The Craftwork Group
CyberSecurity · Pacific Northwest

95% of breaches trace to 5% of controls.

Verizon's DBIR and a decade of incident post-mortems say the same thing: most mid-market breaches aren't caused by novel attacks — they're caused by unpatched basics. We find the 5% that matters and close it before someone else does.

95 / 5 · Controls that prevent most breaches
<48h · Typical posture audit turnaround
0 · Security theater tolerated
// 95 / 5 principle

Two very different approaches.

Most security vendors are incentivized to make the problem look complicated. We're not.

// What most vendors do
Sell you a platform, then license the visibility into it
Produce 400-page compliance reports that nobody acts on
Recommend controls without mapping them to your actual risk surface
Hand off a findings document and disappear
Treat every control as equal weight regardless of exposure
// What we do
Map your actual attack surface before recommending anything
Prioritize the 5% of controls that close 95% of realistic exposure
Build a hardening plan you can execute without a dedicated security team
Stay on to validate that fixes actually close the gaps we identified
Tell you clearly when something is out of scope for us
// What we do

Six things. Done well.

We don't offer a security catalog. We offer six tightly scoped engagements where we can make a measurable difference.

01 // Hardening
Endpoint & Server Hardening
CIS benchmark alignment for Windows, Linux, and macOS endpoints. We close the configuration gaps that automated scanners flag and human reviewers ignore.
Windows CIS L1/L2 · Linux STIGs · macOS hardening profiles · GPO hardening
02 // M365 Audit
Microsoft 365 Security Audit
Most M365 tenants are configured for convenience, not security. We audit conditional access, MFA coverage, admin role bloat, mailbox delegation, and data exposure.
Conditional Access · Defender for Business · Entra ID · Admin role audit
03 // Phishing
Phishing Resilience Program
Not a checkbox simulation. A structured program: baseline assessment, targeted training for highest-risk roles, repeat testing, and measurable reduction in click rates over 90 days.
KnowBe4 or Proofpoint · Role-targeted content · 90-day cadence
04 // Incident Readiness
Incident Response Readiness
You don't want to discover your IR plan doesn't work during an incident. We test it before that happens — tabletop exercises, playbook review, and communication chain verification.
Tabletop exercises · Playbook review · Contact chain testing · Ransomware scenarios
05 // Monitoring
Continuous Posture Monitoring
Ongoing visibility into your security posture — not a quarterly scan. We deploy lightweight monitoring across endpoints, identity, and cloud surfaces and surface what matters.
Defender integration · Identity anomaly detection · Cloud resource monitoring
06 // Advisory
Security Advisory Retainer
A senior practitioner on call for architectural decisions, vendor evaluation, incident triage support, and board-level reporting. Not a helpdesk. An engineer who can explain why.
Fractional CISO coverage · Board reporting · Vendor evaluation · Architecture review
// Internally-built tooling

We built the infrastructure we use. That changes what we can see.

Most security tooling is built by people who sell software, not by engineers who run infrastructure. We built our own AI-assisted analysis layer to accelerate posture audits, surface configuration anomalies, and cross-reference findings across endpoints and identity systems. It doesn't replace judgment — it gives our engineers faster access to the patterns that matter.

Posture audit analysis that would take days compressed to hours
Cross-system anomaly correlation without manual data stitching
Findings prioritized by realistic exploitability, not CVSS score alone
Every output reviewed by a practitioner before it reaches you
"The most expensive security program is the one that creates a false sense of coverage. We'd rather tell you your M365 tenant is a liability in plain English than sell you a dashboard that obscures it."
// Field observation, M365 audit engagement
// Scope & fit

Who this is and isn't for.

We're a good fit for a specific type of organization. Being clear about that upfront saves everyone time.

// Good fit
Mid-market firms (50–500 employees) without a dedicated security team
Organizations on Microsoft 365 who know their security posture is murky
Leadership that wants honest assessment, not reassurance
Teams that have had a near-miss and want to understand their real exposure
Companies preparing for a compliance audit or cyber insurance renewal
// Not a fit
Organizations that need a SOC 2 audit or certification (different engagement)
Enterprises with a mature internal security team looking for SOC services
Situations requiring penetration testing with a formal scoping agreement (we refer)
Companies looking for a vendor who will tell them they're fine

Start with a posture audit.

A structured look at your M365 tenant, endpoints, and identity configuration. You'll know exactly where you stand — no dashboard required.