
How to Choose the Right Cybersecurity Vendor: Lorikeet Security vs. NetSPI

Lorikeet Security Team February 14, 2026 9 min read

NetSPI is the largest pure-play penetration testing provider in the world. Half a billion dollars in funding. 650+ employees. A client roster that reads like the Fortune 500. When you're comparing cybersecurity vendors, they're the name that comes up in every enterprise shortlist. So why would anyone look at an alternative? Because size isn't always the right fit, and the right vendor depends entirely on where your organization sits today.

Let's break down NetSPI and Lorikeet Security side by side, what each one does well, where they differ, and which type of organization each is built to serve.


Who They Are

NetSPI calls itself the "pioneer of modern Penetration Testing as a Service (PTaaS)," and they have the track record to back it up. Founded in 2001 and headquartered in Minneapolis, they've raised over $500 million in total funding, including a $410 million Series C led by KKR in 2022. They reported $128.5 million in revenue in 2023, employ 350+ full-time in-house pentesters, and serve 1,942 customers across 37 countries. Their client list includes 9 of the top 10 US banks, 4 of the top 5 cloud providers, and 3 FAANG companies. NetSPI is CREST accredited and SOC 2 Type II certified. They were named a Leader and Outperformer in GigaOm's 2025 PTaaS report. This is an enterprise security machine built for scale.

Lorikeet Security is a cybersecurity consulting firm with 170+ completed projects and a focus on hands-on offensive security. They serve enterprise clients, growth-stage companies, and startups shipping fast, especially teams building with AI-assisted coding tools. Lorikeet publishes transparent pricing, delivers findings through a real-time client portal, and includes free retesting with every engagement. They're not trying to be the biggest. They're built to be the right size for organizations that need expert security testing without the overhead of an enterprise procurement cycle.


Service Comparison

Penetration Testing

This is NetSPI's core business, and their coverage is massive. Their PTaaS platform covers web applications, APIs, mobile apps, desktop applications, network infrastructure, cloud environments (AWS, Azure, GCP), mainframes, hardware and embedded devices, and AI/ML systems. They also offer red teaming, social engineering, secure code review, and cybersecurity maturity assessments. All findings are human-validated by their 350+ in-house pentesters (not crowdsourced), and they guarantee zero false positives. To date, they've identified over 128 million vulnerabilities across their client base.

Lorikeet Security's offensive catalog is also deep: web application testing, API penetration testing (REST, GraphQL, SOAP), cloud security testing across AWS, Azure, and GCP, Active Directory assessments, red team operations, physical penetration testing, IoT and hardware testing, desktop application testing, and specialized engagements like ATM/banking terminal and kiosk security testing. They also offer security code reviews and vibe coding security reviews, a service designed specifically for applications built with AI coding assistants.

The distinction: NetSPI delivers pentesting at industrial scale through a unified platform with hundreds of full-time testers. Lorikeet delivers the same depth of manual testing with faster turnaround, transparent pricing, and direct access to the people doing the work.

Platform & Technology

NetSPI has invested heavily in building The NetSPI Platform, which unifies their PTaaS, External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM, via their Hubble acquisition), and Breach and Attack Simulation (BAS) capabilities into a single interface. This is a significant differentiator for large organizations that want programmatic, continuous security testing integrated with asset discovery and attack simulation. It's enterprise software for enterprise security teams.

Lorikeet Security's delivery model centers on their real-time client portal, which provides live vulnerability tracking as testing happens, direct communication with the testing team, remediation status tracking, and downloadable compliance-ready reports. It's built for speed and clarity rather than platform consolidation. You see findings the moment they're confirmed, not after a two-week reporting cycle.

Attack Surface Management

NetSPI offers enterprise-grade ASM through their platform, combining EASM (external-facing asset discovery) and CAASM (internal cyber asset visibility via Hubble). This gives large organizations a unified view of their entire attack surface, both external and internal, tied directly to their pentesting and BAS workflows.

Lorikeet Security offers attack surface management as a managed service starting at $476/month. It includes continuous asset discovery, automated vulnerability scanning, and ongoing monitoring. It's designed for organizations that need always-on visibility between point-in-time assessments without committing to a six-figure platform contract.

AI and ML Security

NetSPI has made AI security a strategic priority. They developed the open-source LLM Benchmarking Framework and partnered with Microsoft to pioneer standardized AI security testing methodologies. Their pentesters test AI/ML systems as part of the core PTaaS offering. For organizations deploying large language models or machine learning pipelines in production, NetSPI brings both tooling and methodology that few other firms can match.

