CASA Tier 2 & Tier 3 Security Review: Providers and Pricing


Google’s Cloud Application Security Assessment (CASA) program requires certain Chrome extensions (and other apps) that access sensitive or restricted Google user data to undergo independent security reviews. These reviews are conducted by authorized labs in the App Defense Alliance and are classified into Tier 2 and Tier 3 assessments. Tier 2 generally involves a lab-validated vulnerability scan of the extension (the developer performs scans using approved tools, with the lab reviewing and validating the results), whereas Tier 3 is a comprehensive, lab-conducted penetration test of the application, including its infrastructure. Successful completion yields a Letter of Validation (LOV) from the assessor, and Tier 3 also confers an “Independent Security Verification” badge for Google Workspace Marketplace listings.

Below is a comparison table of all Google CASA-authorized security assessors (as of November 2024) that offer Tier 2 and/or Tier 3 Chrome extension security assessments, followed by detailed provider profiles:

Comparison of CASA Assessment Providers (Tier 2 vs. Tier 3)


| Provider (Authorized Lab) | Tier 2 Assessment | Tier 3 Assessment | Pricing (Tier 2 / Tier 3) | Turnaround Time | Contact / Process | Notable Services | Google-Preferred? |
|---|---|---|---|---|---|---|---|
| TAC Security (ADA Lab, India) | Yes: functional scan validation | Yes: comprehensive audit | $540/app (Tier 2 basic); premium plans up to $1,800; $4,500/app (Tier 3) | ~1–3 weeks (Tier 2); ~2–4 weeks (Tier 3) | Online portal (CASA.tacsecurity.com); sign SOW and upload code | Guided remediation; 2 to unlimited re-scans included (by plan); fastest turnaround | Yes: Google’s preferred partner |
| Leviathan Security (USA) | Yes: lab-verified scan | Yes: lab-tested full assessment | Tier 2: $3,000 (30-day start), $4,500 (10-day), $6,000 (2-day priority); Tier 3 by custom quote | 3–5 weeks (depends on plan; faster for priority Tier 2) | Web form or reserve online (Stripe payment for Tier 2) | “White-glove” support fixing issues; one free retest included | No (authorized lab, not specially endorsed) |
| Bishop Fox (USA) | No (Tier 2 not offered) | Yes: comprehensive pen-test | Custom quote (scope-based) | ~2–3 weeks fieldwork + reporting | Online request form (response within 24h) | Deep manual testing by seasoned team; can provide extra assessment letters | No |
| KPMG (Global/UK) | Yes (authorized; likely on request) | Yes: comprehensive audit | Not public (enterprise pricing on inquiry) | Varies (estimated ~4–6 weeks) | Contact KPMG cybersecurity consulting (email/website) | Big Four firm expertise; global resources for large apps | No |
| NCC Group (Global) | Yes: lab-verified scan (supports Tier 2) | Yes: full security assessment | Not public (quote-based) | ~3–4 weeks (typical) | Contact via NCC Group’s assessment team (web/email) | Extensive app testing experience; supports annual re-tests | No |
| NetSentries (India/USA) | Yes: lab-validated Tier 2 | Yes: lab-conducted Tier 3 | Not public (case-by-case pricing) | 3–4 weeks on average | Google Form to initiate, or direct contact | Post-assessment support and unlimited revalidation cycles | No |
| Orange Cyberdefense (S. Africa) | Yes (available; not widely advertised) | Yes: full security assessment | Not public (regional pricing) | ~4 weeks (est.) | Contact regional office (security assessment unit) | Part of Orange global security; local expertise in cloud apps | No |
| Prescient Security (USA) | Yes: lab-verified Tier 2 | Yes: lab-tested Tier 3 | Not public (flexible packages) | ~4 weeks (est., expedited available) | Contact via website (consultation) | CREST-certified pen testers; supports ADA Accelerator prep | No |
| GDS (Aon’s Cyber Labs) (USA) | Yes (offers Tier 2 validation) | Yes: full Tier 3 assessments | Not public (custom engagement) | ~4–6 weeks (varies by scope) | Contact via Aon Cyber Solutions (GDS Security) | Broad security services portfolio (Aon); can bundle with risk consulting | No |
| DEKRA (Germany) | Possibly (focus is Tier 3) | Yes: comprehensive (self-initiated) Tier 3 | Not public (engagement-based pricing) | ~4–6 weeks (Tier 3) | Contact DEKRA Digital (security consulting) | Encourages proactive Tier 3 even without Tier 2 notice; global testing labs | No |

