How We Engage

From assessment to full operations in 90 days.

Most consulting engagements work by the hour and hope the scope keeps growing. We run differently. Every phase here has a named duration, a defined deliverable, and an outcome your team can verify. If something changes, we renegotiate honestly.

01

Day 0 · 1-2 weeks

Free Assessment

  • Infrastructure inventory and architecture review
  • Security posture review mapped to MITRE ATT&CK
  • Compliance gap assessment (SOC 2, HIPAA, PCI, NIST CSF, or industry-specific)
  • Prioritized remediation roadmap with effort and impact
  • Proposal with scope, SLA, and pricing clearly stated upfront

Outcome: You know exactly where you stand and what's worth fixing. From there you decide whether to engage us. If you don't, you still keep the roadmap.

02

Day 1-14 · 2 weeks

Foundations

  • Contract, SLA, and BAA (where applicable) signed
  • Named primary contacts on both sides, with direct contact info
  • Secure access provisioned (MFA, PAM, session recording)
  • Kickoff workshop covering stakeholders, escalation tree, and communication rhythms
  • Any Priority-1 gaps get fixed in parallel

Outcome: Everyone knows who does what. Escalation paths are live. First quick wins are already shipped.

03

Day 15-30 · 2 weeks

Initial Coverage

  • Monitoring deployed across endpoints, network, identity, and cloud
  • SIEM/XDR platform tuned for your environment
  • First detection content deployed, mapped to your industry's threat model
  • Backup and DR runbooks documented and tested
  • Help desk or support operations in active handover

Outcome: Threat detection is live. 24/7 SOC coverage begins. MTTD targets enforced from this point.

04

Day 31-60 · 4 weeks

Tuning & Custom Content

  • Custom detection rules for your environment's specific TTPs
  • SOAR playbook automation for the top 20% of alert patterns
  • Compliance evidence pipeline running continuously, not as an audit-season panic
  • First tabletop exercise with your leadership team
  • Monthly executive review cadence established

Outcome: False-positive rate drops. Detection coverage hits steady-state. Compliance evidence stops being a quarterly fire drill.

05

Day 61-90 · 4 weeks

Steady-state Operations

  • First full quarterly business review with outcomes against SLA
  • Threat hunting program active, running weekly hypothesis-driven hunts
  • Penetration testing or red team exercise (if in scope)
  • Annual DR drill scheduled and dry-run executed
  • Board-ready risk report delivered

Outcome: You're running at mature-ops quality. Your CIO or CISO has the reporting they need. The SOC has enough context about your environment to catch the non-obvious stuff.

06

Day 90+ · Ongoing

Continuous Improvement

  • Monthly executive review
  • Quarterly architecture review
  • Annual strategy refresh aligned to business goals
  • Threat intelligence updated weekly, detection content tuned continuously
  • Incident post-mortems inform both your environment and our broader detection library

Outcome: Your security and operations posture measurably improves every quarter.

How we operate

Fixed-fee, not time-and-materials

Monthly fee covers everything in scope. No meter running. You get a predictable line item; we get incentive to be efficient.

Named people on both sides

Not a ticket-queue hand-off. You get a primary account engineer, a SOC lead, and (for vCISO engagements) an executive owner. You talk to the same people.

Exit ramp by design

All custom detection content, runbooks, and documentation are yours. If you ever need to move to another provider or build in-house, we hand over clean.

SLA enforced, not aspirational

MTTD, MTTC, response time, and uptime are contractual. Misses are documented and service-credited. No excuses.