CyberSecure Focused Risk Review

Know where you actually stand before you spend another dollar on security.

Who it’s for

Business owners and executive directors who suspect they have security gaps but can’t name them. Maybe the free website quiz flagged some concerns, maybe your insurance renewal got harder, or maybe a customer just sent you a security questionnaire. This is the paid starting point that comes after the free quiz and the free fit call, and before you commit to any bigger engagement.

The Why

Most small businesses make security decisions blind. They buy tools because a vendor called, they renew policies they’ve never read, and they hope the IT company has it covered. Nobody has ever looked at the whole picture and said “here are your ten biggest risks, in order, and here’s what to do about them.”

Guessing is expensive, but a focused review is not.

What’s included

A structured look at your environment, your accounts, your data, and your current safeguards. Findings are informed by the CIS Controls, a widely used set of security practices, and translated into plain English an owner can act on.

Let’s be clear about what this is: a focused diagnostic and a roadmap. It is not a full framework assessment, and it is not remediation. You get clarity and a plan. What to fix and who fixes it stays your decision, and you can take the roadmap to your own IT team, another vendor, or back to us.

Tiers and pricing

One-time project. All prices are direct and fixed. Delivery timelines: Protect 3 to 5 business days, Defend 5 to 10 business days, Fortify 10 to 15 business days.

Protect: $1,500 (one-time)

  • One focused discovery call, collecting only documents that affect the recommendation
  • Review of MFA, email security basics, backups, access control, payment workflow risk, and incident response basics
  • Plain-English findings summary that explains why each issue matters to the business
  • Top 10 priority list sorted by risk, cost, friction, and business impact
  • Quick wins the client can do immediately without a large project
  • 30-day roadmap with items labeled Fix Now, Fix Next, Can Wait, and Already Fine

Defend: $2,750 (one-time), everything in Protect, plus:

  • Vendor risk and payment workflow review covering third-party and fraud exposure
  • Cyber insurance readiness review identifying weak answers before application or renewal
  • Policy and evidence gap review, not just technical settings
  • Risk-ranked remediation roadmap with owner notes, suggested timelines, and effort levels
  • Leadership-ready summary the owner, CEO, board, or MSP can understand

Fortify: $4,500 (one-time), everything in Defend, plus:

  • Expanded review across Microsoft 365, endpoints, vendors, backups, policies, insurance, SaaS or client review needs, and AI usage concerns
  • Each gap mapped to a recommended service, business risk, urgency, and evidence needed
  • 90-day remediation roadmap with control owner, due date, dependency, and priority
  • Optional executive briefing with plain-English talking points and decision options
  • Service-fit recommendation: what to buy now, what to delay, and what not to buy

Not sure which tier fits? That’s what the Fit Call is for. Most businesses land on Defend.

Frequently asked questions

Is this a penetration test?

No. A penetration test tries to break in. This review looks at how you’re set up and where the gaps are, with no invasive testing and no exploitation. For most small businesses, this comes first and costs far less.

What do we walk away with?

A prioritized picture of your risk and a roadmap you can act on, written in plain English. It’s built to drive decisions, whether you fix things internally, hire us, or bring in someone else.

Will you try to upsell us at the end?

The roadmap stands on its own. The Fortify tier even includes a service-fit recommendation that tells you what not to buy. From my experience, being straight about that is exactly why people come back.

How much of our time does it take?

One focused discovery call plus some document gathering. Most of the work happens on our side. We know you have a business to run, and the process is built around that.

Scope, stated plainly

  • Final scope, timeline, users, systems, domains, vendors, meetings, and deliverables are confirmed before the statement of work is sent.
  • Tool licensing, taxes, travel, remediation labor beyond scope, legal review, engineering work, and pass-through vendor costs are excluded unless written into the SOW.
  • No service guarantees breach prevention, insurer approval, audit success, premium reduction, or a customer contract win.
  • The Focused Risk Review is a diagnostic and roadmap service: no invasive testing, no exploitation, no tool deployment.

The natural first engagement

Take the free quiz, book the free fit call, then start here. You get the review, you get the roadmap, and then you decide what to fix and who fixes it. No retainer required, no long commitment, and no pressure.