MFA & SSO rollout
Phishing-resistant MFA on every account that matters — admin, finance, email, source code, payroll. SSO via Okta / Azure AD so it's actually used.
MFA everywhere, endpoint EDR, phishing drills, PIPEDA / SOC 2 readiness. We start with what would actually stop a breach — not what looks good on a slide.
Every engagement starts from your specific threat model — not a generic checklist. The two biggest risk patterns vary by industry; tell us what you do and we'll tell you which two come first.
EDR (CrowdStrike, SentinelOne), disk encryption, screen lock, USB controls, tested rollback. The endpoint is where most breaches actually land.
SPF, DKIM, DMARC enforced. Anti-phishing filters tuned. Vendor-impersonation flags. Banner on external email so the "CEO transfer request" gets flagged at a glance.
Quarterly real-world phishing simulations (KnowBe4 / Hoxhunt). Bilingual where needed. We measure click-rate, report-rate, and follow up with 5-min training for the people who fell for it.
SOC 2 Type II, PIPEDA, ISO 27001 readiness. Vanta / Drata for evidence collection — but we own the actual controls, not just the dashboard.
A written runbook for the first 24 hours: who calls whom, what gets isolated, who talks to insurance, when to call the lawyer. Tabletop-exercised every six months.
Threat model first, controls second, evidence third, drill fourth, run forever. The drill is what separates "we said we did MFA" from "MFA actually stops the test attack."
Two weeks: external scan, internal review, identity audit, email config check, endpoint sample, vendor inventory. Output: a 30-page assessment + a written threat model specific to your business + a risk register sorted by blast radius.
The biggest controls roll out in this phase. Universal MFA by week three. EDR everywhere. SPF / DKIM / DMARC enforced. A real backup restore tested end-to-end (we restore one). Each control has a written acceptance test before we mark it done.
A 30-min company-wide training (bilingual recordings — staff can watch in either language). Then we run the first phishing drill. The point isn't to embarrass anyone; it's to baseline who needs more help and which lures actually work on your team.
If you need formal compliance — SOC 2 Type II, PIPEDA, ISO 27001 — we collect evidence in Vanta / Drata, walk you through what an auditor will ask, and stand beside you for the audit window. We aim to make your auditor say "this is the cleanest set of evidence I've seen this quarter."
Quarterly phishing drills (lures evolve). Monthly EDR + email dashboard review. Tabletop incident-response drill every six months. Annual external pen test (or threat-led red team for higher-risk clients). 24/7 incident hotline included.
Vendor-agnostic on the categories that matter. If you've already paid for one of these, we use yours; if we're picking, these are the ones with proven SMB fit.
If yours isn't here, write to [email protected]. A real engineer answers within 4 business hours.
Yes — typically 6–12 months from greenfield. Type I in 2–3 months, Type II observation window after that. The biggest variable is internal change-management discipline; the controls themselves are standard.
Average across our clients: 17% reduction in annual premium after our hardening project — driven mostly by universal MFA, EDR everywhere, and tested backups. We can introduce you to brokers who underwrite SMB cyber policies if you don't have one.
In the retainer: yes, annually, by an independent third party we trust (we don't pen-test our own work — that's a conflict). Hardening project: optional add-on at cost. We don't mark up the pen-test bill.
Retainer clients: 24/7 hotline, 15-min response on confirmed incidents. We'll isolate, triage, then orchestrate the formal response — bringing in your insurance carrier's incident team and (if needed) outside counsel. We coordinate; we don't replace specialists for the legal / regulatory side.
Yes — bilingual security training is part of every hardening project. Quarterly phishing drills under the retainer. Training is short (30 min company-wide once, plus 5-min micro-trainings per drill).
Honestly, it depends on the threat model. If you handle health data, financial accounts, or any customer PII at scale, yes. If you're a 4-person creative studio with no client data on your side, probably just MFA + EDR + a backup is enough. We'll tell you on the audit call which case you're in — including "you don't need us" when that's true.