"We need a security audit" is one of the most common requests — and one of the most ambiguous. A technical audit, penetration test, and compliance check are completely different engagements with different outputs and price ranges. Choosing the wrong type means spending ₽500,000 to get something you didn't need.
Five Types of Security Assessment
Technical Security Audit
Duration: 1–3 weeks
Price: ₽150,000 – ₽500,000
Scope: Infrastructure, configurations, policies
Output: Report with vulnerabilities by severity
Best for: Most companies; good starting point
Penetration Testing
Duration: 1–4 weeks
Price: ₽300,000 – ₽2,000,000
Scope: Specific systems or full scope
Output: Exploited vulnerabilities, attack chains, recommendations
Best for: Companies with mature IS; regulated industries
152-FZ Compliance Audit
Duration: 2–4 weeks
Price: ₽200,000 – ₽800,000
Scope: Personal data processing systems
Output: Compliance gaps, remediation roadmap
Best for: All companies processing personal data
CII / 187-FZ Assessment
Duration: 3–6 weeks
Price: ₽500,000 – ₽3,000,000
Scope: Critical infrastructure systems
Output: Categorisation, GOSSOPKA readiness, security requirements
Best for: CII subjects (13 regulated sectors)
Red Team Assessment
Duration: 4–8 weeks
Price: ₽1,500,000 – ₽5,000,000+
Scope: Full organisation (technical + physical + social)
Output: Full attack scenario, response gaps
Best for: Mature security programmes; banks, critical infra
How to Choose: Decision Flowchart
Never had an audit before?
→ Start with a Technical Security Audit. It establishes a baseline before any deeper testing.
Process personal data of customers or employees?
→ 152-FZ Compliance Audit is mandatory — not optional. Fines can exceed ₽15M.
Operate in healthcare, energy, transport, or other regulated sector?
→ CII / 187-FZ Assessment. Criminal liability for non-compliance.
Want to test your defences against a realistic attacker?
→ Penetration Testing with black-box scope. Requires mature baseline security first.
Need to demonstrate security to enterprise clients or investors?
→ ISO 27001 implementation + Technical Audit as supporting evidence.
How to Choose a Provider: 8 Criteria
01. FSTEC TZKI license — Mandatory for legally recognised audits in regulated industries
02. Named senior consultant for your engagement — Not just a junior assigned at the last minute
03. Fixed-price contract with defined scope — Avoid open-ended time-and-materials for audit work
04. Report format preview — Ask for a sample report from a past engagement (anonymised)
05. Remediation support included — A good provider helps fix what they find, not just list issues
06. Independence — The auditor should not sell you the specific products they recommend
07. Experience in your industry — Healthcare audits require different expertise than manufacturing
08. NDA and data handling policy — Auditors see your infrastructure; they must be contractually bound
Red Flags That Should Stop You
✗ Audit scope described as "full security audit" without specifics — this means nothing
✗ No FSTEC license for regulated industry work
✗ Price dramatically lower than market (₽50,000 for a "comprehensive audit") — you get a checklist, not an audit
✗ No reference clients willing to be contacted
✗ Results promised within 3 days for any significant scope
✗ Provider also sells specific vendor products with high margins