Security Monitoring

Great way to temporarily mitigate hard-to-fix vulnerabilities, find the usual scripted attacks, or even more if you know exactly what you are looking for.


Absolutely useless without proper understanding of the infrastructure, threat modeling and properly set up logging (also implemented in the application layer). In that case you are just spending a ton of money on SIEM software to correlate the useless logs nobody ever looks at anyway.

 

Red Teaming

 

Great way to test the actual overall security of the company, uncover unknown avenues of attack, and test the resilience of employees and of security monitoring, for whom it could be a great learning opportunity.


Absolutely pointless without advanced security practices and if you know you have open, critical security issues and vulnerabilities. In that case you already know the answer to the question Red Teaming is meant to answer.

Penetration Testing

 

Great way to test for vulnerabilities in sensitive systems, in cases where you want to make sure you don't have critical vulnerabilities before going online with new software, or if you have very specific questions about some aspects of the applications that require highly skilled people. Also, you might be left without other options when dealing with third-party software.


Will become costly, and the return diminishes really quickly, if you use it broadly as an end baseline test instead of properly building security into your development lifecycle. Likely you will receive a lengthy report outlining all the theoretical attack scenarios and vague recommendations that will take the next 5 sprints to fix.

Bug Bounties

 

You get thousands of people constantly looking at your things, checking all the smallest details you never thought of, and, to make it better, you only have to pay them if they find something!


Or the best footgun if you don't have solid baseline security, not just because of the costs of having to deal with the swarm of submissions, but also because of the bad media attention: everybody will realise where your security is, and eventually it will be publicised by all the stunt hackers.

Security Automation

 

Pay once, get all the benefits until the end of time!


Unless you think it is a silver bullet that can answer all your security questions and is able to uncover all types of vulnerabilities, in which case you are just wasting the time of your developers, flooding them with useless lengthy reports of false positives that aren't even relevant to their application's threat model.

We believe the most powerful analogy to understand efficient security is: rock climbing.

Once you set out with your new business idea you start to see the top, you have a vision, and you have a rough idea of how you are going to get there.

IT security is the safety that you have to take care of on the way. This means additional weight that slows you down and the deep realisation:

placing safety equipment takes time and energy that you could have spent climbing.

You need to decide on a strategy from the spectrum that runs from "I'm never going to fall, no need for safety" to "I'm going to deconstruct the wall and drill anchors, bolts every meter", which transforms your climbing into something else even though you know the safety will never be 100%. And frankly, compliance only tells you that you have to have some safety every 1.5 meters, which might make sense in some circumstances, but slows you down excessively or is overly daring in others:

It lacks the context.

We do understand that your goal is to get up there and that you need to keep moving fast and be able to change directions.

We know the tools you can use, the contexts in which they are useful and the ways they break.

We strive to help you find the right tools and know when to use them, and we can even place them for you or teach you how to do it.

Different tools have vastly different cost/return structures, possible coverage and usefulness, pros and cons.

SERVICES