Lorikeet Security approaches AI security from a different angle. Their specialization is in testing applications built with AI coding tools, the "vibe coding" wave of AI-generated codebases that are shipping to production at an accelerating pace. Their vibe coding security reviews start at $2,500 and focus on identifying the security gaps that AI coding assistants routinely introduce. It's less about testing AI models themselves and more about securing the code AI produces.

Managed Services

NetSPI's model is platform-centric. Their continuous testing, BAS, and ASM capabilities are designed to run as ongoing programs within an enterprise security stack. This is ideal for organizations with dedicated security teams that want continuous visibility and testing integrated into their existing workflows.

Lorikeet Security offers a broader managed services catalog: attack surface management, vulnerability management, SOC as a Service, and patch management. These are bundled as cybersecurity packages designed for organizations that may not have a full in-house security team and need a partner to handle day-to-day security operations.


At a Glance

|                  | Lorikeet Security                                      | NetSPI                                                 |
|------------------|--------------------------------------------------------|--------------------------------------------------------|
| Focus            | Offensive security consulting                          | PTaaS platform + ASM + BAS                             |
| Best For         | Growth-stage companies, startups, fast-shipping teams  | Fortune 500, large enterprises, regulated industries   |
| Team             | Boutique, direct access to testers                     | 350+ full-time in-house pentesters                     |
| Delivery         | Real-time client portal, fast turnaround               | Unified enterprise platform (The NetSPI Platform)      |
| Pricing          | Published, from $2,500                                 | Not public, starting ~$7K/yr, $200-300/hr              |
| ASM              | Managed service, $476/mo                               | Enterprise EASM + CAASM (Hubble)                       |
| AI/ML Security   | Vibe coding reviews, AI-generated code testing         | LLM Benchmarking Framework, Microsoft partnership      |
| Retesting        | Free, included                                         | Included in PTaaS engagements                          |

Pricing

NetSPI does not publish pricing. Based on publicly available data, their engagements start around $7,000 per year, with typical projects running $5,000+ and hourly rates in the $200-300 range. For large enterprises with complex, multi-scope programs, this is standard. But for smaller organizations, the lack of pricing transparency means you're looking at a consultative sales process before you know what anything costs.

Lorikeet Security publishes pricing directly on their site. Web application pentests start at $7,500, compliance testing at $7,599, attack surface management at $476/month, and vibe coding security reviews start at $2,500. Free retesting is included with every engagement. No sales calls required to get a number.


Which One Should You Choose?

Choose NetSPI if:

  • You're a Fortune 500 or large enterprise with a dedicated security team
  • You need programmatic, continuous pentesting at massive scale
  • You want a unified platform combining PTaaS, ASM, and BAS
  • You're deploying AI/ML models and need specialized model-level testing
  • You require CREST accreditation or CBEST certification for regulatory compliance
  • Budget is secondary to depth and breadth of coverage

Choose Lorikeet Security if:

  • You need expert penetration testing without enterprise overhead
  • You want transparent pricing and fast turnaround without a sales cycle
  • You need specialized offensive testing (API, cloud, red team, physical, IoT)
  • You're shipping AI-generated code and need right-sized security reviews
  • You want real-time visibility into findings through a modern client portal
  • You need managed services like ASM or SOC at a predictable monthly cost

Both Are Legitimate - Pick the Right Fit

This isn't a case where one vendor is good and the other isn't. NetSPI is the largest pure-play pentesting provider in the world for a reason. They've built an enterprise platform that serves the biggest companies on the planet, and they do it well. If you're running a security program at that scale, they belong on your shortlist.

But not every organization needs that scale. If you're a growth-stage company, a startup that just closed a funding round, or a team shipping product fast and looking for a security partner that moves at your speed, Lorikeet is built for that. Transparent pricing, direct access to testers, real-time delivery, and no enterprise procurement theater.

The wrong choice is no choice at all. Every week you delay security testing is another week your applications run with vulnerabilities you don't know about. Whether you go with an enterprise platform or a right-sized consulting firm, the important thing is that you start.

Not sure which type of vendor fits your needs?

Book a free consultation. We'll assess your security requirements, your budget, and your timeline, and recommend the right engagement, even if it's not with us.

Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.