GUARDIAN SECUREAPP™ · ASSURANCE LEVELS
Compare Assurance Levels — Basic, Advanced, High-Risk / Critical
Guardian SecureApp™ certification is offered at three assurance levels — Level 1 (Basic), Level 2 (Advanced), and Level 3 (High-Risk / Critical) — across all three Modules. The level you choose determines evaluation depth, surveillance frequency, indicative fee and timeline. This page compares the three side-by-side and provides a decision framework for selection.
Three Levels
Three Levels — Because One Size Does Not Fit
Application security risk is not uniform. A marketing website that publishes only public information faces different threat actors, different attack motivations, and different breach consequences than a banking platform that holds customer financial data and initiates transactions on their behalf. Issuing a single certification level — at the depth of the most rigorous assurance possible — would price low-risk products out of certification entirely while still under-evaluating the very highest-risk products. Issuing a single low-depth certification — at the level of basic baseline assurance — would offer no meaningful additional signal to buyers of high-risk products beyond what they already get from organisational certifications such as ISO/IEC 27001.
Guardian SecureApp™ resolves this by offering three assurance levels that map directly to a graduated risk profile. Level 1 (Basic) provides the minimum baseline of accredited assurance — appropriate for products whose breach consequences are low and whose threat profile is non-targeted. Level 2 (Advanced) provides the depth that most production B2B and B2C products handling sensitive data require to satisfy customer due diligence and regulatory baselines. Level 3 (High-Risk / Critical) provides the depth required by products in regulated, financially-systemic, or critical-infrastructure sectors, where evaluation must include adversarial / threat-led methodology and the highest available rigour of source code and architecture review.
Importantly, the three levels are not three different schemes. They are three depths of evaluation under one accredited scheme (Guardian SecureApp™, scheme document GSA-PR-01) and one accreditation (UAF accreditation 52605385601 under ISO/IEC 17065). The procedural integrity, the certification decision discipline, the public directory listing, the surveillance regime and the certification mark are common across all three levels. What differs is the depth at which the technical evaluation is conducted and, accordingly, the strength of the assurance signal the certificate carries.
At Glance
A Quick Snapshot of Each Level
Level 1
Basic
$2,000
onwards
Indicative Starting Fee *
Evaluation depth: Automated scanning + targeted manual verification. Configuration review. Documentation review. No mandatory source code review.
Surveillance: Annual
Typical Timeline
4–7 weeks
For Internal tools, low-risk public sites, content portals, marketing websites with light forms.
Level 2
Advanced
$4,000
onwards
Indicative Starting Fee *
Evaluation depth: Automated scanning + comprehensive manual penetration testing + business-logic and abuse-case testing + sample-based source code review on critical components + detailed architecture review.
Surveillance: Annual + change-driven
Typical Timeline
6–12 weeks
For Customer-facing applications handling personal data, transactions, B2B SaaS dashboards, healthcare portals, payment-adjacent applications.
Level 3
High-Risk / Critical
$7,000
onwards
Indicative Starting Fee *
Evaluation depth: Comprehensive manual + threat-led / adversarial + abuse-case testing + comprehensive source code review across in-scope codebase + threat-modelled architecture review (STRIDE / PASTA).
Surveillance: Semi-annual + change-driven. Mandatory re-evaluation on major releases.
Typical Timeline
10–18 weeks
For Net-banking, UPI / payment platforms, EHR / health records platforms, trading platforms, identity providers, embedded-finance rails, critical infrastructure.
Choose Your Level
Five Questions That Determine Your Level
Level selection is a business decision. Where a regulator names a specific assurance level, that decision is made for you. Where it does not, the five questions below are the questions that, in our scoping experience, most reliably map a product to a proportionate level. None of them requires a security expert to answer; all of them require an honest reading of your product’s risk profile.
What’s the worst plausible breach consequence?
If the worst plausible consequence of a security breach in your product is reputational embarrassment, a small support ticket volume, or the disclosure of public information you intended to publish anyway — Level 1 is likely proportionate. If the worst plausible consequence is regulatory fine, customer attrition at scale, contractual liability, or material harm to identifiable customers — Level 2 is the floor. If the worst plausible consequence is systemic financial loss to customers, identity-theft-grade harm, regulatory enforcement action, or impact on critical infrastructure — Level 3 is the floor.
