Our services

Everything an enterprise security team does — right-sized for you.

We don't sell policy templates or churn out reports to wave at an auditor. NIST CSF 2.0 is the backbone — CIS Controls is how we implement it — and every other framework you need maps back to that one core. We build the program, operate it in our own GRC platform, and quantify your posture improving over time, one business at a time.

A recognized spine

Every service is a control within NIST CSF 2.0 and CIS Controls — not a loose list of tools. Defensible structure an enterprise reviewer recognizes on sight.

Run on our own platform

Your whole program lives in Citadel, our GRC platform — controls, evidence, and live maturity in one place, not a spreadsheet and a consultant's memory.

Proven by offensive testing

We attack what we build and grade the result — a posture score you can track quarter over quarter and hand to the customers asking how you know you're secure.

Map to what you actually need

Because everything sits on the CSF 2.0 core, we don't rebuild from scratch for each framework — we map your existing controls to it and close the specific gaps. Not every business needs every framework: some need SOC 2, some need PCI, some need HIPAA. We figure out which ones actually apply to you, then get you ready for the independent audit — Qanta builds the program; we don't certify it.

SOC 2

The report your enterprise customers keep asking for. We build the controls and the evidence trail, then get you audit-ready for an independent CPA attestation.

ISO 27001

The international standard, expected once you sell outside the US. We stand up the ISMS and ready you for certification by an accredited body.

HIPAA

If you touch patient health data, this isn't optional. We map the Security Rule safeguards to your controls and get you defensibly ready for scrutiny.

PCI DSS

If you take card payments, your acquirer requires it. We scope it down to what actually applies to you and prepare you for the right SAQ or assessment.

Service catalog by NIST CSF 2.0 function

GV

Govern

Security leadership, policy, and risk ownership.

The function CSF 2.0 added — and the one most SMBs have nothing for. We stand up the decision-making layer: who owns risk, what the policies are, and how the program is run and measured.

Virtual CISO (vCISO)

Senior security leadership without a senior security salary.

What we do
A named, certified security executive assigned to your account. Monthly strategy working sessions and quarterly business reviews; a security roadmap tied to your CSF maturity tier; budget and architecture guidance; and direct participation in your customers' security reviews and vendor due-diligence calls.
What you get
Board-ready posture report, prioritized roadmap, and a CSF Tier 1→4 maturity scorecard updated every quarter.
Maps to: GV.OC, GV.RR, GV.SC, CIS 17

Risk & Gap Assessment

Know exactly where you stand in two to three weeks.

What we do
A full maturity assessment across all six CSF 2.0 functions and 22 categories, plus a CIS Controls IG1 gap analysis. Includes asset and data-flow discovery and a risk register scored on likelihood × impact, with each gap rated by remediation effort and cost.
What you get
Maturity scorecard, scored risk register, and a sequenced remediation roadmap you can hand to leadership.
Maps to: GV.RM, ID.RA, ID.IM, CIS 1–18 (IG1)

Security Policy Development

Real, enforceable policies — not a template you never read.

What we do
A complete ISMS document set tailored to how you operate: Information Security, Acceptable Use, Access Control, Data Classification & Handling, Incident Response, BC/DR, Change Management, SDLC, and Vendor Management. Each policy is cross-referenced to CSF, CIS, and the SOC 2 / ISO 27001 clauses it satisfies.
What you get
Approved, version-controlled policy set with employee attestation tracking in Citadel and an annual review cadence.
Maps to: GV.PO, GV.RR, CIS 14

Third-Party Risk Management

Your vendors won't become your breach.

What we do
Vendor inventory and tiering by data access and business criticality; security questionnaire issuance (SIG-Lite / CAIQ); collection and review of vendor SOC 2 and ISO reports; security-clause review for new contracts; and continuous monitoring of your most critical suppliers.
What you get
Vendor risk register with per-vendor ratings and review attestations, refreshed on a defined cycle.
Maps to: GV.SC, ID.RA, CIS 15

ID

Identify

See your assets, data, and exposure clearly.

You can't protect what you can't see. We build a living picture of what you own, where your sensitive data lives, and how you look to an attacker on the outside.

Asset & Data Discovery

A live inventory of everything you have to protect.

What we do
Automated discovery of endpoints, servers, cloud workloads, and SaaS — including shadow IT. Sensitive-data discovery and classification (PII, PHI, PCI, intellectual property) with sensitivity labeling, plus data-flow mapping of where regulated data is created, stored, and transmitted.
What you get
Continuously updated asset inventory, a data classification matrix, and current data-flow diagrams.
Maps to: ID.AM, CIS 1, CIS 2, CIS 3

Vulnerability Management

Find and fix weaknesses before attackers exploit them.

What we do
Authenticated scanning across network, host, and cloud — continuous external and monthly internal. Findings are prioritized by real-world risk (CVSS + EPSS exploit probability + asset criticality), not raw CVE count, with patch SLAs tracked and remediation verified by rescan.
What you get
Risk-ranked vulnerability report with SLA tracking, trend dashboards, and remediation evidence per finding.
Maps to: ID.RA, PR.PS, CIS 7
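
The prioritisation rule above (CVSS plus EPSS plus asset criticality, with SLAs and rescan verification) can be made concrete. The following is an added example, not Qanta's code or the scoring its platform actually uses: the weights, tier cut-offs, SLA windows, hostnames and CVE placeholders are all assumed values constructed for the illustration. It shows why a critical-CVSS bug on a low-value printer with near-zero exploit probability ranks below a medium-CVSS bug that is actively exploited on a customer-facing host.

```python
# Added illustration (not Qanta's code): rank findings by CVSS x EPSS x asset
# criticality rather than raw CVE count, then track patch SLAs and rescan closure.
# Weights, tier cut-offs and SLA windows below are assumed values.
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed SLA windows in days per priority tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}
# Assumed multiplier for the business criticality of the affected asset.
CRITICALITY_WEIGHT = {"crown-jewel": 1.0, "high": 0.8, "medium": 0.5, "low": 0.3}


@dataclass
class Finding:
    finding_id: str
    cve: str
    asset: str
    cvss: float            # CVSS base score, 0-10
    epss: float            # EPSS probability of exploitation, 0-1
    asset_criticality: str
    first_seen: date
    remediated: bool = False


def risk_score(f: Finding) -> float:
    """Blend severity (CVSS), exploit likelihood (EPSS) and asset weight into 0-100."""
    severity = f.cvss / 10.0
    blended = 0.5 * severity + 0.5 * f.epss      # how bad it is vs. how likely it is used
    return round(100 * blended * CRITICALITY_WEIGHT[f.asset_criticality], 1)


def priority_tier(score: float) -> str:
    """Map a risk score to a patch-priority tier (assumed cut-offs)."""
    if score >= 70:
        return "P1"
    if score >= 45:
        return "P2"
    if score >= 20:
        return "P3"
    return "P4"


def prioritise(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Return (finding_id, score, tier) for open findings, highest risk first."""
    ranked = [(f.finding_id, risk_score(f), priority_tier(risk_score(f)))
              for f in findings if not f.remediated]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def sla_status(f: Finding, today: date) -> str:
    """'closed' if remediated, otherwise 'on-track' or 'overdue' against the tier SLA."""
    if f.remediated:
        return "closed"
    due = f.first_seen + timedelta(days=SLA_DAYS[priority_tier(risk_score(f))])
    return "overdue" if today > due else "on-track"


def verify_by_rescan(findings: list[Finding], still_present: set[str]) -> list[str]:
    """Close a finding only when the rescan no longer reports it; return the ids closed."""
    closed = []
    for f in findings:
        if not f.remediated and f.finding_id not in still_present:
            f.remediated = True
            closed.append(f.finding_id)
    return closed


# Constructed sample findings: placeholder CVE ids and fictional hosts.
SAMPLE = [
    Finding("F-001", "CVE-PLACEHOLDER-1", "vpn-gw-01", 9.8, 0.97, "crown-jewel", date(2024, 2, 10)),
    Finding("F-002", "CVE-PLACEHOLDER-2", "lab-printer", 9.8, 0.02, "low", date(2023, 12, 1)),
    Finding("F-003", "CVE-PLACEHOLDER-3", "crm-web-01", 6.5, 0.85, "high", date(2024, 2, 20)),
    Finding("F-004", "CVE-PLACEHOLDER-4", "file-srv-02", 5.3, 0.01, "medium", date(2024, 1, 5)),
]

if __name__ == "__main__":
    today = date(2024, 3, 1)
    for fid, score, tier in prioritise(SAMPLE):
        f = next(x for x in SAMPLE if x.finding_id == fid)
        print(f"{fid} {f.cve} on {f.asset}: score={score} tier={tier} sla={sla_status(f, today)}")
```

With the sample data, F-001 (critical CVSS, actively exploited, on the VPN gateway) lands in P1 and is already overdue, while F-002 carries the same CVSS 9.8 but drops to P4 because nobody exploits it and the asset is a lab printer. The rescan step only closes findings the scanner has actually stopped reporting, which is the evidence trail the service promises per finding.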

Attack-Surface & Brand Protection

See what an attacker sees — from the outside in.

What we do
External attack-surface management: domain, subdomain, and certificate monitoring; exposed-service and misconfiguration discovery; dark-web and credential-leak monitoring; and detection and takedown of typosquat and phishing domains impersonating your brand.
What you get
External exposure report, leaked-credential alerts, and a log of impersonation takedowns.
Maps to: ID.RA, PR.IR, CIS 12

PR

Protect

Put the right safeguards in place — and keep them there.

The largest function, and where day-to-day defense lives. We deploy, configure, and continuously maintain the controls that limit what an attacker can reach and do.

Identity & Access Management

The right people, the right access — and nothing more.

What we do
MFA enforced everywhere, SSO consolidation, and role-based least-privilege access. Privileged-access controls for admin accounts, a joiner-mover-leaver provisioning workflow, and quarterly access recertification so entitlements don't quietly accumulate.
What you get
MFA coverage report, privileged-account inventory, and signed quarterly access-review attestations.
Maps to: PR.AA, CIS 5, CIS 6

Endpoint Protection & Hardening

Every laptop and server defended and locked down.

What we do
Managed EPP/EDR deployment and tuning across the fleet, with full-disk encryption enforced and CIS Benchmark hardening applied to operating systems and browsers. Application allowlisting where it fits, and continuous device-compliance posture checks.
What you get
Endpoint compliance posture report and a hardening attestation measured against CIS Benchmarks.
Maps to: PR.PS, PR.AA, CIS 4, CIS 10

Email & Web Security

Shut down the number-one way breaches start.

What we do
A managed email security gateway against phishing, business email compromise, and malware; DMARC, DKIM, and SPF implemented and driven to an enforcing p=reject policy; DNS filtering; and a managed Web Application Firewall in front of your public apps.
What you get
DMARC enforcement report, blocked-threat metrics, and a documented WAF ruleset.
Maps to: PR.PS, PR.IR, CIS 9, CIS 13
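
The DMARC rollout this service describes (implement SPF, DKIM and DMARC, then drive the policy to an enforcing p=reject) can be checked from the published records themselves. The following is an added example, not Qanta's code or the tooling behind its DMARC enforcement report: it grades a DMARC TXT record by rollout stage and reads the qualifier on an SPF record's terminating "all" mechanism. The sample records, the example.com domains and the next-step guidance are constructed for the illustration, and no DNS lookups are made.

```python
# Added illustration (not Qanta's code): classify how far a domain has got along
# the DMARC rollout (monitor -> quarantine -> reject) and what its SPF record does
# with unlisted senders, from the TXT record text. Records below are constructed;
# no DNS lookups are made.
import re

# Next rollout step per stage (assumed guidance, not the page's).
NEXT_STEP = {
    "missing": "publish 'v=DMARC1; p=none; rua=mailto:...' to start collecting aggregate reports",
    "monitor": "fix legitimate senders failing alignment in the reports, then move to p=quarantine",
    "partial": "raise pct to 100 so the policy covers all failing mail",
    "quarantine": "after a clean period at quarantine, move to p=reject",
    "reject": "enforcing; keep reviewing aggregate reports for new senders",
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_stage(txt: str) -> str:
    """Return 'missing', 'monitor', 'partial', 'quarantine' or 'reject'."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "missing"             # receivers ignore a record without v= and p=
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"             # reports only; failing mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        return "partial"             # policy applied only to a sample of failing mail
    return policy if policy in ("quarantine", "reject") else "missing"


def has_aggregate_reporting(txt: str) -> bool:
    """True when the record names an rua= address, i.e. someone receives the reports."""
    return bool(parse_dmarc(txt).get("rua"))


def spf_qualifier(txt: str) -> str:
    """Qualifier on the terminating 'all' mechanism of an SPF record."""
    if not txt.lower().startswith("v=spf1"):
        return "missing"
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
    if not m:
        return "no-all"              # implicit neutral: unlisted senders are not failed
    return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "permissive"}[m.group(1) or "+"]


def email_auth_posture(dmarc_txt: str, spf_txt: str) -> dict:
    """Summary of the kind a DMARC enforcement report line would carry for one domain."""
    stage = dmarc_stage(dmarc_txt)
    return {
        "dmarc": stage,
        "reports": has_aggregate_reporting(dmarc_txt),
        "spf": spf_qualifier(spf_txt),
        "next_step": NEXT_STEP[stage],
    }


# Constructed sample records for fictional domains.
SAMPLES = {
    "monitor-only": ("v=DMARC1; p=none; rua=mailto:dmarc@example.com", "v=spf1 a mx ~all"),
    "partial": ("v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
                "v=spf1 include:_spf.example.net -all"),
    "enforcing": ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                  "v=spf1 include:_spf.example.net -all"),
    "broken": ("v=DMARC1; sp=none", "v=spf1 a mx"),
}

if __name__ == "__main__":
    for name, (dmarc, spf) in SAMPLES.items():
        print(name, email_auth_posture(dmarc, spf))
```

The "partial" stage matters in practice: a record that says p=reject but carries pct=25 is still delivering three quarters of spoofed mail, so an enforcement report should not count it as enforcing until pct reaches 100. The "broken" sample shows the other common failure, a record with no p= tag at all, which receivers treat as if no DMARC policy were published.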

Secure Configuration & DevSecOps

Secure by default — in the cloud and in the pipeline.

What we do
Cloud Security Posture Management for AWS, Azure, GCP, and Microsoft 365 measured against CIS Benchmarks, with drift detection. For teams that build software: SAST, software composition analysis, secret scanning, and infrastructure-as-code scanning wired into CI/CD.
What you get
CSPM posture score, benchmark conformance report, and pipeline scan results with trend lines.
Maps to: PR.PS, PR.IR, CIS 4, CIS 16

Data Protection & DLP

Keep sensitive data from walking out the door.

What we do
Data Loss Prevention policy and tooling across email, endpoint, and cloud; verification of encryption at rest and in transit; encrypted, tested backups; and handling controls applied to data based on its classification.
What you get
DLP incident report and an encryption-coverage attestation across regulated data stores.
Maps to: PR.DS, CIS 3

Security Awareness & Phishing Simulation

Turn your team into the first line of defense.

What we do
Role-based training and new-hire onboarding modules, with monthly phishing simulations that escalate in difficulty and just-in-time micro-training the moment someone clicks. Click and report rates are tracked by department over time.
What you get
Training completion records and phishing failure/report trend reports — exactly what auditors ask for.
Maps to: PR.AT, CIS 14

DE

Detect

Catch threats before they become incidents.

Prevention fails eventually. We watch continuously — across endpoint, network, cloud, and identity — so suspicious activity is caught and triaged in minutes, not months.

Managed Detection & Response (MDR / XDR)

24/7 eyes on your environment, with a team that acts.

What we do
A managed SOC running extended detection and response that correlates endpoint, network, cloud, and identity telemetry. Proactive threat hunting, defined response playbooks, and contractual MTTD/MTTR service levels — not just alerts forwarded to your inbox.
What you get
Monthly SOC report covering alert volume, dwell time, MTTD/MTTR, and full incident timelines.
Maps to: DE.CM, DE.AE, RS.MA, CIS 8, CIS 13

SIEM-as-a-Service

The audit trail your auditors and investigators need.

What we do
Centralized log aggregation across systems with correlation rules and alerting, plus compliance-grade retention sized to your regulatory obligations. The same log pipeline that powers detection also satisfies SOC 2, PCI, and HIPAA logging requirements.
What you get
Log-source coverage report, a documented alerting catalog, and a retention attestation.
Maps to: DE.CM, PR.PS, CIS 8

Behavioral Analytics & Threat Detection

Catch the anomalies that signatures miss.

What we do
User and entity behavior analytics (UEBA), cloud anomaly detection, and insider-threat indicators, with detection content continuously tuned against current threat intelligence to cut false positives and surface what matters.
What you get
Anomaly detection report and a maintained, tuned detection-rule catalog.
Maps to: DE.AE, DE.CM, CIS 8, CIS 13

RS

Respond

A tested plan, and a team on speed-dial.

When something happens, improvisation is the enemy. We make sure the plan exists, the roles are known, and your defenses have been proven against a real attacker before it counts.

Incident Response Retainer

A practiced plan and responders ready when it counts.

What we do
A documented, tested incident response plan with defined roles and runbooks, backed by a retainer with a guaranteed response window — covering both a security incident and a disaster-recovery activation. Containment, eradication, and recovery procedures, a structured post-incident review, and tabletop exercises to keep the team sharp.
What you get
IR plan, retainer SLA, and tabletop after-action reports with lessons learned.
Maps to: RS.MA, RS.AN, RS.MI, RS.CO, CIS 17

Offensive Security — Phantom Ops

Prove your defenses against a real attacker.

What we do
Phantom Ops, our red team, plays the adversary against your live environment — external, internal, web, API, and cloud — with real manual exploitation, not just a scan. Engagements run on Wraith, our testing framework built atop industry-leading and open-source tooling, with purple-team exercises to validate detections and a remediation retest to confirm fixes hold.
What you get
Two reports: a full technical writeup with proof-of-exploit and attack paths, and a sanitized version safe to share with customers and auditors — plus a 30/60/90 remediation roadmap.
Maps to: ID.RA, ID.IM, PR.PS, CIS 18

RC

Recover

Get back to business fast — even after the worst day.

The function almost every SMB skips entirely. We make sure that when something does go wrong, you can restore operations on a known timeline and come back stronger.

Backup, Resilience & Continuity

Recover on a known timeline, even from ransomware.

What we do
An immutable, tested backup strategy (3-2-1-1-0) with real restore drills — not just green backup dashboards. Defined RTO and RPO targets, a business continuity and disaster recovery plan, and a ransomware recovery runbook validated by an annual DR test.
What you get
BC/DR plan, restore-test attestations, and an RTO/RPO scorecard against your stated targets.
Maps to: RC.RP, RC.CO, CIS 11

The platform

Your entire program lives in Citadel — our GRC platform.

Most SMB “security programs” live in spreadsheets and a consultant's head. Yours lives in Citadel: a comprehensive, customizable GRC platform we run for you — every control, every piece of evidence, and your live maturity in one place. Built for the way SMBs actually operate, with the reporting depth an enterprise reviewer expects.

Twelve modules, one system of record

Compliance Task Engine

GV

Recurring controls with owners and due dates, and automatic L1→L2→L3 escalation when something slips.

Risk Register

GV

Identify, score, treat, and accept risk on a 5×5 likelihood-impact heatmap, with corrective action plans tracked to close.

Document Management

GV

Full policy and procedure lifecycle — reviews, exceptions, and employee acknowledgments captured and timestamped.

Vendor Risk

GV

Vendor registry with agreements, access, and risk tiers, plus recurring security reviews you can evidence.

Asset Inventory

ID

Hardware and software inventory with CIA ratings and compliance flags — the foundation everything else maps to.

Vulnerability & Patch Mgmt

ID

Import scan findings, risk-rank them, track remediation against SLAs, and manage documented exceptions.

Access Management

PR

Joiner-mover-leaver workflows and recurring access reviews, so entitlements never quietly accumulate.

Security Training

PR

Training programs, completion records, phishing campaigns, and a per-employee compliance matrix.

Incident Response

RS

The full incident lifecycle, from detection through close, with metrics that hold up to scrutiny.

Business Continuity / DR

RC

Backups, DR tests, business impact analysis, and recovery objectives (RTO/RPO) tracked and exercised.

Physical Security

PR

Visitor logs, equipment, media destruction, and clear-desk audits — the controls frameworks ask for and most tools ignore.

Digital Forms

GV

16 templated forms — access requests, firewall changes, NDAs, records destruction and more — routed through multi-step approval queues, so every sign-off is structured and auditable.

Illustrative — Citadel compliance dashboard (sample values)

Citadel / dashboard — Compliance posture
Northwind · NIST CSF 2.0 · demo workspace

Status: Audit-ready
Maturity: 3.2 (Tier 3 / 4)
Controls met: 184 / 212
Open risks: 72 high
Evidence current: 96% (+4 mo)
Tasks on track: 41 / 44

Coverage by CSF function: Govern 82% · Identify 74% · Protect 79% · Detect 68% · Respond 71% · Recover 64%

Risk heatmap: likelihood × impact

Customizable, not one-size-fits-all

Citadel is built on a framework engine, not a fixed checklist. We anchor your program on NIST CSF 2.0 and CIS Controls, then map your controls across to whatever a customer or regulator demands — SOC 2, ISO 27001, HIPAA, PCI DSS — and surface exactly where the gaps are.

Build once. Map to many. Close the gaps that are actually yours.

Reporting deep enough for a board — or an auditor

  • Cross-module compliance scoring with a live maturity gauge and a risk heatmap
  • Board- and customer-ready exports, generated from the same evidence you operate on
  • A complete, immutable audit log — every change, by whom, when — built for auditors
  • Automated reminders, overdue escalation, and a weekly compliance digest

Find it. Exploit it. Measure it.

We attack what we build — then track it.

Defending in the dark is guessing. Our offensive stack proves where you actually stand and turns it into a posture score you can show your board and a report you can hand over.

01 The engine

Wraith

Qanta's testing framework, built on industry-standard and open-source security tooling — no secret sauce, just disciplined use of the tools the best operators already trust. Wraith automates reconnaissance, scanning, and exploitation across networks, applications, and cloud, so every engagement is consistent, thorough, and repeatable, not dependent on one operator's memory.

02 The red team

Phantom Ops

Qanta's red-team service. We play the adversary against your live environment — external and internal, web and API, cloud and on-prem. Real manual exploitation and chained attack paths, not just a scanner's output. You see precisely how an attacker gets in and exactly what they could reach.

03 The posture score

Ghost Vector

Qanta's way of turning every finding into one number you can show your board and watch improve over time. A Security GPA with per-asset detail beneath it — our own tracking and communication tool, not an industry rating or an external grade. Tracked quarter over quarter, so progress is something you can see, not just assert.

Ghost Vector — Security GPA grade bands: Hardened · Resilient · Exposed · At risk · Critical

A letter grade leadership grasps instantly, backed by per-asset detail and a trend line. It's Qanta's internal posture score — a way to show your board where you stand and watch it climb, not an industry rating or a substitute for an audit.

The report your customer actually sees

Every engagement ships in two forms.

Full technical

Proof-of-exploit, chained attack paths, severity-rated findings, and a 30/60/90-day remediation roadmap your team works from.

Sanitized

Sensitive detail redacted, safe to hand to a customer, an auditor, or an insurer — the proof of posture an enterprise reviewer asks for, without exposing your internals.

See the deliverable

This is what you get.

Every engagement ends in a report built to hold up to scrutiny — clear severities, real proof-of-exploit, and a prioritized remediation roadmap.

The preview is a redacted sample — a fictitious client with sanitized findings. Real client data never leaves the engagement. Contact us to request a fuller redacted sample report from a real engagement.

How our assurance works

A Qanta report is a managed-program and posture report. We build, operate, and test your security program and get you audit-ready for an independent SOC 2 attestation (a CPA firm) or ISO certification (an accredited body). It is not a substitute for that attestation, and we don't act as our own auditor — the independent reviewer is the point. We'd rather tell you that up front than have you find it out later.

QANTA
Redacted sample

Penetration Test Report

External & Internal Network · Prepared for Northwind Trading Co.

Executive summary

Overall risk rating: HIGH

Findings by severity: 0 Critical · 2 High · 2 Medium · 1 Low

ID     Finding                                              Risk
EX-01  Remote access portal without enforced MFA            High
IN-01  SMB signing not enforced on legacy hosts             High
IN-02  Local administrator password reuse across endpoints  Medium
EX-02  Legacy TLS (1.0/1.1) negotiable on public web app    Medium
IN-03  Service banners disclose software versions           Low

The full report includes attack narratives, proof-of-exploit, CVSS scoring, positive controls, and a 30/60/90-day remediation roadmap — delivered in both full-technical and sanitized, shareable forms.

Ready to build real security?

Start with a free assessment. We'll baseline your maturity against NIST CSF 2.0 and show you exactly where you stand — no obligation, no jargon.