Intelligence & Analysis

Deep dives into the evolving threat landscape and practical guides for scaling security programs.

Cybersecurity Audits for Fully Remote Companies: The Framework That Actually Fits a Distributed Workforce
Audits and Compliance | 21 min read


A 47-person fully distributed analytics company received a 38-page security questionnaire from a US health insurer (USD 2.1M ARR pending) with a single load-bearing question: please describe your physical security controls and provide your most recent facility walkthrough report. Twelve states, three time zones, two continents, no office. The company's previous auditor suggested leasing a co-working space for USD 18,000 a year just to satisfy that one question. We answered in four lines; the deal closed eight days later, and the lease was cancelled before it was signed. From 23 audits run on fully remote companies between 12 and 380 employees in the last 18 months, this is the framework. The nine domains that define a real remote-company audit (identity and access, endpoint security, network and home WAN, SaaS sprawl and OAuth, data classification and DLP, secrets and key management, incident response with no NOC, vendor governance, people controls), the seven traps that fail audits even when dashboards look green (MDM installed vs enforcing, personal-device workaround, stale SaaS inventory, no break-glass for credentials, untested IR runbook, 38-hour termination SLA, home WAN survey privacy fights), real budgets by size from USD 14K for 10-25 people to USD 164K for 151-380 people, where the auditor opinion fee really lands (Big 4 vs Tier 2 vs boutique like Schellman/A-LIGN/Prescient/KirkpatrickPrice), evidence collection without an office (the five-step SaaS-to-repo pipeline that audits accept on the first pass), and a 60-day plan from pending to audit-ready. Six FAQ entries on lease-an-office pressure, Type 1 vs Type 2 sequencing, Vanta and Drata limits, multi-country distributed teams, BYOD scope booby traps, and pushing back on auditor travel demands.

6/1/2026
Top 5 vCISO Services for AI and LLM Companies: What Actually Works When Your Product Is a Probability Distribution
vCISO | 20 min read


A Series A LLM-application founder called on a Sunday: their largest customer (a top-10 US bank) had just sent a 41-page AI Vendor Risk Assessment with model lineage, training data provenance, RAG retrieval audit trails, hallucination metrics with a hard upper bound, plus the usual SOC 2 boilerplate. Their generalist fractional CISO read four pages and said let me get back to you Monday. The deal: USD 1.8M in year one. Distilled from 19 AI / LLM engagements over 18 months: the eight AI-specific risk surfaces enterprise buyers now assess, the five vCISO archetypes you will see in your inbox (Big 4 USD 28-95K monthly, AI-native boutique USD 9.5-22K, compliance tool plus advisor USD 3.5-7K, solo SOC 2 fractional USD 5.5-12K, academic cross-over USD 4-9K), with the specific deal categories each one closes and the failure modes that turn a 90-day program into a year of remediation. The five concrete artifacts a real AI vCISO ships in 90 days (AI threat model, model and data inventory, customer-facing AI trust portal, eval and red team rhythm, SOC 2 + ISO 42001 readiness roadmap), the decision tree by stage and customer profile, a five-stage cost table from seed (USD 22-38K per year) to late stage (USD 680K-1.4M), the five mistakes that quietly cost AI startups a quarter (SOC 2-only treatment, premature Big 4, foundation-model inheritance argument, eval vs red team confusion, deferring ISO 42001), and a day-by-day 90-day plan from selection through trust portal launch. Six FAQ entries on AI security expert vs vCISO, SOC 2 vs ISO 42001 sequencing, generalist upskill timelines, pre-revenue minimum viable posture, vCISO evaluation criteria, and HIPAA + AI buyer overlap.

5/30/2026
HIPAA and SOC 2 in One Combined Assessment: When It Saves You Six Months and When It Wastes Six Figures
Healthcare Compliance | 19 min read


A healthcare SaaS founder asked me in March: our hospital customer wants both HIPAA evidence and a SOC 2 report, the auditor quoted two separate engagements, are we being upsold? The honest answer from 22 combined-scope engagements: about half. A correctly scoped combined HIPAA + SOC 2 program reuses roughly 70 to 78 percent of evidence between the two, and running them in sequence typically wastes 4 to 7 months and 35 to 60 thousand dollars in duplicated work. Inside: the procurement shift that made combined the modal request, the decision framework on when to combine and when to separate, the AICPA-blessed SOC 2 + HIPAA report format buyers actually accept in 2026, a real cost decision table for a 30-person SaaS (76,000 to 118,000 dollar swing between sequential and combined), why auditor selection is load-bearing and which one in four CPA firms can actually issue both opinions, the 14-to-20-week readiness schedule, and the five mistakes that quietly turn one combined engagement into two engagements wearing one engagement letter. Six FAQ entries on single-firm HIPAA opinions, adding HIPAA to an existing SOC 2 report, when HITRUST is the better choice, the no-ePHI framing trap, mapping vs opinion, and the pre-Series-A minimum viable posture.

