Practice

Boutique consulting for the hard problems nobody wants to own.

Audit calendars about to slip. AI features shipping faster than the AI policy can be written. A new state law that nobody noticed until a customer asked. M&A diligence with a 10-day window. We do the work that needs a senior practitioner on the line — not a junior consultant with a checklist.

Services

What we get hired to do.


Strategic Compliance Assessment

Our flagship 30-day sprint. SOC 2, ISO 27001:2022, and PCI DSS 4.0 reviewed against a unified control map; threat-informed assessment of how the controls actually behave in your environment; a "red flag" report ranking material issues with remediation paths. Designed to surface findings before the formal look-back window opens.

30-day sprint

Audit Readiness & Look-Back Simulation

You have 90 days until your auditor walks in. We rehearse — walkthroughs with each control owner, sampling against the same evidence the auditor will request, drafting a System Description that survives scrutiny. The point is to make Day 1 of the audit boring.

Pre-audit

Privacy Program Build & Operations

Data inventory, lawful-basis matrix, DPIA / TIA framework, DSAR / consumer-rights operations, cross-border transfer governance, vendor & processor agreements. Built once, operable across 20+ US state regimes and the major international frameworks. See Privacy.

Multi-jurisdictional

AI Risk & Governance

AI inventory and risk-tiering, architecture review of RAG / agent / copilot pipelines, LLM & agent red-teaming, ISO 42001-aligned governance build-out. For organizations that want to ship AI and sleep at night. See AI Security.

2026 priority

Virtual CISO / Fractional Security Leadership

Senior security leadership without the cap-table impact of a full-time hire. Right-sized for the Series A / B startup, the post-acquisition portfolio company, or the established business with a CISO transition. Board-level narrative included.

Fractional

M&A & Acquisition Diligence

10-day cybersecurity diligence: control inventory, breach exposure, audit posture, AI exposure, top-of-book risk concentration. Designed to fit inside the diligence window, with a written deliverable that doesn't read like it was generated yesterday.

Time-boxed

TPRM & Vendor Risk

Vendor inventory, tiering, questionnaire automation that doesn't reduce a SOC 2 to a yes/no checkbox, and a continuous-monitoring program that integrates with your existing GRC. Plus the unsexy work: actually reading the SOC 2s on file.

Continuous

Executive & Board Narrative

Translating the cyber program into language that lands with audit committees, finance leaders, and prospective investors. Risk register storytelling, KRI / KPI selection, and quarterly board materials that lead with what changed and what it cost.

Communications

How we engage

A reusable assessment template — refined client by client.

A pattern that works whether you're scaling, integrating an acquisition, or recovering from a finding nobody wants to talk about.

Phase 1 — Scope & situational

Stakeholder alignment, system inventory, prior audits/reports, regulatory exposure, and an explicit list of inclusions / exclusions. We get aligned with your risk lead and start with access to the most-recent audit reports — that single step saves weeks downstream.

Phase 2 — Workpaper & gap review

SME interviews, evidence sampling, control walkthroughs, and a gap matrix. We focus on whether you can say what you do, and do what you say — the audit-tested standard.

Phase 3 — Tactical assessment & report

On-site (or in-environment) assessment focused on the controls that actually carry the weight. Deliverable: a unified control map across applicable frameworks and a red-flag report ranking material findings with remediation owners and timelines.

Optional Phase 4 — Recurring posture

For clients who want this to be a habit rather than a project: lightweight quarterly health-checks, annual full re-baseline, and continuous evidence cadence — particularly valuable in scaling environments where control drift is the real enemy.

Where we focus

Industries we know well.

Data center & infrastructure

Colocation, hyperscale, and edge providers. Physical access regimes, environmental controls, power resilience, and the audit overlap between SOC 2, ISO 27001, and PCI DSS for facilities operations.

Financial services & fintech

GLBA / FTC Safeguards, NYDFS Part 500, PCI DSS 4.0, and the heightened SEC cybersecurity disclosure regime. Plus the AI-decisioning edge cases that fair-lending regulators are now paying attention to.

Healthcare & health-tech

HIPAA, HITECH, Washington's My Health My Data Act, and the HITRUST-vs.-SOC 2 strategic question. Plus the AI-in-clinical-workflow risk surface, which is moving fast.

SaaS & AI-native products

SOC 2 first, then ISO 27001 + ISO 42001 for the AI angle. Multi-tenant isolation, model supply-chain, and the data-flow questions enterprise customers are now asking in security questionnaires.

Private equity portfolios

Acquisition diligence, post-close 100-day plans, and a portfolio-wide cyber posture view that reduces the surprises in the value-creation plan.

Public sector & regulated

StateRAMP / FedRAMP-adjacent posture, CJIS, and the evolving state-level AI rules for public-sector vendors. We work alongside (not in place of) accredited 3PAOs.

About

One senior practitioner, on the line.

Achieving Security is led by Mike Grannan — a long-tenured information-security and compliance practitioner who has spent his career bridging the gap between auditors, executives, and the engineering teams that actually have to operate the controls. Engagements are scoped so that the person you talk to in the discovery call is the person doing the work.

Where it makes sense, we partner with privacy counsel, accredited audit firms, and specialized red-team practitioners — but we don't sell the audit and we don't sell the tool. We sell clear thinking and the artifacts that come out of it.

  • Senior-only delivery — no junior pyramid
  • Plain English, plain artifacts, plain price
  • Vendor-neutral and tool-neutral
  • Written deliverables, not slideware
  • Built to be reusable across your audits

Let's talk

Most engagements start with a 30-minute call.

You describe the situation. We tell you whether we're the right fit, and if not, who is.

Book a discovery call