Table: CASA-authorized security assessment providers for Chrome extensions, showing availability of Tier 2 (lab-validated) and Tier 3 (lab-tested) reviews, pricing (if known), typical timelines, contact method, service highlights, and Google’s preferred partner status.



Provider Profiles and Details




TAC Security (Preferred Partner)



Tiers: Offers both Tier 2 and Tier 3 assessments. Google has explicitly partnered with TAC Security to provide Tier 2 “Lab Scan” validations, and TAC is the only Google-recommended preferred lab for CASA. Tier 3 comprehensive audits are also available through TAC.


Pricing: Tier 2 assessments cost $540 per app under the basic plan (a special discounted rate negotiated by Google). TAC also offers premium Tier 2 packages, for example a $720 “Premium” plan with unlimited rescans and an $1,800 “Enterprise Tier 2” plan supporting unlimited assessments for that app. Tier 3 assessments cost around $4,500 per application for a one-time comprehensive review. (These prices are significantly lower than many competitors’ due to Google’s partnership.)


Turnaround Time: TAC boasts the fastest timelines. Tier 2 validations typically go from start to Letter of Validation in ~1–3 weeks (or as fast as 1–2 weeks with the enterprise plan). Tier 3 audits take ~2–4 weeks from kickoff to completion, given their broader scope. These estimates assume the developer promptly addresses any findings.


Contact & Process: Developers initiate the process via TAC’s online CASA portal. After signing up and providing project details, TAC will arrange a scope of work (SOW) and handle the assessment. The process includes submitting your extension’s source code and scan results (for Tier 2) or granting test access (for Tier 3). TAC’s team then conducts the necessary testing and works interactively with the developer. Google’s CASA program managers specifically direct developers to TAC for Tier 2 (though using TAC is optional).


Service Inclusions: TAC provides step-by-step guidance and support throughout the assessment. All plans include assistance with remediation of any vulnerabilities and multiple revalidation cycles (e.g. the basic Tier 2 plan includes 2 re-scans, and higher plans allow unlimited re-testing until the app passes). TAC touts a 100% success rate in getting clients certified. As a preferred lab, TAC is very familiar with Google’s requirements, which can help streamline the review.


Google Preferred Partner: Yes. TAC Security is the only lab officially labeled a “preferred” partner by Google for CASA. Google worked with TAC to secure discounted pricing for developers, making it a popular choice for Tier 2. (Developers may still choose any authorized lab, but Google’s materials prominently recommend TAC for cost and speed.)



Leviathan Security



Tiers: Offers both Tier 2 and Tier 3 CASA assessments. Leviathan is an App Defense Alliance founding member that helped develop the CASA framework. It provides “lab-verified” Tier 2 assessments (developer-run scans validated by Leviathan) as well as full Tier 3 penetration tests conducted by their security engineers.


Pricing: Tier 2 pricing is tiered based on desired start time: “No Rush” (assessment start within 30 days) for $3,000; “Standard” (start within ~10 days) for $4,500; and “Priority” scheduling (start within 2 business days) for $6,000. Each Tier 2 package includes the full validation and one round of re-testing if needed. Tier 3 pricing is not publicly posted; Leviathan provides quotes case-by-case (given the more extensive scope). Tier 3 is expected to be more costly, reflecting a comprehensive audit of the extension’s code and cloud backend.


