What our engagements actually look like.
Public case studies are coming as our founding cohort engagements complete and clients sign off on attribution. In the meantime, the patterns below are anonymized previews of how our typical engagements actually run.
Each pattern describes a real engagement shape: industry, company stage, framework stack, engagement structure, and the specific work we did. Names and identifying details are stripped because the clients prefer it that way during active engagement; full case studies follow with attribution where the client opts in.
Four patterns from across our work.
One per major industry vertical we serve. Real engagements; client-identifying details removed.
Series A B2B SaaS
- Size: 60 employees
- Framework: SOC 2 Type I + Type II
- Engagement: Sprint converted to Embedded retainer
Series A SaaS company with Vanta running and a folder of policy templates. Auditor surfaced 11 findings two weeks before fieldwork. First $400,000 enterprise deal gated on the SOC 2 attestation and a buyer security questionnaire. We ran the 2-week Sprint: traced the auditor findings to actual production controls, surfaced a missing MFA configuration on three SaaS admin accounts, ran a focused pentest on the auth flow that caught two real bugs, and shipped policy rewrites that match how their engineering team actually deploys. Enterprise deal closed three weeks later. Sprint converted to an Embedded retainer for Type II maintenance.
Healthtech
- Size: 45 employees
- Framework: HIPAA + HITRUST e1
- Engagement: Sprint plus 6-month Embedded retainer
Digital health company processing PHI on AWS, with HIPAA already in place. A hospital system buyer started asking for HITRUST certification on a 90-day timeline. The auditor's draft surfaced 11 findings. We ran the gap analysis with their engineering team in week one and shipped policy fixes in week two: BAA library cleanup, MFA enforcement on three forgotten admin accounts, and PHI data-flow diagrams drawn from their real architecture. The auditor cut findings from 11 to 2 between draft and final. The Sprint converted to an Embedded retainer to lead them through HITRUST e1 certification over the following six months.
Fintech (Series B)
- Size: 120 employees
- Framework: PCI DSS 4.0 + SOC 2 Type II
- Engagement: Embedded retainer, sponsor bank diligence
Series B fintech building an embedded payments product on AWS. The sponsor bank deal required SOC 2 Type II plus PCI DSS scoping in 90 days. They had a draft policy package from a previous consultancy, and a customer security questionnaire backlog that had been untouched for six weeks. We mapped the cardholder data flow first, scoped them into SAQ-D (instead of the full ROC their QSA had been quoting, which would have doubled audit cost), and surfaced three IAM misconfigurations that would have failed PCI Requirement 7. Security questionnaire turnaround dropped from 3 weeks to 2 days. The bank deal closed on schedule. SOC 2 Type II ran in parallel through the next six months.
Defense sub-prime
- Size: 50 employees
- Framework: CMMC Level 2 + NIST SP 800-171
- Engagement: Readiness review plus 9-month Embedded retainer
50-person defense sub-prime building software for a tier-1 prime. They received a CMMC Level 2 flowdown clause with a 9-month deadline, and had an outdated SSP from a prior contract and a tabletop exercise no one had run in two years. We started with a 4-week readiness review: a gap analysis against the 110 NIST SP 800-171 controls, a scoping decision (most of corporate IT was out of CUI scope; the engineering environment was in), and an SSP rewrite reflecting their actual AWS GovCloud setup. We drafted the POA&M, prioritized the 14 partial-implementation items, and ran a mock C3PAO audit. They passed the prime's pre-assessment six months later. The engagement continued as a retainer through the actual C3PAO assessment.
Most security firms publish a logo wall on day one and call it social proof. We are not doing that.
The clients above are mid-engagement or recently completed. Some have not finished the case study review process yet. Some prefer permanent anonymity because their security posture is competitive intelligence. Some agreed to attributed case studies and we are working through the editorial cycle.
Our founding cohort agreement asks for case study rights with a written approval gate before publication. That means clients see and approve the exact copy before anything goes live, including whether their company name appears at all. The patterns above describe the shape of our work without putting any client in a position they did not consent to.
Attributed case studies will appear here as engagements complete and clients approve. If you want a reference call from an existing client, ask on the discovery call. We can usually arrange one.
Not ready to talk? Score your SOC 2 readiness.
Twenty questions, a scored PDF in your inbox, a realistic timeline to audit. Free.
Want to see what your engagement would look like?
Three doors. Take the 4-minute SOC 2 Readiness Scorecard, apply for a founding retainer slot, or book a discovery call to scope a Sprint or retainer.