Pricing & Service Tiers
Choose the level of assurance that matches your risk profile and requirements. All services are async-first—no calls required.
Tier 1
Executive Laptop Security Review
Timeline: 2–5 business days
Good when: Rapid, high-signal security posture review and targeted triage without full disk acquisition.
Includes:
- Threat model + intake (target profile, travel, comms patterns, asset sensitivity)
- OS posture review (patching, encryption, firewall, Secure Boot, local admin, attack surface)
- Identity posture (MFA/passkeys, browser credential hygiene, session risks)
- Persistence triage (common autoruns / launch agents / scheduled tasks / services)
- Network & remote access review (VPN/ZT posture, Wi-Fi profiles, remote tooling exposure)
- "Quick hunt" checks (known bad indicators, suspicious binaries, common LOLBAS patterns)
Deliverable: Executive summary + remediation checklist + technical appendix
Tier 2
Executive Forensic Assurance
Timeline: 5–10 business days
Good when: Credible assurance work with evidence handling and deeper artifact-level analysis.
Includes:
- Everything in Tier 1, plus:
- Forensic acquisition (live-response collection + full disk image or targeted forensic image)
- Integrity hashing + acquisition notes (for defensibility)
- Deep artifact review (logs, persistence, browser artifacts, auth/session traces)
- Malware triage (static/dynamic triage as needed)
- Hardening plan (practical changes prioritized by impact + disruption)
Deliverable: Forensic-grade report (methods, hashes, findings, confidence, and remediation plan)
Tier 3
High-Assurance Executive Device Inspection
Timeline: 10–20 business days
Good when: Sophisticated persistence concerns, high-value targeting, or rebuild + validation needs.
Includes:
- Everything in Tier 2, plus:
- Boot chain / firmware posture validation (UEFI + platform security checks where feasible)
- External device surface review (USB/Thunderbolt/DMA posture, port controls, peripheral risks)
- "Clean rebuild" plan and validation (secure re-image path, key rotation guidance, post-rebuild verification)
- Optional coordination with internal IT/MSP/EDR team for production-grade changes
Deliverable: High-assurance report + rebuild/validation runbook
Compare Tiers
| Capability | Tier 1 Security Review ($2,250) | Tier 2 Forensic Assurance ($8,500) | Tier 3 High-Assurance ($15,000) |
|---|---|---|---|
| Threat model + intake | |||
| Patch/encryption/firewall/secure boot posture | |||
| Identity + MFA/session hygiene review | |||
| Persistence triage (autoruns/services/tasks/agents) | |||
| Targeted compromise hunt | limited | deep | deep + higher rigor |
| Forensic acquisition + hashing | |||
| Full disk image / targeted forensic image | |||
| Malware triage (as needed) | light | ||
| Boot chain / firmware posture checks | where feasible | ||
| Clean rebuild + post-rebuild validation plan | optional add-on | ||
| Executive summary report | |||
| Forensic-grade methods section + evidence notes | |||
| Typical analyst hours (single analyst) | 6–8 | 20–28 | 35–50 |
Note: No security assessment can guarantee "no compromise." These services provide risk reduction + evidence-based assurance within the selected scope.
Add-ons & Field Services
Add-ons
| Add-on | Price | Notes |
|---|---|---|
| Second laptop/desktop (same executive) | $1,500–$6,000 | Depends on Tier 1 vs Tier 2 depth |
| Mobile device posture review (iOS/Android) | $750–$2,500 | Configuration + account/session hygiene; forensic depth varies |
| Secure media package (client keeps encrypted evidence drive) | $175–$350 | Typical for Tier 2/3 acquisitions |
| Expedited turnaround | +25–50% | Subject to scheduling |
| Executive monitoring & quarterly re-attestation | $1,250–$3,500/mo | Depends on telemetry access + response expectations |
| IR escalation if compromise is found | scoped separately | Can convert engagement into incident response retainer |
Onsite / Field Services
| Service | Price | Notes |
|---|---|---|
| Onsite day rate | $1,500/day + travel | Best for high-risk handling or no-remote-access environments |
| Evidence pickup / chain-of-custody handling | scoped | Use when legal/insurance expectations exist |
What We Actually Do
This isn't a generic checklist. Here's what we review at each technical layer.
Hardware / Platform Security
- Full-disk encryption posture (FileVault/BitLocker), recovery key handling
- Secure Boot / boot chain posture (Tier 3-focused)
- Peripheral exposure: USB/Thunderbolt, DMA considerations, rogue device risk
- Device inventory/firmware posture signals (what's feasible without destructive methods)
OS & Application Posture
- Patch levels, vulnerable components, attack surface reduction
- Local privilege and admin boundaries
- Startup persistence locations (OS-specific autoruns / agents / scheduled tasks)
- Remote access tooling and exposure (legitimate tools abused in compromise)
Identity & Session Risk
- MFA/passkeys posture and account recovery weaknesses
- Browser credential storage, token/session persistence risks
- Email and cloud account session sanity checks (as access permits)
Compromise Detection (scope-appropriate)
- High-signal triage checks (Tier 1)
- Artifact-level review with forensic acquisition (Tier 2/3)
- Malware triage and containment guidance if discovered
How It Works
Kickoff & Intake (30–60 min)
Define target profile, travel, threat model, and what "secure" means for the CEO.
Evidence-Safe Collection (Tier-dependent)
Remote collection or forensic acquisition with integrity controls (Tier 2/3).
Analysis & Hardening Plan (varies)
Findings prioritized by risk and operational impact.
Readout Call (30–60 min)
Walk through findings with CEO/IT lead.
Report Delivery (final)
Executive summary + technical appendix. For Tier 2/3: methods + integrity notes.
Deliverables
What the client receives:
- Executive Summary (non-technical, board-friendly)
- Findings & Risk Ratings (what matters, why, how confident we are)
- Remediation Plan (prioritized, minimal-disruption first)
- Technical Appendix (artifacts reviewed, evidence notes, hashes where applicable)
- Optional: rebuild/validation runbook (Tier 3)
Frequently Asked Questions
Can you guarantee it's "not compromised"?
We cannot provide a guarantee that a device is "not compromised." What we provide is evidence-based assurance within scope: posture validation, compromise hunting, and defensible reporting.
Do you need admin access?
Usually yes (or a paired IT admin) for full posture validation and artifact collection. We can operate in a "CEO-only" mode, but depth is reduced.
Will this disrupt the CEO's work?
Tier 1 is typically low disruption. Tier 2/3 can be scheduled to minimize downtime; we design collection steps to avoid business interruption.
Remote or onsite?
Remote is common. Onsite is available for higher-risk handling or strict environments.
What if you find something bad?
We'll contain risk immediately (in coordination with you) and can pivot into incident response under a separate scope.
Scope Boundaries
- Pricing assumes one device unless otherwise stated.
- Access constraints (no admin, no logs, no telemetry) reduce attainable assurance.
- We do not provide a "clean bill of health." We provide findings + confidence and a remediation plan.
- If legal/insurance requirements exist, tell us up front so we can align evidence handling and documentation rigor.
Ready to Secure Your CEO's Laptop?
Choose a tier above or request a written scope. Async-first—no calls required.
Philadelphia, PA • Async-first engagement • Written scope provided before work begins