Turnaround Time: Depending on the package, Tier 2 assessments can be initiated quickly, e.g. within 2 days for Priority (useful if facing a deadline), though the overall process may still take a couple of weeks for testing and reporting. With standard scheduling, allow on the order of 3–5 weeks total for Tier 2 (including any fixes and revalidation). Tier 3 engagements similarly span a few weeks; Leviathan coordinates start dates with the client and recommends scheduling well before Google’s due date.


Contact & Process: Leviathan encourages clients to reserve Tier 2 assessments directly via their website; they even provide “Reserve Now” links for each pricing tier (integrated with Stripe for payment). This streamlines kicking off a Tier 2 review. For Tier 3 or more customized needs, a contact form or email inquiry is used. Once engaged, Leviathan’s team will guide the developer through providing necessary access (such as extension source code, test accounts, etc.), perform the security testing, and then deliver a detailed report and validation letter.


Service Inclusions: Leviathan prides itself on a “white-glove” experience, handling many of the painful parts of the process on behalf of the client. They emphasize clear communication of results and remediation guidance. All Tier 2 packages include at least one free re-test (to validate fixes) and consultation on how to address any high-severity findings. Their Tier 3 assessment will cover all 73 CASA/OWASP requirements in depth, and they offer to validate any applicable security certifications the client already holds to potentially skip certain checks (via the CASA Accelerator program).


Google Preferred Partner: No. Leviathan is a trusted authorized lab but not specifically singled out by Google as a preferred vendor. (Google’s documentation currently only names TAC Security in that role.)



Bishop Fox



Tiers: Tier 3 only. Bishop Fox is an ADA-authorized lab that exclusively offers Tier 3 CASA assessments (they do not perform Tier 2 validation scans). Clients needing a full security review can choose Bishop Fox for the highest tier assessment.


Pricing: Custom quoted. Bishop Fox does not list flat prices; the cost depends on the scope and complexity of the extension/app. During initial scoping, they assess the size of the application, its features, and infrastructure to determine the effort required, then provide a quote. As a leading penetration testing firm, their Tier 3 assessment pricing is expected to be on the higher end (but with corresponding depth and thoroughness).


Turnaround Time: Once engaged and scoped, Bishop Fox indicates that active testing typically takes 1–2 weeks, followed by roughly 1 week for reporting and quality assurance on the deliverables. In total, about 2–3 weeks for the initial assessment results. (Remediation time is not included: if critical issues are found, the developer must fix them before Bishop Fox can issue the final validation, which may extend the timeline.) They aim to schedule the start after the client provides necessary prep materials (like a completed security questionnaire and test accounts) to avoid delays.


Contact & Process: The process starts by submitting a CASA assessment request via Bishop Fox’s website. They have an online form specifically for CASA Tier 3 inquiries, and upon submission a team member typically responds within 24 hours to begin scoping the project. After that, a formal SOW is signed, and testing begins as per the agreed schedule. Throughout the engagement, Bishop Fox will communicate findings, and at the end they issue a Letter of Validation to Google once all requirements are met.


Service Inclusions: Bishop Fox brings deep expertise in manual penetration testing and red-team techniques. For CASA engagements, they focus on the extension’s security posture in a real-world attack context. They can also, upon request, provide a standard detailed assessment report in addition to the CASA-specific validation letter (useful if the client wants a separate attestation or to leverage the results for other security improvements). Bishop Fox ensures all sensitive data shared for testing is handled securely (e.g., via secure file shares). While they don’t explicitly include multiple re-tests in a fixed price, they will re-test after remediation as needed to verify fixes (as required by the CASA program).


Google Preferred Partner: No. Bishop Fox is an authorized assessor but is not a Google-“preferred” partner. Developers choose Bishop Fox for their reputation in security testing rather than for a Google-endorsed discount (indeed, smaller apps tend to use TAC for cost reasons, whereas Bishop Fox often serves enterprise-level clients).



KPMG



Tiers: KPMG is an App Defense Alliance authorized lab (listed by Google) and is qualified to perform both Tier 2 and Tier 3 CASA assessments. In practice, KPMG’s cybersecurity team typically focuses on Tier 3 comprehensive assessments (full audits), given the firm’s consulting orientation. Tier 2 validation services may be available on request, but KPMG has not advertised a self-service Tier 2 offering; developers would engage KPMG as a consultant to handle the entire process if chosen.


