Resources for security leaders
Assessments, checklists, playbooks, and field-tested case studies — mapped to the frameworks public and private sector buyers actually care about: NIST CSF 2.0, CIS Controls v8, ISO 27001, and Essential Eight.
Featured
Cybersecurity Self-Assessment
20 questions mapped to NIST CSF 2.0, CIS Controls v8, ISO 27001, and Essential Eight. Instant posture score across six domains.
Ransomware Readiness Checklist
30-point checklist across identity, backups, EDR, segmentation, response, and recovery — aligned to NIST CSF 2.0 and CISA #StopRansomware.
vCISO Engagement Playbook
How a fractional CISO operates inside your business — scope, cadence, deliverables, and outcomes by quarter.
Resource library
54 resources
Cybersecurity Self-Assessment
20 questions mapped to NIST CSF 2.0, CIS Controls v8, ISO 27001, and Essential Eight. Instant posture score across six domains.
Ransomware Readiness Checklist
30-point checklist across identity, backups, EDR, segmentation, response, and recovery — aligned to NIST CSF 2.0 and CISA #StopRansomware.
vCISO Engagement Playbook
How a fractional CISO operates inside your business — scope, cadence, deliverables, and outcomes by quarter.
Global Cybersecurity & Privacy Compliance Map
Single-page reference covering GDPR, UK GDPR, NIS2, DORA, HIPAA, CMMC, PIPEDA, LGPD, POPIA, NDPR, Kenya DPA, Ghana DPA, Essential Eight, PDPA-SG, APPI, ISO 27001/27701/42001, SOC 2, and PCI DSS.
Global Breach Notification Matrix
Regulator and individual notification clocks across 17 jurisdictions — EU, UK, US (federal & state), Canada, Brazil, Australia, Singapore, Japan, South Africa, Nigeria, Kenya, Ghana, and the UAE.
Cloud Security Posture Checklist
Cloud-neutral controls across AWS, Azure, and GCP — aligned to CIS Benchmarks, CSA CCM, and ISO/IEC 27017 / 27018.
Zero Trust Roadmap
Five-stage roadmap across identity, devices, networks, applications, and data — aligned to NIST 800-207, CISA ZTMM 2.0, UK NCSC, and the Australian ISM.
Tabletop Exercise Scenarios Pack
Eight ready-to-run scenarios spanning ransomware, BEC, insider threat, SaaS compromise, cloud takeover, OT incident, AI misuse, and regulator inquiry.
Vendor / Third-Party Risk Mini-Assessment
15 questions to benchmark your third-party risk program against NIST 800-161 and ISO/IEC 27036. Scores in five minutes.
Incident Response Plan Starter
Phases, roles, severity matrix, and a first-24-hour runbook aligned to NIST SP 800-61r2. Use it as a baseline you can tailor.
AI Security & Governance Checklist
25 controls for safe enterprise AI adoption — aligned to NIST AI RMF, ISO/IEC 42001, and the OWASP LLM Top 10.
SEO Audit Checklist for Security Firms
Free, no-email checklist covering technical SEO, content, and trust signals for cybersecurity consultancies.
Cybersecurity in K-12: Why School Districts Keep Getting Hit
K-12 districts run enterprise-scale environments on shoestring budgets. The result is a sector that adversaries treat as soft, predictable, and high-impact.
Technical Colleges: The Workforce Pipeline Attackers Forgot to Forget
Community and technical colleges sit at the intersection of workforce development, federal funding, and open enrollment. That makes them uniquely exposed.
State University Systems: Federation Is Not a Security Strategy
Multi-campus state systems share identity, share procurement, and share blast radius. Most have not reckoned with what that means when one campus is compromised.
HBCUs and Cybersecurity: A Resource Equity Conversation
Historically Black Colleges and Universities are doing more with less in nearly every dimension of their security programs. The threat actors targeting them are not adjusting for that.
Private and Public Schools: Different Budgets, Same Threats
Independent schools and public districts face nearly identical threat actors with very different governance, funding, and procurement realities. Both gaps matter.
Research Universities: When Compliance and Curiosity Collide
R1 institutions are being asked to harden environments built around openness, collaboration, and academic freedom. The path forward is segmentation, not uniformity.
Post-Quantum Cryptography: When to Start, What to Do
The post-quantum migration is the largest cryptographic transition in three decades. For most organizations the right answer is *not yet*, but the right *preparation* starts now.
Vendor Due Diligence Without the Spreadsheet
The standard vendor security questionnaire is a 200-row spreadsheet that nobody enjoys filling out and nobody reads when it comes back. There is a better way.
Building a Security Champions Program
A 10-person security team will never out-write or out-review a 200-person engineering org. A champions program borrows leverage from people already embedded in the work.
Practical Threat Hunting for Small SOCs
Threat hunting is often described as an art practiced by analysts with decades of experience. That framing keeps small teams from trying. The truth: structured hunting works at any team size if you co
Network Segmentation Without the Datacenter
The classic segmentation playbook (VLANs, firewalls, a DMZ) assumed a physical datacenter you owned. For cloud-native and hybrid environments, the moves are different but the goal is the same: limit b
Securing Kubernetes Without a Dedicated Platform Team
If a single engineer set up your Kubernetes cluster and now no one quite understands it, you have company. Here is the minimum security baseline for small-team Kubernetes.
Logging and Telemetry: What to Keep and Why
Logging programs fail in two directions: too little to investigate anything, or too much to afford. The middle path is intentional.
The Three Conversations Every CFO Needs About Cyber
CFOs are increasingly accountable for cybersecurity outcomes (SEC disclosure, insurance underwriting, M&A diligence) without being trained in the field. Three conversations bridge the gap.
Threat Intelligence on a Budget
A premium CTI feed runs six figures a year. Most mid-market companies cannot justify the spend and end up with no threat intelligence at all. There is a middle path.
Why Your Vulnerability Scanner Lies (and What to Do)
A typical enterprise vulnerability scan reports 40,000 findings. The number of those findings that actually reduce risk if remediated this quarter is closer to 200.
Cloud Identity Federation 101
If you still have IAM users with long-lived access keys in your AWS, Azure, or GCP environment, federation is the single highest-ROI change you can make this quarter.
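A concrete version of that check, added here as an example and not part of the page's resource or of Dephiant's tooling: parse an AWS IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-decoded) and list every active access key older than a rotation threshold. The column names are the real report columns; the account ID, user names, timestamps and the fixed `NOW` value are constructed sample data.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of an AWS IAM credential report
# (`aws iam get-credential-report`, base64-decoded). The column names are
# the real report columns; the account ID, users and timestamps are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T00:00:00+00:00,true,2025-01-02T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2021-06-10T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-06-10T00:00:00+00:00,2025-01-05T03:10:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-11-20T08:00:00+00:00,true,2025-01-04T14:00:00+00:00,2024-12-01T00:00:00+00:00,N/A,true,true,2024-12-01T00:00:00+00:00,2025-01-04T14:30:00+00:00,eu-west-1,sts,true,2022-02-14T10:00:00+00:00,N/A,N/A,N/A
"""

# Fixed "current time" so the sample gives repeatable ages (assumption).
NOW = datetime(2025, 1, 6, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90


def parse_ts(value: str):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in ("N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(report_csv: str, now: datetime, max_age_days: int = MAX_KEY_AGE_DAYS) -> list:
    """List every active access key older than max_age_days.

    Each finding records the user, the key slot (1 or 2), the key's age in
    days since it was created or last rotated, and whether it was ever used.
    Inactive keys and the root account's placeholder values are skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age_days = (now - rotated).days
            if age_days <= max_age_days:
                continue
            last_used = row[f"access_key_{slot}_last_used_date"]
            findings.append({
                "user": row["user"],
                "key_slot": int(slot),
                "age_days": age_days,
                "last_used": None if last_used == "N/A" else last_used,
                "never_used": last_used == "N/A",
            })
    return findings


def run_check() -> list:
    """Run the check over the constructed report."""
    return stale_access_keys(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for f in run_check():
        status = "never used" if f["never_used"] else f"last used {f['last_used']}"
        print(f"{f['user']}: key {f['key_slot']} is {f['age_days']} days old ({status})")
```

Every entry it returns is a candidate for deletion once the workload behind it has moved to federated, short-lived credentials (IAM Identity Center for people, an OIDC-assumed role for CI). A key that is active but has never been used is the cheapest win, since nothing breaks when it goes; a key that is old and in daily use (the `ci-deployer` case in the sample) is the one that needs a migration plan before removal.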
The Case for Privileged Access Management
PAM tools are expensive and operationally heavy. They are also, by a wide margin, the control with the highest evidence base for reducing the impact of an intrusion.
Tabletop Exercises That Don't Waste Anyone's Time
A bad tabletop is a two-hour status meeting in costume. A good tabletop is the cheapest insurance you can buy.
PCI DSS 4.0: What Changed and What to Do
PCI DSS 4.0 became mandatory on March 31, 2024, when v3.2.1 was retired, with a long tail of "future-dated" requirements landing March 31, 2025. If you are still operating to 3.2.1, the gap is wider than it looks.
Securing Remote Workforces in 2024
Hybrid work is permanent. The security model that worked in 2020 (VPN, corporate laptop, occasional office visit) is showing its age.
The Anatomy of a Business Email Compromise
A typical BEC investigation we run unfolds in five acts. Recognizing them in progress is the difference between a near-miss and a six-figure loss.
AI-Generated Phishing: New Defenses for an Old Problem
The grammar mistakes are gone. The bizarre formatting is gone. The "Dear Sir/Madam" salutations are gone. Generative AI removed the surface-level tells that defenders trained users to look for.
Cyber Hygiene Metrics Your Engineers Will Trust
Engineering teams treat most security metrics like marketing numbers: directionally true, locally meaningless. Here are five that survive engineering scrutiny.
Regional bank reaches SOC 2 Type II in 11 months
Embedded vCISO leadership delivered a clean SOC 2 Type II audit with zero exceptions, unlocking three enterprise deals.
Series B healthtech builds a HIPAA program around a fractional CISO
Replaced ad-hoc compliance with a named security leader, a written roadmap, and a HIPAA Security Rule program that survived an enterprise customer audit.
B2B SaaS rebuilds board-level security reporting after CISO exit
Stepped in 11 days after the CISO resigned, kept SOC 2 surveillance on-track, and ran the next two board meetings without disruption.
Specialty hospital network blunts ransomware staged against a peer
Sector-focused intel surfaced infrastructure overlap with a peer hospital intrusion 96 hours before the affiliate pivoted to our client.
B2B SaaS catches typosquatted dependency before production deploy
Dependency-focused intel flagged a typosquatted npm package on the build server seven minutes after publication, blocking a credential-stealing payload.
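The lexical half of that check, added here as an example and not Dephiant's monitoring tooling or the case study's own code: compare every dependency in a package.json against a list of popular npm names and flag any that sit within a small edit distance of one without matching it exactly. The manifest and the popular-name list below are constructed sample data; a real check would load the registry's top-downloads list and run on every manifest change, and it is a registry watcher, not this local scan, that catches a package in the minutes after publication.

```python
import json

# Constructed stand-in for a popular-package list; a real check would load
# the top-N names by download count (assumption).
POPULAR_PACKAGES = {
    "lodash", "express", "axios", "react", "react-dom", "chalk",
    "commander", "debug", "moment", "cross-env", "webpack", "typescript",
}

# Constructed package.json with three typosquat-style names mixed in.
SAMPLE_PACKAGE_JSON = """
{
  "name": "build-app",
  "dependencies": {
    "express": "^4.19.2",
    "lodahs": "^4.17.21",
    "axois": "1.6.0",
    "react": "^18.2.0"
  },
  "devDependencies": {
    "chalk": "^5.3.0",
    "comander": "^11.0.0"
  }
}
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one edit is an insert, a delete,
    a substitution, or a swap of two adjacent characters (the classic typo moves)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def suspicious_dependencies(package_json: str, popular=POPULAR_PACKAGES, max_distance: int = 1) -> list:
    """Return (dependency, closest popular name, distance) for every dependency
    that is not itself a popular name but is within max_distance edits of one."""
    manifest = json.loads(package_json)
    names = []
    for section in ("dependencies", "devDependencies"):
        names.extend(manifest.get(section, {}))
    findings = []
    for name in names:
        if name in popular:
            continue  # the genuine package, not a look-alike
        closest, dist = min(((p, osa_distance(name, p)) for p in popular), key=lambda t: t[1])
        if dist <= max_distance:
            findings.append((name, closest, dist))
    return findings


if __name__ == "__main__":
    for name, closest, dist in suspicious_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"{name!r} is {dist} edit(s) from popular package {closest!r}")
```

The exact-match skip is what keeps the false-positive rate tolerable: `react` is popular, so it passes, while `react-dom` passes because it is on the list itself rather than because it is close to `react`. Raising `max_distance` to 2 catches more creative misspellings at the cost of flagging legitimate short names, so tune it per name length rather than globally, and treat scoped packages (`@scope/name`) separately since the check above compares the full string.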
Manufacturer segments OT network ahead of ransomware wave
Network segmentation and proactive intel monitoring kept three production lines online during a sector-wide ransomware campaign.
B2B SaaS rebuilds AWS landing zone, cuts cloud risk by 71%
Replaced a single-account AWS sprawl with an Organizations-based landing zone and reduced critical CSPM findings from 312 to 90.
Manufacturer modernizes Azure tenant before a $90M ERP cutover
Re-architected an unmanaged Azure tenant into a Cloud Adoption Framework landing zone in time for the ERP go-live.
AI startup hardens GCP for an enterprise model deployment
Locked down GCP projects hosting model training and inference so a Fortune 100 customer could approve production deployment.
Industrial group ships a plant copilot with documented safety rails
Wrote the policy, evaluation harness, and human-in-the-loop controls that let an operator-facing LLM ship to 14 plants without slowing safety review.
AI startup ships LLM features with documented guardrails
Built a prompt-injection test harness and policy framework that let a 12-person team launch enterprise LLM features in 6 weeks.
AmLaw firm rolls out an AI use policy across 480 attorneys
Replaced an outright ban with a tiered policy, vetted toolset, and evaluation pipeline that satisfied ethics counsel and the executive committee.
AI startup stands up enterprise-grade IT before Series B
Translated a founder-built IT environment into an enterprise-ready stack (identity, endpoint, ticketing, and procurement) in 90 days.
Boutique law firm rationalizes a sprawled SaaS portfolio
Cut 41 redundant SaaS tools, consolidated identity onto a single IdP, and freed $612k in annual spend.
Specialty retailer standardizes store IT across 92 locations
Replaced eight overlapping point-of-sale and back-office stacks with a single reference architecture and a written rollout plan.
International law firm certifies to ISO 27001 across three offices
Ran the certification end-to-end, from gap assessment to surveillance plan, across NY, London, and Singapore in 9 months.
E-commerce brand passes PCI DSS 4.0 after failed audit
Rebuilt scoping, segmentation, and quarterly scans to clear PCI DSS 4.0 in 90 days after a failed QSA assessment.
EdTech platform clears statewide FERPA review for K-12 contract
Authored the FERPA, COPPA, and state data-privacy artifacts that unlocked a statewide deployment to 612 districts.
Need help acting on what you found?
Book a free 20-minute consult with a Dephiant principal. We'll walk your results and pinpoint the two or three controls that move your posture the most.