Services

What We Deliver.

15 cybersecurity advisory and managed services, built for small businesses. Each one is scoped to your environment, delivered by a named advisor, and designed to work within your budget.

0
Advisory and managed services covering the full security lifecycle.
0%
of SMB cyberattacks begin with a human action: phishing, social engineering, or credential theft.
0%
year-over-year increase in supply chain attacks targeting small businesses.
Leadership & Strategy

Security Leadership Without the Full-Time Cost.

The advisory layer that sits between your business and the security decisions that shape it. Strategy, governance, and executive-level guidance, delivered by a named advisor.

Virtual CISO

Security leadership without the full-time executive cost.

Most small businesses do not need a $300,000 CISO. They need a trusted security advisor who understands their environment, speaks their language, and shows up consistently. That is what a Phylaxion vCISO relationship delivers.

  • Security Strategy and Roadmap
  • Risk Assessment and Posture Review
  • Policy Development and Maintenance
  • Risk Register Management
  • Compliance Readiness Guidance
  • Leadership and Investor Reporting
  • Vendor and Third-Party Risk Reviews
Guardian tier and above. Also available as standalone.
Ask about this service
Principal Advisory

The people at the top carry the most risk. We protect them specifically.

Founders, executives, and key leaders face a different threat profile. Targeted phishing, account takeovers, and impersonation attacks are disproportionately aimed at the people whose names are on the door. This service addresses that directly.

  • Executive Device Hardening
  • Secure Communications Practices
  • Account Security Review
  • Social Engineering and Impersonation Risk
  • Travel Security Briefing
Archontier (included). Also available standalone: $1,500–$3,500/month.
Ask about this service
Managed Operations

Hands-On Security for Your Digital Environment.

Advisory tells you what to do. Operations makes it happen. These services cover the day-to-day security management of your platforms, infrastructure, and endpoints.

Managed Secure IT

Operations that protect, not just maintain.

There is a meaningful difference between an IT environment that functions and one that is secure. Phylaxion delivers hands-on management of your Microsoft 365, Google Workspace, identity environment, and endpoints with security as the first filter.

  • Microsoft 365 and Entra ID Administration
  • Google Workspace Administration
  • Identity and Access Management
  • Endpoint Security Oversight
  • Intune and Google Device Management
  • Access Lifecycle Management
  • Security Monitoring Coordination
Available at any advisory tier and as standalone managed service.
Ask about this service
Cloud Security

Cloud environments built to be secure, not retrofitted.

Cloud infrastructure designed without security governance creates technical debt that compounds over time. Phylaxion reviews, designs, and manages AWS, Microsoft, and Google Cloud environments with least-privilege access, monitoring, and governance built in from the start.

  • Cloud Architecture Review and Design
  • IAM Least-Privilege Design
  • Cloud Security Monitoring Configuration
  • Cost and Governance Controls
  • Secure Deployment Practices
  • Ongoing Cloud Governance
Advisory in all tiers. Managed services scoped separately.
Ask about this service
Website & Digital

Your website is part of your security posture.

An insecure website is not just an IT problem. It is a credibility problem, a liability, and sometimes an entry point. Phylaxion reviews, hardens, and manages your web presence with the same security-first approach we apply to every part of your environment.

  • DNS Security and Management
  • SSL/TLS Certificate Management
  • Website Platform Security
  • Google Cloud and Firebase Hosting Security
  • Third-Party Integration Review
  • Web Application Security Guidance
Included in all advisory tiers.
Ask about this service
Risk & Compliance

Navigate Risk, Insurance, and Regulatory Obligations.

Compliance requirements, insurance renewals, vendor risks, and privacy regulations. These services help you meet obligations, reduce exposure, and document your posture.

Insurance Readiness

Get insurable. Stay insurable. Use your coverage when it matters.

Cyber insurers are tightening requirements, raising premiums, and adding exclusions for businesses that cannot demonstrate basic security controls. Phylaxion prepares small businesses to qualify for coverage, meet renewal requirements, and collect on a claim when they need to.

  • Insurance Readiness Assessment
  • Controls Remediation Guidance
  • Application Support
  • Renewal Preparation
  • Incident Response Plan Documentation
  • Claims Readiness Guidance
Included in all tiers. Standalone from $2,500.
Ask about this service
Data Privacy Advisory

Privacy laws changed. Your compliance posture probably did not.

Over 20 U.S. states now have active data privacy laws. Colorado, California, Virginia, Texas, and others impose real obligations on businesses handling personal data, regardless of size. Most small businesses are unaware of their exposure.

  • Privacy Law Applicability Assessment
  • GDPR Exposure Review
  • Data Mapping and Classification
  • Privacy Policy and Notice Review
  • Data Subject Rights Procedures
  • Vendor Data Processing Review
Included in Guardian tier and above. Initial assessment from $3,500.

Phylaxion provides advisory, not legal counsel. For formal legal opinions, we work alongside qualified privacy counsel.

Ask about this service
Vendor Risk Management

Your vendors are part of your attack surface.

Supply chain attacks increased 68% in a single year. Most small businesses grant vendors access to their systems, data, and infrastructure without a formal security review. Phylaxion helps you understand who has access, assess the risk, and put the right controls in place.

  • Vendor Security Assessment
  • Third-Party Access Governance
  • Vendor Questionnaire Management
  • Contract Security Clause Review
  • Vendor Risk Register
  • New Vendor Onboarding Review
Guardian and above (up to 2 reviews/quarter). Standalone from $1,500/vendor.
Ask about this service
M&A Due Diligence

Security gaps discovered after close cost far more than those found before.

Whether you are acquiring a business, being acquired, or preparing for investor due diligence, security posture is now a standard part of the review. Phylaxion provides independent security due diligence for small business M&A.

