06/05/2026
“Free” open source software is the most expensive mistake your cybersecurity budget will ever make.
In the cybersecurity world, we have three areas:
🔴 Red Team: the attackers.
🔵 Blue Team: the defenders.
🟣 Purple Team: where Red works with Blue to improve security.
Most companies rely on a manual pentest once a year. It costs €50 to €250 per hour, gives you a snapshot of one moment in time, and leaves you blind for the other 11 months.
Some, however, build a more continuous validation stack from open source, moving towards continuous pentesting or a continuous Purple Team with free tools such as Atomic Red Team, MITRE Caldera, PurpleSharp, VECTR and DeTTECT. We love open source, but it can create a “Mad Scientist” trap: your best engineer spends most of the year building and maintaining the plumbing of the tools instead of actually securing your company.
And it is an expensive trap: in the Baltics, “free” continuous red or purple teaming actually costs from €45,000 to €210,000 over 3 years if you truly measure the TCO (Total Cost of Ownership).
No wonder your local pentest company charges you anywhere from €4,000 (10-day pentest) to €250,000 (12-week TLPT). The latter is a DORA requirement for in-scope financial entities, by the way.
The alternative is BAS (Breach and Attack Simulation) or Continuous Security Validation.
It basically provides “Research as a Service.” They push thousands of real-world attack simulations to you daily with remediation advice.
“But we cannot afford a platform like that!”
Do not be so sure.
Let us look at a 3-year TCO for Purple Teaming in Latvia:
Open Source Stack:
• Licence: €0
• Effort: 1.0 FTE
• 3-year cost: €210,000
• Coverage: ~10%
Ready-to-use BAS:
• Licence: €25,000 - €80,000
• Effort: 0.1 FTE
• 3-year cost: ~€72,000 - €250,000
• Coverage: 90% plus
For a 50-person company in Latvia, the average employee generates roughly €6,500 to €7,000 in net profit per year. The entry-level commercial BAS option costs around €40 per employee per month (about €480 per year), roughly 7% of what each person contributes to the bottom line annually. The open source alternative costs nearly 3x that over the same period, delivers a fraction of the coverage, and ties up your best engineer full time.
And you do not need to go full automated purple teaming straight away. There are continuous pentesting and attack surface management solutions, too.
By choosing a ready-to-use product you stop paying for “Working on a solution” and start paying for “Securing your organisation”.
Our advice:
1. Value your engineer’s time at its true cost to the company.
2. Gather your requirements, and consider carefully if “free” open source is truly what is best for you.
3. Build a roadmap to transition from annual pentest to continuous security validation.
PS: we offer consultancy to assess your situation & requirements, and build you a fully customised roadmap.
And unless you want us to build it with you, it will be all for free.
Really free. ✅