A virtual Chief Information Security Officer is an outsourced executive who sets security strategy, policies, and governance without the cost of hiring a full-time CISO.

How long does SOC 2 readiness take?

Typical SOC 2 readiness engagements take 6–12 months depending on maturity and remediation needs.

Do you provide managed detection and response?

FWS partners with MDR/MSSP providers and offers managed security services and vendor-managed detection options as part of our ongoing programs.

Does Framework Security perform post-incident forensics?

Yes — we provide incident response and digital forensics to investigate root cause, scope, and remediation after breaches or ransomware.

What is SOC 2 and why would we need it?

SOC 2 is an independent audit that shows your company protects customer data using strong security and operational controls. Many enterprise customers make it a contract requirement before they’ll sign.

What is NIST CSF 2.0?

It’s a framework from NIST that organizes cybersecurity into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It’s often used as a roadmap to measure maturity and prioritize improvements.

How do SOC 2 and NIST CSF fit together?

NIST CSF can guide how you build your security program; SOC 2 is the external attestation you can hand to customers. Companies often use both: CSF internally, SOC 2 for external proof.

If you don’t have senior security leadership but need to meet compliance requirements, manage risk, or respond to customer security reviews, a vCISO is a practical option.

What’s the difference between a vulnerability assessment, penetration test, and red team?

A vulnerability assessment is a broad scan for weaknesses. A penetration test is a scoped simulation where testers exploit issues to show real-world impact. A red team is a full adversary simulation, often across multiple attack paths, designed to test detection and response.

How often should we do security testing?

At least once a year and whenever systems change significantly. More frequent testing is recommended for internet-facing applications or regulated industries.

What happens if we fail a pentest?

There is no 'pass/fail.' You get a report showing vulnerabilities, their severity, and how to fix them. After remediation, a retest confirms the issues are closed.

Do you help with regulatory frameworks other than SOC 2?

Yes, common ones include CIS 18, NIST, ISO 27001, HIPAA, PCI DSS, and others depending on your industry requirements.

Where do we start if we’re new to security programs?

Schedule a call with us to determine your organization’s best path forward.

What’s included in your vCISO packages?

Tiered options include governance, risk management, compliance roadmap, AI risk strategy, and quarterly QBRs. Each tier can bundle SOC 2 readiness and pentesting.

How fast can we achieve SOC 2 with Framework Security?

Timelines vary by maturity; many clients reach readiness in weeks and complete audits within a quarter when remediation items are addressed promptly.

Do you offer AI risk assessments?

Yes. We evaluate AI/ML use cases, data handling, third‑party/LLM risks, and control governance, and deliver a prioritized mitigation plan.

Comprehensive vCISO Engagement and AI Governance for Lender Toolkit

The Framework Security–LTK partnership showcases the full power of a mature vCISO engagement.

Since February 2023, Framework Security has partnered with Lender Toolkit (LTK), a 60-person remote organization delivering mortgage technology solutions, to build a mature, scalable, and audit-ready security program. What began as a tactical engagement quickly evolved into a multi-year strategic partnership—spanning compliance, governance, risk management, threat validation, penetration testing, and AI governance.

Comprehensive vCISO Engagement and AI Governance for Lender Toolkit

Overview

The initial Client Onboarding Assessment surfaced several critical challenges:

Difficulty responding to complex vendor security questionnaires
SOC 2 policy gaps and control inconsistencies
Need for improved AWS security management
Limited documentation and process maturity across security operations

With these baseline issues identified, Framework Security built and executed a multi-phase transformation plan.

1. Foundational Security Enhancements

Framework Security began by strengthening LTK’s technical and governance foundations. This phase included extensive penetration testing, adversary reconnaissance, and MITRE ATT&CK–aligned threat mapping across all major components of the LTK ecosystem—automation products, AI tools suite, and the PowerTools platform.

Atlas Mitre: Adversary-Mapped Control Validation

A core differentiator of this engagement was Framework’s use of Atlas Mitre, our internal MITRE ATT&CK–based threat mapping and validation framework.

Through Atlas Mitre, Framework:

Mapped LTK’s control environment against real-world adversary tactics and techniques
Identified detection and response coverage gaps across AWS, application layers, and identity systems
Validated existing logging and monitoring controls against known attack pathways
Translated technical findings into executive-level risk narratives

Rather than relying solely on checklist compliance, Atlas Mitre ensured LTK’s controls were tested against how attackers actually operate. This significantly strengthened both operational resilience and audit defensibility.

