Every security vendor will tell you that you need their product. Every compliance framework will tell you that you need their certification. Every breach headline will tell you that you are not doing enough. The reality is more nuanced: the right security program depends entirely on where your organization is today, where it is headed, and what risks actually matter at your current stage.
A five-person startup does not need a 24/7 security operations center. A 500-person enterprise cannot survive on annual vulnerability scans alone. The challenge is not whether to invest in security but knowing exactly what to invest in and when. Get this wrong and you either waste money on capabilities you do not need yet or leave critical gaps that attackers will find before your auditors do.
This guide breaks down security program maturity into three practical tiers, maps the key inflection points that signal when it is time to level up, and provides a framework for making security investment decisions that match your organization's actual risk profile and growth trajectory.
Why one-size-fits-all security does not work
The security industry has a standardization problem. Frameworks like NIST CSF and ISO 27001 provide excellent guidance, but they were designed for organizations with dedicated security teams, established budgets, and mature IT operations. When a twenty-person startup tries to implement the same controls as a Fortune 500 company, the result is either paralysis from the sheer scope of requirements or a superficial checkbox exercise that provides the illusion of security without the substance.
Conversely, when a growing mid-market company relies on the same security approach that worked when they were a startup, they accumulate risk debt that compounds with every new employee, every new application feature, and every new customer contract. The gap between their security posture and their actual risk exposure widens until a breach, a failed audit, or a lost enterprise deal forces a painful and expensive correction.
The maturity trap: Organizations that skip maturity stages pay a premium later. A company that jumps straight from no security program to enterprise-grade tooling wastes budget on capabilities they cannot operationalize. A company that lingers too long at the startup tier accumulates vulnerabilities and compliance gaps that cost three to five times more to remediate than they would have cost to prevent. The goal is right-sized security at every stage.
The three-tier model we outline below is not theoretical. It is based on hundreds of engagements with organizations ranging from pre-revenue startups to publicly traded enterprises. Each tier represents a distinct security operating model with specific capabilities, budget ranges, and organizational requirements.
Tier 1 - Startup and SMB: building the foundation ($5K-$20K annually)
Tier 1 is where every organization starts, and where many small businesses remain for years. The operating model is lean and outsourced: you do not have dedicated security staff, your IT function is handled by engineering or a small ops team, and your security budget is measured in thousands, not hundreds of thousands. That is fine. What matters is spending those thousands on the right things.
Core capabilities at Tier 1
- Automated vulnerability scanning. Continuous or weekly automated scans of your external attack surface and web applications. This catches the low-hanging fruit: known CVEs, misconfigurations, exposed services, outdated software, and default credentials. Tools like Lorikeet's ASM platform provide this at $29.99 to $299 per month depending on scope.
- Annual penetration test. Once per year, bring in professional testers to go beyond what automated scanners can find. A manual penetration test uncovers business logic flaws, authentication bypasses, authorization failures, and chained attack paths that no scanner will detect. Budget $7,500 to $15,000 depending on application complexity.
- Basic security policies. Acceptable use, access control, incident response, and data handling policies. They do not need to be fifty pages each. They need to exist, be relevant to your business, be communicated to your team, and be actually followed. Policy templates from compliance platforms or your security vendor can accelerate this.
- Security hygiene fundamentals. MFA on every account, a company password manager, encrypted laptops, endpoint protection, and centralized logging. These are not optional at any tier. They are the baseline that prevents the most common attack vectors.
- Compliance essentials. Identify which compliance framework your market requires and begin readiness activities. If your customers are asking for SOC 2, start the gap assessment. If you handle health data, understand your HIPAA obligations. You do not need to be certified yet, but you need a plan and a timeline.
What Tier 1 gets you: You can answer basic security questionnaires from prospects. You know what is exposed on your external attack surface. You have evidence of security testing for sales conversations and investor due diligence. You have policies that demonstrate organizational commitment to security. You have a foundation to build on when it is time to scale.
