Service Line · 05 / 07 · Advisory · Retainer
We are not a managed security services provider. We are the advisory layer above one. Our cyber work focuses on governance, risk posture, and the questions a board or insurer actually asks — not another tool recommendation.
— The difference
Most cyber advisory engagements end with a tool recommendation. Ours end with a risk-prioritized program that your board, your insurer, and your leadership team can actually act on — because it was written by practitioners who understand both the threat and the organization.
— Read this first
Run our Cyber Governance Readiness Assessment on your current posture. It's a 50-point review of board oversight, documentation, regulatory alignment, and insurer-facing evidence — not a technical security audit. The gaps it surfaces are the ones regulators, underwriters, and plaintiffs’ counsel identify first.
PDF · emailed immediately · 16 pages · Board & Audit Committee edition
— Overview
Cyber security is the domain where mid-market organizations are most exposed and most oversold. The vendor ecosystem is enormous, the technical complexity is real, and the gap between what organizations are told they need and what they actually need is significant. Most mid-market companies without a full-time CISO have purchased security tools they don't fully utilize and lack the governance framework to prioritize what actually matters.
Our cyber advisory is governance-first. We help organizations understand their actual risk posture — not in the abstract, but in the specific context of their industry, their data, their vendors, and their adversary profile. We evaluate programs against recognized frameworks (NIST CSF, ISO 27001) and translate the findings into the language that boards, insurers, and senior leadership actually use when making decisions.
We are not a managed security services provider, a penetration testing firm, or a tool reseller. We are the advisory layer that helps an organization understand where it stands, what it needs to prioritize, and how to talk to the technical teams and vendors that execute on those priorities. For organizations without a full-time CISO, we can serve as that function on a retainer basis.
— How we work
Four phases · scoped individually to the client
We establish the threat context — the realistic adversary scenarios and risk scenarios relevant to your industry and data profile — and evaluate your current program posture against those risks. This is a governance-level assessment, not a technical penetration test.
We map your current program against a recognized framework (NIST CSF is most commonly requested for insurance and board purposes) and identify gaps, control weaknesses, and priority areas. The output is a maturity assessment that tells you where you stand relative to a recognized standard.
We deliver a written findings report with executive summary, board-ready risk register, and a prioritized remediation roadmap organized by risk reduction impact. Recommendations are technology-agnostic — we tell you what capability you need, not which vendor to buy it from.
For organizations that need ongoing guidance — quarterly board briefings, insurance renewal support, vendor evaluation, incident response advisory — we provide a fractional CISO retainer. This gives you senior-level security judgment on demand without the cost of a full-time hire.
— Investment
Ranges shown reflect single-location mid-market engagements. Multi-site, complex, or urgent engagements are scoped individually. A thirty-minute consultation is the fastest path to a written proposal.
Cyber Risk Assessment
Includes executive findings report and board briefing
$5,500 – $12,000
Framework Gap Analysis (NIST CSF / ISO 27001)
Maturity assessment, gap roadmap, and remediation prioritization
$7,500 – $18,000
Fractional CISO Retainer
Quarterly board briefings, insurance support, ongoing advisory
$3,500 – $6,500 / month
— Common questions
A penetration test is a technical exercise that identifies exploitable vulnerabilities in specific systems. A cyber risk assessment is a governance-level evaluation of the organization's overall security posture — controls, policies, vendor management, incident response readiness, and alignment with regulatory requirements. Most organizations need the assessment before a penetration test is useful, because the assessment tells you where to test.
Yes. SOC 2 attestation requires a licensed CPA firm — we are not that. But the NIST CSF assessment your insurer is asking for, the security documentation they want to see, and the narrative that explains your program are exactly what we provide. Many organizations engage us to prepare for the SOC 2 audit or to respond to insurer questionnaires with credible documentation.
Typically 8–15 hours per month, delivered as a combination of scheduled advisory calls, written deliverables (board briefings, vendor assessments, policy reviews), and on-call availability for time-sensitive questions. The engagement is sized to the organization — a 50-person company has different needs than a 400-person one.
— Related capability
— Engage
Pick the path that matches where you are. Most prospects work the first option, then move to a call. Some skip directly to scope.
— Read first
The Board & Audit Committee edition. Oversight evidence, regulatory alignment, insurer-facing documentation — the governance layer that sits above the controls. Not a technical security audit.
PDF · emailed immediately · 16 pages
— Talk it through
Direct line to a principal. Bring your situation; leave with a written read on what the engagement could look like and whether we’re the right firm for it.
Free · 30 minutes
— Move
Already know the scope you need? Send the situation in writing and we'll respond with a written proposal, timeline, and investment range — usually within one business day.
Scope · timeline · investment
