What types of organizations does SpyderSec work with?
SpyderSec works with large enterprises, including Fortune 500 companies and organizations with significant regulatory and compliance requirements such as NIST, HIPAA, SOC 2, PCI DSS, and HITRUST.
Does SpyderSec only serve clients in Denver?
No. SpyderSec is headquartered in Denver, Colorado, but serves enterprise clients across the United States through both remote and on‑site engagements.
How long has SpyderSec been in business?
SpyderSec has been operating for more than 11 years, providing offensive security testing and strategic cyber security leadership to regulated organizations.
What makes SpyderSec different from other cyber security consulting firms?
SpyderSec combines deep offensive security expertise with executive‑level security leadership. Our work is formal, professional, and designed to withstand scrutiny from auditors, regulators, and internal stakeholders.
Does SpyderSec work with organizations that have multiple compliance requirements?
Yes. SpyderSec routinely supports organizations that must align with multiple frameworks, including NIST, HIPAA, SOC 2, PCI DSS, ISO, HITRUST, and more.
How does SpyderSec ensure confidentiality during engagements?
SpyderSec follows strict confidentiality practices, including secure communication channels, controlled access to sensitive data, and adherence to NDAs, BAAs, and client‑specific security requirements.
Can SpyderSec support both offensive security and strategic leadership?
Yes. SpyderSec provides penetration testing and red teaming as well as vCISO services, enabling clients to address both technical vulnerabilities and long‑term governance needs.
What is the typical engagement process with SpyderSec?
Engagements typically include scoping, execution, reporting, and a review session. Each phase is structured to align with business objectives and regulatory expectations.
Does SpyderSec work with internal audit or external assessors?
Yes. SpyderSec’s deliverables are designed to support internal audit teams, external assessors, and regulatory examinations.
How does SpyderSec price its services?
Pricing is based on scope, complexity, regulatory requirements, and the size of the environment. SpyderSec provides clear, fixed‑scope proposals for most engagements.
SpyderSec hosts lock picking villages. Why is that, and what does it have to do with cyber security?
SpyderSec runs these types of events mainly for community engagement and as a way for newcomers to learn hands-on in a way that resonates: fun, challenging, and rewarding.
What types of penetration testing does SpyderSec offer?
SpyderSec provides network, application, API, cloud, mobile, wireless, IoT, and physical penetration testing tailored to enterprise environments.
How often should an enterprise perform penetration testing?
Most enterprises conduct penetration testing annually, with additional testing after major system changes or when required by compliance frameworks.
What information is needed to scope a penetration test?
SpyderSec typically requires an understanding of the target environment, business objectives, regulatory drivers, and any constraints such as blackout periods or testing windows.
How long does a typical penetration test take?
Most engagements range from one to four weeks depending on scope, complexity, and the number of systems or applications involved.
Does SpyderSec perform manual testing or rely on automated tools?
SpyderSec performs primarily manual testing, using tools only to support discovery and validation. Manual testing ensures accuracy and reduces false positives.
Will penetration testing disrupt production systems?
SpyderSec uses controlled testing methods designed to minimize risk. Testing is coordinated with client teams to avoid operational impact.
Can SpyderSec test cloud environments such as AWS, Azure, or GCP?
Yes. SpyderSec performs cloud penetration testing across major cloud platforms, including IaaS, PaaS, and SaaS environments.
How does SpyderSec validate and prioritize findings?
Findings are validated manually and prioritized based on exploitability, business impact, and regulatory relevance.
Are SpyderSec’s penetration testing reports suitable for auditors and regulators?
Yes. Reports are structured to support internal audit, external assessors, and compliance programs such as SOC 2, PCI DSS, HIPAA, and HITRUST.
Does SpyderSec provide remediation guidance after testing?
Yes. SpyderSec provides clear, actionable remediation recommendations and can perform retesting upon request.
How is red teaming different from penetration testing?
Penetration testing identifies vulnerabilities, while red teaming focuses on achieving specific objectives such as accessing sensitive data or testing detection and response capabilities.
What makes an organization ready for a red team engagement?
Organizations are typically ready when they have established monitoring, logging, and incident response processes. SpyderSec can help assess readiness.
What attack scenarios does SpyderSec emulate?
SpyderSec emulates realistic threat actors using techniques such as phishing, credential harvesting, lateral movement, privilege escalation, and data exfiltration.
Does SpyderSec perform purple team exercises?
Yes. SpyderSec offers collaborative purple team engagements that pair offensive testing with defensive team training.
How does SpyderSec measure detection and response effectiveness?
SpyderSec evaluates alerting, response time, containment actions, and the effectiveness of security controls throughout the engagement.
Can red team engagements be conducted remotely?
Yes. Many red team operations can be performed remotely, with on-site components added when necessary.
How long does a red team engagement typically last?