Pricing: Enterprise-scale, not publicly posted. As a Big Four firm, KPMG provides customized pricing based on the client and scope. Costs will depend on the complexity of the extension, the environments in scope, and any additional services bundled (such as broader cloud security reviews). Expect negotiated proposals rather than fixed fees. (For context, full security assessments from large firms can range from tens to hundreds of thousands of dollars, though an OAuth app review might be on the lower end of that spectrum.)


Turnaround Time: Variable, often 4–6 weeks or more. KPMG will align timing to Google’s deadlines, but scheduling a team and completing a thorough assessment can take several weeks. They typically require a project kickoff phase (for planning and info gathering), one or more weeks of testing, then reporting and remediation verification. KPMG’s involvement may extend if the client needs more help remediating issues (since they can offer advisory support). It’s advisable to engage KPMG as early as possible to accommodate their timeline.


Contact & Process: There is no instant sign-up; the process involves reaching out to KPMG’s Cyber Security Services or Consulting division. Often this starts with an inquiry on KPMG’s website or via email/phone, referencing the need for a Google CASA security assessment. KPMG will likely set up a consultation to gather details, then present a service proposal. Once agreed, KPMG’s security testers (possibly from its GRC or Penetration Testing practice) will perform the review. The engagement is handled like a professional consulting project, with defined deliverables (e.g., a security assessment report and the Letter of Validation for Google).


Service Inclusions: KPMG brings a broad set of capabilities. In a CASA assessment engagement, they can provide end-to-end service – not only testing the extension and its cloud backend against CASA/OWASP standards, but also helping the client with compliance and remediation. Being a large firm, they can assign specialists for application testing, cloud configuration review, code review, and even extend to privacy or process audits if needed. Post-assessment, KPMG can offer recommendations to improve overall security posture beyond the minimum requirements. (However, this full-service approach means KPMG is often overkill for small developers and is more suited to larger companies seeking a thorough audit or those who must use an internationally recognized assessor.)


Google Preferred Partner: No. KPMG is not specifically a preferred partner for this program. Developers typically choose KPMG for their global reputation or internal policy reasons. Google’s program does not provide any special pricing arrangements with KPMG.



NCC Group



Tiers: Both Tier 2 and Tier 3 services are offered. NCC Group is listed as an authorized CASA assessor and has experience with a variety of third-party app security programs (Google, Meta, etc.). They can validate a developer’s Tier 2 self-scan results or conduct a full Tier 3 penetration test depending on the needs. In practice, NCC Group frequently handles Tier 3 assessments (as many clients engaging NCC will opt for the comprehensive test for assurance purposes).


Pricing: Quote-based. NCC Group will scope the engagement and provide a price quote. The pricing depends on factors like the size of the application (lines of code, number of features), the complexity of the integration (APIs and cloud services involved), and the depth of testing required. As a large security firm, NCC’s pricing is competitive with other top-tier assessors. (They have not published fixed fees for CASA; anecdotal reports suggest costs in the low five figures for a typical app’s Tier 3 review, but each case varies.)


Turnaround Time: Approximately 3–4 weeks for most engagements. NCC Group’s own guidance notes that a standard CASA assessment takes about 3–4 weeks to complete. This includes planning, testing, and reporting. They may accommodate faster timelines if scheduling allows, but developers should plan for a few weeks of process. Annual re-testing (required by Google each year) can often be completed a bit quicker if the app has not changed significantly, though a full retest is still needed each year.


Contact & Process: To start with NCC Group, developers typically reach out through NCC’s web contact form or local office. NCC Group has a dedicated page for “App Security for Google and Meta Platforms” where CASA is mentioned, and interested clients can request more info. After initial contact, NCC will assign a project manager to scope the assessment. The process involves providing NCC with your extension’s details, answering a security questionnaire (so they understand your app’s architecture and data flows), and setting up a testing window. The NCC consultants will then perform the security testing (for Tier 3, this is a rigorous penetration test; for a Tier 2 validation, they would review your provided scan results and possibly spot-check the app). Once testing is done, NCC delivers a report and submits the Letter of Validation to Google upon success.