5/28/2026
Top 5 HIPAA Compliance Mistakes Cloud SaaS Companies Make (and What Each One Actually Costs)
Healthcare Compliance | 18 min read


A signed BAA with AWS is not a HIPAA program. From 30 healthcare-adjacent engagements: the five mistakes we find in roughly 80 percent of cloud-native SaaS audits, with the cost of fixing each compared to the cost of finding out the hard way. Includes the ePHI Register pattern, how ePHI leaks into Sentry and Datadog and CloudWatch, the production-to-staging propagation chain we surface in 7 of 10 audits, the Slack and Notion ePHI repository nobody manages, and the missing 164.308(a)(1)(ii)(A) Risk Analysis OCR cites in two thirds of resolution agreements. Cost decision table, 90-day fix plan from $73K to $193K, six FAQ entries on encryption-only programs, Business Associate status, SOC 2 plus HITRUST, early-stage minimums, four-factor breach analysis on observability leaks, and small-team self-serve scope.

5/26/2026
Law Firm Data Breach: The 72-Hour Playbook That Protects Privilege, Coverage, and the Bar Standing
Incident Response | 19 min read


A partner opens a laptop on Saturday morning and finds an extortion email with a sample of client files attached as proof. The next 72 hours decide how much of the matter you keep privileged, whether your ABA Rule 1.6 duty is met, and whether the firm's name appears in a state attorney general's breach register. Hour by hour from a decade of incident response inside law firms: why a legal-sector breach is its own category (concentrated counterparty secrets, standardized cloud tooling, exceptional reputational leverage), the Hour Zero call order that protects privilege and coverage (breach counsel, then carrier through counsel, then forensics on a counsel-signed engagement, then IT, then law enforcement, then clients on counsel's advice), the first 24-hour stabilize-preserve-contain window (identity containment via session revocation not just password reset, M365/Workspace audit-log preservation before retention rolls off, endpoint imaging before reimage, offline backup verification, written chronology), the seven notification clocks running in parallel (state breach statutes, cyber carrier notice clause, ABA Opinion 483/Rule 1.4 client notice, outside counsel guideline clauses, HIPAA 60-day rule, GDPR 72-hour rule, bar rules of professional conduct), the ransom decision tree (backup-restore feasibility first, OFAC check before any payment, exfil-only extortion handled separately, panel negotiator and panel crypto facilitator), the Rule 1.4 client notification letter (five sections, named signer, scoped to the client, breach counsel reviewed, three traps to avoid), and the 30/60/90-day post-incident hardening that aligns to the next cyber insurance renewal. Six FAQ entries on IT-first calls and privilege recovery, who gets a notification letter, what cyber insurance actually pays for, OFAC and ransom legality, access-without-exfil obligations, and small-firm response plans.

5/24/2026
Law Firm Cyber Insurance in 2026: The Underwriting Checklist That Decides Whether a Claim Gets Paid
Risk Management | 17 min read


A cyber insurance policy for a law firm pays out only if the firm was running, and can prove it was running, the exact controls it attested to on the application. This is the practical reading for managing partners and firm administrators. It covers what the policy actually covers (first-party loss to the firm and third-party claims against it, plus the law-firm-specific bar-complaint defense grant), why the application is a warranty rather than a form, the eight gatekeeper controls underwriters now require (MFA, EDR, tested offline backups, email filtering, awareness training, patching, a written incident response plan, privileged access control), the five things that get a law firm's claim denied (misrepresentation, failure to maintain controls mid-term, treating a sublimit as the full limit, late notice, and unread exclusions), the funds transfer fraud sublimit that quietly catches firms handling closing and settlement money, a 60-day plan to apply or renew from a position of strength, how to negotiate better terms instead of just a lower number, why insurance transfers the loss but not the ABA Model Rule 1.6 duty, and six FAQ entries.

5/22/2026
ABA Model Rule 1.6 and Cybersecurity: What the Duty of Confidentiality Requires of Attorneys
Compliance | 18 min read


Most attorneys treat cybersecurity as an IT problem. Since the 2012 Ethics 20/20 amendments, ABA Model Rule 1.6(c) has made it an ethics problem: a lawyer must make reasonable efforts to prevent the unauthorized disclosure of, or access to, client information. This is the practical reading: what Rule 1.6(c) requires, the five-factor reasonable-efforts test in Comment [18], the four ABA authorities that turn one sentence into a working program (Rule 1.1 technology competence and Formal Opinions 477R, 483, and 498), a concrete ten-control set, a decision tree for when the duty escalates, the Opinion 483 breach-response sequence including the duty to notify affected current clients, five misconceptions, a 90-day path to a defensible position, and six FAQ entries.

5/20/2026
Small Business Cybersecurity Cost in 2026: What 30 Real Engagements Actually Spend
Business & Strategy | 20 min read


How much should a small business spend on cybersecurity in 2026? Honest answer: between USD 18,000 and USD 240,000 per year all-in for firms with 10 to 200 employees, depending on five variables. Cost data from 30 engagements: five maturity tiers (Foundation USD 18-32K, Operating Baseline USD 36-68K, Customer-Audit Ready USD 72-130K, Regulated USD 140-210K, Multi-Framework USD 220-420K), seven cost buckets to demand separately, decision tree by regulatory exposure and customer demand, five mistakes that double the bill, 90-day foundation timeline, six FAQ entries on minimum spend, attestation letter vs SOC 2, questionnaire response budget, vCISO right-sizing, and the MSP-vs-cybersecurity-consultancy split.

