Security & assurance

Assessments, hardening,and evidence you can show an auditor

NIST-shaped reviews, penetration testing, and remediation planning for teams that answer to legal, insurers, or federal flow-down — written for humans who sign ATOs, not buzzword bingo.

Trusted by teams in DC & remote-first orgs

No obligation · Response within 1 business day · NDA available

Why teams hire us

  • Principal engineers on your account
  • Written scope before build starts
  • Weekly demos & shared backlog
  • NDA-friendly from first call
NIST CSF
Common framing
Evidence
Collector-friendly
Scoped
Rules of engagement
Retainer
Optional follow-on
NIST CSF
Common framing
Evidence
Collector-friendly
Scoped
Rules of engagement
Retainer
Optional follow-on

What you get

Built for operators, not demos

Assessor-readable

Findings mapped to controls your customer already names — fewer translation meetings.

Assume breach

Detection and response gaps called out with severity tied to business impact, not CVSS alone.

POA&M friendly

Remediation items written so engineering can ticket them — not vague “improve security” lines.

Let's scope your project in one call

Bring your timeline, stack, and stakeholders. We'll tell you honestly if we're the right fit and what a first milestone could look like.

Book a scope call

Capabilities

What we actually ship

Written acceptance criteria, visible milestones, and owners named on day one.

01

Risk & control assessment

Current-state review against CSF 2.0 and, when in scope, SP 800-171 / 800-53 families relevant to your boundary.

Key deliverables

  • Governance and vendor risk interviews
  • Control sampling with evidence requests
  • Heat map + prioritized backlog
  • Executive summary separate from detail

02

Compliance support

SSP, POA&M, and self-assessment language for CMMC-oriented contractors and SaaS vendors facing customer questionnaires.

Key deliverables

  • CUI boundary workshops
  • Policy templates tuned to your size
  • Evidence collection cadence
  • Tabletop exercises for leadership

03

Penetration & app testing

Scoped external/internal/web-app engagements with reproduction steps devs can follow.

Key deliverables

  • OWASP-oriented web/API coverage
  • Phishing simulations when requested
  • Retest window defined up front
  • MITRE mapping where it adds clarity

04

Detection & response readiness

SIEM/EDR tuning guidance and runbooks — we are honest about what a 24×7 SOC does and does not fix.

Key deliverables

  • Log source gap analysis
  • Detection backlog prioritization
  • IR tabletop and comms templates
  • Third-party SOC RFP support

Technology stack

NIST CSF 2.0NIST SP 800-53NIST SP 800-171CMMC 2.0MITRE ATT&CKMicrosoft SentinelSplunk / ElasticCrowdStrikeTenableBurp Suite

Outcomes

Proof in the work

Directional benchmarks from real engagements — details on a call under NDA when needed.

2–4 wk
CSF snapshot

Typical calendar time for a mid-size org once logs and policies are accessible — larger boundaries quoted after scoping.

SLA
Where contracted

Managed detection offerings include written response targets; assessments are milestone-based, not hourly mystery.

Retest
Included windows

Penetration tests ship with defined remediation verification — not a surprise add-on.

Why Thorium

The Thoriumdifference

Principals stay on the thread. Scope, owners, and weekly visibility are written down — so you are not guessing what shipped.

Business language

Risk explained with likelihood and impact your CFO and GC recognize.

No fear selling

We do not invent dragons. Findings tie to exploit paths or policy failures we can show.

Fed-adjacent experience

Comfortable with contractor environments, HIPAA-covered entities, and professional services holding client secrets.

Engineering respect

Recommendations consider maintenance cost — not a laundry list of expensive appliances.

How it works

Our provenprocess

Weekly checkpoints, shared backlog, and change requests in writing.

  1. Phase 1

    Scope

    Systems, data classes, and assessor expectations agreed in writing — including out-of-scope lines.

  2. Phase 2

    Assess

    Evidence collection with minimal disruption; read-only where possible.

  3. Phase 3

    Remediate

    Joint prioritization with IT; quick wins separated from multi-quarter programs.

  4. Phase 4

    Verify

    Retest or continuous monitoring check-ins depending on engagement type.

FAQ

Common questions

Are you a certified C3PAO?

We prepare you for C3PAO assessment and coordinate with your chosen assessor; we do not award CMMC certification ourselves.

Do you provide 24/7 SOC?

We design and tune detection; fully managed SOC is available with partners or under a defined retainer — capacity is not implied.

Will you sign our customer security addendum?

Yes, after review. We map exceptions explicitly rather than rubber-stamping.

How fast after a breach?

If you have an active incident, say so on intake — we escalate to IR specialists in our network if needed.

Cloud-only environments?

Common. We focus on identity, logging, data egress, and backup integrity — the places cloud breaches actually hurt.

Work with Thorium

Ready whenyou are

Tell us what you need to ship. We respond within one business day with next steps — not a generic pitch deck.

Thorium DC, LLC provides technology consulting and security advisory services. We are not a law firm, certified auditor, C3PAO, or government entity. Work related to NIST, CMMC, SOC 2, HIPAA, FedRAMP readiness, and similar programs is advisory and implementation support only. We do not issue certifications, attestations, or authorizations. Regulated and federal-adjacent clients remain responsible for control operation, evidence, and outcomes with their assessors and contracting officers. Website content is informational; engagements are governed solely by executed agreements. Full compliance notices.

Get Free Consultation