What threat profile does your product actually face?
Untargeted, automated, opportunistic threats (the background noise of the internet) require evaluation against the OWASP Top 10 baseline — Level 1 sets that baseline. Targeted threats from organised actors with budget — competitors, partner-ecosystem adversaries, motivated criminals — require Level 2. Sophisticated, well-resourced adversaries with persistence, custom tooling, and economic incentive to specifically attack your product — Level 3.
What do your customers ask for in vendor due diligence?
If your customers ask whether you do security testing — Level 1 satisfies this. If they ask for evidence of independent third-party application security testing against OWASP standards — Level 2 satisfies this. If they ask specifically for evidence of comprehensive source code review, architecture-level threat modelling, or ‘highest assurance’ attestation — Level 3 satisfies this, and is increasingly the floor for procurement at large enterprises and regulated buyers.
What regulatory or contractual baseline must you meet?
If you are not subject to specific regulatory mandates and have no specific contractual security commitments, Level 1 or Level 2 is most likely to be proportionate. If you are operating in a sector with active regulatory expectations on application security (banking, payments, healthcare, government, critical infrastructure) — Level 3 is the typical floor. Specific regulator expectations vary; we are happy to discuss your regulatory driver during scoping (without making the certification scheme regulator-specific, which would be incompatible with our accreditation scope).
What is your competitive positioning?
Where competitors hold no third-party security certification, even Level 1 is a meaningful differentiator. Where competitors hold ISO/IEC 27001 only, Level 2 is a credible differentiator (because product-level evidence is what 27001 does not provide). Where competitors hold equivalent product-level certifications, Level 3 is the only level that materially distinguishes your product on application security depth alone.
Detailed Comparison
Side-by-Side Comparison of Evaluation Depth
The table below is the canonical side-by-side comparison of the three assurance levels across the dimensions that buyers and engineering teams most commonly want to compare. Each row represents an evaluation dimension, with the per-level treatment listed in columns. This table is reproduced (in summarised form) on the Pillar page and (in module-specific form) on each Module page; here it is the complete general view.
| Evaluation Dimension | Level 1 (Basic) | Level 2 (Advanced) | Level 3 (High-Risk / Critical) |
|---|---|---|---|
Mapped ASVS verification level | ASVS Level 1. | ASVS Level 2. | ASVS Level 3. |
Automated scanning | DAST + SAST where source available. | DAST + SAST + SCA + secrets scanning. | DAST + SAST + SCA + secrets + config + IaC. |
Manual penetration testing | Targeted, scenario-based; OWASP Top 10 baseline. | Comprehensive ASVS Level 2 + business-logic. | Adversarial / threat-led, full ASVS Level 3 + chained-attack. |
Source code review | Not mandatory. | Sample-based on critical components, including authentication, authorisation, and payment. | Comprehensive across the in-scope codebase. |
Architecture review | High-level walkthrough. | Detailed review including data flow + trust boundaries. | Threat-modelled review, including STRIDE / PASTA. |
Business-logic / abuse-case testing | Limited. | Standard scope. | Extensive, with an adversarial mindset. |
Multi-role authenticated testing | Single role. | Multiple roles + privilege escalation paths. | All defined roles + chained-escalation. |
Configuration / hardening review | Spot-check. | Documented review against benchmarks. | Comprehensive against CIS / vendor benchmarks. |
Surveillance frequency | Annual. | Annual + change-driven. | Semi-annual + change-driven. |
Re-evaluation on major release | Notification only. | Targeted re-evaluation. | Mandatory re-evaluation. |
Indicative starting fee* | USD 2,000 onwards | USD 4,000 onwards | USD 7,000 onwards |
Typical timeline | 4–7 weeks. | 6–12 weeks. | 10–18 weeks. |
*Indicative starting fees apply to small organisations certifying a single, low-complexity product on a single technology stack in a single environment, under a single Module. Final fees depend on scope, technology, modules, evaluation man-days and complexity. Fees do not influence the certification decision (ISO/IEC 17065 Clause 4.2 — impartiality requirement).
