Why Ongoing Beats One-Off
A one-time audit tells you where you were exposed on one day. But your environment changes constantly — new employees, new tools, new vulnerabilities. Without ongoing oversight, today's fixes become tomorrow's blind spots.
As your Security Partner, we own making sure the risks we identified don't turn into incidents over the next 6-12 months.
You're not hiring another IT person or another SOC. You're hiring someone to run the security risk program — track exposure, prioritize remediation, coordinate with your team, and report to leadership. That's what $2K–$8.5K/month buys.
Tiers
- Artifacts: Monthly vulnerability summary, quarterly executive risk memo (2 pages)
- Monitoring: External attack surface scan (weekly automated), cloud config check (monthly)
- Response: Security questions answered within 2 business days
- Scope: Up to 1 cloud tenant, 1 external domain, 75 endpoints

- Artifacts: Monthly KPI dashboard, vulnerability backlog tracker, quarterly executive memo + board slide
- Monitoring: Weekly external scan, biweekly internal vuln scan, continuous cloud posture checks
- Compliance: Evidence collection support for one active framework (NIST, HIPAA, SOC 2, etc.)
- MSP Coordination: Direct collaboration with your MSP/IT team on remediation priorities
- Response: Incident advisory within 4 hours during business hours
- Scope: Up to 3 cloud tenants, 3 domains, 250 endpoints

- Artifacts: Security roadmap, risk register, monthly KPI dashboard, quarterly board package, vendor security review
- Monitoring: Continuous vulnerability management, external + internal + cloud posture
- Compliance: Multi-framework evidence support, policy review, audit preparation coordination
- vCISO Outputs: Tabletop IR exercises (2x/year), security policy lifecycle, vendor risk reviews
- Response: Incident advisory within 2 hours, priority escalation path
- Scope: Up to 5 cloud tenants, 5 domains, 500 endpoints, multi-location
What You Get Every Month
- Vulnerability Triage — We scan, prioritize by real exploitability, and track remediation to closure. Your IT team or MSP executes changes; we validate they're done.
- Attack Surface Monitoring — We watch your external exposure and alert you when something changes — new services, expired certs, exposed ports.
- Compliance Evidence Support — We help you collect and organize evidence for your active framework. We prepare you for audits; the auditor makes the final determination.
- Executive Reporting — Leadership gets clear, plain-English updates with risk trends and remediation progress — not 50-page scanner dumps.
- Incident Advisory — When something happens, we're your first call. We advise on containment and coordinate with your team on response.
How We Work With Your Team
- We advise and validate. Your MSP or IT team executes changes. Clear ownership, no turf wars.
- We don't replace your MSP or manage your infrastructure. We focus on security risk — finding exposure, prioritizing fixes, and verifying they happened.
- We don't run a SOC. If you need 24/7 monitoring, we'll help you evaluate and select the right MDR provider.
- Time from your team: Expect 2–4 hours/month for triage calls + remediation execution, depending on tier.
Your First 30 Days
- Week 1 — Kickoff + Discovery — 60-minute kickoff call. We collect asset inventories, network diagrams, cloud tenant access (read-only), and current tool list. You sign the mutual NDA and rules of engagement.
- Week 2 — Baseline Assessment — Initial vulnerability scan (external + internal + cloud). We establish your baseline risk posture and identify critical/high items for immediate triage.
- Week 3 — First Triage + Roadmap — First triage call with your IT team or MSP. We deliver the prioritized vulnerability backlog and 90-day remediation roadmap with owners assigned (Client IT / MSP / RMA advisory).
- Week 4 — First Executive Report — Leadership receives their first executive risk summary: current posture, critical findings, remediation progress, and next-month priorities. Ongoing cadence begins.
Minimum Commitment
6 months. This isn't negotiable. Security is a process, not a project. Six months gives us time to actually reduce your risk, and it filters out companies that aren't serious.
How Most Clients Start
Most clients start with a Security Risk Review ($4,500–$7,500). After we identify the risks, the question becomes: who owns making sure they get fixed and stay fixed?
That's when most clients keep us on as their Security Partner.