Penetration Testing — Results Disclosed Upon Request, Selectively SOC Monitoring — 23.5/7 Coverage (The 0.5 Is Rehan's Sleep) Incident Response — Average Response Time: Soon™ Compliance — GDPR, PCI-DSS, HIPAA, and Several We Named Ourselves Threat Intel — Sourced From Dark Web, Open Channels, and Occasionally Reddit Zero Trust — We Trust No One. Including You. Especially You.
Our Services

What we actually do.
(And what we charge for it.)

Six core service lines, delivered by one person with the full backing of an AI that has specifically requested not to be called an employee on any official documentation. Enterprise-grade outcomes. Boutique-scale pricing. One-person-scale everything else.

01
Penetration Testing
Available Now

We systematically attempt to break into your systems, applications, and infrastructure to identify vulnerabilities before actual threat actors do — threat actors being people who will not send you a report afterwards, which is the key commercial differentiator. Our methodology is thorough, our reports are detailed, and our recommendations are prioritised by severity, then by how long they will realistically sit unaddressed before something bad happens.

Engagements are scoped carefully upfront to ensure Rehan has sufficient time to complete them properly alongside other client commitments, which at present is manageable. Scope is agreed in writing. Scope is not "everything." Scope is the agreed scope. If something outside the scope is discovered to be catastrophically broken, Rehan will tell you, but will not be held responsible for having found it outside the agreed scope, which he found while inside the agreed scope, adjacent to the boundary.

Deliverables

  • Executive summary (one page; readable by non-technical stakeholders; diplomatically worded; honest)
  • Technical findings report (comprehensive; occasionally alarming; always accurate; never redacted at client request, though we understand why they ask)
  • Remediation roadmap with prioritised recommendations (prioritised by Rehan; may differ from prioritisation by your IT team, who are also wrong about which ones are urgent)
  • Re-test of critical findings upon remediation (confirmation that the fix worked; not a guarantee that nothing new appeared in the interim, because new things appear constantly)

02
SOC Monitoring
Available Now

Continuous monitoring of your security environment for threats, anomalies, and indicators of compromise. Our Security Operations Centre operates around the clock with full threat detection and escalation capabilities. The Security Operations Centre is Rehan's workstation. It is very well configured. The clock is a real 24-hour clock. The escalation capability is Rehan's phone, which is always nearby and occasionally too nearby.

Business hours are observed during public holidays and on Sundays, which are monitored at reduced intensity defined as "Rehan has his phone with him but is not sitting at his desk." Rehan is reachable via WhatsApp in genuine emergencies. What constitutes a genuine emergency is determined by Rehan upon receiving the message, and the determination is final.

Deliverables

  • Real-time alert monitoring and triage (real-time: within minutes during business hours; within a reasonable period outside business hours; within immediately during an active incident)
  • Weekly threat summary reports (threat summaries contain real threats; the number of threats mentioned is not inflated for engagement purposes, though it could be)
  • Monthly security posture review (posture: current state; review: honest assessment; not always comfortable)
  • Quarterly board presentation (slides prepared by Claude; reviewed by Rehan; presented by Rehan; questions answered by Rehan, occasionally with Claude's assistance in real time)

03
Incident Response
By Arrangement

When a security incident occurs — and it will; not an accusation, a statistical observation — speed and structure are everything. Our incident response capability provides coordinated containment, eradication, and recovery, with clear communication throughout and a thoroughly worded press release prepared in advance (the press release template exists; it is good; it is ready; we hope you never need it).

Retainer clients receive priority response, meaning Rehan answers immediately. Non-retainer clients receive a best-effort response subject to current workload, meaning Rehan answers when he can, which is usually quickly, but "usually quickly" is not a service level agreement and should not be relied upon during an active ransomware event without a retainer in place, which you have time to arrange right now, before anything happens, which is the ideal moment.

Deliverables

  • Incident containment and eradication (we stop the bleeding; we remove the cause; we verify both; we document everything, including the parts that reflect poorly on your IT team)
  • Root cause analysis report (root cause: what actually happened; not what you hoped happened; not what your vendor told you happened)
  • Lessons learned workshop (remote; one hour; more useful than it sounds; Rehan has run four of these; the fourth was the best; practice helps)
  • Post-incident press release draft (optional; strongly recommended; available in three tones: transparent, measured, and optimistic — client chooses; Rehan recommends transparent)

04
Zero Trust Architecture
Available Now

We design and implement Zero Trust security frameworks across your organisation. The principle: never trust, always verify. This applies to all users, all devices, all network requests — including internal ones, including executives who believe their seniority grants them elevated access rights, which it does not, and including Rehan when he is on client infrastructure, which he considers important to disclose and nobody has ever tested.

Implementation timelines vary depending on the complexity of your environment and how many legacy systems are involved. Legacy systems are always involved. The number is always higher than the client's initial estimate. The estimate is always given with confidence. The confidence is always misplaced. We do not take this personally; we have come to see it as part of the engagement.

