Alvor Advisory

The catalogue

Every engagement, in one place.

Twenty-four named engagements across the four delivery tracks. Each carries a commercial shape and a typical duration, and every one is scoped and priced in writing before any work begins. Start with one, or ask us where to start.

24 engagements · 4 tracks

01

Assess · The diagnostic

Know exactly where you stand, and what to fix first.

Security Program Assessment

Fixed-fee · Typically 3–4 weeks

Know exactly where you stand, and what to fix first.

Best for a first, complete read of where the program stands.

Compliance Readiness Assessment

Fixed-fee · Typically 2–3 weeks

See the exact distance to certification before you commit to the audit.

Best for teams heading into a first certification or surveillance audit.

Domain Maturity Assessment

Fixed-fee · Typically 2–3 weeks

Score a single security function against the model built for it.

Best for a deep read of one capability, not the whole program.

AI Security and Governance Assessment

Scoped · Typically 2–4 weeks

See where AI is already in your business, and what it exposes.

Best for organisations whose AI adoption is running ahead of governance.

Incident Response and Resilience Readiness

Scoped · Typically 2–3 weeks

Know the plan holds before you ever need it.

Best for teams whose IR plan has never been rehearsed.

Cloud Security Posture Review

Scoped · Typically 2–4 weeks, sized to the estate

Find what your cloud is actually exposing.

Best for cloud-first teams unsure what their accounts expose.

Third-Party Risk Assessment

Scoped · Typically 2–4 weeks

Understand the risk you inherit from the vendors you depend on.

Best for organisations with a growing or unmapped vendor estate.

Penetration Test and Control Validation

Scoped · Typically 1–3 weeks per scope

Confirm the controls you rely on actually hold.

Best for teams needing technical proof, not just a paper review.

02

Architect · The keystone

Decide what good looks like before a single control is built.

Target-State Security Architecture

Scoped · Typically 4–8 weeks

Decide what good looks like before a single control is built.

Best for organisations building or rebuilding the program deliberately.

Unified Control Framework

Scoped · Typically 3–6 weeks

Design the control set once and evidence every standard at once.

Best for teams answering to more than one standard.

Security Strategy and Roadmap

Scoped · Typically 3–5 weeks

A sequenced, costed path from where you are to the target state.

Best for leaders who need a defensible plan and budget.

Operating Model and Policy Framework

Scoped · Typically 3–5 weeks

Decide who owns what, and write it down.

Best for programs that live in one person's head today.

Identity and Zero Trust Architecture

Scoped · Typically 4–6 weeks

A focused design for identity, access, and Zero Trust.

Best for teams modernising identity as the new perimeter.

AI Governance and Control Architecture

Scoped · Typically 3–6 weeks

An AI control plane, designed before adoption hardens into habit.

Best for organisations putting AI into products or workflows.

03

Build · The implementation

Stand the controls up, integrate them, and prove they work.

Remediation Delivery

Project · Sized to the gap register

Close the gap register against the blueprint, control by control.

Best for teams with a blueprint and gaps to close.

Tooling Selection and Deployment

Project · Typically 6–12 weeks

The right tools chosen against your architecture, not a vendor's roadmap.

Best for teams buying or consolidating security tooling.

Security Engineering and Automation

Project · Typically 4–10 weeks

Controls that hold without anyone remembering to apply them.

Best for engineering-led teams scaling controls.

Audit Preparation

Project · Typically 4–8 weeks

Walk into the assessment ready.

Best for teams with an audit date on the calendar.

Security PMO and Enablement

Project · Runs with the build

The program run to a plan, and your team brought up to speed.

Best for organisations standing up a security program at pace.

04

Operate · The managed service

Stay audit-ready all year, without rebuilding the capability yourself.

Managed Compliance

Retainer · Standing, reviewed on your terms

Stay audit-ready all year, without rebuilding the capability yourself.

Best for certified teams who must stay certified.

Virtual CISO and Fractional Leadership

Retainer · Standing, sized to you

The leadership of an in-house team, without the hire.

Best for teams not ready for a full-time CISO.

Continuous Control Monitoring

Retainer · Standing, reviewed quarterly

Posture tracked, not assumed.

Best for leaders who want posture they can prove.

Managed Third-Party Risk

Retainer · Standing, sized to the estate

Vendor risk run for you, as a standing service.

Best for teams with a large or fast-moving vendor estate.

Security Program Management

Retainer · Standing, reviewed on your terms

The wider program run for you, end to end.

Best for organisations outsourcing the run, not just the build.

Not sure where to start? That is a fine place to start.

© 2026 Alvor, Inc. All rights reserved.