How to Choose the Right Cybersecurity Vendor: Lorikeet Security vs. Prescient Security


Lorikeet Security Team | March 17, 2026 | 10 min read

Prescient Security is one of the fastest-growing compliance and security testing firms in the market. Founded in 2018, they have scaled to 5,000+ customers, ~238 employees across four continents, and roughly $15 million in annual revenue. They hold CREST accreditation, FedRAMP 3PAO designation, and support 25+ compliance frameworks. If you are shopping for a security vendor and your primary driver is compliance auditing with pentesting bundled in, Prescient will show up on your shortlist.

But there is a meaningful difference between a firm that does compliance auditing and also offers pentesting, and a firm that does offensive security and also supports compliance. That difference shapes the quality of testing you receive, the depth of the findings, and ultimately whether the engagement makes you more secure or merely more compliant. Here is how Prescient Security and Lorikeet Security compare.


Who They Are

Prescient Security is a cybersecurity firm headquartered in the United States with employees across the US, Europe, Australia, and Asia-Pacific. Their core business is compliance auditing and attestation: SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27701, ISO 9001, ISO 22301, ISO 27017, ISO 27018, ISO 42001, HITRUST, FedRAMP, PCI DSS, CMMC, and GDPR assessments. They also offer penetration testing (web, mobile, IoT, cloud, social engineering, API), vulnerability scanning subscriptions, cloud security assessments, and open-source security reviews. Their pentesting is delivered through Cacilian, a dedicated PTaaS platform they launched in 2023. They are CREST accredited, a FedRAMP 3PAO, a CyberAB RPO for CMMC, and integrate natively with GRC platforms like Vanta, Secureframe, Drata, and Paramify.

Lorikeet Security is a cybersecurity consulting firm with 170+ completed projects and a focus on hands-on offensive security. They serve enterprise clients, growth-stage companies, and startups shipping fast, especially teams building with AI-assisted coding tools. Lorikeet publishes transparent pricing, delivers findings through a real-time client portal, and includes free retesting with every engagement. Their service catalog spans web application pentesting, API testing (REST, GraphQL, SOAP), cloud security (AWS, Azure, GCP), Active Directory assessments, red team operations, physical penetration testing, IoT and hardware testing, and specialized engagements including vibe coding security reviews for AI-generated codebases.


The Compliance Factory vs. the Offensive Security Firm

This is the fundamental difference between these two vendors, and it shapes everything else.

Prescient Security's business model is built around compliance volume. At 5,000+ customers and approximately $15 million in revenue, that works out to roughly $3,000 in average revenue per customer (a blended figure across audits, scanning subscriptions, and pentests). This is the economics of a compliance factory: high volume, standardized processes, efficient delivery. That model works extremely well for straightforward SOC 2 and ISO 27001 audits, where the process is well-defined and the deliverable is an attestation letter.

Lorikeet Security's model is different. With 170+ completed projects, the focus is on depth over volume. Every engagement involves direct access to the security researchers doing the work, manual testing that goes beyond automated scanning, and real-time findings delivery that lets your engineering team start fixing issues while testing is still in progress. The economics favor fewer clients and deeper engagements.

The question to ask yourself: Do you need a vendor who can efficiently process your compliance audit, or do you need a vendor who will find the vulnerabilities that a compliance-driven assessment would miss? The answer determines which firm is the right fit.


Service Comparison

Penetration Testing

Prescient Security offers pentesting through their Cacilian platform. The platform supports authenticated, unauthenticated, and automated testing across web applications, mobile apps, IoT devices, cloud environments, social engineering, and APIs. Testing is backed by Prescient's CREST accreditation, which provides a baseline quality standard. The Cacilian platform integrates with GRC tools like Vanta and Drata, making it straightforward to pipe pentest results into your compliance workflow.

Lorikeet Security's offensive catalog goes significantly deeper. Beyond standard web and network testing, they offer API penetration testing across REST, GraphQL, and SOAP, cloud-native security testing for AWS, Azure, and GCP, Active Directory attack chain assessments, red team operations, physical penetration testing, IoT and hardware testing, desktop application testing, and specialized engagements like ATM/banking terminal security testing. They also offer security code reviews and vibe coding security reviews for AI-generated codebases.

