Service Offerings & Pricing Guide
Counter Measures Security
Cybersecurity Services
Independent, third-party security assessment and advisory services for organizations of all sizes
Penetration Testing
| Features | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| External scan of specified IPs | ✓ | ✓ | ✓ | ✓ |
| Multi-pass port scanning (all 65,535 TCP/UDP ports) | ✓ | ✓ | ✓ | ✓ |
| Service and device fingerprinting | ✓ | ✓ | ✓ | ✓ |
| Vulnerability mapping and scoring | ✓ | ✓ | ✓ | ✓ |
| Dynamic testing and active exploitation | – | ✓ | ✓ | ✓ |
| Website testing and attempted exploitation | – | ✓ | ✓ | ✓ |
| Proof of concept documentation | – | ✓ | ✓ | ✓ |
| External attack surface mapping | – | – | ✓ | ✓ |
| Threat reconnaissance (incl. dark web) | – | – | ✓ | ✓ |
| Custom phishing campaigns | – | – | – | ✓ |
| Wireless and in-person assessments | – | – | – | ✓ |
| Advanced red teaming and custom objectives | – | – | – | ✓ |
| Report and findings walk-through | ✓ | Up to 3 | Up to 3 | Up to 3 |
| Letter of attestation | ✓ | ✓ | ✓ | ✓ |
| Starting at | $2,500 | $5,000 | $8,000 | Custom |
Tier 1 checks the box for most insurance and compliance questionnaires.
Tier 2 includes actual penetration without risking business disruption.
Tier 3 creates greater risk awareness and context.
Tier 4 simulates real-world attacks and shows impact.
AI Consulting
AI Security and Strategy Advisory
Scoped per engagement
Advisory services for organizations adopting AI tools and platforms. Covers AI security posture evaluation, policy development for AI usage, data protection in AI workflows, and custom AI system development using Microsoft Power Platform and AI Builder.
✓ AI tool and platform evaluation
✓ AI usage policy development
✓ Data protection in AI workflows
✓ Custom AI system development
Service Offerings & Pricing Guide
Counter Measures Security
Testing & Simulations
Vulnerability Assessment Signature Service
From $3,000
A deep-visibility assessment designed to discover and fingerprint every asset on the network. Performs a full sweep of all private address spaces and specified network ranges, including ARP-level discovery for locally connected segments. Incorporates authenticated scanning where possible and extends to cloud environments such as Azure, Entra ID, and Intune-joined devices. The goal is maximum asset visibility and the deepest possible analysis — not just scanning what’s known, but finding what isn’t.
✓ Full private network sweep and asset discovery
✓ ARP-level scanning for local segments
✓ Authenticated scanning (as broadly as possible)
✓ Cloud and identity scanning (Azure, Entra ID, Intune)
✓ Vulnerability scoring and prioritized remediation guidance
Application Security Testing
From $5,000
Security assessment of web applications, portals, and SaaS platforms following OWASP methodology. Identifies vulnerabilities in application logic, authentication, and data handling.
✓ OWASP WSTG-aligned methodology
✓ Authentication and session testing
✓ Business logic assessment
✓ Detailed findings and remediation report
Breach Attack Simulation
From $1,500
Simulates real-world attack scenarios to test an organization’s detection and response capabilities. Evaluates how well existing controls perform under realistic conditions.
✓ Scenario-based attack simulation
✓ Detection and response evaluation
✓ Gap identification
✓ Improvement recommendations
Assessment & Compliance
Cyber Risk Assessment (NIST CSF v2.0)
From $10,000
Comprehensive evaluation of an organization’s security posture against the NIST Cybersecurity Framework version 2.0. Identifies gaps, evaluates controls, and provides a prioritized roadmap for improvement.
✓ NIST CSF v2.0 alignment assessment
✓ Detailed findings report
✓ Prioritized recommendations
✓ Executive summary
✓ Presentation and walk-through
HIPAA Security Assessment
From $10,000
Independent evaluation of HIPAA Security Rule compliance for healthcare organizations and their business associates. Covers administrative, physical, and technical safeguards.
✓ Security Rule gap analysis
✓ Risk assessment documentation
✓ Remediation roadmap
✓ Compliance attestation
Vendor Risk Assessment
From $3,000 per vendor assessed
Evaluates the security posture of third-party vendors and service providers. Reviews questionnaire responses, documentation, and external-facing infrastructure to assess risk exposure.
✓ Vendor documentation review
✓ External posture assessment
✓ Risk scoring and findings
✓ Recommendation report
Service Offerings & Pricing Guide
Counter Measures Security
Advisory & Policy
Policies and Procedures Development or Updating
From $3,000
Development or revision of written information security policies and procedures tailored to the organization’s regulatory environment and business needs. Includes acceptable use, incident response, data classification, and access control policies.
✓ Custom policy and procedure drafting
✓ Regulatory alignment (HIPAA, PCI, SOC, FINRA)
✓ Review and revision cycle
✓ Implementation guidance
Compliance Consulting
From $2,000
Hands-on guidance for organizations navigating vendor security requirements, regulatory questionnaires, and compliance obligations. Helps companies meet the security standards required by clients, partners, and regulators such as FINRA, SOC, and institutional due diligence processes.
✓ Vendor security questionnaire assistance
✓ Regulatory requirement interpretation
✓ Gap remediation and documentation
✓ Readiness assessment for institutional due diligence
Cyber Threat Reconnaissance
From $2,500
Maps the organization’s external attack surface and investigates dark web exposure. Identifies leaked credentials, spoofed domains, exposed services, and brand impersonation risks.
✓ Attack surface mapping
✓ Dark web monitoring
✓ Credential exposure check
✓ Brand and domain impersonation review
All services include: a findings report with prioritized recommendations, a presentation and walk-through of results, and a signed letter of attestation where applicable. Pricing is based on organizational size, scope, and complexity. All work is performed by Robert Rittich, CISSP, CHPS, CEH — a certified, insured, independent third party with no product sales or managed service conflicts.
Regulatory note: The HITECH Act update is expected to require twice-yearly vulnerability scans beginning in late 2026 or early 2027. Now is a good time for healthcare organizations to establish a baseline.