Service Inclusions: NCC Group offers deep expertise in application security. For CASA Tier 3, they will examine not just the Chrome extension’s code, but also any associated cloud services or APIs the extension uses. They often uncover logic flaws or complex vulnerabilities thanks to their experienced team. NCC can also provide broader security guidance as an add-on, for example advising on improving DevSecOps, or testing other aspects of the application beyond the CASA scope if the client desires. As part of their deliverables, they provide a detailed breakdown of any findings (mapped to OWASP categories/CWEs) and remediation advice. NCC also highlights that these assessments must be repeated annually and helps clients plan for yearly re-testing so there are no surprises.


Google Preferred Partner: No. NCC Group is a well-known authorized lab but not singled out by Google for the CASA program. They are one of the larger options among the authorized vendors, chosen for their expertise and global presence.



NetSentries



Tiers: Offers both Tier 2 and Tier 3 assessments. NetSentries (headquartered in India with global clients) explicitly advertises that as an ADA Authorized Lab they provide Tier 2 validation and Tier 3 assessments for CASA. This means they can validate your self-scan results for Tier 2 or conduct a full security test for Tier 3, depending on what Google requires or what level of assurance you want.


Pricing: Not public. NetSentries has not published set prices on their site for CASA services, preferring to discuss scope and provide a quote. Their services are generally considered more affordable than large global firms (NetSentries is boutique in size), but likely more expensive than the TAC Security discounted Tier 2. For budgeting, one can expect Tier 2 validation to cost a few thousand USD and Tier 3 to be higher, but exact figures require contacting them for a proposal.


Turnaround Time: Standard ~3–4 weeks. NetSentries states that the “standard estimated time to complete a CASA assessment is 3–4 weeks,” though faster turnarounds may be possible in special cases. They work with the developer to schedule a start date after the Google notification. The 3–4 week timeline would cover the initial testing and reporting; if remediation is needed, an additional cycle of fixes and verification could add some time (NetSentries is flexible in coordinating re-tests promptly).


Contact & Process: Starting a CASA review with NetSentries is straightforward. They provide a “Start Your Google CASA” intake form on their website (which links to a Google Form) for interested developers. After submission, their team will reach out to set up the engagement. The process involves NetSentries assigning a security team to your project, who will request necessary materials (source code, test environment, etc.). For Tier 2, you’ll run the recommended scans (if not done already) and send them the results for verification. For Tier 3, NetSentries will perform penetration testing on the extension and its cloud endpoints. Throughout, they maintain communication and may use conferencing to discuss findings. Once all tests are passed, NetSentries will issue the Letter of Validation and can directly coordinate with Google’s portal.


Service Inclusions: Personalized support and flexibility. NetSentries emphasizes a tailored approach, recognizing that each app has unique context and risks. They do not take a one-size-fits-all mentality; instead, they adapt their testing to the application’s technologies and threat profile. Importantly, NetSentries offers post-assessment support; for example, if a developer has questions after the assessment or needs guidance on new features, NetSentries can provide ongoing advice. They also allow developers to switch labs for revalidation (e.g., if you used another lab last year, you can use NetSentries this year), and they handle the required annual re-tests as a continued service. Included with their assessment is at least one remediation cycle (they will re-test fixes and help ensure all CASA requirements are met).


Google Preferred Partner: No. NetSentries is an authorized lab, but not a Google-designated preferred partner. It competes as an alternative to the larger U.S. and global firms, often appealing to developers who want a more customized and potentially cost-effective solution.



Orange Cyberdefense (South Africa)



Tiers: Provides both Tier 2 and Tier 3 assessments (implicitly available). Orange Cyberdefense SA is listed among the authorized labs. As the cybersecurity arm of Orange (the telecom company) in South Africa, it has the capability to perform the required validation scans and full security audits. While Orange Cyberdefense has not widely marketed its CASA service online, being on the authorized list means they can handle Tier 2 validations (should a client request it) and Tier 3 penetration testing for Chrome extensions.