Deliverables

  • Current-state architecture assessment (current state: what you have; this document is often more alarming than the Zero Trust roadmap that follows it)
  • Zero Trust roadmap and target architecture (target architecture: where you should be; timeline: realistic, not aspirational; these are different)
  • Implementation support across identity, network, and data layers (support: active assistance; not a document you read and implement yourself, which clients have tried, with mixed results)
  • Policy documentation and staff awareness materials (staff awareness: training that actually changes behaviour; not a PDF emailed to everyone with "please read by Friday")

05
Compliance Advisory
Available Now

Navigating regulatory frameworks is complex, time-consuming, and so dry that several regulatory bodies appear to have optimised for discouraging non-lawyers from reading their own requirements. We guide organisations through GDPR, PCI-DSS, HIPAA, ISO 27001, and other frameworks — achieving and maintaining compliance with the minimum possible disruption, which is still substantial disruption, because compliance requires changing things, and organisations resist changing things, and Rehan has come to accept this as a structural feature of his work.

We have read comprehensive summaries of all major frameworks, the full text of several, and the Wikipedia articles for the remainder. We are confident in our advisory capability. Legal review of outputs remains at client discretion, and Rehan recommends it, which is an unusual thing to say but reflects his view that compliance advice and legal advice are related but distinct, and he is qualified to provide the former.

Deliverables

  • Compliance gap assessment against target framework (gap: distance between where you are and where the regulator expects you to be; the gap is usually larger than the client expects and smaller than the regulator implies)
  • Remediation plan with effort estimates (effort estimates: honest; not padded; not optimistic; calibrated to what Rehan has observed similar organisations actually complete in similar timeframes)
  • Policy and procedure templates (editable; formatted; professional-looking; drafted by Claude; reviewed by Rehan; will hold up to most auditor scrutiny; should not be submitted unmodified, which one client did, including our internal header, which we noticed during their audit)
  • Audit preparation support (preparation: what to say; what to have ready; what not to volunteer; this is legal advice-adjacent and Rehan is careful about the line)

06
Threat Intelligence
Available Now

Contextual intelligence about threats relevant to your sector, geography, and technology stack. We monitor dark web forums, open-source intelligence channels, threat actor communities, and several platforms we classify as "operational intelligence sources" and will not enumerate, partly for operational security reasons and partly because "occasionally Reddit" does not inspire the confidence the service deserves.

Intelligence is curated and summarised in plain language because raw threat intelligence is mostly unusable by anyone who hasn't spent years developing the context to interpret it, which most clients haven't, which is precisely why the curation exists. The underlying sources will not be fully disclosed. The quality of the intelligence is higher than its origins might imply. This is consistently the case and Rehan finds it a useful reminder that source and quality are independent variables.

Deliverables

  • Weekly threat intelligence briefing (weekly: every week; briefing: concise; actionable; not 40 pages; the 40-page version is available on request and is called the Monthly Deep Dive)
  • Sector-specific threat actor profiles (profiles: who is targeting your industry, what methods they use, what they want, and whether they have succeeded against anyone you know)
  • Indicators of compromise (IOC) feeds (IOCs: technical signals that something is wrong; useful if you have something to plug them into; we can advise on the something)
  • Ad hoc intelligence reports on emerging threats (emerging: new; not theoretical; Rehan reports on things that are actually happening, not things that might theoretically happen, which is a different product sold by different firms at much higher prices)

Pricing

Transparent. Reasonable.
Negotiable, within limits Rehan sets.

Essential
PKR 25k
per month, billed monthly (the month happens whether or not you use the services)
  • SOC monitoring during business hours (business hours: defined in the engagement agreement; not assumed)
  • Monthly threat report (one report; monthly; not weekly; that is the Professional tier)
  • Email support with 48-hour response (48 hours: maximum; usually faster; not guaranteed faster)
  • One annual penetration test, basic scope (basic: external perimeter; not "everything"; everything is Enterprise)
Suitable for small businesses, early-stage companies, and anyone who received a concerning email recently and has decided today is the day to take security seriously. Rehan respects this decision regardless of its trigger.

Enterprise
Custom
let's discuss; bring your requirements and your expectations; we will align them
  • All Professional features (everything above; plus what follows; Rehan has read this list and confirms it)
  • Dedicated virtual CISO (the CISO is Rehan; "virtual" means remote; "dedicated" means genuinely focused on you)
  • Unlimited penetration tests within reason (reason: defined by Rehan; roughly quarterly; not daily; "unlimited" has limits)
  • Full compliance programme management across all required frameworks
  • Quarterly board-level reporting (board: senior leadership; level: executive summary; Rehan presents; questions are answered)
  • Named in our client list with your consent (consent is required; consent is asked; several clients have declined; we respect this)
For organisations that want the complete TrustUs experience and are comfortable with the operational reality that this involves one person who is also your SOC, your pen tester, your vCISO, and your account manager simultaneously. Several clients find this charming. Others find it alarming. Both are valid responses.

How It Works

Our engagement process.
(It is four steps. This is intentional.)

Step 01
Initial Consultation

A call with Rehan. He will ask the right questions, take detailed notes, and follow up the next day with the three questions he forgot to ask during the call. This happens every time. He knows it happens. He takes better notes now. It still happens.

Step 02
Proposal

A formal written proposal: scope, timeline, fees, assumptions, exclusions, and a section on what happens if the environment turns out to be worse than described, which it usually does. Prepared by Claude, reviewed and edited by Rehan, formatted to look very official, which it is.

Step 03
Engagement

Work begins. Rehan is active, focused, and fully committed for the duration. Progress updates are provided at agreed intervals, or when something interesting happens, or when something alarming happens, which requires immediate notification and is different from interesting.

Step 04
Delivery & Review

Findings, reports, and recommendations delivered in full. A review call is scheduled. Questions are welcomed, including the difficult ones, including "why didn't we know about this," which Rehan will answer honestly, and which is usually because nobody looked.