Services – MTradecraft

Tier One

Cyber Compliance Consultant — $36,000 / year

A full cybersecurity compliance program operated on an annual cadence, built for firms that have a Chief Compliance Officer and an outsourced IT provider but no internal cybersecurity function. We provide the function. Your CCO retains authority; your IT provider continues to operate the environment.

What's Included

External attack surface assessment
Quarterly. Domain enumeration, exposed services, DNS misconfiguration, certificate hygiene, breach exposure.
Internal vulnerability scanning
Annual. Credentialed Nessus scans, patch posture, configuration drift.
Microsoft 365 / Azure configuration audit
MFA coverage, conditional access, audit logging, retention, sharing settings, admin oversight.
Cybersecurity policy and procedure manual
Drafted, maintained, and updated against the current SEC examination priorities.
Rule 206(4)-7 annual review
Documented annual review of cybersecurity policies, prepared in a format examiners expect.
Vendor due diligence support
Standardized questionnaires sent to vendors; responses reviewed and filed.
Incident response plan
Drafted to firm specifics, with notification matrix and escalation procedures.
Evidence file
Maintained throughout the year so the firm has documentation to produce on demand.
SEC examination preparation
When an examination notice arrives, materials are already in order.
Quarterly advisory call · five-business-day response
One scheduled advisory call per quarter. Email and other non-incident questions answered within five business days.

Quarterly Delivery Rhythm

Q1 Full assessment. External attack surface map, internal vulnerability scan, Microsoft 365 and Azure configuration audit, and policy review against current SEC examination priorities.
Q2 Attack surface reassessment and continued monthly M365 monitoring. First advisory review of remediation progress against the Q1 baseline.
Q3 Mid-year compliance file review. Documentation cross-checked against this year's exam priority letter; any drift in M365 configuration flagged and corrected.
Q4 Annual policy refresh and exam-readiness review. Cybersecurity policy, incident response plan, and vendor procedures updated for the coming year.

Best Fit

SEC-registered investment advisers and private fund managers with a Chief Compliance Officer, an outsourced IT provider, and no internal cybersecurity function. Annual examinations expected.

Tier Two — Most Comprehensive

Remote CISO — $72,000 / year

Everything in the Cyber Compliance Consultant program, plus a named Chief Information Security Officer designation for your firm. The Remote CISO is the right engagement when an insurance carrier, prime broker, custodian, or institutional investor has asked who the firm's CISO is — and the firm needs the answer to be a name, not a role.

Engagement	Annual Cost	What It Adds
Cyber Compliance Consultant	$36,000	Full compliance program operation. No named CISO. No pen testing or tabletop.
Remote CISO	$72,000	Everything above, plus named CISO, annual pen test, annual tabletop, and 24-hour response.

Additional Scope

Named CISO designation
Brian Hahn is listed as the firm's Chief Information Security Officer on the cybersecurity governance chart.
Board and management briefings
Quarterly cybersecurity reports prepared for board, audit committee, or partner meetings.
Direct involvement in incident response
If an incident occurs, the CISO leads the firm's response, coordinates with counsel, and documents the file.
DDQ and questionnaire support
Institutional DDQs, custodian attestations, and insurance applications answered with consistent, defensible language.
Annual Penetration Testing and Tabletop Exercise
A qualified third-party penetration test against the firm's external surface, plus an executive tabletop exercise built against the firm's actual environment. Both documented for the evidence file.
Advisory access as needed · 24-hour response
Direct line for compliance and security questions throughout the year, with 24-hour response on non-incident matters.

When the Remote CISO Engagement Is the Right Call

An institutional investor or pension consultant DDQ asks whether the firm has a designated CISO.
A cyber insurance application requires the name and role of the individual responsible for information security.
A prime broker or custodian has flagged the absence of named cybersecurity leadership in their annual attestation.
An annual penetration test is required — by a regulator, insurance carrier, custodian, or institutional investor.
The firm has grown to a size where board-level cybersecurity reporting is expected but no internal hire is justified.
The firm has experienced a cybersecurity incident and wants ongoing senior oversight without a full-time hire.

À La Carte

One-time engagements.

Not every firm is ready for an annual engagement. The work below is sold as discrete, scoped engagements with a written statement of work and a defined deliverable. Each is examination-ready and produced to the same evidentiary standard as the subscription tiers above.