The distinction: Prescient's pentesting is compliance-adjacent, designed to satisfy audit requirements and feed results into GRC platforms. Lorikeet's pentesting is offensive-security-first, designed to find what attackers would find, not just what auditors ask about.

Compliance & Audit Capabilities

This is Prescient Security's strongest suit, and it is not close. They support 25+ compliance frameworks under one roof, including SOC 1/2/3, ISO 27001 and its family of extensions (27701, 9001, 22301, 27017, 27018, 42001), HITRUST, FedRAMP, PCI DSS, CMMC, and GDPR. Their FedRAMP 3PAO accreditation is a relatively exclusive designation that allows them to conduct official FedRAMP assessments for cloud service providers seeking government authorization. If you need FedRAMP, HITRUST, or CMMC assessments, Prescient is one of the firms that can actually do them.

Lorikeet Security offers compliance-driven penetration testing for SOC 2, PCI-DSS, ISO 27001, and HIPAA with audit-ready reports. They partner with Accorp Partners CPA LLC for formal audit attestations, Anchorpoint Partners for compliance consulting, and are a Vanta MSP Partner for compliance automation. This gives clients a coordinated path from pentest findings to audit completion through a single point of contact, though the audit itself is delivered through the partnership rather than in-house.

Managed & Continuous Services

Prescient Security offers vulnerability scanning subscriptions at three tiers: Tier 1 at $150/month plus $4 per target for scheduled monthly scans, Tier 2 at $250/month plus $5 per target for unlimited on-demand and cloud scans, and Tier 3 at $2,500/month plus $5 per target which adds manual verification by certified pentesters. Beyond vulnerability scanning, they do not offer managed security services like SOC operations, incident response, or ongoing security monitoring.

Lorikeet Security offers a broader managed services catalog: attack surface management starting at $476/month with continuous asset discovery and automated vulnerability scanning, vulnerability management, SOC as a Service, and patch management. For organizations that need always-on security operations between point-in-time assessments, this is a significant differentiator.

Delivery & Client Experience

Prescient's pentesting delivery runs through the Cacilian platform, which is purpose-built for ordering and managing pentest engagements. You submit your scope, the test runs, and results are delivered through the portal. The platform integrates with Vanta, Secureframe, Drata, and Paramify, which is a genuine advantage for teams already using those GRC tools. Communication with testers happens through the platform.

Lorikeet Security's client portal delivers live vulnerability tracking as testing happens. Findings appear in real-time with severity ratings, proof-of-concept evidence, and step-by-step remediation guidance. You communicate directly with the security researchers doing the work, not through an intermediary. Free retesting is included with every engagement so you can verify your fixes without paying for another round.


At a Glance

Category          | Lorikeet Security                                  | Prescient Security
Focus             | Offensive security consulting                      | Compliance auditing + pentesting
Best For          | Companies that need deep manual testing            | SMB SaaS companies needing compliance audits
Founded           | Startup-stage, 170+ projects                       | 2018, 5,000+ customers, ~238 employees
Frameworks        | SOC 2, PCI-DSS, ISO 27001, HIPAA (via partners)    | 25+ frameworks including FedRAMP, HITRUST, CMMC
Pentesting        | Deep manual testing, broad offensive catalog       | Via Cacilian platform, CREST accredited
Delivery          | Real-time portal, direct tester access             | Cacilian platform, GRC integrations
Managed Services  | ASM, SOC, vuln mgmt, patching                      | Vulnerability scanning tiers only
Pricing           | Published, from $2,500                             | Scanning published ($150-$2,500/mo), pentesting not public (~$20-25K)
Retesting         | Free, included                                     | Not specified
Accreditations    | Methodology-driven manual testing (none listed)    | CREST, FedRAMP 3PAO, CyberAB RPO

Pricing

Prescient Security publishes pricing for their vulnerability scanning subscriptions: Tier 1 at $150/month, Tier 2 at $250/month, and Tier 3 at $2,500/month, each with additional per-target fees. Their penetration testing pricing is not published. Based on publicly available data from procurement platforms, their pentesting engagements average around $20,000 to $25,000, with an average annual spend of approximately $23,000; treat these as estimates, not a quote. Compliance audit pricing requires custom quotes.

