What we do — and how we decide what you actually need.
Security services get sold the same way to every kind of organization: a catalog of line items with vague scopes, priced for buyers with full security teams. That's not how we work.

The five services below are the work we take on. The bigger thing we do — underneath all of them — is help you decide which ones you actually need right now, which can wait, and which you can honestly skip.

If you're not sure where to start, that's fine. The first conversation is about figuring that out.
Security Readiness Assessment
An honest look at where you stand, scoped to an organization your size.
WHEN THIS MAKES SENSE:
- You've been handed a cyber insurance questionnaire with questions no one's prepared to answer.
- A funder, grant-maker, board, or client is asking about your security posture and you need a real answer.
- You've inherited security responsibility and want to know what shape things are in.
- You've never had an outside set of eyes look at your environment, and it's time.
WHAT YOU GET:
- A clear picture of your current security posture — what's in place, what's exposed, what's missing.
- A prioritized view of what's worth addressing first, second, and later. Not a 100-item spreadsheet.
- Plain-language explanations of each finding — what it means, why it matters at your scale, and what a realistic fix looks like.
- A document you can share with your board, your insurance carrier, or your funder without needing a security translator in the room.
SHAPE OF THE WORK:
A few weeks of discovery and review, not a multi-quarter consulting engagement. We scope to match the size and complexity of your environment, not to maximize hours. And we stay in the conversation after the assessment, so you're not alone with the findings.
Penetration Testing & Security Validation
Testing your defenses the way an attacker would — sized to your environment.
WHEN THIS MAKES SENSE:
- You need to test something specific — your website, your cloud environment, a critical application.
- A contract, grant, or insurance policy requires a third-party penetration test.
- You've recently made a significant change (migration, new system, new integration) and want to validate it before something goes wrong.
- You want proof of what's real — not just a vulnerability scan that flags everything but tells you nothing.
WHAT YOU GET:
- Hands-on testing by a practitioner, not a scanner with a report generator attached.
- A report that distinguishes real risk from noise, written for a human reader.
- A walkthrough of what was found, why it matters, and what fixing it actually looks like.
- A follow-up check on the fixes, so you know the issues you paid to find actually got resolved.
SHAPE OF THE WORK:
Engagements are scoped to the specific system or environment being tested. We're clear up front about what's in scope, what's not, and what the test will and won't tell you. No open-ended scopes and no surprise change orders.
Vulnerability Management
Knowing what's exposed, what's worth fixing, and what you can safely live with — on an ongoing basis.
WHEN THIS MAKES SENSE:
- You've been told you need "vulnerability management" and you're not sure what that means in practice for an organization your size.
- You're running some form of scanning already, but the results either overwhelm you or get ignored.
- You want someone watching for emerging issues (a new critical CVE, a new exposure) without hiring a full-time internal resource.
- You need to show a carrier, funder, or regulator that vulnerability management is in place — and have it actually be true.
WHAT YOU GET:
- Regular visibility into what's exposed across your environment.
- A filter between the noise and the signal — we triage findings so your team doesn't drown in a weekly 400-item report.
- Clear guidance on what needs to be fixed this week, what can wait, and what you can defer indefinitely with good reason.
- A written record of decisions — so when a questionnaire asks "how do you manage vulnerabilities," you have an actual answer.
SHAPE OF THE WORK:
Ongoing, at a cadence that fits your environment. Monthly for most small organizations; more frequent only where the environment actually warrants it. We don't push a higher cadence than the work calls for.
Incident Response Support
Help before, during, and after something goes wrong — at a scale that makes sense for organizations without a full security team.
WHEN THIS MAKES SENSE:
- You want a plan in place before anything happens — so if something does, you're not deciding what to do in the middle of a crisis.
- Something is happening right now and you need a practitioner in the room.
- You've had an incident recently and want an honest postmortem — what happened, how to reduce the chance of it happening again, and what to tell stakeholders.
- Your insurance or contract requires an incident response plan, and you want one that actually means something.
WHAT YOU GET:
- Before: A right-sized incident response plan — one that fits your team, your tools, and your reality. Not a 50-page template you'll never use.
- During: A practitioner you can call, who will work the problem with you — not hand you off to a queue.
- After: A clear-eyed review of what happened and a short list of concrete changes that reduce the likelihood and impact of a repeat.
SHAPE OF THE WORK:
Varies by phase. Plans and postmortems are scoped engagements. During-incident support can be a retainer (for organizations that want a call option) or handled ad-hoc. We'll be honest about which arrangement fits your situation.
Practical Security Awareness Programs
Helping your team build the habits that actually reduce risk — without selling you a platform.
WHEN THIS MAKES SENSE:
- You need to show you have a security awareness program in place, for a funder, an insurer, or a client audit.
- You've tried a platform-based training product and found it generated completion certificates without changing behavior.
- Your team is small enough that a per-seat-priced tool doesn't make economic sense, and you want something designed around actual people instead.
- You want phishing simulations or tabletop exercises run in a way that teaches, not shames.
WHAT YOU GET:
- A program shaped around your team, your risks, and the specific behaviors worth practicing.
- Phishing simulations that are realistic for your environment, delivered with a debrief that actually teaches something — not a leaderboard.
- Short, focused training content for the situations your team actually encounters — not a library of generic modules.
- Tabletop exercises for leadership and key operational roles, so the first time your team thinks about an incident isn't during one.
SHAPE OF THE WORK:
Can be a one-time engagement to establish the program, or an ongoing cadence if the organization wants to keep it active. We don't charge per seat, and we don't resell training platforms.
How engagements get scoped.
Three things are worth saying plainly, because they're not how most security firms operate:
1. Scope matches the organization.
A fifty-person nonprofit and a five-thousand-person enterprise should not have the same engagement shape. We don't run a fixed playbook and scale it down; we scope to what the environment calls for.
2. Price matches the scope.
Engagements are priced on the work, not on what the industry thinks security consulting "should" cost. We give you a real number before we start, and we honor it.
3. We'll tell you if the work doesn't make sense.
If a readiness assessment would serve you better than the penetration test you asked for, we'll say so. If the smart move is to wait six months and address something foundational first, we'll say that too. Our job is to help you decide — not to close whatever engagement is easiest to close.
A few things we won't try to sell you.
We don't resell security tools or products. No commissions, no kickbacks, no hidden incentives behind a recommendation.
We won't steer you toward services you don't need. If the right answer for your organization is simpler or smaller than what you're being quoted elsewhere, we'll tell you — even when it means a smaller engagement for us.
We're not trying to become permanent. Most engagements have a clear beginning and end, by design — the goal is to leave you more capable, not more dependent on us.
Not sure which of these you need? That's usually the right question to start with.
A first conversation isn't a pitch. It's thirty to forty-five minutes to understand what you're responsible for, what's already in place, and what's actually prompting this. By the end of it, you'll have a clearer picture of what — if anything — makes sense for you to act on next.