Engagement models

Two ways to engage. Scoped to you.

Every engagement is advisor-led and built around your environment — run remotely through secure working sessions with your team, with an on-site visit when it adds value, so we serve small and mid-sized businesses across the U.S. and beyond. The models below are starting points; we set the exact scope together in a confidential conversation. See how an engagement works, step by step →

Assessment & Program

One-time · scoped to you
By engagement · Assessment 3–5 weeks; full program 8–12 weeks
  • Full NIST CSF 2.0 assessment, sized to a scoping tier
  • Maturity scorecard & function-by-function breakdown
  • Risk register — likelihood × impact, with treatments
  • 30/60/90 remediation roadmap
  • Technical task list for your IT team or MSP, with the evidence that confirms each is done
  • Full policy & procedure set, drafted
  • Board-ready executive report
  • Documented risk-acceptance decisions for your board or insurer
  • Cyber-insurance readiness summary (illustrative)
  • Delivered as finished, firm-branded documents — Word files plus one navigable web report
  • Tailored to your environment and walked through for adoption
  • Threat-informed defense report, technical action plan, breach pre-mortem & detection-gap analysis, mapped to MITRE ATT&CK® (where scoped)
  • Facilitated tabletop + after-action report (where scoped)
Scope an engagement

Retained vCISO

Ongoing · annual relationship
By engagement · Monthly or annual retainer
  • Everything in Assessment & Program
  • Scheduled reassessment with a Posture Improvement Report
  • Policy upkeep & program management to closure
  • Quarterly threat briefings for your industry
Discuss a retainer

Indicative timelines assume timely access to your team and the information we request. Components are scoped per engagement — some, such as facilitated tabletops and threat briefings, are delivered only where included in your written engagement agreement. On-site visits, where arranged, are billed at reasonable travel-related expenses. This is decision support, not an audit, a certification, or legal advice. Wherever practical the work runs inside your own environment; anything that must be shared is handled under strict confidentiality.

Questions about scope, timing, or what's included? See the FAQ →

Why advisor-led

You get an advisor, not an account.

The hard parts of this work are judgment calls — what actually reduces your risk, whether a control truly closes a gap, what to do first when something goes wrong. No dashboard can weigh those, and it shouldn't try. So we don't hand you something to figure out alone; we do the work alongside you — inside your own environment wherever practical, so your data largely stays with you.

A retained relationship

A fractional, virtual-CISO relationship: recurring assessments, living policies, facilitated tabletops, and a roadmap project-managed to closure.

An adversary's eye

An intelligence-trained threat lens few can credibly offer — social-engineering and ransomware drills, threat briefings, and the human attacker's perspective on your defenses.

Discretion by design

Built for clients who value privacy: nothing is published, every engagement is confidential, and we work inside your environment wherever practical. What we hold is minimized and returned or destroyed when we're done — and the AI that drafts your documents (Anthropic's Claude) sees assessment information only.

Illustrative scenarios

What an engagement changes.

Illustrative, hypothetical scenarios — not actual clients — that show the kind of change an engagement is designed to produce. Every real engagement is confidential, and nothing is published without written consent.

Professional-services firm

From "we think we're fine" to a real program

Situation: A 40-person firm moving money and client data on informal email approvals, with no written security program.
What we'd do: Full assessment, payment-authorization controls, an incident-response plan, and a business-email-fraud tabletop with staff.
Avg maturity: 1.4→2.8
Unverified payment paths left: 0

Healthcare clinic

Patient data, finally protected

Situation: A clinic handling patient records with unencrypted laptops and backups no one had ever tested.
What we'd do: Full assessment, MFA and full-disk encryption everywhere, immutable backups with a proven restore, and a tailored policy set.
Unencrypted devices left: 0
Successful test restore: 1st

Growing SaaS company

From SaaS sprawl to a managed program

Situation: A fast-growing company with dozens of SaaS tools and no written security program.
What we'd do: Full assessment, MFA enforced across every account, a vendor & data-handling policy, and a roadmap project-managed to closure.
High-risk gaps closed: 11
Accounts on MFA: 100%

Begin

Let's scope the right engagement.

A confidential, no-obligation conversation about your business, what you're protecting, and which model fits.

Start the conversation →