The firm was closing larger enterprise customers. Each new customer arrived with a two-hundred-question security questionnaire and a five-business-day turnaround. The firm's IT lead — a competent generalist wearing three other hats — was spending evenings filling in questionnaires from a working document that contradicted itself across vendors. Two prospective customers had been delayed in procurement; the firm was not sure how many had walked away without telling them.
A written security posture before procurement asked
A six-week NIST CSF-scoped assessment for a mid-market services firm fielding enterprise security questionnaires faster than its IT lead could answer them.
- Client
- Professional services firm, ~600 employees, multi-office, US.
- Duration
- Six weeks
- Practice
- Cybersecurity
- Identity, access, and authentication posture, including the firm's M365 tenant and the production SaaS stack
- Data-handling review for customer material, with a written threat model written for the firm — not for generic enterprise IT
- Vendor and sub-processor mapping against the data each vendor actually touches
- Incident-response readiness, including a tabletop exercise against an insider-threat scenario
- A bound security posture document calibrated to enterprise procurement questions
Week 0 was a thirty-minute scoping call with the VP of engineering and the firm's IT lead, producing a signed scope document the same day. Weeks 1–4 were quiet, structured review against NIST CSF, calibrated to the firm's actual threat model. Findings were ranked by exploitability with a remediation cost estimate for each. Week 5 was the tabletop — three hours, the leadership team in one room, working through a scenario that exposed two assumptions the firm had been operating under without realising it. Week 6 delivered a thirty-six page bound posture document the firm could hand to procurement on a Tuesday morning.
The next enterprise questionnaire the firm received — 187 questions — was answered in a half-day of administrative time by referencing the bound document. The firm now keeps the posture document on a quarterly review cadence with a named owner. Three of the eight remediation items have been closed in-house; the other five are scoped for a follow-on implementation engagement, on the firm's timeline, not under deal pressure.
The argument that wins inside a firm is rarely "what does a breach cost." It is "what are we paying right now to operate without this in place." In this engagement, the answer was three lost evenings per questionnaire and an unknown number of deals that quietly went elsewhere.
Short excerpts representative of the actual documents shipped in this engagement. Anonymised to preserve client confidentiality; faithful to the structure and substance of what we delivered.
Out of scope: penetration testing, red team activity, code review of customer-facing applications. The engagement is a posture assessment, not an offensive exercise. If findings reveal a gap that warrants offensive validation, we will scope that separately.
The firm's M365 conditional-access policy excludes service accounts from MFA. Two of those service accounts have global-admin equivalents. An attacker who obtains the password for either account — through phishing, credential stuffing, or a leaked dev environment — has unconstrained tenant access. Severity: High. Effort to remediate: 2–4 hours.
The leadership team had assumed that a ransomware event would be detected by the firm's EDR within minutes. The exercise revealed that the EDR's alerts route to a shared inbox monitored business-hours only. Median detection on a Friday evening incident: 38 hours.
We respond within two business days. Scoping calls are obligation-free and run thirty minutes.

