Kestralis


Cyber Security Advisory

We are not a managed security services provider. We are the advisory layer above one. Our cyber work focuses on governance, risk posture, and the questions a board or insurer actually asks — not another tool recommendation.

— The difference

Most cyber advisory engagements end with a tool recommendation. Ours end with a risk-prioritized program that your board, your insurer, and your leadership team can actually act on — because it was written by practitioners who understand both the threat and the organization.

— Overview

Cyber security is the domain where mid-market organizations are most exposed and most oversold. The vendor ecosystem is enormous, the technical complexity is real, and the gap between what organizations are told they need and what they actually need is significant. Most mid-market companies without a full-time CISO have purchased security tools they don't fully utilize and lack the governance framework to prioritize what actually matters.

Our cyber advisory is governance-first. We help organizations understand their actual risk posture — not in the abstract, but in the specific context of their industry, their data, their vendors, and their adversary profile. We evaluate programs against recognized frameworks (NIST CSF, ISO 27001) and translate the findings into the language that boards, insurers, and senior leadership actually use when making decisions.

We are not a managed security services provider, a penetration testing firm, or a tool reseller. We are the advisory layer that helps an organization understand where it stands, what it needs to prioritize, and how to talk to the technical teams and vendors that execute on those priorities. For organizations without a full-time CISO, we can serve as that function on a retainer basis.

— How we work

The engagement from first call to final deliverable.

Four phases · scoped individually to the client

01 · Risk Assessment

We establish the threat context, meaning the adversary and loss scenarios that are realistically relevant to your industry and data profile, and evaluate your current program posture against those scenarios. This is a governance-level assessment, not a technical penetration test.

02 · Framework Gap Analysis

We map your current program against a recognized framework (NIST CSF is most commonly requested for insurance and board purposes) and identify gaps, control weaknesses, and priority areas. The output is a maturity assessment that tells you where you stand relative to a recognized standard.

03 · Findings & Prioritization

We deliver a written findings report with executive summary, board-ready risk register, and a prioritized remediation roadmap organized by risk reduction impact. Recommendations are technology-agnostic: we tell you what capability you need, not which vendor to buy it from.

04 · Advisory Retainer

For organizations that need ongoing guidance (quarterly board briefings, insurance renewal support, vendor evaluation, incident response advisory) we provide a fractional CISO retainer. This gives you senior-level security judgment on demand without the cost of a full-time hire.

— Investment

Transparent pricing. Scope drives the number.

Ranges shown reflect single-location mid-market engagements. Multi-site, complex, or urgent engagements are scoped individually. A thirty-minute consultation is the fastest path to a written proposal.

01

Cyber Risk Assessment

Includes executive findings report and board briefing

$5,500 – $12,000

02

Framework Gap Analysis (NIST CSF / ISO 27001)

Maturity assessment, gap roadmap, and remediation prioritization

$7,500 – $18,000

03

Fractional CISO Retainer

Quarterly board briefings, insurance support, ongoing advisory

$3,500 – $6,500 / month

— Common questions

What clients ask before they engage.

What is the difference between a cyber risk assessment and a penetration test?

A penetration test is a technical exercise that identifies exploitable vulnerabilities in specific systems. A cyber risk assessment is a governance-level evaluation of the organization's overall security posture — controls, policies, vendor management, incident response readiness, and alignment with regulatory requirements. Most organizations need the assessment before a penetration test is useful, because the assessment tells you where to test.

Our insurer is asking for a SOC 2 report or NIST CSF assessment. Can you help?

Yes. A SOC 2 report is an attestation that only a licensed CPA firm can issue, and we are not one. The NIST CSF assessment your insurer is asking for, the security documentation they want to see, and the narrative that explains your program are exactly what we provide. The same distinction applies to ISO 27001: we assess and prepare your program against the standard, but certification itself is issued by an accredited certification body after its own audit. Many organizations engage us to prepare for the SOC 2 audit or to respond to insurer questionnaires with credible documentation.

What does a fractional CISO engagement look like in practice?

Typically 8–15 hours per month, delivered as a combination of scheduled advisory calls, written deliverables (board briefings, vendor assessments, policy reviews), and on-call availability for time-sensitive questions. The engagement is sized to the organization — a 50-person company has different needs than a 400-person one.

— Engage

Let's talk about scope.

Pricing and timeline vary with the size of your organization, the maturity of the existing program, and the outcome you're engineering toward. A thirty-minute consultation is usually the fastest way to a written proposal.