Risk assessments that end with a plan, not just a score.
Most assessments produce a heat map and a PDF. Neither fixes anything. Ours produce a quantified risk register, a prioritized remediation roadmap tied to budget and timeline, and a board-ready executive summary — then the same MSSP can execute against it. Aligned to NIST CSF 2.0, ISO 27005, and FAIR, scoped to the regulations and cyber-insurance controls your business actually reports to.
Four deliverables. Zero shelfware.
Every engagement produces the same core outputs — sized to scope, but consistent in structure. Built so the CFO, the auditor, the insurer, and the IT director all see the same version of the truth.
Twelve assessments, three mandates.
Assess finds the exposure. Measure translates it into compliance, privacy, and insurance terms the business already reports on. Validate & Plan turns findings into action the organization can sequence and fund.
Assess: where the exposure actually lives
Cybersecurity Risk Assessment
Enterprise-wide risk assessment aligned to NIST CSF 2.0 or ISO 27005. Covers the Govern, Identify, Protect, Detect, Respond, and Recover functions with quantified findings and an actionable risk register.
Vulnerability Assessment
Authenticated and unauthenticated scanning across external surface, internal networks, endpoints, and servers. Findings triaged to business impact — not a 400-page CVSS dump.
Cloud Security Assessment
AWS, Azure, Google Cloud, and Microsoft 365/Entra configuration review against CIS Benchmarks and vendor-specific well-architected frameworks. Identity, data, and network posture in one report.
Application Security Assessment
Web and API security reviews aligned to OWASP Top 10 and ASVS. Architecture review, authenticated testing, and secure-SDLC recommendations tied to the development team’s actual workflow.
Third-Party / Vendor Risk
Vendor inventory, tiering, security questionnaire design, and individual vendor assessments. The weakest vendor is now an audit and breach-reporting concern — covered end to end.
Measure: compliance, privacy, insurance, maturity
Compliance Gap Assessment
SOC 2 Type II, ISO 27001, PCI-DSS 4.0, HIPAA readiness. Control-by-control evidence review, gap register, and a prioritized remediation plan aligned to your target audit window.
Privacy Impact Assessment
PIPEDA, Quebec Law 25, Alberta/BC PIPA, and Ontario PHIPA-scoped PIAs. Data inventory, cross-border flow mapping, and the regulator-facing documentation the law now assumes you have.
Ransomware Readiness Assessment
Focused review of the controls that actually move the needle on ransomware: identity hardening, endpoint coverage, backup immutability, recovery testing, and IR readiness. Maps directly to insurer questionnaires.
Security Posture & Maturity Assessment
CMMI-style maturity scoring against NIST CSF 2.0 functions and categories. Benchmark against sector peers, identify weakest links, and build a multi-year maturity glidepath.
Validate & Plan: from findings to action
Tabletop Exercises & Scenario Simulation
Executive and technical tabletop exercises against ransomware, data-breach, insider, and third-party scenarios. Validates the assessment’s assumptions against how the organization actually behaves under pressure.
Remediation Roadmap & Prioritization
12- to 24-month remediation plan with cost modeling, dependencies, sequencing, and ownership. Quick wins called out for the first 90 days so momentum is visible before the first board review.
Board & Executive Risk Reporting
Executive briefing deck, board-committee narrative, and quantified KRIs that translate the assessment into the language boards, insurers, and auditors already use. Refreshable on a quarterly cadence.
Findings are table stakes. Sequenced, funded remediation is the product.
A traffic-light heat map is easy. The hard part is telling a CFO which two findings to fund this quarter, which six can wait until next year, and which one will keep the cyber-insurance carrier from raising the premium by 40%. Our assessments end on the CFO's desk, with cost, sequence, and dependencies, not in a SharePoint folder where last year's PDF quietly expires.
- Every finding is scored on business impact, not just CVSS — and translated to dollars where the data supports it
- Quick wins separated from long-plays, so the first 90 days produce evidence the board can see
- Remediation mapped to insurer questionnaires and audit controls — one fix, multiple compliance wins
- Optional: the same MSSP delivers the remediation, so findings become closed tickets, not open RFPs
Four common scopes. Matched to the business driver.
Different pressures need different assessments. Most engagements start with one of these scopes, then expand or repeat on a program cadence. Scope is shaped by the driver — audit, insurance, M&A, or board mandate — not by a template.
