Assessment.
Find out what is actually wrong before deciding what to fix. Each ends in a written report a senior person at the client can act on without an interpreter.
Discuss an engagementSecurity assessment
Two-to-four-week scoped review of identity, access, network posture, and data handling. The report ranks findings by exploitability, not by checkbox.
NIST CSF gap analysis
Structured posture review against the framework, calibrated to the client's environment and threat model. The framework is the structure; the report is the deliverable.
Secure architecture review
Threat modelling, trust-boundary analysis, and cryptography review on systems before they hit production. Design-doc phase, not retrofit phase.
Document architecture review
DMS configuration, retention defaults, ethical-wall enforcement, audit-trail design. The boring decisions that decide privilege exposure for law firms.
Vendor & third-party risk
DPA review, sub-processor mapping, and questionnaires calibrated to the data each vendor actually touches — not the standard 200-question matrix.

