Skip to main content
Vantyris

For agencies

The 30-minute monthly playbook for an agency's client portfolio.

Published 2026-05-25 · Approx. 12-minute read · Designed for portfolios of 5-50 sites

An agency owner running ten retainer clients doesn't have a SOC analyst on staff. They have themselves and maybe a junior who handles WordPress updates on Tuesday afternoons. The security situation across the portfolio looks like this: half the sites are on WordPress with whatever plugin stack the original brief specified, two are on Shopify, one is on a custom Node app the previous developer wrote, three are static sites someone migrated from Squarespace last year. Nobody has scanned any of them since launch.

The honest answer for that agency is not to hire a security person. It's to set up a repeatable 30-minute monthly process that catches the configuration drift before it becomes an incident. This is that process.

You can run it with Vantyris (one workspace covering every client domain, weekly continuous monitoring, the portfolio dashboard, white-label PDFs for retainer reports). You can run it with a stack of free tools (SSL Labs + Security Headers + manual SPF/DMARC checks per domain). The Vantyris workflow is faster because it's one tab instead of four; the free-tools workflow saves you the credit cost. Pick what fits your retainer math.

Before the first month: the one-time setup

One workspace, every client target, all verified

Open a Vantyris workspace. Add every client domain as a target. Each one verifies with a DNS TXT record (or a file you upload via the client's existing FTP if you have it). The verification is the legal foundation: you're confirming you have permission to scan. Keep the client's written authorisation in your CRM for the file.

Verification takes 5-15 minutes per target on average, less if you have direct DNS access. Front-load it: do all ten on day one of the setup month and you're done with the gating step forever.

Run the baseline scan on every target

Once each target verifies, run a verified scan. Cost: 1 credit per target (€10 buys 5 credits, €100 buys 100). The first scan establishes the baseline. Read the report, decide which findings are real, mark anything you've already known about (a deliberate decision to not enable HSTS because the client uses a legacy subdomain, for example) as "Accepted as known risk" with a written reason. Suppressions expire after 90 days so they won't silently hide forever.

For each client, file the full editorial PDF in the project folder. This is your baseline. Every subsequent scan compares to it.

Enrol every verified target in weekly monitoring

Continuous-monitoring tier costs €5 per endpoint per month. For 10 retainer clients, that's €50/month. Set the cadence to weekly and the notify email to the agency owner's address (or a dedicated `security@agency.com` mailbox you actually check).

The three default alert triggers are the only ones that matter: a new high or critical finding, a security-score drop of 10 points or more compared to the previous scan, or a TLS certificate within 14 days of expiry. No daily noise.

Set up the white-label PDF and trust page for each retainer client

Pro and Agency tiers let you set display name (your agency's brand instead of Vantyris), logo URL, and accent colour. White-labelling stays on for shared report views and the trust page. Each client gets their own trust page at /trust/<client-slug>; the client's procurement team can verify the security posture without an account.

The 30-minute monthly process

Block the first Monday of every month, 9:00-9:30 AM. Coffee, dashboard, decisions. The process:

Minutes 0-5: open the portfolio dashboard

/app/portfolio shows every target ranked worst-first. Read the headline stats: target count, average score, total criticals and highs across the portfolio. If the average score moved more than 5 points from last month, you have a portfolio-wide change to understand.

Scan the per-target list. Anything with critical or high findings sits at the top. Anything labelled "stale" (no scan in over 30 days) needs your attention.

Minutes 5-10: read the week's monitoring alerts

Open the alert inbox. Each alert maps to one of: new high/critical finding, score drop of 10+, certificate expiry within 14 days. For each, decide:

Minutes 10-20: triage anything still on the worst-first list

Some clients won't have alerts this month but will still have unresolved findings from previous months. Open the top three sites on the worst-first list. For each:

Minutes 20-25: hand off to your team

For each assigned finding, send a one-line message to the team member or contractor responsible. Most agencies do this via Slack or Asana. The audit-trail link in Vantyris (each finding has a permalink) goes in the message so the receiver can read the context.

Minutes 25-30: client communication

For each retainer client, decide whether anything from the month warrants a heads-up. Three patterns:

Quarterly: the retainer review

Every three months, run a portfolio CSV export (workspace-wide, all history). Open in a spreadsheet. Look at:

Use the data in your client retainer reviews. "Your security posture has improved from B to A over the past quarter" is a concrete win you can put on the slide deck.

The annual move: insurance + Cyber Essentials

Once a year, the retainer client renews PI or business cover. The insurer asks about external vulnerability scanning. You give the client the trust page URL. The underwriter checks it themselves. Premium discount applies. Client thanks you.

If a retainer client is going for Cyber Essentials this year, every verified Vantyris report includes the CE alignment section mapping each finding to the five NCSC control areas. That's the starting checklist for their CE submission; the actual certification still requires an accredited certification body (you can sub-contract that or refer to IASME).

If you want to run this without Vantyris

You can. The structure of the process is what matters, not the tooling. Here's the free-tools equivalent:

That's roughly 90-120 minutes a month for ten clients instead of 30, plus the workflow + trust-page + audit-trail evidence is in your spreadsheet rather than in a tool your client could verify directly. If your retainer rate per client per month is <€50, the free-tools path makes financial sense. Above that, Vantyris pays for itself in the time saved.

Try the portfolio dashboard with your own client list.

Open a workspace, verify one or two client domains, run a verified scan, see what the report and portfolio view look like with your data. €10 for the starter pack.

Editorial

Vantyris editorial team · methodology v1.0.0