Module-Level
How Levels Apply Across Modules
Each Guardian SecureApp™ Module (A — Web Application Security; B — SaaS / Multi-tenant Platforms; C — API / Microservices Security) is available at all three assurance levels. The matrix below names the typical applicant profile at each Module–Level intersection. Note that Module B engagements include the underlying Module A scope — a Level 2 Module B engagement, for example, evaluates both the multi-tenant platform’s tenant-aware controls AND the underlying web application’s ASVS Level 2 controls.
| Module | Level 1 (Basic) | Level 2 (Advanced) | Level 3 (High-Risk / Critical) |
|---|---|---|---|
Module A – Web Application | Internal tools, low-risk public sites, content portals. | Customer-facing portals, e-commerce, B2B SaaS dashboards. | Net-banking, payment apps, EHR portals, trading platforms. |
Module B – SaaS / Multi-Tenant | Internal multi-tenant tools, low-criticality B2B SaaS. | B2B SaaS serving enterprise customers, regulated buyers. | Banking SaaS, healthcare SaaS, identity platforms, payment platforms. |
Module C – API / Microservices | Internal-service APIs, low-criticality partner APIs. | Public REST / GraphQL APIs, partner integrations, B2B platforms. | Open-banking APIs, payment APIs, embedded-finance rails, AI inference platforms. |
Surveillance and Recertification
How Long Each Level Stays Valid — and What Maintains It
Certification under any level is issued for a defined cycle (typically 3 years) and remains valid through the cycle subject to successful surveillance and absence of material non-conformity. The cadence of surveillance, however, varies materially by level — and so does the response to product change.
| Surveillance Aspect | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
Scheduled surveillance frequency | Annual. | Annual. | Semi-annual. |
Surveillance scope | Targeted re-test of high-priority controls. | Targeted + change-area review. | Substantial re-test + threat-model refresh. |
Major-release re-evaluation | Notification only. | Targeted re-evaluation. | Mandatory re-evaluation. |
Recertification cycle | 3 years. | 3 years. | 3 years, with semi-annual surveillance. |
Recertification scope | Full evaluation against current scheme criteria. | Full evaluation against current scheme criteria. | Full evaluation against current scheme criteria. |
Detailed surveillance and recertification information is at /process/surveillance and in GSA-PR-01.
Pricing and Timeline
Indicative Investment by Level
Pricing is published as indicative starting figures for small organisations, applicable when the engagement is scoped to a single, low-complexity product on a single technology stack in a single environment under a single Module. Outside this envelope — multi-product, multi-module, multi-environment, complex architectures, expedited timelines — pricing is quoted on request and reflects the actual evaluation man-days required.
Level 1
Basic
$2,000
onwards
4–7 weeks
Level 2
Advanced
$4,000
onwards
6–12 weeks
Level 3
High-Risk / Critical
$7,000
onwards
10–18 weeks
*Indicative starting fees in USD, exclusive of applicable taxes (e.g., GST in India). Fees do not include surveillance fees (billed annually in advance), recertification fees (billed at start of recertification engagement), or out-of-pocket expenses. Fees do not influence the certification decision (ISO/IEC 17065 Clause 4.2 — impartiality requirement).
Full fee structure, basis of fees, surveillance fee policy and payment terms at /process/fees. Quotations on request at /quote.
Levels
Moving Between Levels
Level selection is not a one-time, irrevocable decision. Products evolve — they enter higher-stakes contexts, take on more sensitive data, or expand into regulated buyer segments — and the appropriate certification level evolves accordingly. The mechanics of moving between levels are documented below.
Upgrading (Level 1 → Level 2, Level 2 → Level 3)
Upgrading is the natural lifecycle path for a successful product. The upgrade engagement is scoped to the additional evaluation depth required between the existing level and the target level. It is not a full re-evaluation from zero; the existing certification’s documentation review and historical findings are taken into account. Pricing for an upgrade is calculated based on the evaluation man-days required for the depth gap (typically a fraction of a fresh engagement at the target level, but specifics depend on the product and the time elapsed since initial certification). On successful upgrade, a new certificate is issued at the higher level, and the public directory entry is updated.
