How to hire a cybersecurity company: a decision guide for managers
Direct answer
To hire a cybersecurity company, first assess the exact scope you need — pentest, SOC, incident response or compliance — and then verify the team's certifications (OSCP, CISSP, ISO 27001), documented methodology, client references in your sector, response SLA, an NDA clause and the format of the reports delivered. Ask for a proposal with detailed pricing and reject vendors that don't offer a retest at no extra cost or an executive report.
In short
- ›Define the scope before requesting proposals: different services (pentest, SOC, vCISO) answer completely distinct business questions.
- ›Individual team certifications (OSCP, CISM, CEH) matter more than generic company-level certifications.
- ›The SLA for communicating a critical incident should be ≤ 2 hours; require this in the contract, not just in presentations.
- ›Every cybersecurity contract needs a robust NDA, a limited-liability clause and explicit alignment with the LGPD.
- ›An abnormally low price, the absence of a retest and the lack of an executive report are the three biggest red flags in the market.
- ›Decripte serves companies from 1 to more than 100,000 employees with scalable plans — from sole proprietor to Enterprise — with a free assessment as the starting point.
Why hire a cybersecurity company — and when the right moment has arrived
Most managers only think about cybersecurity after an incident. The problem is that, by that point, the average cost of responding to ransomware in Brazil already exceeds R$ 1,4 million, according to a 2024 IBM Security study — not counting operational downtime, reputational damage and ANPD penalties for any breach of personal data.
The decision to hire should be made ahead of time. A few triggers signal the moment has come: your company has gone through rapid growth and controls haven't kept up; you're about to begin ISO 27001, SOC 2 or LGPD compliance; your sector is under specific regulation (Central Bank, ANVISA, SUSEP); a prior incident occurred or an external audit flagged vulnerabilities; or simply the board has started requiring a security posture report.
Outsourcing cybersecurity is not a sign of technological weakness — it's a strategic decision. Specialized firms have up-to-date threat intelligence, cutting-edge tools and multidisciplinary teams that an in-house team rarely manages to replicate with the same cost-benefit.
Service types × when to hire: a quick decision table
Before requesting a proposal, understand which service solves your problem. Confusion between service types is the main cause of poorly sized contracts — and of unhappy managers six months later.
| Service | What it delivers | When to hire | |---|---|---| | Pentest (penetration test) | Technical + executive report of exploitable vulnerabilities in systems, networks or applications | Before launching a product, after an infrastructure change, at a client/audit's request or annually | | SOC / MDR | Continuous 24×7 monitoring, detection and real-time response to alerts | When you process critical data or need permanent visibility into active threats | | Incident Response (IR) | Containment, eradication and recovery during an active crisis | As soon as you suspect a compromise — every hour counts | | Compliance (ISO 27001, LGPD, SOC 2) | Gap analysis, control implementation, audit preparation and certification | When starting a regulatory journey or renewing a certification | | vCISO | On-demand strategic security leadership, no employment contract | When governance maturity is lacking but there's no budget for a full-time CISO | | Threat Intelligence | IoC feed, dark web monitoring and attack surface | For mature companies that want to anticipate campaigns targeting their sector |
Each service type can — and generally should — be combined. An annual pentest without continuous monitoring creates a false sense of security: you know what was vulnerable on the day of the test, not what will be vulnerable tomorrow.
Request a free assessment from Decripte and find out, in under 48 hours, what your company's biggest risks are — no strings attached.
No card, no commitment. Find out in minutes what has already leaked from your company and what your real risk is.
What to evaluate in a cybersecurity company: objective criteria
**Technical team certifications.** Ask who will perform the service — not who signs the proposal. Pentest professionals should hold OSCP, OSCE or CEH. SOC analysts, CompTIA Security+ or CySA+. Governance leaders, CISSP or CISM. Compliance project managers, ISO/IEC 27001 Lead Implementer.
**Documented methodology.** Serious firms follow recognized frameworks: OWASP Testing Guide for web pentesting, PTES for infrastructure pentesting, NIST SP 800-61 for incident response, CIS Controls or ISO 27002 for compliance. If the vendor doesn't cite a methodology or says it has a 'proprietary methodology' without explaining the basis, run.
**Verifiable references in your sector.** Ask for contacts of clients with a profile similar to yours — size, segment, type of data processed. A healthcare company should not be a cybersecurity firm's first client in that sector.
**Contractual SLA, not a commercial one.** The SLA for responding to a critical incident should be in the service contract, not just in the sales deck. Require: maximum time for first contact after an alert (≤ 2 hours), initial containment time (≤ 4 hours for critical severity) and a minimum frequency of communication during a crisis.
**Confidentiality and NDA.** Every cybersecurity engagement involves access to sensitive information — network architecture, client data, unpatched vulnerabilities. Require a mutual NDA before any technical meeting and check that the main contract includes a confidentiality clause with a minimum term of 5 years after completion.
