Security Consulting
Practical security grounded in what changes behavior, not what looks good in a report. Assessments, identity hardening, and policies your team will actually follow.
Start a conversation
Who this is for
Security problems tend to surface in one of a few predictable ways. If any of these sound familiar, it's worth a conversation.
Your IT is handled by an MSP or a generalist. Conditional Access, admin account hygiene, MFA enforcement: nobody's looked at these deliberately. That's normal. It's also fixable.
A phishing hit, a compromised account, a ransomware near-miss. Something happened and now it's time to close the gaps, before you have to explain it to clients or regulators.
Cyber insurance renewal requirements tightened, a client sent a security questionnaire, or a vendor is asking about your posture. You need documentation and actual controls, not just a policy PDF.
The defaults aren't secure. Conditional Access, MFA enforcement, admin role separation, and legacy authentication all require deliberate configuration that most MSPs skip.
Scope
Scope is confirmed during a discovery call. Engagements can focus on a specific area or cover the full posture review.
Ongoing security posture oversight, quarterly reviews, tracking against baseline, and vendor accountability: that's part of the Fractional IT Director retainer.
The process
Most security assessments produce a long list. This one produces a short, prioritized list, and then we work through it.
Review of your environment: identity management, MFA posture, admin practices, email security configuration, endpoint state, and backup and recovery. I look at what's actually configured, not what the policy says.
Findings sorted by risk and effort, not alphabetically, not by severity score alone. You get the 5–10 things that actually matter right now, not a 200-item laundry list that nobody acts on.
I work through priority items with you or alongside your MSP. That means writing the Conditional Access policies, configuring the settings, and closing the gaps, not just documenting them.
Security policies, admin procedures, and a security baseline you can measure against going forward. The engagement closes with something your team can actually use, not just a PDF to file away.
Let's talk about your security posture
Tell me where you are and what prompted the question. I'll tell you honestly whether it's a problem worth addressing right now, and what addressing it actually looks like.