Services

Senior security work, scoped to exactly what you need.

Whether you need a one-time picture of your risk or a leader to own the program, every TRAG engagement ends the same way: you know what to do next, and you can defend the spend.

01 / ASSESSMENT

Cybersecurity Risk Assessment

The flagship engagement. A structured review of your security posture across all 18 areas, scored against recognized frameworks and delivered as a plan — not a verdict.

The baseline is built from your team's own structured responses — fast, and light on staff — with optional verification against real evidence when you need findings that hold up to auditors and insurers. You receive a maturity baseline, a ranked findings register, and a remediation roadmap with cost and effort attached to every item.

See how the assessment works

What's included

  • All 18 assessment areas, governance to recovery
  • Built from your team's structured responses (Discovery)
  • Crosswalked to NIST CSF 2.0 and the K-12 SIX Essentials
  • Maturity scoring (1–5) across every control
  • Ranked findings register with severity & impact
  • Executive, Technical & Compliance reports
  • Costed, phased remediation roadmap
  • Optional evidence verification (Standard / Deep Dive)
  • Live executive readout & Q&A

What your advisor covers

  • Keeping your remediation roadmap moving
  • A sounding board for risk decisions
  • Policy & standards guidance
  • Board, audit & cyber-insurance reporting
  • Vendor & contract security review
  • Plain-English answers when questions arise
  • Incident-readiness guidance & a hand on the bad day
  • Mentoring for your IT team
02 / RETAINER

Security Advisory Retainer

A seasoned security advisor on call for your district — the expert judgment, none of the hiring cost or risk.

Most districts need CISO-level judgment but can't justify a $200K+ hire — and can't find one anyway. TRAG fills that gap as an independent advisor: helping you make risk calls, keeping your roadmap moving, vetting vendors, satisfying auditors and insurers, and being the person you call the moment something looks wrong. You get continuity and a steady hand, scaled to the hours you actually need. We advise — we don't sell you tools or take over your team.

See retainer tiers
03 / ROADMAP

Technical Remediation Roadmap

You already know you have problems. TRAG turns them into a plan you can execute and track.

Pen test results, an auditor's findings, a cyber-insurance questionnaire, or the aftermath of an incident — TRAG consolidates them into one prioritized backlog. Each item gets effort sizing, cost, dependencies, an owner, and a target phase, so progress is visible to everyone from the help desk to the board.

This is the namesake of the practice, and it's the artifact clients come back for: a roadmap that stays current instead of dying in a spreadsheet.

Roadmap · Phased ViewTRAG-OUTPUT
Now0–2 wk
Near30 day
Plan90 day
Mature6 mo
Identity / MFA
Critical
Backup isolation
Critical
Patch program
High
Network segmentation
Medium
Policy refresh
Low
Critical High Medium Low

Formats

  • Half-day technical workshops for IT teams
  • Executive & board security tabletops
  • Ransomware & breach simulations
  • Phishing campaigns & awareness programs
  • Secure configuration & hardening clinics
  • New-hire and annual refresher training
04 / TRAINING

Training & Tabletop Exercises

The cheapest control you own is a team that knows what to do. TRAG builds that muscle.

Technical training lifts your IT staff's day-to-day defensive skills. Tabletop exercises put your leadership through a realistic incident — a ransomware demand, a data exposure, a vendor breach — so the first time they make those decisions isn't during a real one. Every session is tailored to your environment, not generic slideware.

Also Available

Specialist engagements

Targeted, à la carte work that often follows an assessment or rides alongside a retainer.

A / RANSOMWARE

Ransomware Readiness Review

A focused review of your defenses, backups, and recovery posture against a ransomware event — the threat schools face most.

B / VULN SCAN

Internal Vulnerability Scan

An authenticated network scan delivered with a clear, prioritized findings report your team can act on.

C / AD SCAN

Active Directory Security Scan

A review of AD privileges, configuration, and the common misconfigurations attackers target first.

D / RISK

Formal Risk Assessment

A structured risk analysis delivered with a risk register your district keeps and reuses going forward.

E / INSURANCE

Cyber Insurance Support

Help completing insurer questionnaires accurately and closing the controls that drive your premiums.

F / POLICY

Policy & Standards Development

Practical, enforceable security policies written for your district — not boilerplate nobody reads or follows.

Not sure which engagement fits?

That's exactly what the briefing is for. Tell us what's keeping you up at night and you'll get a straight recommendation — even if the honest answer is "you don't need us yet."