Cyber security assessment that gives you a board-ready answer in 14 days
Independent risk and compliance assessment for SMB and mid-market. We map every finding to your insurer's questionnaire, your auditor's framework, and your board's risk register — in plain English, with a remediation runbook you can actually act on.
Mutual NDA + BAA signed before kickoff. You own the deliverables. No requirement to engage us for remediation.
Three lanes. Pick by deadline, framework depth, and whether this is one-time or continuous.
All three tiers run on the same senior assessors and the same evidence-based methodology. The difference is depth, framework rigor, and whether you want a snapshot or an ongoing posture program.
- External attack-surface scan (DNS hygiene, exposed services, expired certs)
- Identity posture review (MFA coverage, privileged accounts, dormant identities)
- Endpoint coverage check (EDR sweep, patch latency, local admin sprawl)
- Email defense check (SPF, DKIM, DMARC, anti-phishing posture)
- Backup posture check (3-2-1, immutability, test-restore evidence)
- Insurer-questionnaire-ready evidence packet
- 60-min readout with executive summary deck
- Everything in Quick Snapshot, plus:
- Control-by-control scoring across 8 domains (identity, endpoint, network, cloud, data, IR, vendor, governance)
- Authenticated configuration review of M365 / Google Workspace, AD / Entra ID, EDR, firewall, backup
- Cloud posture review (AWS, Azure, GCP, M365 SaaS) where applicable
- Document review (policies, runbooks, vendor contracts, IR plan)
- Structured interviews with IT, HR, finance, ops leads
- Prioritized remediation runbook sequenced by risk-reduction-per-dollar
- Board deck + technical findings PDF + control-mapping spreadsheet
- Free 30-day Q&A window for clarifying questions
- Initial baseline assessment (Full CIS / NIST scope)
- Monthly external attack-surface scans with diff reports
- Quarterly control re-review against drifted configurations
- Continuous evidence collection for SOC 2 / ISO 27001 audit
- Board-ready dashboard updated monthly
- Cyber insurance renewal packet refresh on demand
- Vendor risk re-scoring as your supplier list changes
- Direct line to a named senior assessor
Eight control domains. Every finding scored, evidenced, and tied back to a framework reference.
No vague findings. Every gap is scored Critical / High / Medium / Low, mapped to the control it violates (e.g. CIS 5.2, NIST PR.AC-1, ISO A.5.16), tied to the asset or process it lives in, and assigned a suggested remediation owner.
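To make the scored-finding format concrete, here is an added Python example (not the assessor's tooling, and not code from this page) that runs three of the Quick Snapshot checks listed above, SPF, DMARC and certificate expiry, over constructed sample evidence and emits findings in the Critical / High / Medium / Low form described here. The DNS answers and certificate dates are constructed inline so it runs offline; the domain example.com is a placeholder; the CIS v8 9.5 reference on the DMARC finding is an assumed mapping to confirm at scoping, and the other references are left as TBD rather than invented.

```python
"""Added example: score email-authentication and TLS-expiry evidence the way
the page describes findings (severity, asset, evidence, framework reference).
Not the assessor's tooling; sample inputs below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Finding:
    control: str        # which check produced the finding
    severity: str       # Critical / High / Medium / Low, as the page scores gaps
    asset: str          # the domain or host the gap lives in
    evidence: str       # what was observed
    framework_ref: str  # control reference; "TBD" = mapping left to scoping


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain: str, txt_records: list) -> Optional[Finding]:
    """Score the SPF record: missing, duplicated, or a permissive 'all' qualifier."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return Finding("SPF", "High", domain, "no v=spf1 TXT record published", "TBD")
    if len(spf) > 1:
        return Finding("SPF", "High", domain,
                       f"{len(spf)} SPF records published; receivers treat this as a permerror", "TBD")
    last = spf[0].split()[-1].lower()
    if last in ("+all", "all"):
        return Finding("SPF", "Critical", domain, "SPF ends in +all: any sender passes", "TBD")
    if last == "?all":
        return Finding("SPF", "Medium", domain, "SPF ends in ?all (neutral)", "TBD")
    if last == "~all":
        return Finding("SPF", "Low", domain, "SPF ends in ~all (softfail); -all is stricter", "TBD")
    if last == "-all" or last.startswith("redirect="):
        return None
    return Finding("SPF", "Medium", domain, "SPF has no terminating all mechanism", "TBD")


def check_dmarc(domain: str, dmarc_record: Optional[str]) -> Optional[Finding]:
    """Score the DMARC policy: absent, malformed, monitor-only, or partially enforced."""
    ref = "CIS v8 9.5 (Implement DMARC; assumed mapping, confirm at scoping)"
    if dmarc_record is None:
        return Finding("DMARC", "High", domain, "no _dmarc TXT record", ref)
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        return Finding("DMARC", "High", domain, "record does not start with v=DMARC1", ref)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return Finding("DMARC", "High", domain, f"missing or invalid p= tag: {policy!r}", ref)
    if policy == "none":
        return Finding("DMARC", "Medium", domain,
                       "p=none: monitoring only, spoofed mail is still delivered", ref)
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        return Finding("DMARC", "Low", domain, f"p={policy} applied to only pct={pct}", ref)
    return None


def check_cert_expiry(host: str, not_after: datetime, now: datetime) -> Optional[Finding]:
    """Score a TLS certificate by days remaining before its notAfter date."""
    days_left = (not_after - now).days
    if days_left < 0:
        return Finding("TLS", "High", host, f"certificate expired {-days_left} days ago", "TBD")
    if days_left < 14:
        return Finding("TLS", "Medium", host, f"certificate expires in {days_left} days", "TBD")
    return None


# Constructed sample evidence standing in for live DNS answers and a certificate scan.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE = {
    "domain": "example.com",
    "txt": ["v=spf1 include:_spf.example.net ~all", "google-site-verification=abc123"],
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "hosts": {"mail.example.com": NOW - timedelta(days=3),
              "www.example.com": NOW + timedelta(days=60)},
}


def run_email_and_cert_checks(sample: dict, now: datetime) -> list:
    """Run every check over one sample and return only the gaps found."""
    findings = [check_spf(sample["domain"], sample["txt"]),
                check_dmarc(sample["domain"], sample.get("dmarc"))]
    for host, not_after in sample["hosts"].items():
        findings.append(check_cert_expiry(host, not_after, now))
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in run_email_and_cert_checks(SAMPLE, NOW):
        print(f"[{f.severity}] {f.control} on {f.asset}: {f.evidence} ({f.framework_ref})")
```

Against the constructed sample this yields three findings: a Low for the softfail SPF, a Medium for the monitor-only DMARC policy, and a High for the expired certificate on mail.example.com, each carrying the asset and evidence a reader of the technical findings PDF would expect to see. Swapping the inline sample for real DNS and certificate data is the only change needed to use it on a live scope.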
What the executive readout actually looks like.
Every assessment ends with a one-page executive summary you can hand to your board, your insurer, and your auditor — the same straight answer to all three. Below is a redacted sample from a real engagement.
Scope: 8 control domains, 153 sub-controls, 4-week engagement. Methodology: external scan + authenticated config review + 6 stakeholder interviews + document review.
Above is one slide from a 24-slide deck. Full deliverable also includes the control-mapping spreadsheet (153 rows), technical findings PDF, prioritized 90-day runbook, and the insurer-questionnaire evidence packet.
180-employee accounting firm. CIS v8 IG2 readiness in 14 days. Premium dropped 22%.
A regional accounting firm with offices in Charlotte and Raleigh needed a defensible answer for two pressures hitting in the same quarter: a cyber insurance renewal asking 60+ technical questions, and a board that had read about ransomware in their industry trade press. They picked the Full CIS / NIST tier, compressed to 14 days for the renewal deadline.
"Carolina Ledger Group" · 180 employees · CIS v8 IG2 readiness
- Day 1 Kickoff + scope lock. Mutual NDA signed. Asset list shared, M365 read-only access provisioned, AD audit role granted, EDR console read access added. Senior assessor + cloud specialist + identity specialist assigned.
- Day 2-3 External attack-surface enumeration. 142 subdomains, 38 exposed services, 4 expired certs, 1 RDP host on the public internet. Authenticated config review against M365 hardening baseline started in parallel.
- Day 4-6 Stakeholder interviews completed: IT director (3 hr), HR director (45 min), CFO (45 min), ops manager (30 min), managing partner (kickoff context). Document review of 18 policies and the 2024 IR plan. Backup posture verified by attempting a test-restore on a non-production VM — restore worked at hour 6.
- Day 7-9 Control-by-control scoring against CIS v8 IG2: 153 sub-controls evaluated, scored, evidenced. 94 controls fully in place, 33 partial, 26 not in place. Findings cross-referenced to insurer-questionnaire taxonomy (Coalition + Travelers).
- Day 10-12 Remediation runbook drafted — 47 prioritized actions, sequenced by risk-reduction-per-dollar. 7 P1 actions estimated at 14 days of cumulative effort. Executive deck written. Insurer-evidence packet assembled.
- Day 13 Internal QA review of all artifacts. Three findings re-tested after IT lead reported overnight remediation activity — updated scores reflected before delivery.
- Day 14 Delivery: 24-slide executive deck, 153-row control spreadsheet, 38-page technical findings PDF, 47-action remediation runbook, insurer evidence packet. 90-min readout with managing partner, CFO and IT director.
- Day 75 Outcome: All 7 P1 items closed within 60 days using the runbook. Updated questionnaire submitted to broker. Premium dropped 22% at renewal, two exclusions removed (ransomware sub-limit raised, social engineering sub-limit removed). Board pre-read landed cleanly.
Mapped to the frameworks your auditor, insurer and regulator actually use.
Every finding in the deliverable carries a control reference for at least one framework you're already accountable to. Pick one as the primary mapping at scoping — we cross-walk to the others as needed at no extra fee.
Cyber security assessment, answered honestly.
How long does a cyber security assessment take?
The Quick Risk Snapshot is 5 business days end-to-end, including kickoff, evidence collection, scanning, scoring and a 60-minute readout. The full CIS v8 or NIST CSF 2.0 assessment runs 4 weeks: week 1 kickoff and document review, week 2 technical scanning and interviews, week 3 control-by-control scoring and gap analysis, week 4 remediation runbook and executive readout. We can compress to 14 days for an insurance-renewal deadline by parallelizing scanning and interviews.
What deliverables do we get?
Five artifacts: (1) Executive summary slide deck written for non-technical board members, (2) control-by-control gap analysis spreadsheet mapped to your chosen framework, (3) technical findings report with severity, exploitability and asset context, (4) prioritized remediation runbook sequenced by risk-reduction-per-dollar, (5) evidence packet ready for cyber insurance renewal or auditor review. All five are delivered as both PDF and source format (PPTX, XLSX, DOCX) so you can edit and re-use internally.
Who from our side needs to be on the calls?
Five roles, total time commitment ~6 hours across 4 weeks for the full assessment: IT lead (kickoff + 3 technical interviews, ~3 hours total), HR lead (1 interview on identity, onboarding, offboarding, ~45 min), finance lead (1 interview on vendor risk and approvals, ~45 min), operations lead (1 interview on physical security and BCP, ~30 min), and an executive sponsor (kickoff + readout, ~1 hour). For a Quick Snapshot, IT lead alone is enough — ~2 hours across 5 days.
Will the assessment find everything an attacker would?
No assessment finds everything. We're explicit about this in the deliverable. The full CIS v8 IG2 assessment combines: external attack-surface scanning (Shodan-class enumeration, exposed services, expired certs, DNS hygiene), authenticated configuration review of identity, endpoint and cloud, document review of policy and process, and structured interviews. We do not perform exploitation or social engineering unless you specifically engage us for a penetration test — that's a separate scope. The assessment finds the control gaps that lead to incidents; a pen test demonstrates exploitability of specific paths.
Can the report be used for cyber insurance renewal?
Yes. We map every finding to the standard insurance questionnaire taxonomy used by Coalition, At-Bay, Chubb, Travelers, AIG, CNA and Beazley — MFA coverage, EDR coverage, backup posture, privileged access, email filtering, awareness training, vendor management. The evidence packet is what your broker needs to negotiate premium and remove exclusions. Customers in the last 12 months have averaged a 14-22% premium reduction at renewal after acting on the prioritized runbook.
What frameworks do you assess against?
CIS Controls v8 (Implementation Group 1 or 2), NIST Cybersecurity Framework 2.0, ISO/IEC 27001:2022, SOC 2 Trust Services Criteria, HIPAA Security Rule (45 CFR 164.308-318), PCI-DSS 4.0, NYDFS 23 NYCRR 500 (for licensed financial entities in New York), and FTC Safeguards Rule (for non-banking financial institutions). We can also run a custom framework mapping if you're certifying against a customer-specific control set (Microsoft SSPA, AWS WAF, Salesforce ISVForce).
Are you also the people who will fix the findings?
You decide. Some clients run remediation entirely in-house using our prioritized runbook as the work-plan. Some retain us for the highest-impact items only (typically MFA enforcement, EDR rollout, backup hardening, privileged access cleanup). Some move into our Continuous Risk Program for ongoing managed remediation with monthly attestation. There is no requirement to engage us for remediation — the assessment deliverable is yours regardless. We will tell you honestly which findings are best handled by your existing MSP or in-house team versus where outside specialist help moves faster.
What does pen test readiness mean?
It means the assessment surfaces the issues a pen test would find — before you pay $25-50K for a pen test that comes back full of low-effort findings. We do this by running authenticated configuration review against the same control families a pen tester probes: identity (MFA, privileged accounts, service accounts), endpoint (EDR coverage, patch latency, local admin sprawl), network (segmentation, lateral movement risk, exposed services), and data (sensitive data location, encryption at rest). After remediation, the pen test that follows finds harder, higher-value issues — not the obvious ones.
Do you sign NDAs and BAAs before kickoff?
Yes. Mutual NDA signed before any documents are exchanged. For HIPAA-covered entities or business associates, we sign a Business Associate Agreement (BAA) before any PHI-adjacent system is touched. Standard Master Services Agreement covers liability, IP ownership of deliverables (you own them), data handling, and post-engagement data destruction. All three documents are reviewed and returned within 48 hours of request.
What happens after the assessment is delivered?
Three options: (1) take the deliverables and run remediation in-house — we offer a free 30-day Q&A window for clarifying questions, (2) engage us for prioritized remediation projects on a fixed-fee basis — typically MFA rollout, EDR deployment, backup hardening, identity cleanup, (3) move into the Continuous Risk Program for monthly attestation, quarterly re-assessment, and audit-ready evidence collection. Roughly 60% of full-assessment clients move to option 2 or 3 within 90 days because the runbook makes the next step concrete.
Get a defensible answer in 14 days.
Tell us the goal, the framework and the headcount — we'll send a fixed-fee scope, a kickoff date inside the same week, and a deliverable date you can put on the board calendar. Mutual NDA on request.