MANAGED SECURITY SERVICES

Ongoing security advisory,
delivered as a retainer.

Recurring vulnerability management, continuous external monitoring, and security advisory, delivered as a monthly retainer, not a one-time project. The same practitioner relationship between engagements, for banks, fintechs, telecoms, government, ministries and healthcare across Africa.

Book a Free Call Assess your posture

What we deliver

External perimeter review

Recurring review of your external attack surface. Domain and subdomain discovery, exposed service detection, certificate tracking, and prioritised alerting on new exposures each cycle.

Vulnerability management

Monthly authenticated vulnerability scanning of all in-scope assets. Findings prioritised by exploitability and business impact. Patch tracking and remediation verification.

Cybersecurity advisory

Cybersecurity advisory between engagements. Risk posture briefings, regulatory alignment, and practical technical guidance for leadership teams. This is advisory, not a standing in-house CISO function.

SAST / DAST integration

Integrate static and dynamic application security testing into your development pipeline. Findings surfaced in your existing ticketing system. Weekly reports for development teams.

Security reporting & compliance

Monthly executive dashboard. BNR-aligned compliance reporting. Evidence packages for ISO 27001 and SWIFT CSP audits. Board-ready summaries each quarter.

Threat context

Contextualised threat briefings relevant to African financial institutions. Early warning on new vulnerabilities affecting your technology stack, surfaced each reporting cycle alongside credential-leak checks.

Why a retainer instead of ad-hoc testing?

A one-time annual penetration test is a snapshot. It tells you your security posture on a single day. But your attack surface changes every time you ship software updates, configuration changes, or new deployments, and a vendor relationship that only exists once a year is not the one you want when the next finding lands.

A managed-security retainer keeps the same practitioner engaged between projects:

  • New vulnerabilities are surfaced each cycle, not once every 12 months
  • Your board gets regular cybersecurity posture briefings between engagements
  • Your security posture is reviewed on a recurring cadence, not once a year
  • Compliance reporting is kept current, not assembled in a rush before an inspection
  • You have a named practitioner you can call, without the recruitment cost of a full-time hire

To be clear about scope: this is a managed advisory retainer, not a staffed 24/7 managed-SOC and not a vCISO retainer. We deliver recurring assessment, continuous external monitoring, and advisory at the scale we can do well.

For BNR-supervised institutions: A managed-security retainer supports BNR's requirements for ongoing vulnerability management and security review. We provide the evidence-led compliance documentation your inspection team needs.

Service tiers

The tiers below are illustrative scopes, not fixed packages. Every retainer is tailored per engagement and sized to what a senior practitioner can deliver well for your environment. We scope cadence and depth with you before any quote.

ESSENTIALS

Monitor

Illustrative scope for SMEs and early-stage fintechs
  • Recurring vulnerability scanning
  • External asset review each cycle
  • Written security report each cycle
  • Email/WhatsApp point of contact
  • Periodic security posture review
  • Annual pentest (included)
EXTENDED

Defend

Illustrative scope for larger or multi-country operations
  • Everything in Professional
  • Board-level advisory each cycle
  • Threat-context briefings each cycle
  • Credential-leak checks each cycle
  • On-site reviews by arrangement
  • SWIFT CSP technical-testing support
  • ISO 27001 evidence support
  • Custom scope and cadence

All tiers include a kickoff assessment, asset discovery, and onboarding. Pricing is on request. We scope engagements to your specific environment and provide a fixed monthly quote with no surprises.

Who we work with

Retainer engagements are built for banks and MFIs supervised by BNR, payment service providers, mobile money operators, telecoms, insurers, government bodies, ministries, healthcare institutions, fintechs, and technology companies serving the financial sector across Africa. We are based in Kigali and available for on-site work when required.

Compliance alignment

Ongoing vulnerability management and security review feature in the frameworks that govern financial institutions in Rwanda and across Africa. A managed-security retainer supports your compliance with these frameworks by supplying recurring assessment and evidence-led documentation. Where a control covers incident response, logging, or continuous monitoring, that obligation sits with you; our retainer does not deliver it.

  • BNR Regulation N°50/2022 on cyber security: requires supervised institutions to implement ongoing vulnerability management and security review. A managed-security retainer supplies the recurring assessment and evidence that support these obligations (incident response and forensics remain outside our current scope)
  • PCI DSS v4.0: Requirement 11.3 (vulnerability scanning) is the area a managed-security retainer directly supports. Requirement 5 (anti-malware) and Requirement 10 (logging and monitoring of access) remain your operational obligation, not part of our delivery
  • ISO 27001:2022: Control 8.8 (Management of technical vulnerabilities) is the control a managed-security retainer directly supports. Control 8.16 (Monitoring activities) and Control 5.24 (Incident management planning) are your obligation; our retainer does not provide monitoring or incident response
  • Rwanda Data Protection Law No 058/2021: Article 47 requires data controllers and processors to adopt appropriate technical measures to ensure the security of personal data. Recurring vulnerability assessment supports this obligation

Related services: penetration testing and security awareness training. For the full picture of what we cover, see our guide to penetration testing in Rwanda.

Frequently asked questions

What does a managed security retainer include?
Recurring vulnerability assessment of your in-scope assets, continuous external monitoring of your perimeter, and security advisory between engagements, delivered on a monthly retainer with BNR-aligned reporting. To be clear about scope: this is a managed advisory retainer, not a staffed 24/7 SOC and not a vCISO retainer.
How is a retainer different from a one-off penetration test?
A one-time annual penetration test is a snapshot of your security on a single day. Your attack surface changes every time you ship software updates, configuration changes, or new deployments. A retainer keeps the same practitioner engaged between projects, surfacing new vulnerabilities each cycle rather than once every 12 months, and keeping your compliance evidence current instead of assembled in a rush before an inspection.
Who is managed security for?
Retainer engagements are built for banks and MFIs supervised by BNR, payment service providers, mobile money operators, telecoms, insurers, government bodies, ministries, healthcare institutions, and fintechs across Africa. It suits organisations that need ongoing security review without the recruitment cost of a full-time in-house team.
How does continuous external monitoring fit into the retainer?
Continuous external monitoring is part of every retainer. We review your external attack surface on a recurring cadence: domain and subdomain discovery, exposed service detection, certificate tracking, and prioritised alerting on new exposures each cycle, alongside the scheduled vulnerability assessment work.
Does a managed security retainer support BNR compliance?
Yes. BNR Regulation N°50/2022 on cyber security requires supervised institutions to implement ongoing vulnerability management and security review. A retainer supplies the recurring assessment and evidence-led documentation your inspection team needs. Incident response and forensics remain outside our current scope.
How do we get started?
Every retainer begins with a kickoff assessment, asset discovery, and onboarding. Tell us about your environment and we reply within 24 hours and scope a proposal within 48 hours of the scoping call, with a fixed monthly quote and no surprises.

Get a managed security quote

Tell us about your environment and we reply within 24 hours and scope a proposal within 48 hours of the scoping call. No obligation, no sales pressure.

Book a Free Call Assess your posture first