**Reports: executive and technical.** The executive report should be readable by a director with no technical background and present risk in business language (financial impact, likelihood, remediation priority). The technical report should have reproducible evidence (screenshots, payloads, logs) so your team or another vendor can validate and remediate. Require both before signing.
Questions every manager should ask the vendor before hiring
The negotiation is the best time to assess a vendor's real maturity. Serious vendors answer without hesitation. The questions below reveal competence, processes and ethical posture:
1. **Who, specifically, will perform the service?** Ask for the résumé or LinkedIn profile of the lead consultant. Undisclosed subcontracting is a serious red flag in security.
2. **What methodology do you follow and how is it documented?** The answer should cite NIST, OWASP, PTES or ISO — and the vendor should be able to explain what each stage delivers.
3. **How do you handle a critical vulnerability found during the pentest?** The correct answer is: immediate notification to the client, with emergency mitigation guidance, before the final report.
4. **Is a retest after remediation included in the scope?** Any serious pentest includes at least one cycle of retesting the critical and high vulnerabilities at no extra cost.
5. **How do you ensure data collected during the service is destroyed at the end?** There should be a documented data retention and destruction policy, aligned with the LGPD.
6. **Do you carry professional liability (E&O) insurance?** Mature firms do. Its absence isn't disqualifying, but it needs a contractual counterpart.
7. **What's the escalation process if an incident occurs outside business hours?** The answer should describe a real flow — not 'we call the team'.
No card, no commitment — understand your real risk before you invest.
No card, no commitment. Find out in minutes what has already leaked from your company and what your real risk is.
Red flags: how to identify an unsuitable vendor
The cybersecurity market in Brazil has grown above 30% a year since 2021, which has attracted unprepared vendors alongside the specialized ones. Some signs demand immediate attention:
**Abnormally low price.** A full web application pentest costing R$ 500 doesn't even fund the time of a qualified professional. Too-low a price means an undisclosed reduced scope, the use of automated tools without human analysis (a vulnerability scan sold as a pentest) or subcontracting to unqualified professionals.
**No retest included.** A pentest without a retest is a snapshot: it shows the state at one moment, but doesn't confirm the fixes worked. Any serious vendor includes at least one retest cycle on the critical vulnerabilities.
**Absence of an executive report.** If the deliverable is only a technical report in English generated by an automated tool, the vendor isn't adding human analysis — it's reselling scanner output. An executive report in Portuguese, with business context, is mandatory.
**Resistance to an NDA before the technical meeting.** A vendor that refuses to sign an NDA before you share infrastructure or scope details lacks the legal maturity the service requires.
**Promises of 'total security' or '100% protection'.** Cybersecurity doesn't promise invulnerability — it promises measurable risk reduction and detection and response capability. Any vendor guaranteeing absolute protection is selling an illusion.
**No mention of the LGPD in the contract.** If the contract doesn't address how your company's data is processed, stored and destroyed during the engagement, the vendor lacks adequate privacy governance.
Contract, LGPD and governance: what the document must include
A cybersecurity services contract has peculiarities that generic IT contracts don't cover. Before signing, make sure the following points are explicitly addressed:
**Detailed technical scope.** IP addresses, domains, systems and authorized test types should be listed precisely. This protects both you (it limits what the vendor can test) and the vendor (it prevents claims of unauthorized access).
**Rules of Engagement clause.** Especially in pentests, it should describe the permitted window for intrusive tests, out-of-scope systems and the emergency procedure if something gets out of control.
**Data processing under the LGPD.** The vendor is a personal data processor during the engagement. The contract should include: the purpose of the processing, the retention period, the obligation to report incidents involving personal data within 72 hours and the obligation to delete data at the end of the service, per arts. 46 and 48 of the LGPD.
**Contractual SLA with penalties.** An SLA without a penalty for non-compliance is toothless. Set proportional fines for delays in delivering the report, in communicating a critical vulnerability and in incident response time.
**Intellectual property of the reports.** The reports, methodologies and evidence collected should be your property — not the vendor's. Guarantee this explicitly.
**Non-solicitation clause.** It protects both parties: it prevents the vendor from poaching your employees and you from directly hiring the project's consultants for a set period.
Key terms
- Pentest (Penetration Test)
- A controlled and authorized simulation of a real attack against an organization's systems, applications or infrastructure. The goal is to identify and exploit vulnerabilities before malicious actors do, producing technical evidence and remediation recommendations prioritized by risk.
- SOC / MDR (Security Operations Center / Managed Detection and Response)
- A security operations center that continuously monitors the IT environment for active threats. MDR adds managed response capability: the vendor's team not only detects but takes containment and mitigation actions on the client's behalf.
- vCISO (Virtual Chief Information Security Officer)
- A model of strategic information security leadership provided on demand, with no employment relationship. The vCISO sets policy, governance and roadmap and takes part in board meetings for the contracted time and frequency — usually 4 to 20 hours per month.
- Security SLA (Service Level Agreement)
- A formal agreement that defines maximum response times, incident severity criteria and penalties for non-compliance. In cybersecurity, the most critical SLAs are for notifying a critical vulnerability (immediate) and for responding to an active incident (≤ 2 hours for P1 severity).
