Security & assurance

Assessments, hardening, and evidence you can show an auditor

NIST-shaped reviews, penetration testing, and remediation planning for teams that answer to legal, insurers, or federal flow-down clauses, written for the people who sign ATOs rather than as buzzword bingo.

  • NIST CSF: common framing
  • Evidence: collector-friendly
  • Scoped: rules of engagement
  • Retainer: optional follow-on

Assessor-readable

Findings mapped to the controls your customer already names, so fewer translation meetings.

Assume breach

Detection and response gaps called out with severity tied to business impact, not CVSS alone.

POA&M friendly

Remediation items written so engineering can ticket them, not vague "improve security" lines.

Capabilities

What we actually ship

Written acceptance criteria, visible milestones, and owners named on day one.

01

Risk & control assessment

Current-state review against CSF 2.0 and, when in scope, SP 800-171 / 800-53 families relevant to your boundary.

Key Deliverables

  • Governance and vendor risk interviews
  • Control sampling with evidence requests
  • Heat map + prioritized backlog
  • Executive summary separate from detail

02

Compliance support

SSP, POA&M, and self-assessment language for CMMC-oriented contractors and SaaS vendors facing customer questionnaires.

Key Deliverables

  • CUI boundary workshops
  • Policy templates tuned to your size
  • Evidence collection cadence
  • Tabletop exercises for leadership

03

Penetration & app testing

Scoped external/internal/web-app engagements with reproduction steps devs can follow.

Key Deliverables

  • OWASP-oriented web/API coverage
  • Phishing simulations when requested
  • Retest window defined up front
  • MITRE mapping where it adds clarity

04

Detection & response readiness

SIEM/EDR tuning guidance and runbooks. We are honest about what a 24×7 SOC does and does not fix.

Key Deliverables

  • Log source gap analysis
  • Detection backlog prioritization
  • IR tabletop and comms templates
  • Third-party SOC RFP support

Technology Stack

  • NIST CSF 2.0
  • NIST SP 800-53
  • NIST SP 800-171
  • CMMC 2.0
  • MITRE ATT&CK
  • Microsoft Sentinel
  • Splunk / Elastic
  • CrowdStrike
  • Tenable
  • Burp Suite

Outcomes

Examples from client work

Figures are directional; we'll share context on a call under NDA where needed.

2–4 wk
CSF snapshot

Typical calendar time for a mid-size organization once logs and policies are accessible; larger boundaries are quoted after scoping.

SLA
Where contracted

Managed detection offerings include written response targets; assessments are milestone-based, not open-ended hourly billing.

Retest
Included windows

Penetration tests ship with a defined remediation verification window, not a surprise add-on.

Why Thorium

The Thorium Difference

Principals stay involved. We do not park you with a rotating bench of juniors.

Business language

Risk explained with likelihood and impact your CFO and GC recognize.

No fear selling

We do not invent dragons. Findings tie to exploit paths or policy failures we can show.

Fed-adjacent experience

Comfortable with contractor environments, HIPAA-covered entities, and professional services holding client secrets.

Engineering respect

Recommendations account for ongoing maintenance cost, not a laundry list of expensive appliances.

How It Works

Our Proven Process

Weekly checkpoints, a shared backlog, and change requests in writing, so scope stays legible.

  1. Phase 1: Scope

     Systems, data classes, and assessor expectations agreed in writing, including out-of-scope lines.

  2. Phase 2: Assess

     Evidence collection with minimal disruption; read-only where possible.

  3. Phase 3: Remediate

     Joint prioritization with IT; quick wins separated from multi-quarter programs.

  4. Phase 4: Verify

     Retest or continuous monitoring check-ins, depending on engagement type.

Much of our portfolio is confidential. After a short intro we'll share redacted examples that match your sector and risk profile.

Washington, DC · Remote-friendly
