Pricing

Verifiable security.

One continuous CTEM service built around one outcome: the evidence your auditor, your underwriter, and your largest customer all want to see, proving that a finding was real and that it got fixed. Pricing is on request, scoped to your estate. Start with a free exposure check; we'll quote a number that matches what your organisation actually needs.

The honest anchor

The right comparison isn't another tool's sticker price. It's the cost of an auditor finding, a cyber-insurance renewal question, or a customer security review where you can't produce evidence on demand. The service is priced as a small fraction of that risk.

What does evidence-on-demand cost, compared to the audit finding you can't answer?

Auditors are asking harder questions. Underwriters want proof, not promises. Enterprise customers want to see the receipts. We deliver that evidence, runnable, signed, on a daily cadence, so the next time someone asks, the answer is a file you can hand them, not a meeting you have to schedule. Talk to us about scope and we'll give you a number that matches the estate.

Why pay before we've proved the product against your own asset?

One scan on one domain. One Proof Capsule in your inbox. No credit card. No sales call. The first thing we ask you to do is verify the product works against your own asset, before we ask anything else.

If a real exploit lands today, do you find it in week one or month seven?

Industry research consistently puts median dwell time before detection well past six months. The cost-of-inaction question isn't "is verifiable security worth the monthly fee?" It's "if a real exploit lands today, does your team find it in week one or month seven?"

Verifiable security closes that window. Not by promising perfection; by giving your engineers a runnable artifact for every issue we find, on a daily cadence, signed in a way anyone can verify. The discipline starts with knowing what's broken before someone else does.

Where verifiable security ends, and human expertise begins.

We're honest about scope so you don't pay us for work we shouldn't be doing. None of these are weaknesses; they are deliberate edges of the offer.

We don't replace human pentesters

Annual deep-dive engagements still belong on the calendar. We sit between those moments, providing daily verifiable evidence the auditor and the underwriter both want to see. Many customers run both, and we are happy when they do.

We don't run social-engineering campaigns

Phishing simulations, voice and physical-access testing belong with specialists who do that work full-time. We focus on the technical attack surface where signed, runnable proof actually moves the needle.

Comprehensive testing that leaves your environment untouched

Every test we run is non-intrusive by design. The platform observes and proves what is exposed the way an external attacker would, without changing, disrupting, or damaging anything in your systems. It behaves more like a continuous privacy and exposure probe than an invasive test. Any action it takes is reversible by design, and it refuses to run anything that could leave a lasting change. When the work is done, your environment is exactly as we found it.

The questions a CFO and a CISO both want answered.

Why one service and not a menu of tiers?

Decision fatigue is the enemy of action, and action is the entire point of verifiable security. One continuous CTEM service, scoped to your estate, whether that's a single domain or ten domains with internal-network coverage, in-region data residency, and a dedicated contact. Celvex is Canadian-built and Canadian-owned, with credible coverage in Canada, the United States, and Europe, and data kept resident in your region. We scope what you need rather than asking you to pick a box. If we're not the right answer, we'll tell you honestly.

How is pricing structured?

Billed monthly or annually, scoped against the protected estate. We quote on request once we understand the domain count, residency requirements, and the integration surface. Annual commits include a meaningful discount over month-to-month.

Can I cancel? Annual contract terms?

Monthly billing means you can cancel any month from the dashboard, with no auto-renew traps. Annual commits save meaningful spend over month-to-month and ship with a custom MSA carrying cancel-for-cause provisions. We don't lock teams into a service that isn't working for them.

What happens to my data?

Findings live in your dashboard for the lifetime of your subscription plus ninety days. Proof Capsules are retained for ninety days by default; you can extend, shorten, or delete on demand. Customer deletion is one click, logged as a signed event so you have a receipt. The sub-processor list is public, and a quarterly transparency report covers handling stats and any incidents.

Where is the data hosted?

Default deployment is global, with data-plane processing in the region closest to where your scans originate. Canadian, US, EU, APAC, or your-own-VPC residency is available on request, with the matching data-processing addendum, aligned to PIPEDA for Canadian data, GDPR for EU and UK data, and CCPA/CPRA for California. Sub-processors are named on the Trust Center.

Is my data kept in Canada?

Yes. Celvex is Canadian-built and Canadian-owned, and Canadian data residency is available so findings and Proof Capsules stay resident in Canada under PIPEDA. We believe Canadian organizations deserve a credible Canadian security partner, and we intend to win that market. We serve US and European customers the same way: in-region residency in the United States or the EU/UK, with the matching addendum. Wherever you operate, your data stays where it should.

How is this different from an annual pentest?

An annual pentest is a snapshot. Our service is a moving record. The pentest still has a place. Many of our customers run both, with the pentest as the periodic deep-dive engagement and our daily "Find. Prove. Fix. Verify." coverage in between. The two complement each other; we are not asking you to choose.

Do you have SOC 2 / ISO 27001?

SOC 2 Type II is in observation with a named auditor, target issue Q4 2026. A Type I bridge letter is available now if a deal needs one. ISO 27001 readiness work begins after the Type II report ships. We won't put a badge on the site for something we haven't earned. The Trust Center has the dated detail.

I'm a partner / consultancy. Can I resell?

Yes. We run a partner program with founder-led, named-contact onboarding, partner commissions, co-sell, and multi-tenant operations. You deliver as partner of record, powered by Celvex, standing behind signed, replayable proof your clients can trust, not hiding the work behind a blank label. See the partner page.

Start with the evidence.

Just your domain and your work email. We'll handle the rest.