Schellman
The largest CPA-firm-based cybersecurity assessor in the US. Unique in holding FedRAMP 3PAO, PCI QSA, HITRUST, ISO 27001, and SOC attestation authority simultaneously.
Featured in: Best Cloud Pen Testing Providers
About
Schellman is the largest CPA-licensed cybersecurity and compliance assessor in North America, headquartered in Tampa, Florida, and founded in 2002. The firm holds the unusual combination of FedRAMP 3PAO, PCI QSA, PCI SSF, HITRUST Authorized External Assessor, ISO 27001 certification body, and SOC 1/2/3 CPA attestation authority. That portfolio makes Schellman one of only a handful of providers that can assess and attest under nearly every major US framework through a single statement of work.
Schellman's penetration testing practice is structured around the requirements of the frameworks it attests to: PCI DSS 4.0 segmentation and scoping tests, FedRAMP annual assessments, HITRUST and SOC 2 supporting tests, and ISO 27001 Annex A.14 validations. Services include web, API, mobile, external and internal network, cloud, and social engineering tests. Engagements are delivered under heavy documentation, evidence, and traceability controls suitable for regulator-facing reporting.
Schellman is the right choice for US enterprises and cloud providers that want pen testing scoped specifically to drive a clean attestation report. Its culture is evidence-first and CPA-disciplined, which is a strength for regulated buyers and a misfit for buyers wanting adversary simulation or deep exploit research.