RAPID COMPLIANCE PROGRAMME
Your biggest deal is gated by a security review you cannot answer.
Stand up every required control — identity, access, centralised logging, vulnerability scanning, secure SDLC, incident response — using our pre-built open-source security stack. We deploy Wazuh, Keycloak, Teleport, Velociraptor, SonarQube, and OpenVAS into an adjacent tenant connected to your production environment, write the policies, complete the buyer's questionnaire, and run the audit alongside you. You own the adjacent tenant and the stack forever. No per-user SaaS bill.
Just need the questionnaire answered to keep the deal alive? Start with Security Questionnaire Rescue — about three days.
The squeeze
What this looks like from your desk.
An enterprise prospect just asked for SOC 2.
The deal is gated on evidence you do not have, in a format you have never produced.
The questionnaire has 287 questions.
SIG, CAIQ, or a bespoke 300-row spreadsheet. The deadline is two weeks. There is no draft to copy from.
Procurement wants ISO 27001 evidence this quarter.
Your competitor has a Trust Centre page. You have a README, a status page, and a few policies in a Notion doc.
Your team is engineers — nobody owns security.
Founder-led security has carried you this far. It will not carry you through a Fortune-500 vendor review.
Who this is for
A sharp fit, not a broad one.
This engagement is built for one situation. If most of these apply, the programme is the fit. If they do not, we will tell you so on the call.
- Software product company, roughly 10–100 people.
- Engineering-led team — no full-time CISO or compliance lead.
- No formal control programme yet: policies ad-hoc, access reviews not run, evidence not collected anywhere central.
- A specific enterprise deal is gated on SOC 2, ISO 27001, HIPAA, or a 200+ question vendor questionnaire.
- Deadline measured in weeks, not quarters.
The stack
Six tools. Every required control.
We do not start from a blank slate. Each engagement deploys our pre-operationalised open-source security stack into an adjacent AWS, GCP, or Azure tenant — connected to your production environment, isolated from it, and owned by you. No per-user SaaS subscription. No vendor lock-in. No fight for your evidence the day you switch providers.
Wazuh
SIEM + XDR. Centralised log collection, file integrity monitoring, configuration assessment, and threat detection across your fleet. The auditor's evidence trail for monitoring and incident detection.
Covers: SOC 2 CC4 + CC7 · ISO 27001 A.12.4 + A.16
Keycloak
Identity + SSO + MFA. Self-hosted identity provider. SSO across employee and customer-facing apps, enforced MFA on every admin path, federation with your existing directory.
Covers: SOC 2 CC6 · ISO 27001 A.9
Teleport
Privileged access broker. Just-in-time access to production. Every SSH, kubectl, and database session brokered, audited, and recorded — no shared credentials, no standing access.
Covers: SOC 2 CC6.1 + CC6.2 · ISO 27001 A.9.2.3
Velociraptor
DFIR + endpoint visibility. Endpoint visibility and forensic readiness across your fleet. Runs the incident-response playbook when a real event hits — not a tabletop exercise.
Covers: SOC 2 CC7.3 · ISO 27001 A.16
SonarQube
SAST + secure SDLC. Static analysis and security-hotspot detection on every pull request. OWASP rule coverage, branch quality gates, and a paper trail for change management your engineers will not route around.
Covers: SOC 2 CC8 · ISO 27001 A.14
OpenVAS
Vulnerability scanning. Authenticated and unauthenticated vulnerability scans of internal and external infrastructure on a defined cadence, with SLA tracking against findings.
Covers: SOC 2 CC7.1 · ISO 27001 A.12.6
All six tools are open-source and licensed for commercial use. The engagement covers deployment, configuration, hardening, monitoring, and the runbooks your team operates from. The Managed Security Stack page covers what ongoing operation looks like after the audit.
The programme
Four steps, from zero to audit-ready.
Sequenced so the work compounds and nothing waits on the previous step to finish before it can start. We measure the engagement by the step, not by a calendar promise.