What Tier 1 does not cover
Tier 1 is reactive by nature. You are scanning for known issues and testing annually, which means vulnerabilities introduced between tests may go undetected for months. You do not have continuous monitoring, threat detection, or incident response capability beyond basic logging. Your compliance posture is readiness-stage, not certification-stage. For many startups and small businesses, this is an acceptable risk profile. The key is knowing when it stops being acceptable.
Tier 2 - Growth and mid-market: operationalizing security ($30K-$100K annually)
Tier 2 is the most critical transition in security maturity. This is where organizations move from ad hoc security activities to a structured, recurring security program. The trigger is usually one or more of these: enterprise customers requiring compliance certifications, a security incident that exposed gaps in the Tier 1 approach, rapid headcount growth that expanded the attack surface faster than security controls could keep up, or a funding round that included security due diligence.
Core capabilities at Tier 2
- PTaaS or recurring penetration testing program. Move from annual to quarterly testing cadence. A Penetration Testing as a Service model provides continuous access to testers who know your application and can test new features as they ship. Lorikeet's Offensive Security Bundle at $37,500 per year includes two web application pentests, one network pentest, one API assessment, quarterly vulnerability scanning, and attack surface management.
- Vulnerability management program. Not just finding vulnerabilities but systematically tracking, prioritizing, and remediating them with defined SLAs. Critical vulnerabilities remediated within 48 hours. High within one week. Medium within 30 days. This requires tooling, process, and accountability.
- Compliance certification. SOC 2 Type I or Type II, ISO 27001, or the framework your market demands. At Tier 2, compliance moves from readiness to certification. This means formal audits, evidence collection, control implementation, and ongoing maintenance.
- Dedicated security ownership. This does not necessarily mean a full-time security hire. It means someone in the organization is accountable for security outcomes, whether that is an engineering lead with security responsibilities, a fractional CISO, or a managed security provider acting as your security team. The key change is that security has an owner rather than being everyone's part-time responsibility.
- Security awareness training. As your team grows past 30 to 50 people, the human attack surface becomes significant. Regular phishing simulations and security awareness training reduce the likelihood that a single employee action compromises the organization.
- Endpoint detection and response. EDR on every company device with centralized management and alerting. At Tier 1, basic antivirus might suffice. At Tier 2, you need the visibility and response capability that EDR provides.
The Tier 2 budget breakdown
| Investment | Annual Cost | What It Covers |
|---|---|---|
| Recurring pentesting | $30,000 - $45,000 | Quarterly web/API testing, annual network assessment, vulnerability scanning |
| Compliance | $15,000 - $30,000 | Audit fees, compliance platform, gap assessment, policy development |
| Security tooling | $10,000 - $20,000 | EDR, SIEM/logging, vulnerability scanner, ASM, password manager |
| Training | $2,000 - $5,000 | Security awareness platform, phishing simulations |
| Total | $57,000 - $100,000 | Complete Tier 2 security program |
For context, a single full-time security engineer costs $150,000 to $250,000 in total compensation. A Tier 2 outsourced program delivers broader capability coverage at a lower cost, which is why most organizations at this stage choose managed security services over their first security hire. The hire comes later, when the volume of day-to-day security work justifies a full-time embedded role.
Tier 3 - Enterprise: continuous security at scale ($75K-$150K+ annually)
Tier 3 organizations have outgrown the project-based security model. They have hundreds of employees, multiple product lines, a complex technology stack, and enterprise customers with contractual security requirements that go well beyond a SOC 2 report. At this tier, security is a continuous organizational function, not a periodic assessment.
Core capabilities at Tier 3
- Continuous penetration testing and red teaming. Beyond quarterly assessments, Tier 3 organizations implement continuous testing that aligns with their development lifecycle. Red team engagements simulate real adversaries across the full kill chain: social engineering, physical security, network exploitation, and application attacks. These engagements test not just technical controls but detection, response, and communication capabilities.
- Bug bounty program. Supplement internal and contracted testing with a managed bug bounty program that provides ongoing coverage from a diverse researcher community. Bug bounties are most effective when layered on top of a mature testing program, not as a replacement for it.
