Find out what is actually open.
A two-week structured assessment of your environment. We look at identity, endpoints, email, network, backups, and people. You get a scored report, a prioritized fix list, and a clear conversation about risk.
Most small businesses find out too late.
Ransomware in BC and Alberta is no longer a big-city problem. We see law firms, accounting firms, manufacturers, and First Nations administrations hit every month. The cheap insurance policies stopped covering it. The cleanup runs five to six figures. An assessment is a fraction of that.
You cannot fix what you cannot see
Most owners genuinely do not know whether MFA is enforced everywhere or just suggested. The assessment ends the guessing.
- VISIBILITY
Prioritize the right work
There are always 30 things you could do. We sort them by likelihood of attack and cost to fix, so you do the right five first.
- PRIORITIZED
Talk to the board
A scored report in plain English you can hand to your owner, partners, or governance committee. No jargon.
- BOARD READY
What we look at across the environment.
Six domains, scored on a five-point scale. Each domain is a section in the report with findings, risk level, and recommended action.
Identity and access
Microsoft Entra or Google Workspace identity. MFA coverage. Conditional access. Privileged accounts. Shared logins. Stale accounts.
- MFA
- CONDITIONAL
Endpoints
Workstations and laptops. EDR coverage. Patch status. Disk encryption. Removable media policy. Admin rights.
- EDR
- PATCH
Email and communications
Spam filtering, anti-phishing, DMARC, link protection, attachment sandboxing. Plus the actual user training history.
- DMARC
- PHISH
Network
Firewall posture, segmentation, guest Wi-Fi, VPN, remote access tooling. Exposed services on the public IP.
- FIREWALL
- VPN
Backup and recovery
Backup coverage, frequency, immutability, off-site copy, restore testing. We will actually do a restore.
- BACKUP
- RESTORE
People and process
Onboarding/offboarding, incident response plan, vendor list, written policies, last training session.
- IR
- POLICY
Two weeks from kickoff to read-out.
Most of the work happens on our side using read-only access. You and your team will spend roughly four to six hours total across the engagement.
Kickoff
Sixty-minute call. Confirm scope, get read-only access to Microsoft 365 or Google Workspace, schedule interviews.
Technical collection
We pull configuration from your tenant, EDR, firewall, and backup tool. No agents installed. Nothing changed.
Interviews
Thirty minutes each with the owner, the person who runs IT day-to-day, and one or two staff. We are listening for habits, not testing.
Analysis
Scoring, gap analysis, risk weighting. We benchmark against CIS Controls Implementation Group 1, the standard for SMBs.
Read-out and report
Ninety-minute session walking through findings live. Then a written report in your hands by end of week two.
A report you can actually act on.
Not a 200-page PDF that sits on a shared drive. A clear scored report, a prioritized fix list with costs, and a quarterly check-in to make sure the work happens.
Scored summary
Each of the six domains scored one to five, with the business risk explained in one paragraph. First page of the report.
Findings register
Every issue we found, with severity, evidence, and a specific fix. Sortable. Linkable. Trackable.
- REGISTER
Fix roadmap
What to do this month, this quarter, this year. Estimated hours and dollars beside each item.
- ROADMAP
Executive one-pager
For the board, partners, owner, or buyer of the business. Plain English. No jargon.
- EXEC
Compliance crosswalk
Map of findings to PIPEDA, PIPA BC, and cyber insurance requirements. Saves you from doing this twice.
- PIPEDA
- PIPA
Quarterly check-in
Ninety days after the read-out we re-score the high-priority items to confirm fixes stuck.
- FOLLOW UP
Fixed price. Sized to you.
The assessment is a fixed-price engagement based on user count. Remediation is quoted separately and is yours to keep, in-house, or with another provider.
1 to 15 users
One office, one tenant, simple environment. Two-week engagement.
- $1,950
- SCORED REPORT
16 to 50 users
Multiple offices or remote workers. Some on-prem gear, mixed environment.
- $3,650
- SCORED REPORT
- EXEC ONE-PAGER
51 to 200 users
Multi-site, regulated industry, in-house servers, more vendors. Quoted after a scoping call.
- FROM $5,950
- FULL REPORT PACK
Things people ask us.
If your question is not here, ask. We answer email within a business day.
Is this a penetration test?
Will you install anything?
Can my insurance carrier accept this?
We already have an MSP, is this awkward?
What happens after?
Do you sign an NDA?
Find out where you actually stand.
Most assessments uncover one issue the owner did not know about that is bigger than every other issue combined. Better to find it on a Tuesday than a Saturday at 2 a.m.