We do not pick frameworks by ambition; we pick the one your prospect actually requires. A working session sets the framework (SOC 2 Type I or II, ISO 27001:2022, HIPAA, or a vendor-specific control set), the deal context, and a written gap map before any build work begins.
Deliverables:
- 20-minute scoping call to align on framework, deadline, and the prospect's actual requirement
- Gap map: every required control, mapped to what already exists vs. what needs to be built
- Written engagement scope with a fixed price quoted before any build work starts
Wazuh, Keycloak, Teleport, Velociraptor, SonarQube, and OpenVAS deployed into an adjacent AWS, GCP, or Azure tenant — connected to your production environment, isolated from it, owned by you. Pre-hardened, pre-instrumented, pre-wired to the controls each one covers. We are not building from scratch; we are configuring tools we already operate at production scale, which is what compresses this step into a fraction of a founder-led build.
Deliverables:
- Six open-source tools deployed into an adjacent tenant, wired into your identity provider, production cloud accounts, and source control
- SSO and enforced MFA on every admin path; just-in-time privileged access via Teleport with full session recording
- Centralised logging and detection in Wazuh, vulnerability cadence in OpenVAS, SAST gates in SonarQube on every pull request
- Policy set written to what the stack actually does — not template language about hypothetical controls
Continuous-monitoring tooling configured against your real cloud accounts and identity provider. Evidence captured continuously — daily snapshots, ticket trails, access-review records — not screenshotted the week before the audit. Auditor selected from a firm we have worked with and briefed on your scope.
Deliverables:
- Continuous-monitoring tooling configured for AWS, GCP, Azure, GitHub, Okta, or Keycloak as applicable
- Evidence repository organised by control — auditor-ready, not last-minute
- Audit firm selected, scope agreed, kick-off scheduled
We run the audit alongside you, answer the auditor's evidence requests, and complete the prospect's security questionnaire in their format. The deal advances on evidence, not promises.
Deliverables:
- Audit fieldwork supported end to end — auditor questions answered, evidence served
- Prospect's security questionnaire completed in their format with citations to your controls
- Trust Centre page draft and a monthly compliance dashboard so the programme keeps running
What you get
Twelve artifacts. One programme that keeps running.
- Written policy set tailored to your stack
- Asset inventory that reflects production
- SSO + enforced MFA across employee and admin paths
- Centralised logging with retention you can prove
- Secrets management baseline — no more .env in repos
- Vendor risk register and review cadence
- Incident-response runbook your engineers will run
- Continuous-monitoring tooling configured to your cloud
- Completed enterprise security questionnaire (SIG, CAIQ, bespoke)
- Selected audit firm with kick-off scheduled
- Trust Centre page draft for your marketing site
- Monthly compliance dashboard for the executive team
Frameworks we cover
If a buyer named it, we have answered to it.
Most engagements anchor on SOC 2 or ISO 27001 with the prospect's bespoke questionnaire layered on top. Evidence collected for one framework supports the others — we do not redo the work.
Why ThinSky
DIY, platform-only, or programme-led.
Three honest columns. The right call depends on whether the controls, the questionnaire, and the auditor relationship are your job or someone else's.
| | DIY, founder-led | Drata or Vanta alone | ThinSky Rapid Compliance |
|---|---|---|---|
| Where the controls actually run | Bolted on case-by-case, partially missing | Monitored from a SaaS dashboard — covers what you have, not what you still need to build | Open-source stack deployed in an adjacent AWS, GCP, or Azure tenant — connected to your production environment, isolated from it |
| Pricing model | None visible — but the engineering hours add up to several headcount-quarters | Annual subscription priced per employee; scales with headcount and paid forever | Flat engagement fee. Zero per-user pricing on the stack — ever |
| Who owns the stack after the engagement | You — once you build it, if you finish | The platform vendor. Cancel and the monitoring leaves with them | You. Open-source, in an adjacent tenant you own, your engineers can read every line |
| Time to first deployed control | Weeks to months per control, as time allows | Hours for monitoring config — the controls themselves are still your job to build | Days from kick-off. The whole stack lands inside the deploy step, before evidence collection begins |
| Lock-in | The rebuild cost on the next audit is its own lock-in | Annual renewal — the longer you stay, the more your evidence lives in someone else's tenant | None. Walk away and the stack keeps running. Renewal is optional |
The platforms are good tooling. They are not a programme. If you already run Drata or Vanta, the engagement configures it correctly and brings the parts the platform does not own.