5/18/2026
Top 5 vCISO Services for EU FinTech in 2026: Who Is Actually DORA-Ready and What Each Costs
Compliance & Regulations | 18 min read


DORA has been in force for over a year. Your EU bank customers expect a named CISO function, evidence-driven ICT risk management, and a vendor management posture that survives a Joint Examination Team visit. The credible vCISO market splits into five archetypes: senior-led firms like Atlant Security (EUR 60K-140K), Big Four advisory (EUR 220K-420K), mid-market regulatory specialists (EUR 130K-240K), boutique cyber consultancies (EUR 110K-220K), and independent vCISOs (EUR 38K-95K). Decision framework, cost table, 90-day onboarding plan, and the five mistakes that turn a EUR 4M contract into a renegotiation.

5/16/2026
Most Stablecoin Losses Aren't Smart Contract Bugs: Why $2B in Operational Failures Came from Configuration, Not Code
Digital Assets | 15 min read


Over 70% of stablecoin and custody incidents since 2022 originate in operational configuration, not smart contract code. A breakdown of five real-world failure patterns (permission sprawl, mint authority misplacement, webhook secret exposure, recovery credential compromise, sub-processor breach via stale API tokens), what each one cost regulated issuers, and the audit domain that would have caught it.

5/15/2026
Cybersecurity for WealthTech Vendors: How to Sell to RIAs Without Losing Six Months in Security Review
Sales Enablement | 14 min read


If you sell software to Registered Investment Advisers, your sales cycle has two phases: the demo and the security review. The first you have practiced. The second kills more deals than price ever has. The eight question categories every RIA asks, the seven contract clauses that close deals, the custodian marketplace certifications, and the trust portal that cuts security review from 8 weeks to 10 days.

5/14/2026
NIST 800-171 Cost and Timeline for Small Manufacturers in 2026: Real Numbers from 12 Months of DARPA/DoD Engagements
Compliance & Regulations | 17 min read


Your prime just emailed a DFARS 252.204-7012 flow-down clause and a 90-day SPRS deadline. You have eight machinists, a dusty network, and no idea what CUI is. Here is what NIST 800-171 actually costs ($103K to $293K all-in for a small shop), how long a credible 12-month implementation takes, the six-figure scope decision that decides whether you self-attest or pay for a C3PAO, and the five mistakes that cost shops their contracts.

5/14/2026
Vanta vs vCISO: Where SOC 2 Automation Ends and Human Judgment Begins
SOC 2 & Compliance | 15 min read


Compliance automation platforms turn a 95 percent green dashboard into a sales asset, but procurement teams still reject the reports, auditors still issue qualifications, and founders still wonder why the engagement cost twice the platform's quoted number. Here is what Vanta, Drata, and Secureframe actually do well, where their automation runs out of road, and what a vCISO does that no tool will ever replace. Data and engagement patterns from a decade of compliance work and 27 startups that ran the hybrid model in the last 18 months.

5/12/2026
SOC 2 Type 1 in 2026: What 14 Real Engagements Cost, How Long They Took, and Where the Time Disappears
SOC 2 & Compliance | 16 min read


A SOC 2 Type 1 is the cheapest way to satisfy enterprise procurement teams that hard-code SOC 2 into vendor contracts, and the most misquoted engagement in the security industry. Here is what 14 of our Type 1 engagements in the last 12 months actually cost, how long they took, where the budget went, where the time disappeared, and the four cases where Type 1 was the wrong move.

5/10/2026
Third-Party Security Attestation Letter: The SOC 2 Alternative That Closes Enterprise Deals in Two Weeks
Sales Enablement | 14 min read


When a Fortune 500 prospect demands SOC 2 and your audit is months away, a Third-Party Security Attestation Letter from a credible firm closes the trust gap in two weeks. Here is what makes the letter credible, what belongs inside it, when it actually works, and how the two-week engagement runs, written from a decade of issuing these for sales-critical deals.

5/8/2026
DORA for SaaS Companies: When You Are an ICT Service Provider to a European Bank
EU Regulation | 13 min read


DORA has been in force across the EU since 17 January 2025. If your SaaS sells to EU banks, payment institutions, insurers, investment firms, or crypto-asset providers, the contractual obligations under Article 30 already apply to you. A practical breakdown of what the contracts say, what 'critical provider' means, how SOC 2 maps to DORA, and how to build a posture instead of negotiating each amendment from scratch.

5/7/2026
HIPAA Security Audit: The Complete Guide to Safeguards, Specifications, and Penalties
Compliance | 14 min read


A HIPAA security audit evaluates whether your organization meets every requirement of the HIPAA Security Rule, covering administrative, physical, and technical safeguards for electronic protected health information. This guide details all 18 implementation specifications, walks through the audit process step by step, and explains the penalty tiers that can reach $2.13 million per violation category.

3/25/2026