Downgrading (Level 3 → Level 2, Level 2 → Level 1)
Downgrading is unusual but supported. A product may shift to a lower-stakes context (a regulated product moved into an internal-only deployment, for example) where the higher level is no longer cost-justified. The downgrade engagement primarily addresses any scope changes; the evaluation depth at the lower level is necessarily a subset of the existing evaluation, so re-evaluation activity is limited. Surveillance frequency at the lower level applies from the date of the new certificate.
Adding a Module at the Same Level
Adding a Module to an existing certificate (a Module A-only certificate adding Module B for a multi-tenant product migration; or adding Module C as the platform exposes a public API) is scoped to the additional Module’s evaluation. The level remains the same; the scope expands.
All level changes (upgrade, downgrade, scope change) are reflected in the Public Directory at /directory in real time, with the previous certificate’s history retained for audit-trail purposes.
Use Cases
Typical Level Mappings by Industry
Below is the typical level distribution we observe by industry. These are typical, not prescriptive — your specific risk profile, regulatory baseline and customer expectations may indicate a different level. Each industry has a dedicated page under /industries with deeper context.
| Industry | Typical Level 1 Use | Typical Level 2 Use | Typical Level 3 Use |
|---|---|---|---|
Banking & NBFC | Internal staff portals. | Customer self-service portals, non-transactional. | Net-banking, mobile banking, payment platforms. |
Fintech / Payments | Marketing sites, info portals. | Customer dashboards, KYC platforms. | UPI apps, payment gateways, embedded-finance APIs. |
SaaS / Cloud | Internal SaaS tools. | Mid-market customer-facing SaaS. | Enterprise SaaS to regulated buyers, identity platforms. |
Healthcare IT / HealthTech | Internal admin portals. | Patient self-service portals. | EHR / EMR systems, telemedicine, lab information systems. |
E-commerce / Retail | Marketing / blog sites. | Customer-facing storefronts, account portals. | High-volume payment-processing platforms, marketplaces with card-on-file. |
Government / PSU | Static information portals. | Citizen self-service portals, limited PII. | Tax, identity, social benefit and inter-agency systems. |
Insurance / InsurTech | Internal admin tools. | Customer self-service, digital onboarding. | Underwriting platforms, claims processing, broker portals. |
Industry-specific guidance is at /industries/banking, /industries/fintech, /industries/saas, /industries/healthtech, /industries/ecommerce, /industries/government, /industries/insurance.
Frequently Asked Questions
Common Questions, Answered
Level selection should follow your risk profile, regulatory baseline and customer expectations. Use the five-question framework in Section 3.3 above. As a default heuristic: Level 1 for low-risk internal or public-information products; Level 2 for customer-facing products handling personal data, transactions or sensitive workflows; Level 3 for products handling financial transactions, regulated data, or that are part of critical infrastructure. Where in doubt, scoping conversation maps your specifics to a proportionate level — but the decision remains a business decision, not a recommendation we make on your behalf.
Yes. Upgrade is the natural lifecycle path. The upgrade engagement is scoped to the additional evaluation depth required between your existing level and the target level — not a full re-evaluation from zero. The existing certification’s documentation review and historical findings are taken into account. Pricing reflects the evaluation man-days for the depth gap.
Yes — within a single combined-module engagement. A combined Module A + B + C engagement is conducted at one assurance level (typically Level 2 or Level 3). However, you can hold separate certificates at different levels for different products: a Level 2 certificate on your customer-facing SaaS and a Level 3 certificate on your payment API, for example, are two distinct certificates with two distinct levels.
Guardian SecureApp™ Levels map directly to OWASP ASVS verification levels. Level 1 (Basic) corresponds to ASVS Level 1; Level 2 (Advanced) to ASVS Level 2; Level 3 (High-Risk / Critical) to ASVS Level 3. The procedural framing (ISO/IEC 17065-accredited issuance, public directory listing, surveillance, complaints and appeals) is added on top of the ASVS technical content.
No. No certification level is a guarantee against future compromise. Level 3 means the product has been evaluated at the highest depth available under the scheme — comprehensive manual + threat-led methodology, comprehensive source code review, threat-modelled architecture review — and met the certification criteria at evaluation. Surveillance and recertification exist precisely because security is dynamic. What Level 3 provides is the highest available assurance signal under our scheme, not a guarantee of impregnability.
