For agencies
The 30-minute monthly playbook for an agency's client portfolio.
Published 2026-05-25 · Approx. 12-minute read · Designed for portfolios of 5-50 sites
An agency owner running ten retainer clients doesn't have a SOC analyst on staff. They have themselves and maybe a junior who handles WordPress updates on Tuesday afternoons. The security situation across the portfolio looks like this: half the sites are on WordPress with whatever plugin stack the original brief specified, two are on Shopify, one is on a custom Node app the previous developer wrote, three are static sites someone migrated from Squarespace last year. Nobody has scanned any of them since launch.
The honest answer for that agency is not to hire a security person. It's to set up a repeatable 30-minute monthly process that catches the configuration drift before it becomes an incident. This is that process.
You can run it with Vantyris (one workspace covering every client domain, weekly continuous monitoring, the portfolio dashboard, white-label PDFs for retainer reports). You can run it with a stack of free tools (SSL Labs + Security Headers + manual SPF/DMARC checks per domain). The Vantyris workflow is faster because it's one tab instead of four; the free-tools workflow saves you the credit cost. Pick what fits your retainer math.
Before the first month: the one-time setup
One workspace, every client target, all verified
Open a Vantyris workspace. Add every client domain as a target. Each one verifies with a DNS TXT record (or a file you upload via the client's existing FTP if you have it). The verification is the legal foundation: you're confirming you have permission to scan. Keep the client's written authorisation in your CRM for the file.
Verification takes 5-15 minutes per target on average, less if you have direct DNS access. Front-load it: do all ten on day one of the setup month and you're done with the gating step forever.
Run the baseline scan on every target
Once each target verifies, run a verified scan. Cost: 1 credit per target (€10 buys 5 credits, €100 buys 100). The first scan establishes the baseline. Read the report, decide which findings are real, mark anything you've already known about (a deliberate decision to not enable HSTS because the client uses a legacy subdomain, for example) as "Accepted as known risk" with a written reason. Suppressions expire after 90 days so they won't silently hide forever.
For each client, file the full editorial PDF in the project folder. This is your baseline. Every subsequent scan compares to it.
Enrol every verified target in weekly monitoring
Continuous-monitoring tier costs €5 per endpoint per month. For 10 retainer clients, that's €50/month. Set the cadence to weekly and the notify email to the agency owner's address (or a dedicated `security@agency.com` mailbox you actually check).
The three default alert triggers are the only ones that matter: a new high or critical finding, a security-score drop of 10 points or more compared to the previous scan, or a TLS certificate within 14 days of expiry. No daily noise.
Set up the white-label PDF and trust page for each retainer client
Pro and Agency tiers let you set display name (your agency's brand instead of Vantyris), logo URL, and accent colour. White-labelling stays on for shared report views and the trust page. Each client gets their own trust page at /trust/<client-slug>; the client's procurement team can verify the security posture without an account.
The 30-minute monthly process
Block the first Monday of every month, 9:00-9:30 AM. Coffee, dashboard, decisions. The process:
Minutes 0-5: open the portfolio dashboard
/app/portfolio shows every target ranked worst-first. Read the headline stats: target count, average score, total criticals and highs across the portfolio. If the average score moved more than 5 points from last month, you have a portfolio-wide change to understand.
Scan the per-target list. Anything with critical or high findings sits at the top. Anything labelled "stale" (no scan in over 30 days) needs your attention.
Minutes 5-10: read the week's monitoring alerts
Open the alert inbox. Each alert maps to one of: new high/critical finding, score drop of 10+, certificate expiry within 14 days. For each, decide:
- New high/critical: open the affected target's latest scan, read the finding, decide whether you're going to fix it or assign it to the client's IT contractor. If you assign, set a due date and post the relevant remediation guidance as a comment.
- Score drop: a regression. Compare against the previous scan, identify the new finding, decide whether it was caused by something the client did (a plugin update, a DNS change) or external (a CA being mis-trusted, a CVE being newly listed in KEV). Fix or accept.
- Cert expiring: message the client's web host to confirm auto-renewal is working. If it isn't, this is the most preventable client-outage scenario; act today.
Minutes 10-20: triage anything still on the worst-first list
Some clients won't have alerts this month but will still have unresolved findings from previous months. Open the top three sites on the worst-first list. For each:
- Sort findings by priority (the composite score blending severity, KEV listing, and history state). Anything > 80 priority is acute.
- For each acute finding, check the workflow status. If it's "Assigned" but stale (assigned 3+ weeks ago with no comment activity), follow up with the assignee. If "Open" with no movement, decide whether to mark "Accepted with reason" or escalate.
- For each "Open" finding you decide to act on, post a comment with the next-action and an owner.
Minutes 20-25: hand off to your team
For each assigned finding, send a one-line message to the team member or contractor responsible. Most agencies do this via Slack or Asana. The audit-trail link in Vantyris (each finding has a permalink) goes in the message so the receiver can read the context.
Minutes 25-30: client communication
For each retainer client, decide whether anything from the month warrants a heads-up. Three patterns:
- Everything clean: no email. The trust page URL is the asynchronous "things are fine" signal.
- Findings handled internally: brief monthly note. "We resolved two medium findings this month; full report attached." Attach the executive PDF (one page). Single email, three minutes per client.
- Client action required: the rare case where you need the client to do something (renew a certificate they manage, approve a hosting change, etc). Direct email with the single-issue work-order PDF attached so the client can forward it to their host without context-switching.
Quarterly: the retainer review
Every three months, run a portfolio CSV export (workspace-wide, all history). Open in a spreadsheet. Look at:
- Trend: is the workspace average score going up or down over the quarter?
- By-client breakdown: which clients are improving, which are regressing?
- Time-to-fix: for findings you marked "Fixed" this quarter, how long did they sit "Open" before resolution?
- Acceptance rate: what fraction of findings are being marked "Accepted with reason"? If it's climbing, you're either accepting too liberally or your client mix is shifting toward legacy stacks.
Use the data in your client retainer reviews. "Your security posture has improved from B to A over the past quarter" is a concrete win you can put on the slide deck.
The annual move: insurance + Cyber Essentials
Once a year, the retainer client renews PI or business cover. The insurer asks about external vulnerability scanning. You give the client the trust page URL. The underwriter checks it themselves. Premium discount applies. Client thanks you.
If a retainer client is going for Cyber Essentials this year, every verified Vantyris report includes the CE alignment section mapping each finding to the five NCSC control areas. That's the starting checklist for their CE submission; the actual certification still requires an accredited certification body (you can sub-contract that or refer to IASME).
If you want to run this without Vantyris
You can. The structure of the process is what matters, not the tooling. Here's the free-tools equivalent:
- SSL Labs for TLS (ssllabs.com/ssltest), one URL per client
- Security Headers for HTTP headers (securityheaders.com), one URL per client
- MX Toolbox for SPF/DMARC/DKIM (mxtoolbox.com), one lookup per client
- UptimeRobot for certificate expiry monitoring (free tier covers 50 monitors)
- A spreadsheet for tracking findings across clients
That's roughly 90-120 minutes a month for ten clients instead of 30, plus the workflow + trust-page + audit-trail evidence is in your spreadsheet rather than in a tool your client could verify directly. If your retainer rate per client per month is <€50, the free-tools path makes financial sense. Above that, Vantyris pays for itself in the time saved.
Try the portfolio dashboard with your own client list.
Open a workspace, verify one or two client domains, run a verified scan, see what the report and portfolio view look like with your data. €10 for the starter pack.
Vantyris editorial team · methodology v1.0.0