For teams outgrowing their first-generation IT.
For 10–250 person Canadian firms that need cybersecurity, IT, and web infrastructure that scales with the business. One senior team across all three pillars. NIST CSF 2.0 baseline. Fixed-fee. Vendor-agnostic. No multi-year lock-in.
Four ways most SMBs start with us.
Most engagements graduate into a managed retainer once the baseline is in place. None of these locks you in.
Posture Audit
A 2–4 week fixed-fee assessment across cybersecurity, IT, and web. Output: a board-ready remediation roadmap mapped to NIST CSF 2.0 and the 13 CyberSecure Canada controls.
Vendor Takeover
For firms moving off a generalist helpdesk or break-fix vendor. We run a 30–60 day transition: inherit, document, stabilise. No multi-year contract on our side.
Cybersecurity + IT + Web Bundle
Managed cybersecurity, managed service desk, and managed hosting in one engagement. One senior lead, one invoice, one runbook. Built for the SMB tech footprint.
Fractional CISO
For 50–250 person firms that need executive-grade security strategy without a full-time CISO hire. Board reporting, compliance roadmap, vendor risk, insurance liaison.
What right-sized looks like.
For most 10–250 person Canadian firms, this is the floor. We build to it within the first engagement, then stabilise.
Identity
Phishing-resistant MFA on every account. Conditional access on the identity provider. Quarterly access reviews. No shared credentials.
Endpoint
Managed EDR on every laptop and server. Disk encryption enforced. OS and browser patching automated. Asset inventory current.
SPF, DKIM, DMARC at p=reject with DMARC reporting flowing into a monitored mailbox. M365 / Workspace hardened to a defensible baseline.
Network
Segmented Wi-Fi (guest, staff, IoT). Firewall managed. VPN replaced by ZTNA where it fits. Inventory of inbound exposure.
Backup
3-2-1 backup discipline. Off-site immutable copy. Quarterly restore tests. Documented recovery time targets.
Governance
Acceptable-use, incident-response, and privacy policies in writing. Named privacy officer. Annual tabletop exercise. Board-ready posture summary.
Built for Canadian SMB compliance.
We map every SMB engagement to these frameworks — from day one, not retroactively.
Common SMB questions.
We already have a helpdesk vendor. Can you take over?
Yes — it is one of our most common entry points. We run a 30–60 day transition: audit what we inherit, document everything tribal, stand up clean operations while the lights stay on. No multi-year lock-in on our retainer.
Are we too small for a vCISO?
Probably not. We typically engage on a fractional CISO basis with firms in the 50–250 staff range. For smaller teams, a posture audit plus a managed cybersecurity retainer usually covers the same governance ground at lower cost.
Do you bundle cybersecurity, IT, and websites in one engagement?
Yes. SMBs benefit most when one senior team holds the full stack — identity, endpoint, network, web, and email all under one roof. We scope the bundle, deliver as one engagement, and keep the running monthly cost predictable.
Are you a fit if we already have an internal IT lead?
Yes. Many of our SMB engagements run alongside an internal IT lead who needs senior cybersecurity, network, or compliance horsepower they cannot justify hiring full-time. We work as their force multiplier, not their replacement.
How fast can we get to a "defensible" cybersecurity posture?
For a typical 10–100 person firm, a four-week Posture Audit followed by an 8–12 week Stabilisation engagement gets you to a defensible NIST CSF 2.0 / CIS Controls IG1 baseline. Faster if you only need the high-impact controls (MFA, EDR, email auth, backup).
Start with a posture audit.
Two to four weeks. Fixed-fee. Board-ready output. Clear next steps. No commitment beyond the audit itself.