  • Target Security Posture Assessment
  • Pre-Diligence Readiness Preparation
  • Security Findings Translation for Deal Teams
  • Post-Close Integration Planning
  • Investor Security Questionnaire Support
Standalonescoped project. Starting at $8,000–$15,000. Timeline: 3–6 weeks.
Ask about this service
Training & Readiness

Prepare Your People and Your Response.

Your team is your first line of defense. These services train them, test your readiness, and make sure your response plan works before you need it.

Security Training

Your people are your most targeted asset. Train them like it.

Phishing, social engineering, and credential theft succeed because people make mistakes under pressure. A well-run security awareness program reduces that risk measurably, satisfies cyber insurance requirements, and builds lasting security culture.

  • Phishing Simulation Campaigns
  • Security Awareness Training Program
  • New Employee Security Onboarding
  • Executive and Leadership Training
  • Reporting and Compliance Documentation
All tiers. Phishing cadence scales with tier. Standalone from $2,000/year (up to 25 users).
Ask about this service
Incident Readiness

Preparation is the only thing that limits the damage.

Most small businesses do not have an incident response plan. Those that do often have one that has never been tested. Phylaxion builds practical IR programs: the plan, the practice, and the ongoing readiness that turns a crisis into a manageable event.

  • Incident Response Plan Development
  • Tabletop Exercise Facilitation
  • Post-Exercise Remediation Planning
  • Communication Templates and Runbooks
  • Insurance and Compliance Alignment
  • Annual Plan Review and Update
IR Plan in Guardian and above. Tabletops in Archon(2x/year). Standalone: $4,000–$6,000.

Phylaxion provides IR coordination and advisory, not technical IR execution. Forensics and remediation are performed by separate IR firms.

Ask about this service
Testing Oversight

Security testing results are only valuable if someone acts on them.

Third-party penetration tests, vulnerability assessments, and security audits generate findings. What most small businesses lack is someone who can translate those findings into business decisions, hold remediation accountable, and make sure the next assessment goes better.

  • Testing Scope Review
  • Findings Translation and Prioritization
  • Remediation Accountability
  • Re-Assessment Preparation
  • Executive Reporting
  • Vendor Selection Guidance
Archon tier (included). Standalone from $2,500.

Phylaxion oversees and governs testing. Phylaxion does not perform penetration testing, red teaming, or offensive security work.

Ask about this service
Assessments & Setup

Start With Clarity.

Fixed-scope engagements that establish your baseline, identify your gaps, and give you a prioritized path forward. These are where most advisory relationships begin.

Initial Risk Assessment

You cannot fix what you have not measured. Start here.

Most small businesses have never had a structured, independent review of their security posture. They know they have gaps. They just do not know where the biggest ones are, which ones matter most, or what to fix first. This assessment answers all three.

Assessment Domains (NIST CSF 2.0)

  • Identity and Access Controls
  • Endpoint Security and Patch Posture
  • Email and Communications Security
  • Cloud and SaaS Configuration
  • Data Handling, Backup, and Recovery
  • External Exposure Review
  • AI and GenAI Exposure
  • Detection and Monitoring Capability
  • Incident Readiness and Response Posture
  • Policy, Governance, and Vendor Risk

How It Works

  • 01Intake and Discovery: scoping, environment inventory, stakeholder interviews.
  • 02Assessment and Analysis: 10-domain review mapped to NIST CSF 2.0.
  • 03Findings and Roadmap: executive summary, domain-by-domain findings, prioritized remediation plan.

What You Receive

  • Executive Summary
  • Domain-by-Domain Findings
  • Prioritized Remediation Roadmap
  • Recommended Next Steps
$4,500+up to 25 users · 2–3 weeks · tier clients receive reduced rates
Ask about this service
Architecture Review

Controls can pass every checklist and still be fundamentally broken.

A risk assessment tells you whether your controls exist. An architecture review tells you whether they work, and whether the way your systems are designed creates vulnerabilities that no individual control can fix.

Focus Areas (STRIDE Threat Modeling)

  • Trust Boundary Mapping
  • Authentication and Identity Architecture
  • Data Flow and Protection Architecture
  • Integration and API Security
  • Monitoring and Detection Architecture
  • Threat Modeling

Three Phases (2–4 Weeks)

  • 01Architecture Intake: system inventory, data flow documentation, trust boundary identification.
  • 02Analysis and Threat Modeling: STRIDE-based analysis across all focus areas.
  • 03Findings and Recommendations: architecture findings report, threat model summary, prioritized remediation.

What You Receive

  • Architecture Findings Report
  • Threat Model Summary
  • Prioritized Remediation Recommendations
  • Recommended Next Steps
$5,000+focused reviews · 2–4 weeks · tier clients receive reduced rates
Ask about this service
New Business Setup

Build it right from day one.

The security decisions you make in the first 90 days have an outsized impact on everything that follows. Phylaxion helps small businesses, startups, and growing teams set up their Microsoft 365 or Google Workspace environment with security built in from the start.

What's Covered

  • Identity and Access Foundation
  • Email Security Configuration
  • Device Enrollment and Endpoint Baseline
  • Core Security Policy Library
  • Cloud and SaaS Access Controls
  • Security Baseline Documentation

Engagement Details

  • 01Scoping: environment review, platform selection, integration requirements.
  • 02Configuration: identity, email, endpoint, and cloud setup with security-first defaults.
  • 03Documentation: security baseline, policy library, and handoff to ongoing advisory.
$3,000+fixed-scope · ~30 days · platform licensing separate
Ask about this service
Get Started

Not Sure Where to Start?

Most engagements begin with a conversation. Tell us what you are dealing with, and we will help you figure out which services make sense for your business and budget.

Start the ConversationView Programs