How to decide and hire well
- Map your risk surface and define the scope. List your organization's critical assets: internet-exposed systems, personal data processed, third-party integrations and applicable regulations. This mapping defines which service you actually need and keeps you from buying unnecessary or insufficient scope.
- Set evaluation criteria before contacting vendors. Define your disqualifying criteria (mandatory NDA, executive report in Portuguese, retest included) and your scoring criteria (certifications, sector references, contractual SLA). Criteria set before the process keep a well-produced sales deck from distorting the decision.
- Request an RFP or technical briefing from at least three vendors. Send a document with the technical scope, your criteria and mandatory questions. Proposals received without answers to the technical questions should be discarded — they show a lack of attention or an inability to answer.
- Check references and validate certifications. Call the reference contacts provided. Ask specifically about meeting deadlines, report quality, behavior in a crisis and whether they would hire again. Validate technical certifications directly on the issuing bodies' portals (Offensive Security, (ISC)², ISACA).
- Negotiate and review the contract with specialized legal support. Don't use generic IT contract templates. Ensure the technical scope, Rules of Engagement, SLA with penalties, data processing under the LGPD, ownership of the reports and NDA term are explicitly covered. A lawyer experienced in digital law is highly recommended at this stage.
- Run the service with a designated internal point of contact. Assign an internal point of contact — ideally someone technical or the IT manager — to follow the project. Kick-off meetings and weekly status updates aren't a formality: they're the channel to clear up questions, adjust scope and ensure the vendor's team has the necessary access without delay.
- Validate the deliverables, run the remediation plan and schedule the retest. When you receive the report, verify that every vulnerability has reproducible evidence and actionable recommendations. Prioritize fixes by criticality, remediate within the contracted deadline and schedule the retest to confirm the effectiveness of the fixes before closing the engagement.
Frequently asked questions
How much does it cost to hire a cybersecurity company in Brazil?
The cost varies widely by service. A mid-scope web application pentest costs between R$ 8.000 and R$ 35.000. A SOC/MDR for an SMB starts at R$ 3.500/month. An on-demand vCISO, between R$ 5.000 and R$ 20.000/month depending on the dedication. Proposals well below these figures almost always indicate a reduced scope or the absence of qualified human analysis.
My company is small. Is it worth hiring cybersecurity?
Yes. SMBs are frequent targets precisely because they have fewer defenses. Ransomware attacks, corporate phishing and data breaches affect companies of any size. Vendors like Decripte offer scalable plans for companies from 1 to more than 100,000 employees — the starting point is a free assessment that already delivers immediate value.
What's the difference between a pentest and a vulnerability scan?
A vulnerability scan is automated: tools identify outdated versions, insecure configurations and known CVEs. A pentest is performed by professionals who manually exploit the vulnerabilities found to demonstrate real impact — including attack chains that automated tools don't detect. The two are complementary, but not interchangeable.
Could the cybersecurity company I hire leak my data?
It's a risk that must be mitigated contractually. Require a robust NDA, a documented data retention and destruction policy, confirmation that the vendor handles data as a processor under the LGPD and, ideally, professional liability insurance. Mature vendors have all of these elements ready to present.
How often should I commission a pentest?
The standard market recommendation is at least annually for critical systems. Beyond that, run targeted pentests after significant architecture changes, the launch of new digital products, mergers and acquisitions or when required by a client or regulation. Sectors like finance and health often require semiannual cycles.
What is the LGPD and why does it affect a cybersecurity contract?
The General Data Protection Law (Law 13.709/2018) regulates the processing of personal data in Brazil. When you hire a cybersecurity company, it accesses systems that frequently contain personal data of your clients and employees — making it a processor of that data. The contract must define the purpose, retention period, the obligation to notify incidents and the deletion of data at the end of the engagement, under penalty of joint liability before the ANPD.
References
- ›NIST SP 800-115 — Technical Guide to Information Security Testing and Assessment — The technical guide from the U.S. National Institute of Standards and Technology for security testing and assessment, widely adopted as a global methodological reference for pentests.
- ›ISO/IEC 27001:2022 — Information Security Management Systems — The international standard for information security management systems. It defines requirements to establish, implement, maintain and continually improve an ISMS — the basis for certification and enterprise compliance.
- ›LGPD — General Data Protection Law (Law 13.709/2018) — The Brazilian legislation that regulates the processing of personal data by individuals and legal entities, with direct implications for technology and information security services contracts.
- ›NIST Cybersecurity Framework 2.0 — The NIST voluntary framework that organizes cybersecurity practices into six functions (Govern, Identify, Protect, Detect, Respond, Recover) — a reference for structuring security programs and assessing vendor maturity.
How Decripte solves this
From the free assessment to the managed service — pick the right entry point.
Request a free assessment from Decripte and find out, in under 48 hours, what your company's biggest risks are — no strings attached.
Start free with Threat Management and see what is already exposed. Move up to the managed plans when it makes sense — without building an in-house team.
