The hard parts of this work are judgment calls — what actually reduces your risk, whether a control truly closes a gap, and what to do first when something goes wrong. A dashboard can't weigh those. So rather than hand you software and walk away, we work through each one with you, bringing the experience of someone who has done it before. You stay in control of every decision; our role is to make sure it's well-informed.
No. Securidigm provides decision-support and prepares draft documents. It is not an audit, a certification, or legal advice. Every finding is reviewed by the advisor before release, and where a regulation applies to your business, its applicability is confirmed with your own counsel before you rely on it.
Everything is confidential, and nothing is ever published. Wherever practical we work inside your own environment, so your data stays with you, and where we review your documents we do so live — keeping notes, not copies. One step is automated: to produce your draft documents, your assessment information is processed by our AI provider (Anthropic's Claude), under its confidentiality and data-use terms and used only to generate those drafts — and it is not used to train AI models. Discretion is a design requirement, not an afterthought.
An assessment is a sensitive picture of your controls, so it's handled that way end to end. There's no internet-facing questionnaire to attack — responses are recorded directly into a single, encrypted workstation; your documents are reviewed live rather than copied; video sessions aren't recorded by default; and the one automated step (AI drafting via Anthropic's Claude) processes your information only to generate drafts, never to train models. The full detail — collection, storage, retention, and return — is in our Client Data Handling Statement, which your security, procurement, or vendor-risk team can review before we start.
Primarily remotely — secure video working sessions with your team — which lets us serve businesses across the U.S. and beyond. When an on-site visit genuinely adds value, we can arrange one, with reasonable travel-related expenses reimbursed. Either way, you work with the same advisor throughout.
A maturity scorecard, a prioritized 30/60/90 roadmap, a tailored policy set (information security, incident response, backup & recovery, vendor and data handling), a risk register, a technical task list routed to your IT team or MSP, an executive report for leadership, and a cyber-insurance readiness summary (illustrative — not insurance advice). For our most thorough engagements, or where separately scoped, a threat-informed defense report, a prioritized technical action plan, a breach pre-mortem, and a detection-gap analysis mapped to MITRE ATT&CK®. Where scoped, a facilitated tabletop with an after-action report; and in a retained relationship, scheduled reassessments with a posture-improvement report showing your progress over time.
The framework spans 106 subcategory outcomes across six functions, and your scoping tier sets how much of it applies to a business your size. A Comprehensive engagement scores all 106; Essential and Enhanced focus on the outcomes that matter most at that size and complexity, broadening as the tier rises — and every tier reads across all six functions. Within that scope the questionnaire is deliberately right-sized: concrete questions tied to what drives your scorecard and roadmap, not an exhaustive checklist mirroring every illustrative NIST Implementation Example (which NIST itself calls illustrative, not mandatory). It’s an advisory assessment built to drive your remediation program — not a formal audit or certification.
On top of the framework score, we connect your specific gaps to real attacker behavior using MITRE ATT&CK® — the open, industry-standard catalog of how intrusions actually happen. You get a plain map of which attacker techniques your current posture leaves open, the kinds of attackers known to target businesses like yours, and whether your current logging would even catch an intrusion in progress — plus a prioritized technical action plan (the specific control-level moves that close those techniques, ranked by impact) and a short narrative of your most likely incident, written before it happens, ending in the fixes that prevent it. It's computed from your own answers through a published method, never AI guesswork, and built only on free, openly-licensed MITRE frameworks. “Exposure” means an attack path is less obstructed — it is never a prediction that an attack is coming. Part of our most thorough engagements, and available as a scoped add-on otherwise.
Yes — most of the risk is financial and operational, not regulatory. Ransomware, business-email fraud, account takeover, and vendor breaches don't care how big you are or whether a rule names you; small teams are targeted precisely because defenses are thinner. If a regulation does apply to you (HIPAA, PCI-DSS, state privacy, and the like), the program is simply tailored to reflect it.
No — we work with them. Securidigm is advisory: we assess your posture, decide what to fix and in what order, and hand your IT team or MSP a concrete, owned task list. We don't sell or manage the tools; we make sure the right things get done and verify they're actually working.
An assessment is typically 3–5 weeks; a full program build is usually 8–12 weeks, depending on the size of your environment and how quickly your team can get us the information we request. A retained relationship then keeps the program current month to month.
A confidential, no-obligation conversation is the fastest way to get a straight answer about your business.