What Is This?
Most security assessments focus on finding vulnerabilities — what's wrong with your systems. A controls assessment is different. It asks: do your defenses actually work?
You might have antivirus on every computer, a firewall at the perimeter, and a SIEM collecting logs. But does the antivirus catch real attack tools? Does the firewall block lateral movement? Does the SIEM alert when something suspicious happens? Those are the questions we answer.
Think of it this way
A vulnerability assessment is like checking if your doors and windows are locked. A penetration test is like hiring someone to try to break in. A controls assessment is like testing whether your alarm system, cameras, and security guards would actually notice and respond if someone did break in. You might have all the equipment — but is it working the way you think it is?
What Do We Test?
- Identity and access controls — are password policies enforced? Is multi-factor authentication actually required everywhere it should be? Are there old accounts with too much access sitting around unused?
- Network segmentation — if one computer gets compromised, can the attacker reach your financial systems? Your backups? Your domain controller? We test whether your network zones are actually isolated the way you think they are
- Endpoint detection — we run controlled, safe versions of real attack tools on your systems and see if your antivirus or EDR catches them. You'd be surprised how often it doesn't
- Log visibility and alerting — are the right events being logged? Are those logs reaching your SIEM? When something bad happens, does anyone get alerted? We trace the entire detection pipeline from event to alert
- Email security — we send test phishing emails through your email filters and see what gets through. Not to trick your people — to test whether your filters are doing their job
- Active Directory hygiene — stale accounts, service accounts with domain admin rights, weak Kerberos configurations, delegation issues. AD is the backbone of most business networks and it's often a mess
- Incident response readiness — if we told you right now that an attacker was in your network, what would you do? We run tabletop exercises and live drills to measure your team's response time and decision-making
- Backup and recovery validation — you have backups, but have you actually tested restoring from them? We verify that your backups are complete and uncorrupted, and that you can actually recover your systems when it matters
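As an added illustration of what the Active Directory hygiene check above looks like in practice (this is an example written for this page, not the assessor's own tooling), the following read-only PowerShell sweep covers the four listed items: stale accounts, service accounts in Domain Admins, accounts with Kerberos pre-authentication disabled, and unconstrained delegation. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the 90-day staleness threshold is an assumption to adjust to your own policy.

```powershell
# Added example, not code from the original page. Read-only AD hygiene sweep.
# Assumes: RSAT ActiveDirectory module, domain-joined host, directory read access.
Import-Module ActiveDirectory

$StaleDays = 90                                   # assumption: tune to policy
$cutoff    = (Get-Date).AddDays(-$StaleDays)
$dcNames   = (Get-ADDomainController -Filter *).Name

# 1. Stale accounts: enabled users with no logon since the cutoff
#    (a never-populated LastLogonDate counts as stale as well).
$stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }

# 2. Service accounts with Domain Admin rights: any DA member carrying an SPN.
#    Any domain user can request a ticket encrypted with that account's key,
#    so a DA-level account with an SPN is a high-impact finding.
$daServiceAccounts = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties ServicePrincipalName } |
    Where-Object { $_.ServicePrincipalName }

# 3. Weak Kerberos configuration: enabled accounts that do not require
#    pre-authentication (userAccountControl bit 0x400000), which lets a
#    password guess be verified offline.
$noPreauth = Get-ADUser -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# 4. Delegation issues: objects trusted for unconstrained delegation
#    (userAccountControl bit 0x80000). Domain controllers legitimately have
#    it, so they are excluded; anything else holding it is a finding.
$unconstrained = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties objectClass |
    Where-Object { -not ($_.objectClass -eq 'computer' -and $_.Name -in $dcNames) }

# Scorecard-style summary: a check passes only when it returns no objects.
$checks = [ordered]@{
    'Stale enabled accounts (>90d)'     = $stale
    'Domain Admins carrying an SPN'     = $daServiceAccounts
    'Kerberos pre-auth disabled'        = $noPreauth
    'Unconstrained delegation (non-DC)' = $unconstrained
}
foreach ($name in $checks.Keys) {
    $hits   = @($checks[$name])
    $status = if ($hits.Count -eq 0) { 'PASS' } else { 'FAIL' }
    '{0,-36} {1,-5} {2} object(s)' -f $name, $status, $hits.Count
    $hits | ForEach-Object { '    ' + $_.DistinguishedName }
}
```

The distinguished names printed under each FAIL line are the evidence a scorecard entry needs; nothing here modifies the directory.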
What You Get
- Control-by-control scorecard — each control rated as pass, partial, or fail with clear evidence for every rating
- Prioritized remediation roadmap — we rank fixes by attacker impact, not just theoretical risk. The controls that would let an attacker move fastest get fixed first
- Framework alignment — results mapped to CIS Controls and NIST Cybersecurity Framework so you can track progress against industry standards
- Executive summary — a clear, jargon-free overview for leadership that explains your defensive posture and what needs to change
- Retest option — after you've made fixes, we come back and verify the controls that failed now pass
How Is This Different from a Pentest?
A penetration test answers: "Can an attacker get in and what can they reach?"
A controls assessment answers: "Would your team even know an attacker was there, and could they stop it?"
Pentests focus on offense — finding a path to compromise. Controls assessments focus on defense — testing every layer of protection to see where it breaks down. They complement each other. Many clients do both.
Who Needs This?
- Businesses that have invested in security tools but aren't sure they're configured correctly or providing real protection
- Companies preparing for compliance audits that need evidence their controls actually work, not just that they exist on paper
- Organizations that had a security incident and want to make sure the gaps that allowed it have been closed
- IT teams that inherited their infrastructure and need an independent assessment of what's actually in place
What Affects the Price?
- Scope — testing 5 controls is different from testing 20. We'll work with you to prioritize based on your biggest concerns
- Environment size — a 20-person office with one domain is simpler than a multi-site organization with cloud infrastructure
- Depth — a high-level review of control categories versus hands-on testing of each individual control
- Compliance requirements — if you need results mapped to specific frameworks with audit-ready documentation, that takes additional time