Red team engagements typically last four to eight weeks depending on objectives and scope.
Does SpyderSec provide post-engagement workshops or debriefs?
Yes. SpyderSec conducts detailed debriefs and can provide workshops to help improve detection and response capabilities.
Can SpyderSec tailor red team operations to specific threat actors?
Yes. SpyderSec can emulate threat actors relevant to your industry, regulatory environment, or risk profile.
How does SpyderSec ensure red team activities remain safe and controlled?
SpyderSec uses strict rules of engagement, communication protocols, and safety controls to ensure testing does not disrupt business operations.
What is a vCISO and how does it differ from a full-time CISO?
A vCISO provides executive-level security leadership on a fractional basis, offering strategic guidance without the cost of a full-time executive hire.
What responsibilities can a SpyderSec vCISO take on?
SpyderSec’s vCISO services include strategy development, governance, risk management, compliance support, policy creation, and executive reporting.
Can a vCISO help prepare for audits or certifications?
Yes. SpyderSec’s vCISO services support readiness for SOC 2, HIPAA, HITRUST, PCI DSS, and NIST-based programs.
How does SpyderSec integrate with existing IT and security teams?
SpyderSec works collaboratively with internal teams, providing leadership, structure, and guidance while respecting existing processes and responsibilities.
What industries benefit most from vCISO services?
Industries with regulatory requirements—such as healthcare, financial services, and technology—benefit significantly from vCISO leadership.
How is a vCISO engagement structured?
Engagements typically include an initial assessment, roadmap development, recurring governance meetings, and ongoing advisory support.
Can SpyderSec support board-level reporting and presentations?
Yes. SpyderSec’s vCISO services include executive and board-level communication on cyber risk and program maturity.
Does SpyderSec help build or improve security policies and procedures?
Yes. SpyderSec develops and refines policies, standards, and procedures aligned with regulatory and business requirements.
Can a vCISO assist with vendor risk management?
Yes. SpyderSec can help evaluate vendor security, review third-party risk, and improve vendor management processes.
How long do vCISO engagements typically last?
Most vCISO engagements last six to twelve months, with many clients extending for ongoing leadership support.
Which compliance frameworks does SpyderSec support?
SpyderSec supports NIST CSF, NIST 800-53/171, HIPAA, HITRUST, SOC 2, PCI DSS, and other regulatory frameworks.
Can SpyderSec map findings to specific regulatory requirements?
Yes. SpyderSec can map findings and recommendations to relevant controls and compliance requirements.
Does SpyderSec help organizations prepare for SOC 2 audits?
Yes. SpyderSec provides readiness assessments, control reviews, and remediation guidance for SOC 2 compliance.
Can SpyderSec support HIPAA or HITRUST readiness?
Yes. SpyderSec assists with HIPAA Security Rule alignment and HITRUST readiness activities.
Does SpyderSec provide evidence or documentation for auditors?
Yes. SpyderSec’s deliverables are structured to support audit evidence requirements.
How does SpyderSec handle sensitive data during engagements?
SpyderSec uses secure storage, encrypted communication, and strict access controls to protect sensitive information.
Can SpyderSec help build a risk register or risk management program?
Yes. SpyderSec’s vCISO services include risk register development and ongoing risk management support.
Does SpyderSec provide guidance on NIST CSF or NIST 800-53/171 alignment?
Yes. SpyderSec helps organizations align with NIST frameworks and implement required controls.
Can SpyderSec assist with PCI DSS 4.0 requirements?
Yes. SpyderSec supports PCI DSS readiness, testing, and remediation planning.
Does SpyderSec provide ongoing compliance support?
Yes. SpyderSec offers ongoing advisory services through vCISO engagements or recurring consulting.
How far in advance should we schedule an engagement?
Most clients schedule engagements four to eight weeks in advance, especially for large or complex scopes.
Does SpyderSec offer fixed-scope or retainer-based engagements?
SpyderSec offers both fixed-scope projects and ongoing retainer-based advisory services.
Can SpyderSec work with distributed or remote teams?
Yes. SpyderSec regularly works with distributed teams and can conduct engagements fully remotely when appropriate.
What tools or access does SpyderSec require during testing?
Requirements vary by engagement but may include test accounts, network access, architecture diagrams, or cloud environment permissions.
Does SpyderSec provide follow-up testing after remediation?
Yes. SpyderSec offers retesting to validate remediation efforts.
Can SpyderSec sign NDAs, BAAs, or security agreements?
Yes. SpyderSec routinely signs NDAs, BAAs, and client-specific security agreements.
How does SpyderSec handle communication during engagements?
SpyderSec provides structured communication, including kickoff meetings, status updates, and post-engagement reviews.
What deliverables should we expect at the end of an engagement?
Deliverables typically include a detailed report, executive summary, remediation guidance, and a review session with stakeholders.