Drowning in cyber due diligence?
I help startup CTOs meet enterprise security demands and close B2B deals faster.
Evidence-led security that earns trust and drives growth.
Enterprise buyers now expect credible security evidence
But that doesn't mean you have to run your startup like a bank.
I help startup CTOs and SaaS teams:
- Decode what enterprise questionnaires really mean
- Focus effort where it matters most
- Present security evidence with confidence and clarity
You'll gain practical assurance, faster deals, and a stronger product story — without layers of bureaucracy.

How I Can Help You
I'm Craig Balding, founder of CTOsec and former Barclays Group Security CTO and Incubator mentor.
I provide practical, senior-level security expertise — aligned with your commercial goals.
Choose the level of support that fits your stage — Sprint, Tactical, or Retainer.
Sprint Engagements (2-3 weeks)
Structured, outcome-driven projects that deliver visible progress fast.
Due Diligence Fast-Track
Transform a 200-question security questionnaire into a clear, defensible response.
Deliverables:
- Completed responses
- Polished "security one-pager"
- Prioritised remediation backlog
Full Money-Back Guarantee — Pass due-diligence or your money back
ISO 27001 Readiness Sprint
Accelerate certification readiness on startup timelines.
Deliverables:
- Pragmatic gap analysis & roadmap
- Draft policies tuned to your culture
- Evidence pack aligned to risk appetite
Full Money-Back Guarantee — Achieve certification readiness or your money back
Internal Auditor Coaching
Equip your nominated auditor to plan and run credible ISO 27001 internal audits that fit your startup's pace, culture, and tooling.
Includes:
- Practical coaching on audit planning and evidence collection
- Templates and lightweight tools to streamline audit work
- Guided use of AI for reporting and analysis
On-Call / Tactical Services
Fast, focused security support when you need it most.
Feature Security Review
A focused design review + mini-pentest of a key feature or workflow in your application — targeted where risk and impact are highest (not a full-platform test).
Includes:
- Developer video: findings, fixes, prevention
- One-page Evidence Note (PDF), shareable
- Complimentary retest within 30 days
- Turnaround: 3 business days from access & sign-off
Flat price: EUR 3,000 per key feature
Sidechannel Advisory (Retainer)
Your private channel to seasoned security leadership.
Ongoing, on-demand access to independent CISO-level advice — from due-diligence blockers to board questions and cloud security decisions.
Includes:
- Weekly calls plus rapid private messaging for quick answers
- Strategic and technical guidance across application, cloud, and platform security
- Support on B2B prospect questions, security frameworks, and risk communication
- Practical input on metrics, talent, and vendor management
EUR 2,000 per month
Why Startup CTOs Choose CTOsec
Aligns security work with commercial goals, not red tape
Decodes enterprise requirements into plain, achievable actions
Evidence-based, proportionate, and fast delivery
Delivered by a practitioner who's built and led global security programs
What Clients Say
"Thanks for all your help, Craig! 🙏 Your assistance has been incredibly valuable. We've gained insights and guidance on how to approach the audit and enhance security awareness at a management level."
- CTO at a leading Swedish startup
"To be honest I didn't know what to expect from the Pentest, but I don't think the experience could have been any better. You have added huge value to the overall solution and given us a high level of confidence before going live."
- Lead Developer at a SaaS startup
Did Cyber just become critical path?
You're months deep into a promising sales process with a major B2B prospect.
The demos have gone well, the technical fit is perfect.
You're on the verge of closing the deal.
Then, it happens:
"We just need you to fill in our security team's cyber questionnaire."
BAM! A 200-question security questionnaire lands in your inbox.
Suddenly, your path to closing this crucial deal is blocked by a daunting cybersecurity assessment.
You realize that your product's security story—something you've always seen as primarily a technical matter—is now the key to unlocking this B2B revenue opportunity.
But here's the challenge...
You're now being asked questions you never had to think about, and you're unsure how to answer them.
Not only that, but the questions seem to assume you have a dedicated team of people just to complete them.
And after you've reworded your answers for the nth time you wonder: what's important here and what's not?
Navigating B2B cybersecurity can be confusing, time-consuming, and fraught with uncertainty.
Does this sound like you?
- This crucial B2B deal now hangs on your response to a complex cybersecurity due diligence questionnaire
- You're struggling to translate your product security story into "corporate risk speak"
- While you trust your developers, they are struggling to satisfy B2B control evidence expectations
- Deep down, you know your security posture leans more reactive than proactive
- You're comfortable with technical questions but unsure about other aspects of the security assessment
- You want to present your platform's cybersecurity in the best light without overstepping or lacking evidence
Ready to earn enterprise trust without the enterprise baggage?
Independent cybersecurity advisory for SaaS founders and CTOs.
Led by Craig Balding — former Barclays Security CTO & Fortune 5 Red Team lead.