Lorikeet Security publishes all pricing on their website. Web application pentests start at $7,500, compliance testing at $7,599, attack surface management at $476/month, and vibe coding security reviews start at $2,500. Free retesting is included. No sales calls required to get a number.

On pricing: At $7,500 for a web application pentest vs. an estimated $20,000-$25,000 from Prescient, the cost difference is significant. But the comparison is not purely about price. If you need a FedRAMP 3PAO assessment or a HITRUST certification that Prescient can deliver in-house, the premium may be justified. If you need hands-on offensive testing and compliance is a secondary output, Lorikeet delivers more testing depth per dollar.


The Offshoring Question

At approximately $15 million in revenue across ~238 employees, Prescient Security's revenue per employee is roughly $63,000. This is notably low for a professional services firm, and publicly available employee reviews reference aggressive offshoring of positions from the US to lower-cost regions. This is not inherently bad; many successful security firms use distributed global teams. But it is worth asking any vendor where the people doing your actual testing and auditing are based, what certifications they hold, whether you can see the names and backgrounds of the assigned testers before the engagement starts, and whether your data residency or contractual requirements constrain who may handle scoping details, credentials, and findings.

Lorikeet Security's model is different. You communicate directly with the security researchers doing your engagement. There is no intermediary layer, no account manager relaying questions to offshore teams. When you ask a question about a finding, the person who found it answers you. When you need clarification on a remediation step, the tester who wrote it is the one you talk to.


Where Prescient Wins

It would be dishonest not to acknowledge what Prescient does well. There are scenarios where they are clearly the right choice.


Where Lorikeet Wins


Which One Should You Choose?

Choose Prescient Security if:

  • You need FedRAMP 3PAO assessments for government cloud authorization
  • You need HITRUST or CMMC certification from an authorized assessor
  • You need audits across multiple specialized ISO frameworks
  • Your primary driver is compliance attestation, not vulnerability discovery
  • You run your compliance program on Vanta, Secureframe, Drata, or Paramify and want native integration
  • You need a high-volume, efficient audit process for standardized SOC 2 or ISO 27001

Choose Lorikeet Security if:

  • You need deep manual penetration testing that goes beyond compliance requirements
  • You want transparent pricing without a sales cycle
  • You need specialized offensive testing (API, cloud, red team, physical, IoT, AD)
  • You are shipping AI-generated code and need security reviews tailored to that
  • You want real-time findings with direct access to the researchers doing the work
  • You need managed services (ASM, SOC, vulnerability management) between assessments
  • You want free retesting included to verify your fixes

Different DNA, Different Outcomes

Prescient Security and Lorikeet Security are built on different foundations, and that shapes the outcome you get. Prescient's DNA is compliance. They are an audit firm that added pentesting. Their processes, their team structure, their integrations, and their client base all reflect a compliance-first worldview. For organizations where the audit attestation is the primary deliverable and penetration testing is a line item within a broader compliance program, that model works.

Lorikeet's DNA is offensive security. They are a pentesting firm that supports compliance. The testing comes first, the compliance-ready report is an output of real security work, not the other way around. For organizations that want to understand their actual security posture, not just satisfy an auditor, that distinction matters.

The two approaches can even be complementary. Use Prescient for your FedRAMP authorization or HITRUST certification where their specific accreditations are required. Use Lorikeet for the offensive security work that finds what compliance-driven testing misses: the business logic flaws, the API authorization bypasses, the attack chains that no automated scanner will ever catch.

The real risk is not choosing the wrong vendor. It is confusing compliance with security. A SOC 2 attestation means your controls were audited against the criteria in scope over the audit period. It does not mean your application is secure. Organizations that get breached are often fully compliant at the time. Make sure at least one of your vendors is actually trying to break in.

Need security testing that goes beyond the compliance checkbox?

Book a free consultation. We will scope your engagement, give you a transparent price, and show you what real offensive security testing looks like. No sales pitch, just a straightforward conversation about your security posture.

Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.
