How We Work
Engagements
High Context
By ensuring a dedicated, ongoing, and embedded interest in the business better quality of service can be provided through informed and deeply accumulated context about the client’s systems and business.Client Focused
All engagements are month-to-month. No minimum commitment, no lock-in — and when our clients are ready to support their own security in-house, a transition plan and hiring assistance can be providedExpert Facilitation
Work isn’t limited; key experts can be brought in across engagements allowing for cost optimization without sacrifice. This also ensures work spans both strategic direction (risk roadmaps, board-level communication), and technical aspects without compromise.Brasstower engagements follow a four-phase model designed to deliver immediate security value while building toward long-term capability. Every engagement starts with an assessment of the client's actual architecture and threat surface, progresses through a prioritized roadmap, and executes against it on a monthly retainer. When the client is ready to support security in-house, Brasstower helps hire and transition — the model is designed to end well, not to create dependency
Lifecycle
-
~1-4 Weeks
Brasstower conducts a security posture assessment against the client’s actual architecture threat surface, and business model.
A prioritized risk register specific to the client’s systems, stage, and adversary profile is developed covering:
Existing security controls and their effectiveness,
Architecture review of production systems,
Threat model development,
Identification of regulatory and compliance obligations, and
A gap analysis against industry benchmarks relevant to the client’s market.
Outputs:
Prioritized risk register. Issues ranked by business impact and exploitability, with ownership assignments and remediation cost estimates.
Initial security roadmap. Sequenced remediation plan with timelines, resource requirements, and measurable success criteria.
Written threat model. Adversary profiles, attack surfaces, and risk appetite boundaries that inform all subsequent roadmap decisions.
-
~4 weeks.
The risk register is converted into a prioritized roadmap calibrated to the client's headcount, budget, risk tolerance, and growth trajectory. Every item is assigned to one of three ownership categories:
Brasstower: Work performed directly under the retainer — design reviews, architecture decisions, policy design, executive communication.
Client: Work performed by the client's engineering or operations teams, with Brasstower providing guidance and review.
Specialists: Work requiring domain-specific practitioners from the Brasstower bench — penetration testing, compliance audit preparation, cloud infrastructure hardening, etc — scoped and managed transparently without surprise costs.
Outputs:
Security roadmap. Ownership assignments, timelines, and resource estimates for every item.
Bench Plan. Identified specialist engagements with scope definitions and cost estimates sequenced against the roadmap.
Stakeholder summary. Board-ready risk narrative for executive and investor audiences.
-
Ongoing.
Monthly retainer work against the roadmap. Scope and cadence scale to the client's needs — from a few hours per month for early-stage companies to a substantial weekly commitment for companies in active growth or facing regulatory pressure.
Ongoing execution work includes:
Architecture and design reviews for new features, services, and infrastructure changes.
Threat modeling for new product capabilities, integrations, and deployment patterns.
Security review of system designs — including AI, ML, and agentic architectures, model deployment pipelines, tool-chain authorization — and traditional services.
Incident triage and response guidance.
Compliance program design and gap assessment — SOC 2, HIPAA, PCI-DSS, GDPR, particularly at the intersection of these frameworks and AI workloads.
Board and executive communication — quarterly risk briefings, investor-facing security narratives.
Engineering team integration — PR reviews, design document review, participation in architecture meetings.
Brasstower integrates into the client's existing tools — Slack, Teams, Jira, Notion, GitHub, Google Workspace — and participates in relevant design and engineering discussions.
Outputs:
Monthly deliverables. Completed roadmap items with written documentation.
Updated risk register. Re-prioritized as the threat surface and business evolve.
Design reviews and threat models. Written artifacts for every significant architecture or product change.
-
Optional Offramp
When the client's scale, risk profile, or organizational maturity justifies a dedicated internal security leader or team, Brasstower helps build that capability and transitions out.
Transition work includes:
Job description and leveling criteria for the security hire.
Candidate interview loop participation and evaluation.
Onboarding the new hire with institutional knowledge — risk register, roadmap, threat models, architecture context, and relationship map.
Structured handoff period, typically 1–2 months, where Brasstower and the new hire overlap.
Outputs:
Hiring package. Job description, leveling criteria, and interview rubric tailored to the client's specific security needs — including culture match.
Knowledge transfer documentation. Consolidated risk register, roadmap, threat models, and architectural context in a format the incoming hire can operate from on day one.
Transition plan. Defined handoff milestones and exit criteria so the end of the engagement is clean, not abrupt.
The goal is to build the security capability the client needs — not to create dependency on the advisory relationship.
Fractional Security Philosophy
“The word ‘fractional’ describes a retained advisory engagement where the client gets a defined allocation of senior time each month, embedded in their team, without the cost structure of a full-time executive hire.”
In practice, this means:
A defined number of hours per month, scaled to the client’s scope and budget
Embedded in the client’s Slack, Teams, or preferred communication platform
Available for ad-hoc questions and incident triage within the retainer scope
Attends design reviews, sprint planning, and architecture discussions as relevant
Produces written deliverables: threat models, architecture reviews, roadmaps, risk summaries, board decks
Does not require office space, equipment, benefits, or equity
This model works because the range of security specializations a company needs — AI security, application security, infrastructure hardening, cryptography, compliance, incident response — is too broad for any single full-time hire to cover.
A fractional advisor at the senior level can operate across these domains, activate specialists when depth is required, and maintain continuity through accumulated context.
Specialist Network
“Some engagements require focused depth that extends beyond strategic advisory. Brasstower maintains a vetted network of senior practitioners who can be activated on short notice, scoped tightly to the problem, and managed under the existing advisory relationship.”
Specialist domains:
Artificial Intelligence & Machine Learning Security.
Penetration testing and red team operations.
Cloud infrastructure security — AWS, GCP, Azure.
SOC2 and compliance audit preparation.
Detection and response engineering.
Hardware and firmware security.
Supply chain security assessment.
Research and development — specialist security services and novel feature development.
One advisor, one relationship with transparent specialist activation — Brasstower defines the scope, manages the engagement, and integrates the output into the broader security roadmap.
How This Compares
| Point-in-Time Pentest | Large Consultancy | Full-Time CISO | Brasstower (Fractional) | |
|---|---|---|---|---|
| Typical annual cost | $15K–$80K per engagement | $200K–$1M+ per project SOW | $350K–$600K+ all-in | Monthly retainer, scaled to scope |
| Ramp time | 2–4 weeks | 4–8 weeks | 6–9 months | 1–4 weeks |
| Context accumulation | None | Low — staff rotates | High — embedded full-time | High — ongoing, same advisor |
| Availability | Engagement window only | Scoped to deliverables | Full-time, single company | Retained hours, ongoing |
| Breadth | Narrow — single scope | Broad — generalist | Bounded — one person | Advisory + specialist bench |
| AI/ML security | Niche — fewer firms, premium cost | Emerging — variable quality | Rare at CISO level | Core practice area |
| Delivery | Report delivered, ends | Delivers to contract scope | Reports to board, full authority | Shared roadmap, monthly deliverables |
| Contract | Per-engagement SOW | Project SOWs, often with minimums | Employment, equity vesting | Month-to-month, no minimum |
| Client exclusivity | None — engagement too short | May serve direct competitors | Exclusive to employer | Managed through agreements |
| Transition model | Report delivered, no relationship | Deliverables retained, context decays | Transition during notice period | Planned from day one (Phase 4) |