Core Governance & Control Implementation

Guided by Jerry Sanchez, Framework implemented several foundational controls:

Audit Log Management Process

Centralized collection, monitoring, and retention of critical security events, aligned with ATT&CK detection coverage and SOC 2 requirements.

Formal Remediation Process

Clear ownership, prioritization, and response workflows for vulnerabilities, mapped to adversary exploitation likelihood.

SOC 2- and ISO-aligned Policies

Comprehensive security documentation covering governance, access control, asset management, and operational security.

Framework also delivered key compliance assets such as the Toll Brothers INFOSEC Review and authored custom BCP/DR Policies, enabling LTK to demonstrate resilience and meet client assurance requirements.

2. Strategic Growth & Advanced Compliance

As LTK’s business scaled—including major contract renewals such as the LTK 2025 Deal—Framework Security expanded the engagement to address higher-level compliance, governance, and sales enablement needs.

ISO 42001 AI Governance

Under the leadership of Roberto Planos, Framework introduced an AI governance program rooted in ISO 42001. This work included:

AI risk assessments
AI governance frameworks
Model oversight and risk controls
AI policy development

Atlas Mitre methodology was extended into AI threat modeling—ensuring model risks, data pipeline vulnerabilities, and misuse scenarios were mapped against adversarial behavior patterns.

This positioned LTK to not only manage AI responsibly but to use governance maturity as a competitive differentiator.

SOC 2 Type II Readiness

Framework managed a full SOC 2 Type II readiness initiative:

Control validation and mapping under LTK SOC 2
Audit preparation and evidence walkthroughs
Continuous compliance workflows

By aligning SOC 2 controls with Atlas Mitre threat validation results, LTK strengthened audit narratives. Controls were not only documented—they were demonstrably effective against mapped threat scenarios.

Vendor Risk Management & Security Awareness

To elevate organization-wide maturity, Framework delivered:

A scalable vendor risk management program
Security awareness training for all employees
Governance processes aligned with long-term audit cycles

Vendor risk assessments were enhanced with threat-informed criteria, ensuring third-party risk was evaluated against relevant ATT&CK-aligned adversary techniques.

Sales Enablement Deliverables

Framework produced a sample AI Final Report—modeled on LTK’s own program maturity—to serve as a sales asset.

This showcased:

Threat-informed governance
AI oversight aligned with ISO 42001
ATT&CK-mapped control validation
Continuous monitoring maturity

The result positioned LTK as a benchmark example of responsible AI and mature security governance.

3. Technical Security Implementations

Framework strengthened LTK’s operational security posture through ongoing technical improvements:

Continuous penetration testing & threat modeling
Atlas Mitre–driven adversary simulation and control validation
Audit log pipeline deployment
Remediation workflows and vulnerability tracking
Formalized risk assessment processes
ISO 42001-aligned AI governance implementation
SOC 2 control reinforcement

Atlas Mitre created a structured, repeatable method for validating control effectiveness over time. This ensured security improvements were measurable, not anecdotal.

These controls created a sustainable security foundation designed to grow with LTK’s product roadmap and compliance needs.

Business Impact & Partnership Value

Over two years, the LTK–Framework Security relationship has matured into a fully integrated strategic partnership.

Measurable Outcomes

Consistent audit readiness enabling smooth client and partner audits
SOC 2 controls validated against real-world adversary techniques
Custom BCP/DR and compliance documentation supporting enterprise sales
Reference-grade security program assets used for sales enablement
Reduced operational risk through governance, threat validation, and automation
Improved security posture across cloud, AI, and internal operations
Executive-level reporting translating technical risk into business impact

Strategic Partnership & Future Opportunities

The engagement continues to evolve through:

LTK Partner Deal exploration, including co-branded CISO/CIO services
Joint opportunities to resell Framework Security offerings under LTK’s ecosystem
Collaboration on advanced AI governance and threat-informed risk frameworks
Ongoing Atlas Mitre–driven maturity assessments

This transformation demonstrates how a vCISO partnership can evolve from tactical support into long-term strategic value—grounded in measurable, threat-informed security leadership.

Conclusion

The Framework Security–LTK partnership showcases the full power of a mature vCISO engagement—blending advisory leadership with hands-on implementation and adversary-informed validation.

Through the work of Jerry Sanchez, Roberto Planos, and the broader Framework Security team, LTK now operates with:

A scalable and audit-ready compliance program
Mature governance processes
AI oversight aligned with ISO 42001
ATT&CK-mapped threat validation through Atlas Mitre
Stronger resilience, documentation, and client assurance