Pricing: Not publicly disclosed. Pricing would be determined upon request. Orange Cyberdefense typically works with enterprise clients in Africa and Europe, so costs are likely similar to other consultative firms, adjusted for local market rates. They would provide a quote after understanding the project’s scope. (Expect Tier 2 to have a fee for a few days of consultant time, and Tier 3 to be higher since it involves a deeper, multi-week analysis.)


Turnaround Time: Estimated ~4 weeks. With a skilled but smaller team in South Africa, Orange Cyberdefense can probably complete CASA engagements within a month’s time, assuming scheduling availability. They will aim to meet Google’s deadlines, but developers should initiate early. If a client from abroad engages them, time zone differences might play into coordination. Expedited timelines would depend on resource availability.


Contact & Process: To utilize Orange Cyberdefense, one would contact their security consulting/services department – likely through the Orange Cyberdefense website or via email/phone to their South African office. Since they may not have a dedicated web form for CASA, it’s best to reference the need for an App Defense Alliance CASA assessment in the inquiry. Orange Cyberdefense will then arrange a meeting to scope the work. The engagement process will be similar to others: sign a service agreement, provide the extension code and environment details, then allow their assessors to perform testing. Communication would be maintained for any findings that need fixing. They will issue the final validation letter when the app meets all requirements.


Service Inclusions: As part of a global security organization, Orange Cyberdefense brings strong technical expertise and knowledge of cloud security. They likely approach CASA assessments by not only checking compliance against the OWASP-based checklist, but also leveraging their experience in real-world threats. They can offer insights into improving security beyond the minimum. Given their regional focus, they might also be more accessible to companies based in EMEA. While specifics aren’t published, Orange Cyberdefense can presumably provide on-site support if the client is local, and possibly more hands-on collaboration. After the assessment, they can connect clients with other Orange services (like continuous monitoring or managed security) if needed. However, for the CASA review itself, the core inclusion is the testing and one cycle of revalidation.


Google Preferred Partner: No. Orange Cyberdefense is an authorized lab but not specially endorsed by Google. It’s one of the options developers have, perhaps chosen by those who are existing Orange customers or those in nearby time zones.



Prescient Security



Tiers: Offers both Tier 2 and Tier 3 CASA assessments. Prescient Security (based in the USA) explicitly mentions a “tiered assessment model” covering Tier 1, Tier 2, and Tier 3 in their CASA service description. Tier 2 is described as Developer Tested / Lab Verified (indicating Prescient will validate your scans), and Tier 3 as Lab Tested / Lab Verified Comprehensive (Prescient conducts a full test).


Pricing: Not disclosed publicly. Prescient Security likely prices engagements flexibly, possibly offering different packages. As a smaller firm, they may be competitive on price. They also mention “tailored assessments” and subscription-based security services on their site, so they might integrate CASA assessments into a broader package. For an indication, Prescient’s related “Verified” security scanning plans start around $2,500/month for continuous services, but for a one-off CASA audit, one would request a custom quote.


Turnaround Time: Roughly 4 weeks is a safe expectation for a full Tier 3 with Prescient, with Tier 2 potentially shorter. They likely align with the standard timeline (3–6 weeks). Being a smaller outfit, Prescient might be able to start quickly and focus on your project, potentially delivering faster if no major issues are found. They also note the importance of timely engagement once you get the Google notice, implying they try to make the process efficient and accurate. They can probably accommodate urgent timelines on a case-by-case basis.