- Full security team. A dedicated security function with defined roles: security engineering, security operations, GRC (governance, risk, and compliance), and application security. The team size depends on organizational scale but typically starts at three to five people for a 200 to 500 person company.
- 24/7 security operations. A security operations center, whether in-house or outsourced as SOC-as-a-Service, providing around-the-clock monitoring, detection, and response. Alert triage, threat hunting, and incident response at any hour.
- Custom SLAs and executive reporting. Security metrics reported to the board and executive team. Custom SLAs with enterprise customers that define testing frequency, incident notification timelines, remediation commitments, and evidence of compliance. Security is now a business function with measurable KPIs.
- Advanced compliance portfolio. Multiple concurrent certifications: SOC 2 Type II, ISO 27001, and industry-specific frameworks like PCI DSS, HIPAA, or FedRAMP. Continuous compliance monitoring rather than annual scrambles before audit season.
- Third-party risk management. A formal vendor security assessment program that evaluates the security posture of every vendor with access to your data or systems. Questionnaires, evidence review, and ongoing monitoring of vendor risk.
- Incident response retainer and capability. A tested IR plan with tabletop exercises, an external forensics retainer for major incidents, and the internal capability to contain and investigate common incidents without external support.
The Tier 3 investment
Tier 3 programs range from $75,000 to well over $150,000 annually for external security services, on top of internal security team compensation. Lorikeet's Full Stack Bundle at $99,000 per year covers the external services component: offensive testing (pentests, red teaming, vulnerability scanning, ASM), defensive operations (24/7 SOC, SIEM, EDR, IR retainer), and compliance support (compliance pentesting, gap assessments, policy templates, auditor-ready reporting). This serves as the external security capability that complements an internal security team, or as a complete security program for organizations that prefer to keep their security function outsourced.
The complete tier comparison
This table summarizes the key differences across all three maturity tiers. Use it to identify where your organization sits today and what the next tier requires.
| Capability | Tier 1: Startup/SMB | Tier 2: Growth/Mid-Market | Tier 3: Enterprise |
|---|---|---|---|
| Annual budget | $5K - $20K | $30K - $100K | $75K - $150K+ |
| Testing cadence | Annual pentest + automated scans | Quarterly pentests + continuous scanning | Continuous testing + red teaming + bug bounty |
| Security ownership | Engineering team (part-time) | Dedicated owner or fractional CISO | Full security team (3-5+ people) |
| Compliance | Readiness and planning | SOC 2 or ISO 27001 certified | Multiple certifications, continuous compliance |
| Monitoring | Basic logging and alerts | EDR + centralized logging + ASM | 24/7 SOC + SIEM + threat hunting |
| Incident response | Basic IR plan on paper | Tested IR plan + external retainer | IR team + forensics + tabletop exercises |
| Vulnerability mgmt | Ad hoc remediation | SLA-driven remediation program | Continuous tracking with executive reporting |
| Lorikeet package | Individual assessments + ASM | Offensive Security Bundle ($37.5K/yr) | Full Stack Bundle ($99K/yr) |
Key inflection points: when to level up
Knowing when to graduate from one tier to the next is the most important decision in security program management. Move too early and you waste budget. Move too late and you accumulate risk that becomes expensive to remediate. Here are the concrete signals that indicate it is time to level up.
When to graduate from automated to manual testing
Automated scanning should be your first security investment, but it has hard limits. Scanners cannot understand your application's business logic. They cannot test whether a regular user can access another user's data by changing an ID in the URL. They cannot chain together a series of low-severity findings into a critical attack path. They cannot test authentication flows, payment logic, or multi-step workflows.
Level up when: Your application handles sensitive data (PII, financial data, health records). You are pursuing enterprise customers who will ask for pentest reports. You are preparing for compliance certification. Your application has grown beyond basic CRUD operations into complex business logic. Any one of these signals means automated scanning alone is insufficient.