Full NIST CSF 2.0
Organization-wide maturity assessment across all six functions. First-time programs, post-incident rebuilds, and CISO-transition baselines.
Compliance Gap
SOC 2, ISO 27001, PCI-DSS 4.0, or HIPAA readiness. Control-by-control evidence review against a target audit framework.
Ransomware Readiness
Focused on the controls insurers now underwrite against: identity, endpoint, backup immutability, recovery testing, IR readiness.
Cyber Due Diligence
Buy-side or sell-side cyber DD, expedited to the transaction timeline. Material findings, hold-back modeling, and integration readiness.
Findings today. Remediation ready to go tomorrow.
A risk assessment that surfaces gaps in detection, identity, recovery, or program leadership is more useful when those gaps can be closed by the same team. Every finding can route into an existing service line with a named owner — or cleanly to your own team or incumbent, if that’s the preference. Either way: no vendor matchmaking the week after the readout.
MDR & SOC
Detection and response gaps surfaced in the assessment closed by a 24/7 SOC with a defined runbook.
Penetration Testing
Validates exploitable paths identified by the assessment, or feeds new findings back into the register.
Virtual CISO
Assessment output becomes the vCISO’s program charter, roadmap, and board narrative on day one.
GRC Advisory
Gap findings feed directly into the control framework, evidence library, and audit operation.
From kickoff to board-ready in four phases.
Every engagement follows the same sequence so stakeholders know what they’re getting, when, and at what level of effort. Tight scope up front; quantified output on the other side; optional remediation lane from day one.
- 01 (Weeks 1–2): Scope & Context. Crown-jewel identification, threat modeling, regulatory driver mapping, and a written scope statement signed off by the exec sponsor before fieldwork begins.
- 02 (Weeks 2–6): Discover & Analyze. Stakeholder interviews, control-evidence review, technical scans, configuration reviews, and documentation analysis. Evidence captured in a structured workpaper, not inferred.
- 03 (Weeks 6–8): Quantify & Prioritize. FAIR-aligned scoring, business-impact translation, remediation cost modeling, and dependency mapping. Every finding gets an owner, a target quarter, and a defensible ranking.
- 04 (Weeks 8+): Report & Remediate. Executive readout, board-ready summary, technical workpaper, and a prioritized roadmap. Optional lane: remediation delivered by the same MSSP on agreed cadence.
Every engagement is led by a named senior consultant — not a rotating pool — with a technical lead and a project coordinator so the engagement runs on a visible cadence from kickoff to readout.
Standard deliverables: scope statement, evidence workpaper, risk register, maturity score (where applicable), remediation roadmap, executive briefing deck, and technical appendix. All provided in editable formats so they feed straight into audit, board, and insurance cycles.
Assessments are re-runnable: the risk register becomes the tracked artifact, so next year’s refresh is a delta — not another six-week engagement starting from zero.
Three shapes, same rigor.
How you consume the work depends on the driver. Point-in-time for a specific milestone; continuous for an organization that needs a living risk register; transaction-driven for M&A. Every model produces the same deliverables — scale adjusts, rigor doesn’t.
Point-in-Time Assessment
Single engagement against a defined scope — enterprise-wide, compliance-framework, ransomware-readiness, cloud, or application. Produces all four core deliverables plus technical workpaper.
Continuous Risk Program
Annual full assessment plus quarterly delta reviews, risk register maintenance, and refreshed board reporting. Assessment stops being an event and becomes a living artifact the program runs against.
M&A Cyber Due Diligence
Buy-side or sell-side cyber DD compressed to the transaction timeline. Material findings, representations & warranties mapping, integration cost modeling, and a post-close remediation plan.
Where the assessment has teeth.
Risk assessments for sectors where findings feed a regulator, an auditor, an underwriter, or a client’s procurement office — not just an internal file.
Legal Firms
Law Society obligations, client-panel security questionnaires, and professional-liability carrier risk reviews now require a formal assessment on file.
Financial Services
OSFI cyber expectations, FINTRAC and IIROC (now CIRO) compliance, and registration audits now assume an annual risk assessment against a named framework.
Aerospace & Defense
Controlled Goods Program governance, ITAR/EAR cross-border flow mapping, and prime-contractor security flowdown scored against the right framework.
Know what to fix, and in what order.
A 30-minute scoping call with a senior consultant — not a sales rep. We’ll walk through the business driver, the audit or insurance window that matters, and which assessment scope actually fits. A fixed-price proposal follows inside a week.