Methodology
How we work.
Every engagement follows the same structured, repeatable delivery model. No ambiguity about what happens when, who owns what, or what you'll receive.
Delivery Model
Five phases. No surprises.
Kickoff & Discovery
2–5 days
Confirm scope, align success criteria, issue pre-engagement questionnaire, and provision access. Every engagement begins with a clear understanding of what success looks like.
Active Analysis
1–4 weeks
Core technical work — automated scanning, manual expert analysis, stakeholder interviews, and configuration review. Minimal client disruption required.
Findings & Recommendations
3–5 days
Internal synthesis of findings. Every finding is risk-rated, prioritized by actual business impact, and paired with actionable remediation guidance.
Draft Review
5 business days
Client reviews draft deliverables. One consolidated feedback cycle included. Feedback must be submitted in a single pass to maintain engagement velocity.
Final Delivery & Closeout
2–3 days
Final deliverables transmitted, executive readout session conducted, recommended next steps documented, and all access securely revoked.
Maturity Framework
Where you are. Where you need to be.
Assessments score each control domain against a 5-level maturity model. Most organizations score 1.5–3.0 on initial assessment. A score of 3.0 (Defined) across all domains represents strong maturity.
Initial
Ad hoc, reactive, undocumented
Developing
Partially documented, inconsistently applied
Defined
Documented, standardized, consistently followed
Managed
Measured, monitored, continuously improved
Optimized
Predictive, automated, industry-leading
Typical Assessment Range
Most initial assessments land between 1.5 and 3.0, the range in which the majority of organizations fall.
Engagement Principles
How we protect both sides.
The Pause Clause
If required access, credentials, or approvals are not available within 5 business days of request, the engagement timeline is formally paused. Paused time does not count against the engagement period or fee. You are never billed for delays that are not within your control.
Fixed-Fee Certainty
Scope is defined before work begins. Fees are fixed for the agreed scope. If a scope gap is discovered mid-engagement, it is documented and addressed through a formal Change Order — never silently expanded or billed without agreement.
Single Revision Cycle
Draft deliverables are provided with a 5-business-day review window. Feedback must be consolidated in a single pass. One revision cycle is included. This keeps engagements focused and prevents scope drift through iterative revision.
Confidentiality-First
Security findings belong to you. Client data is never used in marketing, case studies, or benchmarks without explicit written consent. All client data is retained for 90 days post-engagement and then securely deleted.
Deliverable Standards
What you receive.
Risk-Rated Findings
Every finding is classified Critical through Informational with remediation SLAs, business impact translation, and technical detail.
Phased Remediation Roadmap
Recommendations prioritized into Immediate (0–30 days), Short-term (30–90 days), Mid-term (90–180 days), and Long-term (180+ days) horizons.
Dual-Audience Reports
Executive summaries for leadership with business context. Technical appendices with configuration-level detail for engineers.
Editable Artifacts
All deliverables provided in editable formats. Policies, standards, and frameworks are yours to maintain and evolve.
Framework Mapping
Findings mapped to relevant compliance frameworks — NIST CSF, ISO 27001, PCI DSS, SOC 2, CMMC, HIPAA — with control-level traceability.
Executive Readout
60-minute live briefing walking through findings, priorities, and recommended next steps. No report dropped in a folder and forgotten.
See it in practice.
Every discovery call includes a walkthrough of how this methodology applies to your specific environment and requirements.