Cybersecurity & Compliance for NYC & Northern NJ Businesses
We help SMBs and professional firms in New York City and Northern New Jersey meet the security expectations their customers, insurers, and regulators set — without selling the panic. Our work is the unglamorous middle: hardening what you already have, documenting what you do, and being on call when something goes wrong.
What we actually build.
SOC 2, HIPAA, NY SHIELD, NYDFS Readiness
The frameworks your bank, your insurer, or your enterprise customer actually asks about. We map what's required to what you do, identify the real gaps, and produce the policies and evidence in plain English.
Threat Monitoring & Endpoint Detection
Modern EDR on every endpoint, log collection, and 24/7 monitoring with documented response playbooks. Alerts that lead somewhere instead of being ignored.
Incident Response & Recovery
If you've been breached, ransomwared, or had data exfiltrated: a written response runbook, coordinated forensics, communication with insurance and counsel, and a real human on the phone. Retainer arrangements available.
Vendor & Customer Security Questionnaires
The 200-question Excel sheets your enterprise customers send. We answer them once, well, and maintain the answer set so future ones take an hour instead of a week.
The process.
- 01 Assessment
Written assessment against a real framework (CIS Top 18, NIST CSF, or SOC 2 — your choice based on what you need to demonstrate). The output is a prioritized list of gaps, not a sales document.
- 02 Harden
Fix the high-impact gaps first: MFA everywhere, EDR rolled out, backups verified, privileged access controlled, sensitive data identified.
- 03 Document
Policies, procedures, and evidence — written for your business, not lifted from a template. The documentation is what an auditor or customer security review actually needs.
- 04 Operate
Ongoing monitoring, vulnerability management, periodic tabletop exercises, annual assessment refresh. Incident response retainer if you need a guaranteed phone number.
NYC & Northern NJ in person.
Onsite security work in NYC and Northern NJ: physical security walkthroughs, executive office controls, M&A due diligence visits, and post-incident response when remote-only doesn't move fast enough. We're headquartered in NYC and available for kickoff onsite anywhere in the five boroughs same-week. We're in Northern New Jersey roughly twice a week for scheduled onsite work — Bergen, Hudson, Essex, and adjacent counties — and we'll travel for incident response in person when severity warrants it regardless of day. The compliance work itself is largely remote, but the trust we build by sitting at your conference table for the kickoff is what makes the rest go faster.
The stack.
- CrowdStrike / SentinelOne
- Microsoft Defender
- Sumo Logic / Datadog
- 1Password / Bitwarden
- Vanta / Drata
- KnowBe4
We're tool-agnostic and pick what fits the budget and existing stack. SOC 2 automation via Vanta or Drata for firms pursuing certification; manual evidence collection where the spend isn't justified. EDR is non-negotiable — choice is yours among the credible vendors.
Who we work with.
Firms pursuing SOC 2 to win a contract
An enterprise prospect won't sign without SOC 2. We get you to readiness, support the audit, and stay on for the operational requirements.
Healthcare, legal, and financial services
Industries where regulators (HIPAA, NYDFS) and insurance carriers ask specific questions. We answer them properly the first time.
Companies after an incident
Post-breach work, ransomware recovery, lessons-learned engagements. Calm, methodical, and aimed at making sure it doesn't repeat.
Common questions.
- We've never had a breach. Do we need this?
- Most of our work is preventive. The customers and insurers asking for proof of controls are not waiting for an incident. If you sell to enterprises, accept payment cards, store regulated data, or carry cyber insurance, the security baseline is no longer optional.
- Are you a SOC 2 auditor?
- No. We're the firm that gets you ready and supports you through the audit. The actual audit is done by a separate, independent CPA firm — we'll recommend ones we've worked with successfully.
- Can you respond to an incident at 2 a.m.?
- Retainer clients get a 24/7 phone number with a guaranteed response time. Non-retainer clients are best-effort. Either way, the response is U.S. staff.
- Can you do an onsite security review in NYC or NJ?
- Yes. Physical walkthroughs of the office, executive controls, server rooms, point-of-sale equipment — onsite is often where the real findings are. We're NYC-headquartered (same-week onsite across the five boroughs) and routinely in Northern New Jersey for in-person work.
- How much does SOC 2 readiness cost?
- It depends on how mature your controls already are. A typical SMB engagement runs 3-9 months and is priced as a fixed-fee project plus the ongoing operational cost. We'll give you a written proposal after the assessment.
Start a conversation.
Direct reply from the founder. NYC & Northern NJ in person; U.S. clients remotely.