THEOREM SECURITY LAB
Cybersecurity Consulting & Advisory

Prepare.
Secure.
Reduce Cyber Risk.

Theorem Security Lab delivers expert cybersecurity consulting to help organizations build resilient security programs, achieve compliance, and measurably reduce cyber risk. We believe strong cybersecurity is not just a defensive necessity — it is a business enabler that builds trust, protects continuity, and empowers your organization to pursue its mission with confidence.

33 Service Offerings
7 Compliance Frameworks
7 Service Categories

Comprehensive Cybersecurity Services

From strategic executive advisory to hands-on technical assessments, we deliver end-to-end security solutions tailored to your organization's unique risk landscape.

Cybersecurity Program Assessments

A comprehensive evaluation of your entire cybersecurity program — spanning people, processes, and technology. We benchmark your current state against industry frameworks, identify critical gaps, and deliver an actionable roadmap to measurably strengthen your security posture.

  • Identify & prioritize program gaps
  • Benchmark against industry frameworks
  • Executive-ready reporting
  • Actionable risk-reduction roadmap

Security Metrics Development

We design and implement meaningful security KPIs and KRIs that enable data-driven decision-making. Turn your security program into a measurable, communicable business function that speaks the language of the boardroom and demonstrates clear return on security investment.

  • Demonstrate security ROI
  • Track program effectiveness over time
  • Board-level communication
  • Data-driven risk decisions

Virtual CISO (vCISO) / Cyber Advisory Services

Access seasoned CISO-level leadership on a fractional basis — without the full-time executive cost. Our vCISO service delivers strategic security oversight, board and executive communication, risk management governance, and program direction tailored to your organization's size, industry, and risk appetite.

  • Cost-effective executive leadership
  • Strategic program direction
  • Board & stakeholder alignment
  • Flexible, scalable engagement model

Cybersecurity Threat Briefings

Stay ahead of the threat landscape with expert-led cybersecurity threat briefings tailored to your audience and industry. Our briefings can be customized for all employees, your dedicated security team, or executive leadership — ensuring every level of your organization receives the right intelligence at the right depth. Each briefing is sector-specific, delivering actionable threat intelligence, emerging attack trends, and adversary tactics relevant to your industry. Whether delivered in-person or virtually, our threat briefings transform complex threat data into clear, decision-ready insights that drive proactive security action.

  • Tailored to all staff, security teams, or executives
  • Sector-specific threat intelligence & trends
  • Actionable, decision-ready insights
  • Available in-person or virtually

Third-Party / Supply Chain Risk Assessment

Your security posture is only as strong as your weakest vendor. Our Third-Party / Supply Chain Risk Assessment evaluates the cybersecurity risks introduced by your vendors, suppliers, and technology partners — examining their security controls, data handling practices, contractual obligations, and access to your environment. We help you understand and quantify the risk your third parties pose, prioritize vendors by criticality and risk level, and build or mature a sustainable third-party risk management (TPRM) program that scales with your business.

  • Identify & quantify vendor risk exposure
  • Prioritize vendors by criticality & risk level
  • Strengthen contractual security requirements
  • Build a scalable TPRM program

NIST CSF Assessment

Evaluate your cybersecurity program against the NIST Cybersecurity Framework's five core functions — Identify, Protect, Detect, Respond, and Recover. We assess your current maturity across all framework categories, benchmark you against industry peers, and deliver a prioritized improvement roadmap aligned to your risk tolerance.

  • Full maturity assessment across all 5 functions
  • Industry benchmarking
  • Prioritized improvement roadmap
  • Executive & technical reporting

ISO/IEC 27001 Gap Assessment

Measure your organization's readiness for ISO/IEC 27001 certification. We evaluate your information security management system (ISMS) against all Annex A controls, identify gaps between your current state and certification requirements, and provide a structured remediation roadmap to accelerate your path to certification.

