CSCF Research · Independent Analyst Ratings · February 2026
Independent research and analyst ratings for cybersecurity consulting firms.
We evaluate cybersecurity consulting firms across five service domains and assign a CSCF Analyst Rating™ — a 0–100 composite score based on technical capability, specialization depth, client scale fit, value transparency, and market presence. The goal is to give buyers a clear, comparable basis for selection.
Ratings updated Feb 2026
All Rated Firms
All profiles →| Firm | Tier | Score | Primary Focus | Team Size | Typical Pricing | |
|---|---|---|---|---|---|---|
| Coalfire | 88 | Compliance & Risk Management | 250+ | $100k+ | Profile → | |
| NetSPI | 86 | Penetration Testing | 250+ | $50k-$100k | Profile → | |
| GuidePoint Security | 85 | vCISO / MDR | 250+ | $100k+ | Profile → | |
| Schellman | 84 | Compliance Auditing | 250+ | $50k-$100k | Profile → | |
| TrustedSec | 82 | Penetration Testing | 50-100 | $25k-$50k | Profile → | |
| Tevora | 78 | Compliance / vCISO | 100-250 | $50k-$100k | Profile → | |
| CynergisTek | 76 | Healthcare Cybersecurity | 100-250 | $50k-$100k | Profile → | |
| Praetorian | 75 | AppSec / Cloud Security | 50-100 | $50k-$100k | Profile → | |
| Clearwater Compliance | 73 | Healthcare Compliance | 100-250 | $25k-$50k | Profile → | |
| Black Hills Information Security | 72 | Penetration Testing | 10-50 | $25k-$50k | Profile → | |
| Blumira | 65 | Managed Security (SMB) | 10-50 | $10k-$25k | Profile → | |
| Cycurity | 62 | vCISO | 10-50 | $100k+ | Profile → |
Coalfire
Compliance & Risk Management
Cybersecurity advisory and assessment services for compliance and risk management
NetSPI
Penetration Testing
Penetration testing and attack surface management at enterprise scale
GuidePoint Security
vCISO / MDR
Cybersecurity solutions focusing on detection, response, and security transformation
Schellman
Compliance Auditing
Independent compliance assessment and certification for SOC, ISO, HITRUST, and more
TrustedSec
Penetration Testing
Offensive security and penetration testing specialists
Tevora
Compliance / vCISO
Cybersecurity consulting specializing in compliance, risk management, and vCISO services
Research Domains
Five service areas. Each with distinct evaluation criteria and buyer considerations.
Compliance & Audit Consulting
5 frameworks coveredSOC 2, HIPAA, PCI DSS, ISO 27001, CMMC. Which firms have genuine audit depth versus checkbox compliance?
Explore →
Penetration Testing
4 rated firmsNetwork, web application, cloud, and red team engagements. Methodology matters more than certification counts.
Explore →
vCISO & Security Leadership
3 rated firmsFractional CISO services for companies that need executive security leadership without a full-time hire.
Explore →
Healthcare Cybersecurity
4 rated firmsHIPAA, HITRUST, medical device security, and OCR audit readiness. Healthcare demands domain-specific expertise.
Explore →
Small Business Security
2 rated firmsRight-sized security programs for organizations under 500 employees with limited dedicated security staff.
Explore →
What is CSCF Research?
CSCF Research is an independent analyst publication covering the cybersecurity consulting services market. We evaluate firms across five service domains — compliance, penetration testing, vCISO services, industry specialization, and incident response — and publish structured ratings based on a defined methodology.
Our CSCF Analyst Rating™ is a 0–100 composite score built from five equally weighted dimensions: technical capability, specialization depth, client scale fit, value and transparency, and market presence. Phase 1 ratings are based on publicly available information. Phase 2 will incorporate vendor interviews and client references.
We don't accept payment to inflate ratings. Firms with featured listings are identified as such; their ratings are determined independently by the same criteria applied to all firms.
Rating Dimensions
Rating Tiers
Exceptional across most dimensions. Clear market authority in their primary service area.
Strong in core area. Reliable choice with competitive value and track record.
Competent but with gaps or narrow focus. Suitable for specific buyer needs.
New or limited track record. Potential upside, but less data to evaluate.