FAQ
Common questions.
What is in the open-source stack?
Wazuh for SIEM and XDR (centralised logging, file integrity, threat detection), Keycloak for identity and SSO with enforced MFA, Teleport for privileged-access management with audited session recording, Velociraptor for endpoint visibility and incident-response forensics, SonarQube for SAST and secure-SDLC gates on every pull request, and OpenVAS for vulnerability scanning on a defined cadence. All six are open-source and licensed for commercial use. We deploy them into an adjacent AWS, GCP, or Azure tenant connected to your production environment, and configure them against the controls your framework actually requires.
How fast can you actually move?
The engagement runs as four sequenced steps: scope the framework, deploy the stack into an adjacent connected tenant, collect evidence and prepare for the audit, then run audit fieldwork and complete the prospect's questionnaire. Steps overlap deliberately — stack deployment starts as soon as the adjacent tenant is stood up and connected, not after scoping wraps. We do not promise a fixed calendar because the pace depends on the size of your production environment, the framework, and how responsive your team can be — but the deploy step is measured in days, not quarters. If a prospect's deadline is tight, we sequence the questionnaire-rescue work in parallel so the deal advances while the full programme runs.
Which framework should we start with?
Whichever one your prospect requires. We do not start with the most ambitious framework; we start with the one that unblocks the deal. SOC 2 Type I is the fastest path to audit-grade evidence for North American buyers. ISO 27001:2022 is often the right call for European or multinational buyers. HIPAA is the answer if the data is health-related. We confirm in the scoping call, not before.
Do you replace Drata or Vanta?
Two different products. Drata and Vanta monitor controls you already have — they do not deploy the controls themselves. Our engagement deploys the controls: an open-source stack that lives in an adjacent connected tenant you own, instrumented for the same evidence Drata or Vanta would collect. If you already pay for one of those platforms and want to keep it, we configure it alongside the stack. If you do not, you do not need to start — the stack produces the evidence directly.
What happens to the stack if we stop working with you?
It keeps running. Every component is open-source, deployed in an adjacent tenant you own, with documentation and runbooks left in your repo. We will hand off to your engineers in a structured way. The whole point of the open-source-into-an-adjacent-tenant model is that the evidence engine is not held hostage by us, by Drata, or by any other vendor.
What if the prospect's deadline is tighter than the full programme can land in?
Run the deal-blocking questionnaire through our Security Questionnaire Rescue service in about three days, and start the full programme in parallel. The questionnaire bridges the gap until the audit evidence catches up.
Do we need to hire a CISO after this?
Not immediately. The programme ships with a monthly review cadence and a compliance dashboard so the founder or CTO can stay in control without becoming the security organisation. Most clients add a fractional security lead in the 12–18 month window, after the second annual audit.
How is this priced?
Flat engagement fee, quoted from the scoping call before any build work starts. The scope drives the number — framework, in-scope systems, audit firm fees — and we publish the breakdown in writing. We do not bill hourly, we do not charge change orders for controls that were always going to be required, and the stack carries zero per-user pricing — your headcount can grow without your compliance bill following it.
Do not lose this deal.
30-minute scoping call. We map the framework, the deadline, and what is actually in scope. You walk away with a plan even if you do not hire us.
Book a 30-min scoping call →