When to hire your first security person
The decision to hire is about workload, not headcount thresholds. Your organization needs a dedicated security person when security tasks are consuming more than 20 hours per week of engineering time, when you are managing multiple compliance frameworks simultaneously, when enterprise customer security requirements demand a named security contact, or when your security vendor relationships have grown complex enough to need internal coordination.
For most organizations, this happens between 50 and 150 employees. The first hire should be a security generalist who can manage vendor relationships, own compliance, triage vulnerabilities, and interface with engineering. Specialists come later.
The hybrid model: Your first security hire does not replace your external security providers. They complement them. The internal person provides context, coordination, and day-to-day operations. External providers deliver specialized capabilities (penetration testing, forensics, compliance auditing) that no single hire can replicate. The most effective Tier 2 and Tier 3 programs combine internal ownership with external execution.
When to move to continuous testing
Annual or even quarterly testing assumes that your application changes slowly enough that point-in-time assessments are representative of your security posture. For most modern software organizations shipping daily or weekly, this assumption breaks down quickly. A critical vulnerability introduced on a Monday is not detected until the next quarterly pentest three months later.
Level up when: Your development team ships features weekly or more frequently. Your application has grown to include multiple services, APIs, or microservices. You have experienced a security incident that was introduced between testing cycles. Your enterprise customers require evidence of continuous security validation rather than periodic reports.
The compliance driver: SOC 2 to ISO 27001 to PCI DSS
Compliance certifications are the most common external driver of security program maturity. Each framework represents a step up in rigor, scope, and investment, and the progression typically follows a predictable path tied to market expansion and customer requirements.
SOC 2: the entry point
SOC 2 is where most B2B SaaS companies start. North American enterprise buyers have standardized on SOC 2 as the baseline security certification they require from vendors. Type I validates that controls are designed appropriately at a point in time. Type II validates that controls operated effectively over a period (typically six to twelve months). Most companies complete Type I first, then progress to Type II within a year.
SOC 2 is flexible in its trust service criteria: you choose which criteria (security, availability, processing integrity, confidentiality, privacy) to include based on your business. This flexibility makes it accessible for smaller organizations while still being meaningful to enterprise buyers.
ISO 27001: international expansion
ISO 27001 becomes relevant when you expand into European or international markets. While SOC 2 is an attestation (an auditor's opinion), ISO 27001 is a certification (formal accreditation to an international standard). European enterprises and government agencies often require ISO 27001 specifically. The good news is that 60 to 70 percent of SOC 2 controls map directly to ISO 27001 requirements, so companies that start with SOC 2 have a significant head start.
PCI DSS: payment card data
PCI DSS is required when your organization stores, processes, or transmits payment card data. Many SaaS companies avoid PCI DSS entirely by offloading payment processing to Stripe, Braintree, or similar processors. If your architecture keeps card data off your systems, PCI DSS may never be necessary. If you handle card data directly, PCI DSS compliance is both legally required and technically demanding, with specific requirements for network segmentation, vulnerability scanning, and penetration testing.
| Framework | When You Need It | Typical Timeline | Annual Cost |
|---|---|---|---|
| SOC 2 Type I | First enterprise customers in North America | 3 - 6 months | $15,000 - $40,000 |
| SOC 2 Type II | Enterprise customers requiring operational evidence | 6 - 12 months after Type I | $20,000 - $50,000 |
| ISO 27001 | European/international market expansion | 6 - 12 months | $25,000 - $60,000 |
| PCI DSS | Handling payment card data directly | 6 - 18 months | $30,000 - $100,000+ |
Building versus buying: when to outsource versus build in-house
The build-versus-buy decision in security is not binary. Most mature security programs combine internal capabilities with external services. The question is which capabilities to keep internal and which to outsource at each maturity stage.
Always outsource
Some security functions should remain external regardless of your maturity tier. Penetration testing must be performed by independent parties to be credible. Compliance auditing requires third-party attestation by definition. Forensic investigation requires specialized expertise and tooling that cannot be justified for occasional use. These functions benefit from the independence, breadth of experience, and specialized tooling that external providers bring.
