Field notes from the work.
Written from the practitioner seat. Pentest stories, SOC 2 reality checks, and the incident response plan everyone writes and no one tests.
SOC 2 in 8 weeks: the pentester's playbook
Most SOC 2 readiness guides tell you to pick a framework, get Vanta, and hire a consultant. Here is the order I run every Sprint, why I run a pentest in week 1, and the three findings that blow up most audits.
Why I include a pentest in SOC 2 Sprints
A SOC 2 auditor checks that you have a vulnerability management policy. An attacker checks whether your vulnerability management policy is being followed. Only one of them matters if you get breached.
The honest guide to compliance automation
Compliance platforms promise to automate your audit. They automate evidence collection. Everything else still requires a human who knows what they are doing.
Writing an incident response playbook that actually works
Most incident response playbooks have never been used. The ones that get used are not the ones with the most pages. They are the ones with the fewest assumptions.
Two years on: which 2024 cybersecurity trend predictions actually held up
Early 2024 was peak prediction season. Now we can grade them. Some played out exactly as advertised. Others were hype that never connected to a buying decision.
The incident response plan test no one runs
Most incident response plans are binders on a shelf that have never been exercised. Here is a 2-hour test any security team can run this week, and what to do with what it finds.
Ready when you are
Your next move starts with a 30-minute call.
If vCISO.com is not a fit, we will say so on the call and point you toward someone who is. If we are, we will scope a Sprint, the 90-Day Foundation, or a retainer right then.