Case Studies

The perfect complement to a vCISO

Inside the ninety days that turned a Series B SaaS's security strategy into a running programme — with the vCISO still firmly at the wheel.

Secortex

At a glance


A UK-based Series B SaaS firm — 180 people, customers in financial services — had the right security strategy on paper. Their vCISO knew the risks, owned the roadmap, and chaired a monthly steering committee the board actually trusted.

What they did not have was a way to run the plan fast enough. Pentests came quarterly, through a different agency each time. Evidence lived in seven folders on three drives. The SOC was a Slack channel called `#alerts` and the hope that someone was watching it.


Secortex plugged in behind the vCISO. In ninety days, the plan stopped being a plan.




The challenge


Every good vCISO faces the same structural problem: strategy moves faster than procurement. Our client's vCISO could identify a new risk in a Tuesday meeting and want a targeted pentest commissioned by Friday. In the real world, that meant a statement of work, three quotes, a legal review, scheduling against the agency's calendar — and six weeks later, a report that was already out of date.


The consequences were the ones every Head of Risk will recognise:

  • Customer due-diligence questionnaires piling up because evidence was stale.
  • ISO 27001 surveillance audits consuming a week of the vCISO's time each cycle, stitching artefacts together by hand.
  • Detection gaps the vCISO knew about and had flagged, but could not close because Managed SOC procurement was a six-month project nobody had the bandwidth to run.
  • A vCISO spending sixty percent of her retained days on **the logistics of security work** rather than the leadership of it.


[Figure: Coverage Gap]



> A vCISO's job is to set direction, defend the programme and speak for it at the board.

> It is not to chase suppliers for quotes.




Why a traditional vCISO engagement wasn't enough on its own


The client had considered the obvious alternatives and ruled each one out.


A full-time CISO would have cost £200k+, taken nine months to hire at Series B, and still needed the same delivery infrastructure underneath them. The vCISO was the right shape of leadership.


Adding more vCISO days would have bought the same problem in bulk. More days of senior advice does not fix the execution gap — it makes it more expensive per instance.


Stitching together pentest vendors had been their strategy for two years. It gave them fragmentary visibility and a new onboarding process every quarter, and it did nothing for detection.


They needed something different: a delivery platform and service catalogue that sat behind their vCISO and let her run the programme at the speed it was designed for.




The Secortex partnership


We do not provide a vCISO. We make sure the one you already have can deliver.


The model is simple in shape and precise in execution:


[Figure: Secortex Stack]


The vCISO stays on top. She chairs the steering committee, holds the risk register, owns the board relationship and speaks for the programme to auditors. Nothing about her role changed.


Secortex Pentesting on Demand gave her a tokenised pool of expert-led assessments she could commission in a single working day. Web applications, APIs, cloud infrastructure, internal networks, mobile, phishing simulations — all delivered by UK-based, nationally-certified consultants, through a single platform.


Secortex Managed SOC went live in eight days, tuned to the client's stack and feeding alerts into a channel the vCISO and the engineering team both watched. The 100% UK team matched the data-sovereignty stance her financial-services customers were asking about.


The Secortex Platform became the programme's single pane of glass. Every finding, every retest, every piece of audit evidence in one place — not seven folders on three drives.





The first ninety days


A running programme has to show progress early, or the business stops believing in it. Our onboarding is deliberately front-loaded.


[Figure: Ninety Days]


Day 0 — Onboard. Platform provisioned. Token pool allocated against the client's annual budget. The vCISO joined the Secortex operations channel the same afternoon. We mapped her roadmap to the service catalogue.


Day 30 — First test. A priority pentest against the customer-facing web application was commissioned, scoped, run, reported and retested inside a calendar month. Managed SOC went live in parallel. The first findings landed in the vCISO's risk register automatically.


Day 60 — Cadence. A second wave of tests, this time targeted at areas the vCISO had been flagging for three quarters. The retest backlog was cleared. Auditor evidence for SOC 2 Type II began flowing straight from the platform rather than being assembled by hand.


Day 90 — Running. The vCISO's board pack for the April meeting was drawn from live platform data. She spent her retained days on risk-appetite conversations, regulator engagement and customer calls — not on chasing suppliers. The programme, for the first time, was moving at the speed she had designed it to move.




What we ran, on her behalf


Secortex covers the operational ground a vCISO would otherwise have to brief out across four or five suppliers.


[Figure: Capability Wheel]



Every engagement was commissioned by the vCISO, priced against her token budget, scheduled on the platform, executed by a UK-based team, and closed out with evidence ready for any auditor who asked.




Outcomes, ninety days in


  • Less than 24 hours from the vCISO requesting a test to the scoping call taking place — down from six weeks.
  • Retest backlog cleared in six weeks. Every high-priority finding from the previous twelve months had a closed-out retest on file.
  • 100% of SOC 2 Type II evidence for the control domains in scope was sourced directly from the Secortex Platform. No folder-stitching, no spreadsheet assembly.
  • Managed SOC live in eight days, tuned to the client's stack, feeding the same platform as the pentest findings.
  • Sixty percent of the vCISO's time reallocated from supplier logistics to board-level and customer-facing work.


> I was running a programme on paper. Secortex turned it into something my board could see, my auditors could trust, and my engineers could actually close out.

> - Head of Risk, Series B SaaS (composite)




Why Secortex is the perfect complement to a vCISO


A vCISO is the right answer to the leadership question. They are rarely the right answer to the delivery question — and the best ones will tell you so.


What a vCISO needs, almost without exception, is:


  • Testing they can commission at the speed of the business, not the speed of a procurement cycle.
  • Detection running underneath them so incidents are not their first data point.
  • A platform of record that turns every engagement into auditor-ready evidence by default.
  • UK-certified delivery that answers the data-sovereignty question before the customer asks it.
  • One relationship, one invoice, one tone of voice instead of five agencies and a spreadsheet.


That is what Secortex is. Our platform, our pod and our tokenised commercial model sit beneath the vCISO, take the operational weight, and free them to lead.


We do not replace your vCISO. We make them unstoppable.




Ready to have the conversation?


If you retain a vCISO — or you are one — and the bottleneck is no longer strategy but execution, we should talk. Thirty minutes on the phone is enough to tell whether Secortex is the right fit for the programme you are running.


https://www.secortex.com/contact


_Secure faster with precision._