Contact & Process: To initiate, you would contact Prescient Security via their website (they have a CASA page but with no direct sign-up; a “Get a Quote” or contact button is provided). After making contact, Prescient will gather information about your extension and the Google requirements. The process involves Prescient’s team working closely with you; they pride themselves on a transparent, auditable process where you’re informed at every step. For Tier 2, they might assist you in performing the scans (or run their own tools) and then validate the results. For Tier 3, they will conduct a thorough penetration test. Prescient also mentions supporting the ADA Accelerator program, meaning if you have prior certifications (ISO 27001, SOC 2, etc.), they help leverage those to possibly skip duplicate checks. Once testing is done and any issues resolved, Prescient will provide the Letter of Validation.


Service Inclusions: Prescient Security emphasizes an “end-to-end” approach to CASA. They can handle everything from initial self-assessment guidance (Tier 1) to the final audit. Their team includes CREST-certified penetration testers, which is a notable credential. In addition to the core CASA testing, they offer to help with employee security training, documentation, and evidence collection as part of preparation; this thoroughness helps ensure you meet all requirements. They also advertise other security services (like general pentesting and compliance audits), so a client could use Prescient as a one-stop shop to improve security posture while getting CASA certified. After the CASA, Prescient can remain on-call for future re-certifications or any new security assessments needed.


Google Preferred Partner: No. Prescient is an authorized lab but not a Google-preferred partner. They are one of the newer boutique players in this space, offering personalized service.



GDS (Aon’s Cyber Labs)



Tiers: Supports both Tier 2 and Tier 3 assessments. GDS is the former Global Digital Security group, now part of Aon’s Cyber Solutions. GDS (Aon) is listed by Google as an authorized lab. As such, they can validate Tier 2 scan reports and conduct Tier 3 audits. Given Aon’s clientele, they likely focus on Tier 3 comprehensive assessments for enterprise cloud applications, but they have the capability for Tier 2 as well if a smaller app required it.


Pricing: Not public; tailored. Aon’s services are typically custom engagements. If you approach Aon/GDS for a CASA assessment, they will consider the scope and likely price it similar to a specialized penetration test engagement. The cost might be influenced by Aon’s stature (their assessments could be on the higher end, comparable to other large firms). No official price ranges are published for this service.


Turnaround Time: Estimate 4–6 weeks. Aon’s team would schedule the assessment after some planning. Large firms sometimes have slightly longer lead times due to resource scheduling and rigorous internal processes. They will ensure the assessment is done within Google’s required timeframe, but it’s advisable to allow a comfortable margin. Once started, the actual testing might occur over 1–2 weeks, with additional time for reporting and any retesting. Being an annual requirement, Aon can set up a recurring schedule for re-assessment each year.


Contact & Process: To engage GDS (Aon), one would typically start through Aon’s Cyber Labs or Penetration Testing services. This could mean contacting them via the Aon website (they have a penetration testing services page) or through an Aon account manager if your company already works with Aon. Mention that you need an App Defense Alliance CASA security assessment for a Google-integrated app. Aon will likely assign a project lead to discuss scope. The process will involve an agreement on services, after which the GDS security engineers will perform the assessment. Aon/GDS might require you to fill out a detailed questionnaire or provide architecture documents up front, given their methodical approach. During testing, Aon will keep communications professional and might not expose partial findings until the end (firms like these often prefer to deliver vetted results). Once the extension meets all criteria, they will issue the validation letter.


Service Inclusions: Aon’s strength lies in its comprehensive risk perspective. In addition to the technical testing of the extension (per OWASP ASVS standards), GDS can provide insight into broader risk management. They might, for instance, evaluate your cloud deployment against best practices or highlight process improvements. Because Aon offers services from insurance to incident response, they bring a holistic mindset – but for CASA specifically, the core service is ensuring your app meets Google’s security requirements. Aon likely provides a detailed report of findings and recommendations, and if needed, can involve their risk consultants to advise on any remediation strategy (especially for complex issues). They also have experience with similar programs (possibly having done audits for other platforms), so they understand the balance between compliance and security. Post-assessment, Aon can remain as a partner for other cyber needs (like insurance attestations, etc.), but those are beyond the CASA scope.


Google Preferred Partner: No. Aon/GDS is not a special preferred partner; it’s one of the authorized labs available. Companies might opt for Aon if they already trust Aon for other security services or need a top-tier name on their security validation.