  • Full Annex A controls evaluation
  • ISMS readiness assessment
  • Gap-to-certification roadmap
  • Reduce certification timeline & cost

SOC 2 Readiness Assessment

Prepare for your SOC 2 Type I or Type II audit with confidence. We assess your controls against the Trust Services Criteria — Security, Availability, Confidentiality, Processing Integrity, and Privacy — identify control gaps and design deficiencies, and help you remediate before your auditor arrives.

  • Trust Services Criteria gap analysis
  • Control design & implementation review
  • Reduce audit findings & surprises
  • Type I & Type II preparation

PCI DSS Assessment

Assess your compliance posture against the Payment Card Industry Data Security Standard. We evaluate your cardholder data environment (CDE), scoping, and controls across all PCI DSS requirements, identify compliance gaps, and provide detailed remediation guidance to prepare your organization for formal QSA assessment.

  • Cardholder data environment scoping
  • All 12 PCI DSS requirements evaluated
  • QSA assessment preparation
  • Reduce scope & compliance burden

HIPAA Security Risk Assessment

Fulfill the HIPAA Security Rule's mandatory Security Risk Assessment (SRA) requirement while gaining a clear picture of your ePHI risk landscape. We systematically identify threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information and provide a risk-prioritized remediation plan.

  • Fulfill mandatory SRA requirement
  • ePHI threat & vulnerability identification
  • Risk-prioritized remediation plan
  • Audit-ready documentation

CMMC Assessment

Evaluate your readiness for Cybersecurity Maturity Model Certification (CMMC) compliance — a requirement for all DoD contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). We assess your practices against your required CMMC level, identify gaps, and prepare you for a successful C3PAO assessment.

  • CMMC Level 1, 2 & 3 readiness
  • CUI & FCI boundary assessment
  • C3PAO assessment preparation
  • SSP & POA&M development support

CIS Controls Assessment

Assess your implementation of the CIS Critical Security Controls — a prioritized, prescriptive set of safeguards proven to defend against the most prevalent cyber attacks. We evaluate your coverage across all 18 CIS Controls and Implementation Groups, identify quick wins and strategic improvements, and provide a clear action plan to measurably reduce your cyber risk.

  • All 18 CIS Controls evaluated
  • Implementation Group alignment
  • Quick wins & strategic improvements
  • Measurable risk reduction roadmap

Patch Management Plan Development

We develop a structured, repeatable patch management program that defines how your organization identifies, prioritizes, tests, and deploys security patches across all systems. A well-executed patching program is one of the most effective ways to close known vulnerabilities before attackers can exploit them.

  • Reduce exploitable attack surface
  • Ensure timely vulnerability remediation
  • Regulatory compliance support
  • Repeatable, auditable process

Vulnerability Management Program Development

We design and implement a comprehensive, risk-driven vulnerability management program that goes beyond periodic scanning. Our approach establishes a continuous lifecycle for identifying, assessing, prioritizing, remediating, and verifying vulnerabilities across your entire attack surface — integrating people, processes, and technology into a sustainable, measurable program.

  • Continuous attack surface coverage
  • Risk-based prioritization framework
  • SLA tracking & remediation accountability
  • Compliance & audit support

Policy, Procedure, Standard, Guideline, and Runbook Development

Clear, enforceable security documentation is the backbone of any mature security program. We develop tailored security policies, standards, guidelines, standard operating procedures (SOPs), and operational runbooks that ensure your team follows consistent, auditable processes — and that auditors have exactly what they need to see. Security starts with policy.

  • Consistent security operations
  • Regulatory compliance documentation
  • Reduce human error
  • Audit-ready documentation

  • Information Security Policy — master policy outlining the overall security program, principles, and governance
  • Acceptable Use Policy (AUP) — defines permitted and prohibited use of company systems, devices, and networks
  • Data Classification Policy — categorizes data by sensitivity (e.g., Public, Internal, Confidential, Restricted)
  • Access Control Policy — governs who can access what systems, data, and resources
  • Password & Authentication Policy — sets requirements for password strength, MFA, and credential management
  • Network Security Policy — rules for firewalls, segmentation, monitoring, and traffic management
  • Remote Access Policy — governs VPN, RDP, and remote work security requirements
  • