor relationship that only exists once a year is not the one you want when the next finding lands.
A managed-security retainer keeps the same practitioner engaged between projects:
- New vulnerabilities are surfaced each cycle, not once every 12 months
- Your board gets regular cybersecurity posture briefings between engagements
- Your security posture is reviewed on a recurring cadence, not once a year
- Compliance reporting is kept current, not assembled in a rush before an inspection
- You have a named practitioner you can call, without the recruitment cost of a full-time hire
To be clear about scope: this is a managed advisory retainer, not a staffed 24/7 managed-SOC and not a vCISO retainer. We deliver recurring assessment, continuous external monitoring, and advisory at the scale we can do well.
Service tiers
The tiers below are illustrative scopes, not fixed packages. Every retainer is tailored per engagement and sized to what a senior practitioner can deliver well for your environment. We scope cadence and depth with you before any quote.
Monitor
- Recurring vulnerability scanning
- External asset review each cycle
- Written security report each cycle
- Email/WhatsApp point of contact
- Periodic security posture review
- Annual pentest (included)
Protect
- Everything in Essentials
- Recurring perimeter review
- Scheduled penetration testing
- SAST/DAST setup and findings review
- Cybersecurity advisory session each cycle
- BNR compliance evidence package
- Executive report each cycle
- Direct practitioner point of contact
Defend
- Everything in Professional
- Board-level advisory each cycle
- Threat-context briefings each cycle
- Credential-leak checks each cycle
- On-site reviews by arrangement
- SWIFT CSP technical-testing support
- ISO 27001 evidence support
- Custom scope and cadence
All tiers include a kickoff assessment, asset discovery, and onboarding. Pricing is on request. We scope engagements to your specific environment and provide a fixed monthly quote with no surprises.
Who we work with
Retainer engagements are built for banks and MFIs supervised by BNR, payment service providers, mobile money operators, telecoms, insurers, government bodies, ministries, healthcare institutions, fintechs, and technology companies serving the financial sector across Africa. We are based in Kigali and available for on-site work when required.
Compliance alignment
Ongoing vulnerability management and security review feature in the frameworks that govern financial institutions in Rwanda and across Africa. A managed-security retainer supports your compliance with these frameworks by supplying recurring assessment and evidence-led documentation. Where a control covers incident response, logging, or continuous monitoring, that obligation sits with you; our retainer does not deliver it.
- BNR Regulation N°50/2022 on cyber security: requires supervised institutions to implement ongoing vulnerability management and security review. A managed-security retainer supplies the recurring assessment and evidence that support these obligations (incident response and forensics remain outside our current scope)
- PCI DSS v4.0: Requirement 11.3 (vulnerability scanning) is the area a managed-security retainer directly supports. Requirement 5 (anti-malware) and Requirement 10 (logging and monitoring of access) remain your operational obligation, not part of our delivery
- ISO 27001:2022: Control 8.8 (Management of technical vulnerabilities) is the control a managed-security retainer directly supports. Control 8.16 (Monitoring activities) and Control 5.24 (Incident management planning) are your obligation; our retainer does not provide monitoring or incident response
- Rwanda Data Protection Law No 058/2021: Article 47 requires data controllers and processors to adopt appropriate technical measures to ensure the security of personal data. Recurring vulnerability assessment supports this obligation
Related services: penetration testing and security awareness training. For the full picture of what we cover, see our guide to penetration testing in Rwanda.
Frequently asked questions
What does a managed security retainer include?
How is a retainer different from a one-off penetration test?
Who is managed security for?
How does continuous external monitoring fit into the retainer?
Does a managed security retainer support BNR compliance?
How do we get started?
Get a managed security quote
Tell us about your environment and we reply within 24 hours and scope a proposal within 48 hours of the scoping call. No obligation, no sales pressure.
Book a Free Call Assess your posture first