Assess Your Security Program

Identify vulnerabilities. Build a roadmap. Execute with purpose.

Down arrow

Detect risks. Secure systems and people.

CIS Gap Assessment

Is your organization’s cyber security a guessing game for you? We get it. Many small business leaders also struggle to find out where to start improving security, what to prioritize and how to measure and report. To find out the answers of these questions, conducting a CIS Gap Assessment is an effective starting point.

What is a CIS Gap Assessment?

A CIS gap assessment is a step-by-step assessment of your existing security program. Our experts review your cybersecurity program against a IT security framework called the Center for Internet Security (CIS) 18 Critical IT Security Controls, also known as CIS Controls.

Assessing your cybersecurity program against this framework helps you build a solid security foundation to meet industry standards, from cloud to compliance.

CIS Gap Assessment

How to use assessment findings for better security? can support you using the 90 Days to Better Security Approach:

  1. Days 1 – 30: Receive a detailed assessment report that identifies areas to improve and recommendations broken down by cost, effort, threat model and urgency.
  2. Days 31 – 60: discusses assessment findings, recommendations, a strategic roadmap with your team and helps execute remediation activities to address security gaps.
  3. Days 61 – 90: Continue to perform remediation activities and get continuous support from the team to improve security.

Can I find out which types of attacks is my organization most vulnerable to?

Ransomware, email fraud and data breaches are the common attacks that most businesses fear. However, gap assessments do not provide answers to the specific incidents that your organization is most susceptible to – risk registers do. That’s why gap assessments and risk registers are often conducted simultaneously. 

Having findings of both gap assessment and risk register can help you map out the vulnerabilities and contributing factors to incidents. They can also help generate insights to build an effective cybersecurity roadmap as well as a list of best practices. Based on the needs of your organization, you can also conduct gap assessments against other standards like Canada CyberSecure, SOC 2, NIST and ISO27001.

CIS Gap Assessments starting from $5000.

Privacy Gap Assessment

What’s the difference between CIS gap assessment and privacy gap assessment?

Privacy gap assessments review the privacy portion of your overall cybersecurity program thoroughly. In the field of privacy, it typically has its own set of regulatory and compliance standards based on the industry you are in or selling to. Examples include GDPR, Bill 64, and CCPA/CPRA. Privacy gap assessments will assess your existing privacy policies, data processing procedures, privacy breach containment and more.


Why do I need a privacy gap assessment?

The answer is simple and straightforward – it is to ensure that you maintain compliance and safeguard sensitive data.

Clients expect you to help them solve problems, not to create problems. It is your responsibility to protect your clients’ data. If you solely rely on your CRM provider or financial institution to protect the sensitive data you collect, you are putting both your clients and your business at risk.

Deliverables from

Learn more about how you can better protect your clients, employees and organization’s privacy, here.

Privacy Gap Assessments starting from $7500.

Privacy Program

Do you know how susceptible your teams are to cyber attacks? Do a penetration test to find out before they fall victim to an attack.

Pentests (short for penetration tests) – sometimes also called ethical hacking – offer a practical way of testing your cyber security measures using trained professionals. Regular pentests form an essential part of any cyber security program and indeed are mandatory to maintain compliance with various standards such as SOC2 and PCI.

Pentest Approaches

  • Vulnerability Scans

    Scan your environment for known vulnerabilities in hardware and software.

  • OWASP Application Security Verification Standard (ASVS) assessments

    Assess your application security based on the rigorous and standardized framework.

  • Black Box Pentest

    Identify vulnerabilities in a system that are exploitable by ethical testers without previous knowledge of the network.

  • Gray Box Pentest

    Provide a more in-depth assessment of the system and identify the greatest risks and countermeasures.

  • White Box Pentest

    A sophisticated type of testing that provides a comprehensive assessment of both internal and external vulnerabilities.

  • Social Engineering Pentest

    A type of testing that manipulates staff to disclose sensitive information that is valuable for a future attack. This test provides an understanding of staff awareness of security threats.

  • Physical Pentest

    This testing method exposes the weaknesses of physical controls including locks, cameras or sensors.

How to choose the right pentest for my business? works with you to recommend the most effective approach based on:

  1. The data you’re trying to protect
  2. How critical the application or system is
  3. Industry and business objectives

Penetration tests starting from $5000.

Phish Testing

End users are the largest and most vulnerable target in most organizations. Phishing attacks grow every year, making an end-user security awareness training program and regular phishing tests essential for any security programs. We pair our phish testing with security awareness training. Learn more about our user education. 

What is phish testing?

A phishing test is a mock phishing attack simulated by professional security experts. It is created to test how effectively an organization’s employees can resist phishing attacks. Depending on the test results, organizations can work with to carry out various remediation measures to tighten up security and train employees.

Tailor phish testing to your organization

For example:

  1. Include all your employees or a subset, according to your objectives for the test.
  2. Run tests for a month with approximately two emails targeted at each user per week, with a mix of standard and custom messages.
  3. Design remediation activities based on actionable reporting and metrics provides.
  4. Run tests periodically to keep your team’s skills sharp, measure improvements and reduce your risks.

Frequently Asked Questions

Penetration testing is an intrusive practice, as the name suggests. With the intrusive nature of penetration tests, testers get an intimate understanding of the organizations they engage with. Penetration testers can use their experience and identify gaps beyond what insiders may be able to identify alone. Penetration tests allow organizations to make informed security decisions.

Penetration testing is also a requirement for organizations striving to achieve compliance to several industry-recognized certifications.


Small and medium organizations often struggle with the preparation process to get ready for their penetration tests. Penetration tests follow a common approach. The reason there is a common approach is to help define repeatable processes while minimizing the impact of testing to the organization being tested. The steps are as follows:

1. Information Gathering

2. Analysis and Planning

3. Vulnerability Identification

4. Exploitation

5. Risk Analysis and Remediation

6. Reporting and Lessons Learned.

Organizations can modify and adjust the procedures to be catered toward their business processes, but they will typically follow the methodology.