DEKRA



Tiers: Primarily offers Tier 3 assessments. DEKRA (known for product safety and certification services worldwide) is an authorized CASA lab. Their CASA service is focused on Tier 3 “self-initiated” assessments – DEKRA encourages developers who haven’t been explicitly required by Google to complete Tier 2 to proactively undergo a Tier 3 assessment with them and obtain all the benefits of CASA. It’s not clearly advertised whether DEKRA will handle Tier 2 validation; however, as an authorized lab they technically could. All of DEKRA’s messaging points to comprehensive Tier 3 testing as their specialty (they assume that a client who comes to them wants the full security certification).


Pricing: Not published. DEKRA likely follows a consultative pricing model. They will set a price depending on the application’s complexity and the extent of testing needed. As an organization historically centered on audits and certifications, DEKRA might structure pricing as a fixed project fee. Developers will need to contact them for a quote. (No community data on DEKRA’s typical charges for CASA is readily available; expect it to be in line with other professional security assessments.)


Turnaround Time: Roughly 4–6 weeks for Tier 3. DEKRA hasn’t given exact timelines publicly, but a full Tier 3 assessment involves comprehensive testing of the app and its cloud environment, which usually takes a few weeks at minimum. DEKRA likely aligns with the standard expectation that a CASA Tier 3 will be completed within about a month once started (plus scheduling lead time). If a developer voluntarily opts for a DEKRA Tier 3 (without Google forcing a deadline), it can be planned at the developer’s convenience. DEKRA will schedule the work once an agreement is in place.


Contact & Process: DEKRA’s website has a section for Cloud Application Security Assessment where they invite interested parties to contact them to arrange an assessment. To proceed, a developer would reach out through that contact (or via email/phone to DEKRA’s digital division). DEKRA will discuss the scope – they might be particularly thorough in defining what parts of the application and infrastructure will be tested. Once that’s done, their security testers (likely part of DEKRA Digital’s cybersecurity team) will conduct the Tier 3 assessment. The process will involve an in-depth review of the extension’s code, testing for OWASP ASVS requirements, and checking cloud storage or servers for vulnerabilities. DEKRA might also perform some manual code review given their background in certification. After testing, they’ll provide a report and the validation letter. DEKRA’s pitch is that even if Google only asked for Tier 2, doing Tier 3 with them provides greater assurance, so their process might slightly exceed the minimum requirements to give a more robust evaluation.


Service Inclusions: DEKRA brings a certification-style rigor. They treat CASA assessments as they would an audit, ensuring all 14 categories of the OWASP ASVS 4.0 are evaluated (as per CASA standards). One benefit of using DEKRA is their independence and reputation in compliance – the DEKRA validation might carry weight with enterprise customers or regulators beyond just Google. They offer clear documentation of what was tested and any gaps found. While details are scant, DEKRA’s services likely include a consultation on the outcome (what to fix, how to maintain compliance). Since they mention that “self-initiated Tier 3 provides all the benefits of CASA,” they focus on how Tier 3 gets you the maximum trust (such as the marketplace security badge and knowing your app is thoroughly vetted). DEKRA can also leverage their global network of experts if an app uses unusual technology, ensuring specialists are involved. After completion, they would remind the developer that the CASA validation must be renewed annually and presumably offer to handle that as well.


Google Preferred Partner: No. DEKRA is not a Google-preferred partner. It’s one of the authorized labs available, chosen often for its strong audit background. Developers might choose DEKRA if they are familiar with DEKRA’s certification services or if they want a particularly formal review.


Sources: Official Google documentation on the CASA program and tiering, the App Defense Alliance’s list of Authorized Assessors, and information from each provider’s website or published materials (e.g. TAC Security’s CASA portal pricing, Leviathan Security’s service page, Bishop Fox’s FAQ, NetSentries FAQ, Google group discussions, etc.). Each assessor’s details (pricing, timelines, services) have been compiled from these sources to provide an up-to-date comparison as of 2024–2025.
