CISSP-credentialed cybersecurity

LEAP Security

Enterprise-grade cybersecurity. Small-business pricing.

Most SMBs don't know they're exposed until it's too late. Our CISSP-credentialed team grades your external risk, maps your industry's compliance requirements, and builds a roadmap to close every gap — starting with a single $497 deep-dive audit.

Or book a discovery call
Report in 5 days · No software to install · From $497

Most small-business owners think attackers go after Fortune 500s. The opposite is true: attackers go after the least protected, and that's a 15-person plumbing company or a five-person dental practice every single day. The four numbers below are the math behind that reality — and the reason your insurance carrier is asking harder questions every renewal.

The threat is real

Small businesses are the #1 target.

Attackers don't pick the biggest businesses — they pick the least protected. And most small businesses have no idea where their gaps are until the breach notification arrives.

  • 43% of attacks target SMBs. Nearly half of all cyberattacks aim at small and mid-size businesses — the ones least likely to have a security team.
  • 60% close within 6 months. Of the SMBs that suffer a significant breach, 60% shut their doors within six months of the attack.
  • $200k+ average breach cost. The average data-breach cost for a small business now exceeds $200k — enough to sink most operations overnight.
  • 7+ frameworks may apply. HIPAA, FTC Safeguards, PCI DSS, CMMC, GLBA, FERPA, NAIC. Most SMBs don't know which apply — and "we didn't know" doesn't waive the fine.

You can't defend what you can't see.

So what would a breach actually cost your business? It's not abstract. Drop your annual revenue, the rough number of customer records you store, and how many days of downtime your operation could absorb. The calculator runs the same loss math the cyber-insurance carriers run when they price your renewal — and shows you how the $497 audit stacks against it.

The math, on you

Run your own breach numbers.

Move the sliders. The calculator combines downtime revenue loss + customer-record liability + the average forensic, legal, and notification spend — using the same loss model cyber-insurance underwriters use to set premiums.

Your business

  • Annual revenue: $2.5M. Total top-line revenue across all services / SKUs.
  • Customer records: 5,000. All names, emails, phones, addresses, and any payment / health / financial data your systems store.
  • Downtime: 7 days. How long would it take to restore systems, notify customers, and resume normal operations?
  • Cost per record: $50. Notification + credit monitoring + class-action exposure. $50 is the SMB baseline; healthcare / financial sit higher.

What a breach would cost

Downtime revenue loss: $48,000
Record-liability exposure: $250,000
Forensics + legal + insurance: $85,000
Total breach exposure: $383,000
LEAP audit + Guided build: $5,397

What's at stake vs what we cost: 71×. For every $1 you'd spend on a LEAP audit + Guided build, you'd avoid $71 of breach exposure. Insurance carriers use this same math to price your renewal. (Breach exposure $383k vs LEAP cost $5k.)

Conservative. The model uses 250 working days/yr for downtime loss, $50/record SMB baseline (healthcare and financial run 2–5× higher), and a $85k fixed cost for forensics + outside counsel + carrier paperwork. Real breach math is usually larger; this is a deliberate floor. The "Guided build" line uses the audit's $497 plus 12% of $40,833 of identified annual risk — the actual fee scales with what we find.
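As an added illustration (not the page's own calculator code), the loss model described above written out as a small Python function so the numbers can be checked: downtime loss is annual revenue divided by the days in a year times days of downtime, record liability is records times a per-record cost, and the fixed forensics / legal / insurance amount is added on top. One caveat when you run it: the note above says the model uses 250 working days, but the displayed $48,000 downtime figure for $2.5M revenue and 7 days is what a 365-day year produces ($2.5M / 365 × 7 ≈ $47,945); a 250-day year gives $70,000, so `days_per_year` is a parameter. The $40,833 "identified annual risk" figure is taken as an input because the page does not say how it is derived; the 12% Guided rate and $497 audit fee are the page's own numbers, and everything else (function and field names, the sensitivity helper) is this example's.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BreachInputs:
    """The four slider values from the calculator plus the model's fixed assumptions."""
    annual_revenue: float                  # total top-line revenue, USD per year
    customer_records: int                  # names, emails, payment / health / financial records stored
    downtime_days: float                   # days to restore systems, notify customers, resume operations
    cost_per_record: float = 50.0          # SMB baseline; healthcare / financial run 2-5x higher
    fixed_response_cost: float = 85_000.0  # forensics + outside counsel + carrier paperwork
    days_per_year: int = 365               # 365 reproduces the page's $48,000; its note says 250


@dataclass(frozen=True)
class BreachExposure:
    downtime_loss: float
    record_liability: float
    fixed_response_cost: float

    @property
    def total(self) -> float:
        return self.downtime_loss + self.record_liability + self.fixed_response_cost


def breach_exposure(inputs: BreachInputs) -> BreachExposure:
    """Downtime revenue loss + record liability + fixed response cost."""
    daily_revenue = inputs.annual_revenue / inputs.days_per_year
    return BreachExposure(
        downtime_loss=daily_revenue * inputs.downtime_days,
        record_liability=inputs.customer_records * inputs.cost_per_record,
        fixed_response_cost=inputs.fixed_response_cost,
    )


def engagement_cost(identified_annual_risk: float, audit_fee: float = 497.0,
                    build_rate: float = 0.12) -> float:
    """Audit fee plus a build fee charged as a percentage of identified annual risk.
    The page's example applies the 12% Guided rate to $40,833 of identified risk."""
    return audit_fee + build_rate * identified_annual_risk


def exposure_ratio(exposure: BreachExposure, cost: float) -> float:
    """Dollars of breach exposure per dollar spent (the page's 71x figure)."""
    return exposure.total / cost


def round_to_thousand(amount: float) -> int:
    """The calculator displays exposure lines rounded to the nearest $1,000."""
    return int(round(amount / 1000.0)) * 1000


def downtime_sensitivity(inputs: BreachInputs, days=(1, 3, 7, 14, 30)) -> dict:
    """Re-run the model across several outage lengths with everything else held fixed.
    (Helper added for this example; the page's calculator shows a single value.)"""
    return {d: breach_exposure(replace(inputs, downtime_days=d)).total for d in days}


if __name__ == "__main__":
    # The page's worked example: $2.5M revenue, 5,000 records, 7 days of downtime.
    page_example = BreachInputs(annual_revenue=2_500_000, customer_records=5_000, downtime_days=7)
    exposure = breach_exposure(page_example)
    cost = engagement_cost(identified_annual_risk=40_833)
    print(f"Downtime revenue loss          ${exposure.downtime_loss:>12,.0f}")
    print(f"Record-liability exposure      ${exposure.record_liability:>12,.0f}")
    print(f"Forensics + legal + insurance  ${exposure.fixed_response_cost:>12,.0f}")
    print(f"Total breach exposure          ${exposure.total:>12,.0f}")
    print(f"Audit + Guided build           ${cost:>12,.0f}")
    print(f"exposure / cost: {exposure_ratio(exposure, cost):.0f}x")
    for d, total in downtime_sensitivity(page_example).items():
        print(f"{d:>3} days of downtime -> total exposure ${round_to_thousand(total):,}")
```

Passing `days_per_year=250` to `BreachInputs` reproduces the note's stated assumption instead of the displayed figure; the other three lines of the breakdown do not depend on it.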

What it does

Five capabilities to lock down your business.

From a one-time scan to an ongoing retainer, we meet you where you are and build security that fits your budget — not your local MSP's hourly rate card.

External vulnerability scan
We scan everything an attacker can see — domains, IPs, open ports, SSL, DNS, email auth — and deliver an A–F security grade with prioritized findings.
Compliance roadmap
HIPAA, FTC Safeguards, IRS Pub 4557, PCI DSS, CMMC, GLBA, NAIC — we map findings against the frameworks that apply to your industry and deliver the policies a regulator expects.
Employee security training
Phishing simulations, password-hygiene training, and security-awareness workshops tuned to your team. Your people are the biggest vector and the cheapest one to fix.
Ongoing monitoring retainer
Continuous external monitoring, quarterly re-scans, threat-intel briefings, and a dedicated security advisor on call. You know your posture in real time.
Incident response planning
We build your IR playbook — who does what, when, and how. So when something does happen, your team reacts in minutes instead of panicking for days.
Vendor risk & access review
Map every third party with access to your systems. Revoke the ex-employees, the lapsed contractors, and the trial accounts you forgot existed — one of the most common breach vectors.

Most SMBs already pay something for "security" — usually their IT vendor, sometimes a $19/mo scanner, occasionally a five-figure enterprise consultancy. None of those options actually cover what a CISSP-credentialed engagement covers. Here's the honest comparison.

Your IT vendor. A scanner. A Big-4 firm. Or this.

Four ways an SMB tries to handle cybersecurity. Three of them either don't go deep enough or charge enterprise rates for an enterprise scope. We built LEAP Security as the option that actually fits.

Capability                     | Your IT vendor  | $19/mo scanner | Big-4 / enterprise | LEAP Security
CISSP-credentialed lead        | ×               | ×              |                    |
Findings prioritized by $ risk | ×               | Generic CVSS   |                    |
Compliance mapping             | Maybe one       | ×              |                    |
Written policies for auditor   | ×               | ×              |                    |
Will help you remediate        | If you ask      | ×              |                    |
Cost for first opinion         | Bundled, hourly | $19–99/mo      | $15k–50k           | $497
Build / remediation pricing    | Hourly          | Self-fix       | $50k+ project      | % of risk found
Time to first report           |                 | Instant, raw   | 4–8 weeks          | 5 days
Insurance-ready evidence       | ×               | ×              |                    |

How to read this. The $497 LEAP audit is a paid 45–60 minute consultation where Andrew reviews your reported posture, our external-scan output, and the dollar values we surface from each finding — it's not an on-prem hands-on assessment. Big-4 and enterprise engagements bundle hands-on internal discovery into their five-figure scope. The "Build / remediation pricing" row is where the larger commitment actually lives; we anchor ours as a percentage of what we identify, not a flat number we made up.

How it works

From order to answers in days.

No software to install. No agents on your network. Just order, share your domain + public IPs, and we handle the rest.

01 · Order audit. Pay $497, share company name, domain, and any public IPs. That's all we need.
02 · We scan your perimeter. Comprehensive external assessment of every public-facing surface. Zero touch on your internal network.
03 · Receive your report. A–F grade, finding-by-finding severity, and a prioritized fix list with dollar values on every line.
04 · Discovery call. We walk you through the report. Every question answered. You leave knowing your real risk.
05 · Optional build. If you want help fixing what we found, pick Advisory, Guided, or Hands-on. The $497 credits in.

Different industries answer to different regulators. The audit isn't one-size-fits-all — we run it through the specific framework your business has to follow. Pick yours below to see what that looks like.

Built for your industry

Same audit. Your specific rules.

We map your findings against the frameworks that apply to your business — and deliver the written policies that stand up to a regulator, an auditor, or your insurance carrier.

Healthcare & Dental

HIPAA isn't optional and the OCR is auditing more aggressively every year. We map your audit findings against the Privacy and Security Rules, write the risk analysis your auditor will ask for, and build the breach-notification playbook HITECH requires.

We've worked with single-provider dental practices and multi-location specialty groups. The deliverable is the same: documentation an OCR auditor accepts.

Avg breach: $429/record · Audit risk: High
Frameworks & rules we cover
  • HIPAA Privacy & Security Rules: Required risk analysis, written policies, BAAs, technical safeguards.
  • HITECH: Breach-notification timelines and OCR reporting workflows.
  • OCR audit readiness: Documentation packet matching the OCR Audit Protocol.
  • State medical-privacy laws: State-by-state add-ons (CMIA in CA, etc.) where they exceed HIPAA.

Financial & Insurance

RIAs, broker-dealers, IARs, and independent insurance agents face a stack of overlapping rules — SEC Reg S-P, FINRA cybersecurity expectations, the NAIC Data Security Model Law, and GLBA. We deliver the WISP your regulator and your E&O carrier both expect to see.

If you're a smaller RIA without a CCO, we build the cyber-section of your compliance program from scratch.

Reg pressure: High · Carrier ask: Annual
Frameworks & rules we cover
  • SEC Reg S-P & Reg S-ID: Privacy notices, identity-theft prevention program, customer data safeguards.
  • FINRA cybersecurity: Reg notices 21-29, 22-29 expectations, written supervisory procedures.
  • NAIC Data Security Model Law: Insurance-licensee version of the federal cyber rules; adopted by 20+ states.
  • GLBA / FTC Safeguards: Written Information Security Plan + qualified individual designation.

Legal & Law Firms

ABA Model Rule 1.6(c) makes cybersecurity an ethical duty, not a tech preference. State bar opinions go further every year — some require written safeguards, some require client notification on incidents. We deliver the documentation that satisfies both your bar and your client letterhead.

Trust-account controls and privileged-data handling get specific attention — those are the failure modes that draw bar grievances.

Privilege: Critical · Bar exposure: Direct
Frameworks & rules we cover
  • ABA Model Rule 1.6(c): Reasonable efforts to prevent unauthorized disclosure of client information.
  • State bar cyber opinions: Translated into your jurisdiction's specific safeguard requirements.
  • Client trust account controls: Wire-fraud / BEC defense procedures specific to escrow handling.
  • Privilege & confidentiality: Email, document, and matter-data segmentation policies.

Defense & Manufacturing

If you sell anything to the DoD or sit anywhere in a DoD supply chain, CMMC 2.0 is now mandatory. Most small subs hear about it from their prime contractor with three months' notice. We build your SSP, your POA&M, and the underlying NIST 800-171 controls before the next gate.

DFARS 252.204-7012 reporting + ITAR / EAR awareness covered for clients with controlled-technical-data exposure.

Tier: Lvl 1 / Lvl 2 · Auditor: C3PAO-ready
Frameworks & rules we cover
  • CMMC 2.0 (Level 1 / Level 2): Self-assessment + C3PAO-ready package depending on tier.
  • NIST SP 800-171: 110 controls, mapped against your environment with evidence files.
  • DFARS 252.204-7012: Cyber-incident reporting and rapid-reporting capability requirements.
  • ITAR / EAR awareness: Where controlled tech data may be in scope and how to fence it.

Real Estate & Title

The two threats that actually hurt real-estate firms are wire-fraud / BEC at closing, and GLBA exposure on customer financial data. We harden both. Title agencies and mortgage brokers get the FTC-Safeguards-aligned WISP that regulators and underwriters expect.

We've watched single-wire fraud events sink small firms; the playbook for stopping them isn't a tool, it's a procedure.

Top threat: Wire fraud · Avg loss: $120k
Frameworks & rules we cover
  • GLBA / FTC Safeguards: Customer financial-data safeguards + WISP.
  • RESPA / CFPB: Consumer-protection compliance overlay.
  • Wire-fraud / BEC defense: Closing-procedure playbooks + verification protocols.
  • State licensing & escrow rules: State-by-state escrow handling controls.

Retail & Restaurants

If you accept cards in any form, you're in PCI DSS scope. Most small retailers and restaurants think their POS vendor "handles it" — the SAQ they sign every year says otherwise. We finish the SAQ for you with evidence that holds up.

Card-not-present fraud and POS skimming are the two failure modes; we close both with documentation your acquirer will accept.

SAQ type: A / B / C / D · Volume: Any
Frameworks & rules we cover
  • PCI DSS 4.0: Self-Assessment Questionnaire (A through D) plus the evidence binder.
  • POS & card-reader hardening: Tamper detection, network segmentation, vendor validation.
  • State breach-notification laws: 50-state mosaic mapped to your customer base.
  • Card-not-present controls: Online ordering / phone-order fraud reduction.

Education & EdTech

Schools, tutoring centers, and EdTech vendors all touch student data — and that data sits inside FERPA at the federal level, sometimes COPPA for under-13s, and a state-by-state web of student-privacy laws. We map your real handling and write the policies your district contracts will demand.

Vendor data-sharing review matters a lot here: most breaches in EdTech come through a third-party tool nobody audited.

Federal: FERPA + COPPA · State laws: 40+
Frameworks & rules we cover
  • FERPA: Student-education-record protection and parent / student access rights.
  • COPPA: Verifiable parental consent for under-13 data collection.
  • State student-data privacy: SOPIPA-style laws across 40+ states.
  • Vendor data-sharing review: Third-party-tool risk register + DPAs.

Accounting & Tax

FTC Safeguards and IRS Pub 4557 are the two regs every CPA, EA, and bookkeeper needs to satisfy — and the IRS has been actively rejecting PTIN renewals from preparers without a documented WISP. We write yours, including the qualified-individual designation, and hand back the file your state CPA board accepts.

If you're a multi-partner firm, the WISP scales without rewriting from scratch.

Required: For PTIN renewal · Carrier ask: Mandatory
Frameworks & rules we cover
  • FTC Safeguards Rule (GLBA): Written Information Security Plan + qualified-individual designation.
  • IRS Publication 4557: Tax-preparer-specific safeguard checklist.
  • Written Information Security Plan: Drafted in your firm's voice, regulator-ready format.
  • State CPA / accountancy board rules: State overlay where safeguard requirements differ.

CISSP-credentialed. SW Michigan local.

Enterprise expertise at small-business scale.

LEAP Security is led by AJ Poole, a CISSP-credentialed cybersecurity professional with hands-on enterprise security architecture experience. The CISSP — Certified Information Systems Security Professional — is the gold-standard credential in cybersecurity, covering access control, cryptography, risk management, and security architecture across eight domains.

National security firms charge five figures for an engagement and treat small businesses like an afterthought. We're based in SW Michigan, work directly with local owners, and price our services so a 15-person shop gets the same quality assessment as a Fortune 500 — at a fraction of the cost.

Plus IAM specialization
  • CIAM: Certified Identity & Access Manager
  • CIGE: Certified Identity Governance Expert
  • CIMP: Certified Identity Management Professional
  • CIST: Certified Identity Security Technologist

Issued by the Identity Management Institute — depth in access control, governance, vendor risk, and identity-security architecture. The four credentials cover the IAM domain end-to-end and are directly load-bearing on the audit's MFA / vendor-access / identity-governance findings.

The audit is where every engagement starts. $497 buys a 45–60 minute deep-dive with our paid Audit consultant, a branded Effort/Impact matrix report inside 24 hours, and a 30-minute review call with our team. If we identify enough risk to justify the build, the $497 credits in.

Pricing

You pay a fraction of what's at stake.

Start with the $497 audit. If you engage LEAP for the build, project fees scale with the dollar value of risk we identify — never a flat rate, never a number we made up. You always keep most of the upside.

Step 1 · The audit: $497. Where every engagement starts.

A 45–60 minute deep-dive with Andrew, our AI Audit Consultant. He maps your full security posture across 6 areas, flags every gap with a dollar value, and delivers a branded Effort/Impact matrix report inside 24 hours. We review it with you on a free 30-minute call. The $497 fee credits toward your project if you engage LEAP for the build.

Step 2 · The build (optional · you pick the level)

Advisory: 8–10% of identified annual value · project fee. Self-led with our written playbook. We deliver a step-by-step remediation playbook plus a 60-minute Q&A. Your team executes; we're on email throughout for questions.
Example: if we identify $120k/yr at risk, 8–10% = $9,600 – $12,000.

Hands-on: 18–22% of identified annual value · project fee. We execute, you review. Grant LEAP temporary admin access; we execute every fix directly and walk you through what changed. Fastest path to remediation.
Example: if we identify $120k/yr at risk, 18–22% = $21,600 – $26,400.

Optional retainer. After the build, you can sign a monthly retainer for ongoing maintenance — 8–18% of your project fee per month, depending on involvement level. Quarterly access reviews, vendor risk re-checks, monitoring tuning, IR playbook updates as the business evolves. Skip it if you'd rather self-maintain.

Prefer monthly? Some clients prefer to skip the upfront project fee and pay one ongoing monthly subscription instead. We can quote that during your review call — typically 25–30% higher than the equivalent project + retainer to reflect the all-monthly cash flow.

What's not in the price

The $497 audit fee credits toward your project fee if you engage LEAP for the build. No long proposals. No surprise invoices. Every dollar on your audit report shows the math behind it. Tools you already own (M365, EDR, backup software) we use as-is; if a control gap requires a new tool, we recommend it transparently and you license it directly — no markup.

One more thing. The audit and build cover your full security posture — but if you just want a quick external read on your domain, there's a lightweight option for that too. The Security Snapshot.

Security Snapshot

Two ways to get one.

External, passive, letter-graded report on your public-facing posture across 9 categories — SSL/TLS, browser headers, email spoofing protection, domain & DNS hardening, cookie security, software version disclosure, subdomain attack surface, malware blocklist, and (coming soon) dark web breach exposure. Buy it standalone or claim the complimentary one bundled with any paid LEAP service.

Standalone · Buy a Snapshot · From $49
$49 one-time, or $29/mo for ongoing tracking
  • On-demand scan, full report in your inbox within 5–10 minutes
  • Letter-graded across 9 categories: SSL/TLS, headers, email auth, DNS hardening, cookie security, version disclosure, subdomain exposure, malware blocklist, plus dark web breach exposure (coming soon)
  • Best for vendor RFPs, board updates, insurance carriers, or ongoing drift monitoring
See snapshot pricing
Included free · Bundled benefit · Or get one on us
Free with any paid LEAP service: the $497 audit, a project build, or any LEAP retainer — one Snapshot on the house.
  • Every paid LEAP order includes one complimentary Snapshot
  • Same external scan, same letter-graded report — no separate charge
  • Already paid for an audit, build, or retainer? Claim yours below
Claim your complimentary snapshot

The questions every owner asks before they sign. The scan. The hand-off. The "do I really need this if my IT vendor handles security." Asked and answered before you have to email us.

Frequently asked

Questions & answers.

We assess your public-facing infrastructure: open ports, SSL/TLS configuration, DNS records, email authentication (SPF, DKIM, DMARC), known vulnerabilities on exposed services, and more. Everything an attacker can see from the outside, we check.
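The SPF / DKIM / DMARC part of that check, and the "email spoofing protection" category of the Snapshot report above, can be assessed passively from DNS alone. The following is an added example, not LEAP's scanner or grading code: it takes the TXT records a resolver would return for a domain and its `_dmarc` name, applies a point-deduction rubric for the weaknesses that matter most to a defender (missing or permissive SPF, too many SPF lookups, a DMARC policy of `none`, no aggregate reporting), and turns the score into an A–F letter. The sample zones, the deduction values and the grade bands are all constructed for this example. DKIM is left out because a passive check needs the sender's selector name, which is not discoverable from the domain alone.

```python
import re
from dataclasses import dataclass

# Constructed sample zones (not real domains' data): DNS name -> TXT records.
SAMPLE_ZONES = {
    "strong.example": {
        "strong.example": ["v=spf1 include:_spf.mailhost.example -all"],
        "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
    },
    "weak.example": {
        "weak.example": ["v=spf1 include:_spf.mailhost.example ~all"],
        "_dmarc.weak.example": ["v=DMARC1; p=none"],
    },
    "none.example": {
        "none.example": ["some-site-verification=abc123"],  # no SPF, no DMARC at all
    },
}


@dataclass(frozen=True)
class Finding:
    check: str       # "spf" or "dmarc"
    severity: str    # "high", "medium", "low"
    points_off: int  # deduction from a 100-point score (rubric is this example's)
    detail: str


GRADE_BANDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))  # below 60 is F

# SPF terms that cost a DNS lookup; RFC 7208 caps the total at 10.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)", re.IGNORECASE)


def grade_from_score(score: int) -> str:
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    return "F"


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_count(record: str) -> int:
    return sum(1 for term in record.split()[1:] if _LOOKUP_TERM.match(term))


def spf_all_qualifier(record: str):
    """Return '+', '-', '~' or '?' for the 'all' mechanism, or None if absent."""
    for term in record.split()[1:]:
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            return "+" if t == "all" else t[0]
    return None


def assess_email_auth(domain: str, zone: dict):
    """Score a domain's SPF and DMARC posture from its TXT records; returns (score, grade, findings)."""
    findings = []
    spf_records = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append(Finding("spf", "high", 40, "no SPF record: any host can claim to send as this domain"))
    elif len(spf_records) > 1:
        findings.append(Finding("spf", "high", 30, "multiple SPF records: receivers treat this as permerror"))
    else:
        spf = spf_records[0]
        qualifier = spf_all_qualifier(spf)
        if qualifier is None:
            findings.append(Finding("spf", "medium", 15, "no 'all' mechanism: unlisted senders get a neutral result"))
        elif qualifier == "+":
            findings.append(Finding("spf", "high", 40, "+all authorizes every host on the internet"))
        elif qualifier == "?":
            findings.append(Finding("spf", "medium", 25, "?all gives unlisted senders a neutral result"))
        elif qualifier == "~":
            findings.append(Finding("spf", "low", 5, "~all softfail: acceptable only with DMARC enforcement"))
        if spf_lookup_count(spf) > 10:
            findings.append(Finding("spf", "high", 20, "more than 10 DNS lookups: SPF evaluates to permerror"))
    dmarc_records = [r for r in zone.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc_records:
        findings.append(Finding("dmarc", "high", 40, "no DMARC record: spoofed mail is never quarantined or rejected"))
    else:
        tags = parse_dmarc(dmarc_records[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append(Finding("dmarc", "medium", 25, "p=none only monitors; spoofed mail is still delivered"))
        elif policy == "quarantine":
            findings.append(Finding("dmarc", "low", 10, "p=quarantine: spoofed mail lands in spam rather than being rejected"))
        if "rua" not in tags:
            findings.append(Finding("dmarc", "low", 5, "no rua tag: no aggregate reports, so no visibility into abuse"))
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(Finding("dmarc", "low", 5, f"pct={pct}: policy applied to only part of the mail stream"))
    score = max(0, 100 - sum(f.points_off for f in findings))
    return score, grade_from_score(score), findings


if __name__ == "__main__":
    for domain, zone in SAMPLE_ZONES.items():
        score, grade, findings = assess_email_auth(domain, zone)
        print(f"{domain}: {grade} ({score}/100)")
        for f in findings:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

To run this against a live domain, replace `SAMPLE_ZONES` with the TXT answers from a resolver (for example dnspython's `dns.resolver.resolve(name, "TXT")`); the scoring logic is unchanged, and the grade bands are the place to tune if your organisation weighs `p=quarantine` or softfail differently.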
No. The external scan runs entirely from our side. We only look at what's publicly accessible — no agents, no software installs, no access to your internal network. Just give us your domain and public IPs and we handle the rest.
Most reports are delivered within 3–5 business days of your order. Complex scans (multiple domains, large IP ranges) may take up to 7 days. You'll receive an email when your report is ready, along with a link to schedule your review call.
We work across the frameworks SMBs in our service area actually face: HIPAA & HITECH (medical, dental, behavioral health), FTC Safeguards Rule + IRS Publication 4557 (accounting, tax prep, bookkeeping), PCI DSS 4.0 (anyone accepting cards), CMMC 2.0 + NIST SP 800-171 + DFARS (DoD supply chain), SEC Reg S-P / S-ID, FINRA, NAIC Model Law (financial advisors and insurance), GLBA / RESPA (real estate, title, mortgage), FERPA / COPPA (education and EdTech), ABA Model Rule 1.6(c) + state bar opinions (legal), plus state breach-notification laws and cyber-insurance security questionnaires. Your audit maps your business against the ones that apply.
Yes. After your audit, we build a compliance roadmap against the frameworks that actually apply — and deliver the written documents a regulator or insurer expects: a Written Information Security Plan (WISP) for accounting / tax, HIPAA Security Rule policies + risk analysis for healthcare, a CMMC SSP and POA&M for defense, an FTC Safeguards Rule program for financial services, a PCI Self-Assessment Questionnaire for card acceptors, and so on. We can also implement the technical fixes (MFA, encryption, EDR, backups, vendor risk register, IR plan) under any of our delivery levels.
Project fees are value-based: 8% (Advisory), 12% (Guided), or 18% (Hands-on) of the conservative end of the dollar range your audit identifies as recoverable annual risk. We anchor pricing to the LOW end of the value range so you never feel gouged on a stretch number — you always keep the majority of the upside. The full math (e.g. "12% of $120k identified = $14,400") is shown directly on your audit report under each finding, so you can verify every dollar. Your $497 audit fee credits toward the project if you engage us for the build.
Advisory (8–10%) — we deliver a step-by-step playbook + 60-min Q&A; your team executes everything. Best when your team is technically capable and wants to lead.

Guided (12–15%) — we run 6–8 Zoom working sessions over the engagement. We lead each session, your team clicks, we verify. Best for most SMB engagements — balance of speed, learning, and cost.

Hands-on (18–22%) — grant LEAP temporary admin access; we execute every fix directly and walk you through what changed. Best when speed matters or you want white-glove. Lightest lift on your team.

You pick the level on the review call after seeing the audit.
Optional. After your build is complete, you can sign a monthly retainer for ongoing maintenance — 8–18% of your project fee per month, scaled to the level of involvement you want. Covers quarterly access reviews, vendor risk re-checks, log-monitoring tuning, IR playbook updates, and posture re-checks as your business evolves. Skip it if you'd rather self-maintain after we've handed off.
Most SMB IT vendors are excellent at making things work — networks, email, printers, desktops. Very few are credentialed in security architecture or compliance. The two skill sets rarely overlap. If your IT vendor can't tell you which framework applies to your industry, where your gaps are against it, or what evidence you'd hand a regulator or insurance carrier if asked, that's the gap LEAP fills. We don't replace your IT — we audit them too, write the documentation an auditor or carrier will actually accept, and hand it back to your team to maintain.
Ready to start?

Know your score before someone else does.

A $497 audit today is cheaper than a $200k breach tomorrow. Find out where you stand — before an attacker does it for you.

or book a free discovery call
Phone: (269) 421-2995
Email: hello@leaptosolutions.com
Report in: 5 business days

Order Your $497 Audit

45–60 min deep-dive with Andrew, our AI Audit Consultant. Branded matrix report inside 24 hours.

Powered by Stripe. After payment, we'll text + email a 6-digit PIN you'll use to call Andrew, our AI Audit Consultant.