Yes. Some regulators mandate specific assurance levels for products in their jurisdiction. Where a regulator names a level, that level is your minimum. Where the regulator names criteria but not a specific level, scoping conversation helps map regulatory criteria to a Guardian SecureApp™ level. We discuss specific regulatory drivers at scoping; the certification scheme itself is regulator-agnostic, which is essential to maintaining our accreditation scope.
Change-driven surveillance is surveillance triggered by significant changes to the certified product — major releases, architecture changes, new authentication paths, new authorisation models, breach incidents — outside the routine surveillance schedule. The Certification Agreement requires the certified client to notify Guardian of significant changes; Guardian determines whether the change requires Stage 2 re-evaluation or can be addressed through routine surveillance. Levels 2 and 3 include change-driven surveillance; Level 1 is notification-only for changes.
Different Modules have different evaluation surface and methodology. Module A (Web) and Module C (API) are typically faster than Module B (SaaS / multi-tenant) at the same level, because Module B includes the underlying Module A scope plus the six tenant-aware evaluation areas. Combining modules on a single engagement extends the timeline further but is more efficient than running them serially as separate engagements.
Yes. Level 1, Level 2 and Level 3 are all accredited under ISO/IEC 17065 by UAF — accreditation is at the scheme level, not at the level granularity. A Level 1 certificate carries the full procedural integrity of accredited issuance: independent decision-making, public directory listing, surveillance, complaints and appeals rights, and recognition through the international accreditation infrastructure. What differs across levels is the depth of technical evaluation — not the procedural integrity of the certification.
It’s possible, but not recommended as a workflow. Level 1 requires committed evaluation by competent evaluators and an independent certification decision; it is not a ‘pilot’ of the full process. If your goal is to validate scoping and process before committing to Level 2, scoping conversation and a pre-application enquiry at /quote provides that orientation more efficiently than an actual Level 1 engagement.
Levels are scheme-defined and not parameterisable. There is no ‘Level 2.5’. If your product needs more depth than Level 2 but does not justify Level 3, the practical answer is to scope a Level 2 engagement with explicit scope expansions in defined areas (e.g., comprehensive source code review on a specified module, even though Level 2 baseline is sample-based). This is captured in the Scope Statement and reflects in the Evaluation Report. The certificate is still issued at Level 2 — but the underlying evaluation reflects the expanded scope. Discuss specifics at scoping.
The Guardian SecureApp™ certification mark is the same across all levels. The certificate itself names the level; mark display rules per the Use of Mark Policy do not require the level to be visually distinguished in mark usage. However, your certificate (and the public directory listing) clearly names the level — a customer who clicks through to verify the certificate sees the level immediately.
Yes. The certificate names the level; the public directory entry names the level; any procurement-grade verification will show the level. There is no ‘private’ certification level — transparency about level is part of what makes the scheme procurement-grade.
No. Surveillance fees scale with surveillance depth and frequency, which scale with level. Level 1 surveillance is annual with targeted depth; Level 2 is annual with broader depth; Level 3 is semi-annual with substantial depth and threat-model refresh. Surveillance fees are billed annually in advance and are quoted as part of the initial engagement quotation. Full fee detail at /process/fees.
Recertification is a comprehensive re-evaluation against the current version of the scheme criteria, regardless of how much the product has changed. If the product has changed materially, the recertification engagement is scoped to evaluate the current state of the product — not to compare against the prior certified state. New findings may emerge that did not exist at initial certification. Recertification is required for continued certification beyond the cycle expiry; it is not optional.
Accreditation under ISO/IEC 17065 by UAF applies to the certification scheme as a whole, not to specific levels within it. UAF is a member of the IAF and a signatory to the IAF MLA; the MLA scope varies by accreditation type. To check the current scope of UAF’s IAF MLA recognition for product certification, please verify directly on the IAF portal at www.iaf.nu. International recognition through the MLA, where applicable, applies at the accreditation level — not differently for different scheme levels.
Ready to Get Started?
Apply for Certification
Submit a formal application. Initial response within 5 working days.
Apply NowRequest a Quote
Tell us about your product. Indicative quote within 3 to 5 working days.
Get a QuoteTalk to Our Team
Specific question or regulatory driver to discuss?
Contact Us