Managed service for organizations: we discover assets, prioritize by exposure and execute agreed remediation, with monthly reporting and an always-on channel with your team.
End-to-End
We don’t just identify issues: we implement agreed fixes and verify closure (change windows + change control).
Enterprise
Weekly/bi-weekly operating rhythm and a monthly steering committee: decisions, priorities and unblockers.
Exposure
Risk = asset criticality + exposure + exploit likelihood + business context.
Evidence
Executive/technical reporting with KPIs, trends, backlog and audit-ready evidence (NIS2/DORA/ENS/ISO 27001).
With many assets, hybrid environments and multiple teams (IT, Cloud, DevOps, Security), the challenge isn’t just “finding vulns” — it’s prioritizing, coordinating and closing without friction.
That’s why we run it with governance: defined cadence, SLAs, a monthly steering committee and a constant channel for follow-up and escalation. In end-to-end mode, Hard2bit executes agreed remediation and verifies closures.
Weekly/bi-weekly cadence + monthly committee with KPIs and decisions.
CAB/ITSM alignment, maintenance windows, testing and rollback when needed.
MTTR, SLA, reduced external exposure and domain-level indicators.
Continuous cycle with remediation execution, verification and monthly reporting.
We define environments (on-prem, cloud, identities, apps) and the enterprise operating model: SLAs, scan cadence, criticality criteria and change flows (ITSM/CAB).
Asset inventory and first baseline. We identify external/internal exposure and establish a prioritized backlog (quick wins + structural fixes).
Recurring cycle with triage of findings. In end-to-end mode we execute agreed remediation (patching/hardening/config) and coordinate change windows with your team.
We validate closure (re-scan), measure MTTR/SLA and publish a monthly report (executive + technical). Always-on channel for escalations.
Where a managed service with remediation and governance pays off.
We coordinate owners, change windows and priorities with governance and clear reporting.
True inventory across on-prem + cloud + identities + apps + containers.
We prioritize internet-facing risk and verify closure before it’s exploited.
Evidence, traceability and continuous metrics for NIS2/DORA/ENS/ISO 27001.
Monthly reporting for leadership and continuous operations to close vulnerabilities.
Actionable list with owner, impact, evidence and steps. Roadmap 0–30 / 30–90 / 90+ days.
Hard2bit executes fixes when applicable: patching, hardening, cloud/IAM updates, configuration changes and closure verification.
KPIs, exposure trend, top risks, critical assets and remediation status—ideal for security steering and audits.
Continuous communication (and control cadence) to prioritize, unblock and accelerate closure across teams.
Concepts from our cybersecurity glossary that connect directly with this service.
We propose a fast onboarding, an initial baseline and a monthly operating model with an always-on channel to ensure closure and reduce exposure.
Typical enterprise package:
Fast response · No commitment
Plans & pricing
Unmanaged assessment for a clear snapshot of current exposure, or continuous management of the vulnerability lifecycle with agreed remediation and auditable evidence.
Unmanaged
One-off or periodic evaluation. Identification, prioritization, recommendations and handover session. Ideal if your technical team executes remediation internally.
from €1,250
One-off · VAT not included
Managed by Hard2bit
Recurring service: discovery, analysis, prioritization, validation, remediation tracking, executive reporting and auditable evidence. Reduces real backlog, not just identifies it.
from €750/mo
Annual commitment · setup included · VAT not included
Provider's operating framework
We operate the service inside our own ISMS audited at ENS HIGH category and ISO/IEC 27001:2022, plus four additional ISOs (22301, 20000-1, 9001, 14001). That means documented procedures, auditable evidence and traceability a client subject to NIS2, DORA or ENS can leverage in their own audit. The ENS HIGH certification belongs to Hard2bit as a provider; it does not replace the certification the client must obtain for their own scope.
