Picking a cybersecurity vendor isn't just about checking a box. It's about understanding what you're actually getting, how the work gets done, and whether the vendor's model fits how your organization operates. In this comparison, we're looking at two vendors approaching pentesting from very different angles: Lorikeet Security, a hands-on offensive security consulting firm, and Cacilian, a platform-driven pentesting portal backed by compliance heavyweight Prescient Security.
Who They Are
Cacilian is a pentesting platform created by Prescient Security Management LLC, a CREST-accredited security firm ranked as a Top-20 CREST security testing organization. Cacilian was founded in 2023 and operates with a small team of around 6 employees, though it draws on Prescient's broader workforce of 51-200 employees. The platform is led by CEO Fabrice Mouret and CPO Sammy Chowdhury, who holds CISSP, PCI-QSA, CISA, CISM, and CRISC certifications. Cacilian's model is straightforward: order pentesting through a portal, get results delivered through the same portal.
Lorikeet Security is a cybersecurity consulting firm with 170+ completed projects across enterprise clients and fast-growing companies. They deliver hands-on manual testing through a real-time client portal with live vulnerability tracking, and their service catalog extends well beyond pentesting into managed services, code reviews, and specialized offensive security engagements. Their focus is on companies shipping fast, including teams building with AI-assisted coding tools, who need security that keeps pace without unnecessary overhead.
Service Comparison
Pentesting Approach
Cacilian offers three flavors of pentesting: authenticated, unauthenticated, and automated. Everything runs through their platform, which is built for organizations that want to order, manage, and receive pentesting results in one place. The parent company's CREST accreditation gives their testing credibility, and their integration with GRC platforms like Vanta, Secureframe, and Drata makes it easy to pipe results directly into your compliance workflows.
Lorikeet Security's offensive catalog is significantly broader. Beyond standard web application and network testing, they cover API penetration testing (REST, GraphQL, SOAP), cloud security testing across AWS, Azure, and GCP, Active Directory testing, red team operations, physical penetration testing, IoT and hardware testing, desktop application testing, and specialized engagements like ATM/banking terminal and kiosk security testing. They also offer vibe coding security reviews starting at $2,500, a service built for teams shipping AI-generated code.
The core difference: Cacilian is a pentesting portal, purpose-built for ordering and managing pentest engagements through a platform. Lorikeet is a full-service offensive security firm that delivers a much wider range of hands-on testing.
Compliance & Audit Capabilities
This is where Cacilian's lineage matters. Prescient Security, Cacilian's parent company, is a full-service compliance firm offering audits and attestations across SOC 2, ISO 27001, PCI DSS, and other major frameworks. If you're already working with Prescient for compliance, adding Cacilian's pentesting creates a one-stop shop. You get your audit and your pentest from the same family of companies, which simplifies vendor management and can streamline the compliance process.
Lorikeet Security offers compliance-driven penetration testing (SOC 2, PCI-DSS, ISO 27001, and more) with audit-ready reports. They also partner with trusted compliance firms to deliver full-stack cybersecurity packages including audits and attestations, giving clients a single point of contact for both offensive testing and compliance needs. Compliance testing starts at $7,599 with published pricing.
Managed & Continuous Services
This is a clear gap in Cacilian's offering. They don't provide managed services, incident response, SOC operations, or ongoing vulnerability management. Their model is project-based pentesting, full stop.
Lorikeet Security offers a full suite of managed services: attack surface management at $476/month with continuous asset discovery and automated vulnerability scanning, vulnerability management, SOC as a Service, and patch management. For organizations that need always-on monitoring between point-in-time assessments, this is a significant differentiator.
Delivery & Client Experience
Both vendors use portal-based delivery, but the experience is different. Cacilian's platform is built around ordering and managing pentesting engagements. You submit your scope, the test runs, and you get results through the portal.
Lorikeet Security's client portal provides live vulnerability tracking as testing happens, real-time findings with remediation guidance, direct communication with the testing team, remediation status tracking, and downloadable compliance-ready reports. Free retesting is included with every engagement, so you can verify your fixes without paying for another round.
At a Glance
| | Lorikeet Security | Cacilian |
|---|---|---|
| Focus | Full-service offensive security consulting | Platform-based pentesting portal |
| Best For | Enterprise clients, SaaS, VC-backed companies | Startups to enterprises needing compliance-driven pentesting |
| Delivery | Real-time client portal with live tracking | Platform-based portal |
| Compliance | SOC 2, PCI-DSS, ISO 27001 + partner audits | Parent company (Prescient) offers full audit services |
| Managed Services | ASM, vuln mgmt, SOC, patching | Not offered |
| Pricing | Published, from $2,500 | Not public, consultative / subscription |
| Retesting | Free, included | Not specified |
Pricing Transparency
Lorikeet Security publishes pricing directly on their site: web application pentests start at $7,500, compliance testing at $7,599, and attack surface management at $476/month. They also offer vibe coding security reviews starting at $2,500 for teams building with AI coding tools.
Cacilian doesn't publish pricing. Their model appears to be consultative and subscription-based. A $500 discount offered through their Drata partnership suggests engagements run in the several-thousand-dollar range, but without published numbers it's hard to compare directly. If budget predictability matters to you, that's worth noting.
Which One Should You Choose?
Choose Cacilian if:
- You want a streamlined portal to order and manage pentesting engagements
- You're already working with Prescient Security for compliance audits and want to consolidate vendors
- Your primary need is authenticated or unauthenticated pentesting, not broader offensive security
- You value CREST accreditation from a Top-20 CREST security testing organization
- You're using Vanta, Secureframe, or Drata and want native GRC integration
Choose Lorikeet Security if:
- You need penetration testing that goes beyond standard web and network assessments
- You want real-time visibility into your engagement through a live client portal
- You need specialized offensive testing (API, cloud, red team, physical, IoT, Active Directory)
- You're shipping AI-generated code and need right-sized security reviews
- You want transparent, published pricing without a sales call
- You need ongoing managed services like ASM, SOC, or vulnerability management
Different Tools for Different Jobs
Cacilian and Lorikeet Security are solving different problems. Cacilian is a platform play, built for organizations that want pentesting delivered through a clean portal with compliance integrations baked in. The Prescient Security backing gives them audit credibility and a built-in pathway from pentest findings to compliance remediation. If your security needs start and end with pentesting for compliance, that's a solid model.
Lorikeet Security is built for organizations that need more than just a pentest. If you're looking for deep offensive testing across a broad attack surface, ongoing managed services, transparent pricing, and free retesting, that's a different conversation entirely. The two vendors can even work alongside each other: Cacilian for compliance-aligned pentesting tied to Prescient's audit work, and Lorikeet for the hands-on offensive work that falls outside a compliance checklist.
The worst decision isn't picking one over the other. It's not picking either. Every month you delay security testing is another month your applications run with unknown vulnerabilities. Whether you go with a platform or a consulting firm, the important thing is that the testing actually gets done.
Need help deciding what your organization needs?
Book a free consultation. We'll walk through your security requirements, your compliance obligations, and recommend the right engagement, even if it's not with us.