A Clear Path to Security Leadership.
Every Phylaxion engagement follows the same proven structure: understand your environment, identify the risks, build a prioritized plan, and provide the ongoing leadership to execute it.
hodós (ὁδός) — path, way, journey
From First Conversation to Ongoing Program.
Most engagements follow the same general arc. The pace and scope vary by business, but the structure is consistent: understand the environment, quantify the risk, build the plan, execute with accountability.
Step 01
Initial Consultation
A focused conversation about your business, your environment, and what brought you to the table. No sales pitch. No audit. Just a clear-eyed look at where you stand and what matters most.
No cost
Step 02
Security Risk Assessment
We assess ten domains of your security environment, mapped to NIST CSF 2.0. This is the recommended entry point for most engagements: it produces a plain-language findings report and a prioritized remediation plan that tells you exactly where to focus first.
Recommended entry point
Step 03
Prioritized Remediation Roadmap
Based on the assessment findings, we build a 12-month roadmap that sequences your security work by business impact. Not a wish list. A practical plan with clear milestones, estimated effort, and defined accountability.
Step 04
Ongoing Advisory Retainer
A named advisor embedded in your business through a Sentinel, Guardian, or Archon engagement. Monthly sessions, documented progress, and the continuity that makes a security program compound over time instead of stalling after the first quarter.
Sentinel · Guardian · Archon
Step 05
Managed Services (Optional)
Hands-on platform management layered on top of your advisory retainer. Identity administration, endpoint oversight, cloud governance, email security. Separately scoped and priced, integrated with your security program.
Optional add-on
Step 06
Periodic Reviews and Escalation Support
Quarterly posture reviews, updated risk registers, compliance calendar maintenance, and escalation support when something changes. Your security program stays current because someone is accountable for keeping it there.
What the First Three Months Look Like.
The first 90 days of a Phylaxion engagement are the most intensive. This is when we learn your environment, establish the baseline, build the foundational documents, and create the structure that makes every subsequent session more efficient.
By the end of the first 90 days, Guardian and Archon tier clients have a documented security roadmap, a living risk register, a core policy library in progress, and an incident response plan. These are not templates. They reflect your actual environment.
Sentinel tier clients have a documented posture review, a completed Microsoft 365 or Google Workspace baseline advisory, an email authentication review, their starter policy library, and a cyber insurance readiness checklist.
Security posture assessment completed
Current environment documented, gaps identified, findings translated into business language.
12-month roadmap delivered (Guardian+)
Prioritized remediation plan built from assessment findings, sequenced by risk and cost.
Risk register initialized (Guardian+)
Identified risks documented with business impact, treatment decisions, and tracking cadence established.
IR plan drafted (Guardian+)
Practical incident response plan covering detection, containment, communication, and recovery.
Policy library in progress (all tiers)
Core policies started. Scope and count vary by tier. Written for your actual business, not generic templates.
Advisory cadence established
Session frequency, reporting format, action register, and escalation protocol set and agreed upon.
Advisory vs. Managed Services: Understanding the Difference.
This distinction matters because it affects what you pay, what we deliver, and whether you need an existing IT team. Most small businesses need the advisory layer. Some need both.
Advisory and Governance Layer
What we think, plan, and govern.
The advisory layer is the strategic foundation. This is where Phylaxion operates as your security program owner: setting direction, making recommendations, building documentation, and maintaining the governance that makes your security posture coherent over time.
- Security roadmap and risk register management
- Policy library development and maintenance
- Compliance gap assessment and controls mapping
- Cloud and infrastructure security reviews
- Board and executive reporting
- Vendor risk reviews and third-party oversight
- IR plan development and tabletop facilitation
- Cyber insurance readiness and application support
Managed Services Layer
What we configure, operate, and maintain.
The managed services layer is the hands-on execution layer. This is where Phylaxion goes beyond advising and actively administers your environment: creating users, enforcing policies, managing devices, and maintaining your security posture day-to-day.
- Microsoft 365 and Entra ID tenant administration
- Google Workspace administration and security
- Identity lifecycle: onboarding, offboarding, access reviews
- Intune device enrollment and compliance enforcement
- Cloud IAM and security configuration management
- DNS, SSL/TLS, and web infrastructure management
- Security monitoring coordination and alert triage
- EDR deployment oversight and endpoint compliance
Transparent Terms, Predictable Pricing.
Security advisory should not come with billing surprises. Every Phylaxion engagement is structured around clear scope, fixed pricing, and terms designed to earn your trust rather than lock you in.
Fixed-Fee Projects
Assessments and standalone engagements are scoped and priced before work begins. You know the cost, the timeline, and exactly what you will receive.
Month-to-Month After Commitment
Advisory retainers begin with a three-month initial commitment to allow proper onboarding and program setup. After that, the relationship continues month-to-month.
No Tool Reselling
Phylaxion does not sell, resell, or earn commissions on any security tools or platform licenses. Our recommendations are based on what your environment needs.
What You Can Count On from Every Engagement.
These are not aspirational commitments. They are the structural features of how Phylaxion engagements are designed and delivered.
01
One named advisor. Always.
You will not be handed off to a different advisor when your account grows, shrinks, or gets busy. The person you start with is the person who builds your security program and stays accountable for it.
02
Specific before binding.
We scope every engagement before any commitment is made. The final engagement cost is specific to your environment, stated in writing, and agreed upon before work begins.
03
No vendor affiliations.
Phylaxion does not resell security tools and does not earn commissions on licenses. When we recommend a product, it is because it fits your environment, not because it fits our revenue model.
04
Honest, not alarming.
We present your risk posture accurately, in business terms, without manufactured urgency. You will get an honest assessment of what is serious, what is moderate, and what can wait.
05
Documented, not verbal.
Every advisory session produces written outputs: action registers, roadmap updates, risk register entries, or findings summaries. Everything we produce is yours to keep.
06
Defensive and advisory only.
Phylaxion does not deliver offensive security services, penetration testing, or red team engagements. When third-party testing is appropriate, we help you scope it, select a vendor, and govern the results.
Built on Standards Your Auditors Already Trust.
Every engagement is anchored in recognized security frameworks. No proprietary methodologies or invented scoring systems. Standards your auditors, insurers, and customers already recognize.
Every Program Starts with a Conversation.
Tell us what you are working through. We will explain what a security program looks like for a business your size, and whether Phylaxion is the right fit.