Engagement	What you receive	Fee
Cyber Risk & Vulnerability Threat Assessment (CRVT)	The flagship one-time assessment. External attack surface mapping, internal vulnerability scanning, M365 / Azure configuration audit, OSINT and breach exposure analysis, and policy review — combined into a single examination-ready report with executive summary, regulatory mapping, evidence archive, and remediation roadmap.	Starting at $10,000
External Penetration Test	Adversarial testing against internet-facing systems — active exploitation of identified vulnerabilities to demonstrate real-world impact. Scope agreed in writing before engagement. Report includes exploitation evidence, proof-of-concept documentation, risk-rated findings, and remediation guidance. Suitable for board reporting and SEC examination.	Starting at $8,000
Tabletop Exercise	Executive tabletop built against the firm's actual environment — incident scenario design, facilitated walkthrough with named participants, and written after-action report. Documented for the evidence file and the firm's cybersecurity training record.	Starting at $5,000
M365 / Azure Configuration Audit	Benchmark scan of the firm's Microsoft 365 and Azure environment with pass / fail results mapped to SEC-relevant controls — Regulation S-P, Rule 206(4)-7, Rule 204-2. Written report with screenshots for every finding, regulatory mapping for every failure, and a prioritized remediation roadmap.	Starting at $5,000
Internal Network Vulnerability Scan	Credentialed Nessus scan of the firm's internal network — patch status, exposed services, misconfigurations, and policy violations across workstations, servers, and network devices. Findings report with severity-ranked vulnerabilities, patch gap analysis, and remediation guidance mapped to SEC examination expectations.	Starting at $4,000 per location
External Attack Surface Assessment	OSINT, DNS and certificate transparency analysis, and breach exposure check across all internet-facing systems and services associated with the firm. Identifies exposed services, credential leaks, subdomain enumeration, and OSINT-visible risk. Written report with attack surface inventory, prioritized findings, and remediation roadmap.	Starting at $4,000
Policy & Documentation Review	Review of the firm's cybersecurity policy, incident response plan, vendor risk procedures, and employee technology usage agreement against current SEC examination priorities. Written gap analysis with finding-by-finding regulatory mapping and example corrective language ready for insertion into existing documents.	Starting at $3,000
Vendor Due Diligence Questionnaire	Complete due diligence on a specific third-party vendor — OSINT research, review of the vendor's security documentation and certifications, and a written assessment of the vendor's posture against the firm's obligations under Regulation S-P and Rule 206(4)-7. Completed DDQ with supporting evidence and vendor risk summary.	Starting at $2,500 per vendor
Incident Response Coordination Non-subscribers	For firms not on a Cyber Compliance Consultant or Remote CISO engagement who are managing a confirmed or suspected security incident. MTradecraft provides coordination and regulatory management — initial triage, insurance carrier activation, Regulation S-P 30-day clock management, legal coordination, and post-incident documentation. Technical forensics and remediation handled by the firm's insurance-panel IR provider.	$300 / hour 4-hour minimum

Final fee reflects scope — number of domains, locations, vendors, or systems involved. All engagements are scoped in writing before work begins. À la carte pricing reflects the full value of the deliverable; discounting is not available on one-time engagements.

A Note on Economics

A firm purchasing three à la carte engagements — M365 audit, external attack surface assessment, and policy review — starts at $12,000 and scales up from there. The Cyber Compliance Consultant engagement is $36,000 and includes all three in Q1, plus twelve months of continuous monitoring, quarterly advisory calls, breach monitoring, an annual Rule 206(4)-7 review, and a maintained evidence file. At the point a firm is buying multiple one-time engagements in the same year, the subscription is the economically rational choice.

Self-Serve

The BrainTrust — $2,500 / year

Some firms are not ready for a full engagement, but still need the documentation. The BrainTrust is MTradecraft's resource library — policy templates, frameworks, the AI compliance framework, incident response materials, and FieldCraft Security Awareness Training — sold as an annual membership for firms doing the work themselves.

See What's Included

Two engagements. One discipline.

Cyber Compliance Consultant — $36,000 / year

Remote CISO — $72,000 / year

One-time engagements.

The BrainTrust — $2,500 / year

Tell us what's driving the timing — and we'll tell you which engagement fits.