01 // SERVICES

Three engagement shapes. One methodology.

From a 3-day discovery brief to ongoing assurance. All engagements use the same AI-Alliance methodology and deliver the same evidence-grade artifact, sized to scope.

Methodology: AI-Alliance Challenging
Engagement starts at: €5,000
Refund policy: Clean engagement -> partial refund
References: Under reciprocal NDA

02 // ENGAGEMENT TIERS

Pick the assurance artifact your stakeholder needs.

Discovery Brief

3 business days

€5,000

Scope: One root domain + one related public artifact namespace. Up to one critical finding documented in full.

Deliverable: Executive Risk Memo, one Finding Detail with evidence pack, concise Business Impact note, Remediation Runbook, and AI-Alliance Challenge Log.

Best for: Pre-fundraise validation, board memo for an upcoming review, or testing the methodology before committing.

Board-Ready Audit

5 business days, plus retest within 14 days

Most engaged

From €25,000

Scope: Full external surface — root domain, subdomains, Docker namespace, NPM scope, GitHub org, and adjacent public artifacts. Up to 15 findings documented in full.

Deliverable: Full six-document deliverable, 60-min restitution call, retest, and signed attestation on closure.

Best for: Board-mandated audits, cyber-insurance evidence, NIS2/DORA evidence chains, and customer due-diligence.

Continuous Assurance

Initial Board-Ready audit + 90-day monitoring + quarterly retests for 12 months

From €50,000/year

Scope: Board-Ready audit plus ongoing monitoring of the agreed surface via bleedwatch.com SaaS. Includes 90 days of bleedwatch.com SaaS monitoring.

Deliverable: Board-Ready deliverable, quarterly delta reports, and bleedwatch.com SaaS continuous monitoring access for the engaged surface.

Best for: Organisations with regulatory continuous-monitoring requirements and companies bridging audit to monitoring.

Discovery Brief

A constrained proof-of-method when you need one high-confidence answer quickly. No restitution call, no retest, no signed attestation at this tier.

Board-Ready Audit

The default buyer path. It packages discovery, evidence, impact, remediation, retest, and signed closure into a board-usable artifact.

Continuous Assurance

The bridge from point-in-time assurance to monitored surface drift. Includes 90 days of bleedwatch.com SaaS monitoring for the engaged surface.

03 // BOUNDARIES

What's not in scope.

We do not run active exploitation or credential testing against your infrastructure.

We do not perform internal pen testing or red team operations.

We do not provide code-level security review. We audit your external surface, not your codebase.

We do not handle incident response post-breach. We are pre-emptive only.

04 // FIT

Which path fits the pressure?

Labs tiers are not a maturity ladder. They map to stakeholder pressure. A startup preparing a fundraise does not need the same artifact as a regulated company answering an underwriter.

Choose Discovery when

You need a narrow answer before a fundraise, customer security review, or internal budget request.

Choose Board-Ready when

A board, underwriter, regulator, or enterprise customer needs evidence, closure, and an attestation.

Choose Continuous when

The surface will keep drifting and you need quarterly evidence plus monitoring after the first audit.

Do not choose Labs when

You need internal pen testing, post-breach incident response, compliance gap remediation, or source-code review.

05 // DELIVERABLES BY TIER

Same evidence standard. Different packet size.

The tiers do not change the proof standard. They change how much surface is reviewed, how many findings can be documented, and whether closure is retested and attested.

Discovery deliverable

Executive Risk Memo, one finding detail, concise business impact note, remediation runbook, and challenge log for the single finding.

Board-Ready deliverable

Six-document packet, restitution call, retest evidence, and signed closure attestation.

Continuous deliverable

Initial Board-Ready packet, quarterly delta reports, monitoring summary, and closure notes for newly discovered drift.

Shared rule

Every tier documents confirmed findings only. Watch-list signals remain separate so the executive artifact stays clean.

Engineering handoff

Runbooks are written for the team that will ship the fix: exact change, expected side effect, and retest signal.

Executive handoff

Memos are written for decision-makers: breach scenario, business impact, evidence confidence, and closure status.

Legal handoff

Attestations identify the scoped surface, retest date, and residual limits so the document can survive review.

Security handoff

Evidence packs show what was public, how it was classified, and which exposure path the fix removed.

Procurement handoff

The scope and price are fixed before work starts, so the commercial review has clear boundaries.

Monitoring handoff

Continuous engagements translate the audit surface into watch rules for the sister SaaS.

Buyer handoff

The final packet names what changed, who needs it, and what decision it supports.

06 // TIMELINE

Engagement timeline.

01 Scope agreement (T-0)
02 Adversarial discovery (T+1 to T+3)
03 AI-Alliance Challenge (T+3)
04 Remediation drafting (T+3 to T+4)
05 Report assembly (T+4)
06 Delivery + retest (T+5)

T-0 Scope: Surface, authorization, mutual NDA, and final tier recommendation.

T+1-3 Discovery: OSINT across agreed domains, registries, packages, repos, and artifacts.

T+3 Challenge: AI-Alliance independent review, steel-man pass, and founder verdict.

T+3-4 Runbook: Exact remediation steps challenged for closure and side effects.

T+4-5 Report: Executive memo, evidence pack, impact analysis, and challenge log.

T+5-19 Retest: Board-Ready and Continuous receive retest and signed attestation.

07 // FAQ

Frequently asked.

Will the audit reveal real findings, or "we found nothing concerning"?

About 7 in 10 engagements surface at least one critical exposure. We do not invent findings to justify the fee. If the audit comes back clean, you receive an executive memo saying so, and we refund 30% on Discovery / 20% on Board-Ready as a courtesy.

How do you ensure my data is not exposed during the audit?

Hashes and truncated previews only, no plaintext secret persistence, no external sharing, AES-256-GCM encrypted artifacts, deleted 30 days after engagement close.

Are you a single person or a team?

Founder-led. The founder is the auditor of record. AI-Alliance methodology is the force multiplier.

Can I get a sample report before I sign?

Yes, an anonymized sample is available on request after the discovery call.

Why is the price "from €25k" and not a fixed price?

Surface size and complexity vary 4x from one engagement to the next. We give you a fixed quote during the discovery call, with no surprises on the quote.

Do you offer payment plans?

50% upfront / 50% on delivery for Board-Ready and Continuous. Paid in full on completion for Discovery.

VALUE

You are not paying for the two-hour fix.

You are paying for the six months it would have taken your team to find it — or never. The fact that the fix takes two hours is the proof we found exactly the right thing.

You are paying for diagnosis, proof, judgment, liability transfer, and validated closure.

Medical diagnostics, incident response, and structural engineering price the scarce judgment.

The deliverable proves value before the appendix reaches the exact configuration change.

Not sure which tier fits?

The discovery call is free and takes 30 minutes. We will recommend a tier in writing within 24h.