Plan details
"From" prices, VAT not included. Multi-site, authenticated scanning, complex cloud environments or integrations (SIEM, ticketing, GRC) are sized in the proposal. Setup included with annual contract.
| Plan | Assets | Mode | Includes | Price |
|---|---|---|---|---|
| VA-25 | Up to 25 assets | External or internal | Scan, review, technical and executive report, handover session. | from €1,250 |
| VA-75 | Up to 75 assets | External, internal or mixed | Scan, critical/high review, prioritization, report and handover session. | from €2,450 |
| VA-150 | Up to 150 assets | External, internal or mixed | Scan, prioritized review, remediation plan and executive/technical report. | from €3,950 |
| VA-300 | Up to 300 assets | Mixed | Scan, advanced prioritization, review of relevant findings and extended report. | from €6,500 |
| VA-Enterprise | More than 300 assets | Custom | Customized scope based on sites, segments, cloud, authentication and integrations. | Custom |
| Plan | Assets | Cadence | Includes | Price |
|---|---|---|---|---|
| MVM Essential | Up to 50 assets | Monthly scan + review | Review of critical, high and relevant medium findings, monthly report, basic backlog and monthly meeting. | from €750/mo |
| MVM Advanced Top | Up to 150 assets | Monthly + critical review | Contextual prioritization, technical validation, remediation tracking, executive/technical report and monthly meeting. | from €1,450/mo |
| MVM Professional | Up to 300 assets | Monthly + critical-CVE review | Managed backlog, auditable evidence, quarterly committee, trends, improvement plan and executive reporting. | from €2,750/mo |
| MVM Enterprise | More than 300 assets | Custom | Integration with SOC, ticketing, SIEM, GRC, executive reporting and regulatory requirements. | Custom |
All prices are shown excluding VAT. The applicable VAT will be added on the invoice according to current regulations. Indicative "from" amounts; final terms — scope, sizing, timelines and contractual conditions — will be set out in the signed commercial proposal.
Product vs managed service
If you need a passive external snapshot on demand, our SaaS scanner gives it to you in 60 seconds. If you need a continuous programme with an analyst, governance and evidence, the MVM model is the right fit. They're not substitutes: many clients use both.
| Feature | Hard2bit Scanner | Managed MVM |
|---|---|---|
| Model | Self-service SaaS | Managed service |
| Analysis | Passive, public domain | Active + internal + cloud + authenticated |
| Frequency | On demand | Recurring, per plan |
| Human analyst | No (self-service) | Yes, assigned to client |
| Contextual prioritization | Automatic score | By exposure + business impact |
| Closure tracking | No | Yes, with verification |
| Audit evidence | PDF report | Full traceability + committee |
| Indicative price | Free · from €19/mo | from €750/mo |
Scope and exclusions
The following exclusions can be contracted separately or combined with other Hard2bit services (pentesting, red team, hardening, SOC). Making them explicit avoids misunderstandings and allows the engagement to be sized correctly.
Public sector and ENS-bound entities
Specific page focused on the regulatory angle: applicable ENS controls, evidence and procedures adapted to the system's categorization.
See ENS-specific page →
Next level
If vulnerability management is the first line, the managed SOC is continuous detection and response. The two services share context and are commonly contracted as a package.
Learn about Managed SOC →
It depends on the agreed scope. Typically: managed/assisted patching, hardening, configuration changes, cloud/IAM adjustments and closure validation—always aligned with your ITSM/CAB and maintenance windows.
We triage findings and prioritize based on exposure and evidence, validating before escalation. The goal is an actionable backlog—not endless lists.
Yes. We can operate through your ITSM for assignment, evidence and closure, aligning with your change approvals and governance.
Based on risk. Typical: weekly external, bi-weekly/monthly internal, and app/cloud aligned with release cadence. We tune it by criticality, exposure and operational windows.
Yes. For systems in scope of Spain's National Security Framework, we run a dedicated programme aligned with RD 311/2022 measures (op.exp.4, op.exp.10, op.exp.11 and connected) with audit-ready evidence and traceability by category. See vulnerability management for ENS.
Yes. Run a free scan on your domain with Hard2bit Scanner — 25 automated checks on HTTP headers, TLS, DNS, email records (SPF/DKIM/DMARC/MTA-STS), forgotten subdomains and vendor breach exposure. It is fully passive, takes 30-60 seconds, and is free to start.
A managed service for larger organizations: exposure-based prioritization, remediation execution (when applicable), an always-on channel and monthly KPI reporting.
Talk to a specialistBefore you leave…
Quick 15-minute assessment and we'll tell you what to prioritise first: Microsoft 365, pentesting, vulnerability management, SOC, DORA, NIS2, ENS or ISO 27001.
No spam. Reply within 24h.
