CASE STUDIES
Programs we’ve built.
Results that held up.
Anonymized at client request. The work speaks for itself.
SOC 2 TYPE II — SAAS COMPANY
From zero controls to clean Type II opinion.
A 60-person SaaS company had never been through a SOC 2. Their security posture was ad hoc, their policies were templates from the internet, and they had an enterprise customer deal contingent on a Type II report. We built the entire program from scratch — scoped controls, wrote policies, stood up evidence collection, and liaised directly with their auditor.
Outcome:
Clean Type II opinion issued 7 months after engagement start. No exceptions.
GRC PROGRAM — FINTECH STARTUP
Building a risk program that could hold up to VC diligence.
A Series B fintech was preparing for a large enterprise deal that required a mature GRC program. They had a head of security but no compliance foundation. We ran a gap assessment, built their risk register, developed a full policy suite, and created board-level reporting templates that their investors could actually read.
Outcome:
Enterprise deal closed. GRC program cited as a competitive differentiator in investor materials.
FEDRAMP ADVISORY — CLOUD PROVIDER
SSP development and 3PAO readiness for a cloud provider.
A cloud platform targeting federal markets needed help navigating FedRAMP Moderate. We developed the System Security Plan, wrote control narratives mapped to NIST SP 800-53, and prepared the team for 3PAO assessment. We also trained their internal team on evidence collection and continuous monitoring.
Outcome:
Authorized under FedRAMP Moderate. Internal team capable of maintaining compliance independently.