Outsource first, build later
Security operations (monitoring, detection, response), vulnerability management, and security engineering are functions that most organizations outsource at Tier 1 and Tier 2, then gradually bring in-house at Tier 3 as scale justifies dedicated staff. The transition typically happens capability by capability rather than all at once. You might bring vulnerability management in-house first while keeping SOC operations outsourced, then add internal detection engineering while maintaining an external IR retainer.
Build from the start
Security culture, secure development practices, and access management are internal responsibilities from day one. No external provider can instill security awareness in your engineering team, enforce code review standards, or manage day-to-day access provisioning. These capabilities scale with your team and must be embedded in your organizational DNA rather than outsourced.
The cost reality: A single senior security engineer costs $180,000 to $250,000 in total compensation. A comprehensive managed security program from Lorikeet costs $37,500 to $99,000 per year and provides multiple specialists across offensive testing, defensive operations, and compliance. The math favors outsourcing until your internal security workload consistently exceeds what a managed provider covers.
How Lorikeet's packages map to each tier
We built our service packages around this maturity model because we have seen what works at each stage. Rather than offering a single enterprise-grade product and telling startups to figure it out, we provide right-sized security services that grow with your organization.
Tier 1 organizations start with individual assessments and our ASM platform. A web application penetration test at $7,500+, an API security assessment at $7,500+, or a network penetration test at $8,000+ provides the focused testing needed before a fundraise, a major customer onboarding, or a compliance milestone. ASM at $29.99 to $299 per month provides continuous external monitoring between manual tests.
Tier 2 organizations graduate to the Offensive Security Bundle at $37,500 per year. This replaces ad hoc testing with a structured annual program: two web pentests, one network pentest, one API assessment, quarterly vulnerability scanning, attack surface management, and client portal access. It is the complete offensive security program that growth-stage companies need, delivered as a single annual engagement.
Tier 3 organizations adopt the Full Stack Bundle at $99,000 per year. This combines everything in the Offensive Security Bundle with the Defensive Security Bundle (24/7 SOC, SIEM, EDR, managed detection and response, incident response retainer) and the Compliance Package (compliance pentesting, gap assessments, policy templates, auditor-ready evidence). It is the comprehensive security program that enterprises and Series B companies need, at a fraction of the cost of building every capability internally.
Every engagement includes access to our client portal for real-time tracking, findings management, and reporting. And because we work across all three tiers, we understand the transition points and can help you plan your graduation from one tier to the next before the business need becomes urgent.
Getting started: assess your current tier
Before you can plan where to go, you need an honest assessment of where you are. Ask yourself these questions to determine your current maturity tier.
- Do you have a penetration test report from the last 12 months? If no, you are at or below Tier 1. If yes, is it from the last 6 months? Last 3 months? Recency indicates whether you have moved to a recurring program.
- Is someone accountable for security outcomes? If security is everyone's responsibility and no one's job, you are at Tier 1. If someone owns the security function, even part-time, you are approaching Tier 2.
- Do you have a compliance certification? If you are in readiness mode, Tier 1. If you have SOC 2 Type I or II, Tier 2. If you maintain multiple concurrent certifications, Tier 3.
- How do you handle vulnerabilities? If remediation is ad hoc and untracked, Tier 1. If you have SLAs and a tracking system, Tier 2. If you have continuous tracking with executive-level reporting, Tier 3.
- What happens if you have a security incident at 2 AM? If no one would know until morning, Tier 1. If EDR would alert your team, Tier 2. If a 24/7 SOC would detect, triage, and begin response, Tier 3.
Most organizations find they are solidly in one tier for some capabilities and lagging in others. That is normal. The priority is addressing the gaps that present the most risk given your current business context: your customer requirements, your regulatory obligations, and the sensitivity of the data you handle.
Find Your Security Maturity Tier
Whether you are building your first security program or scaling to enterprise-grade coverage, we will help you invest in the right capabilities at the right time. Book a free consultation to assess your current tier and plan your next move.
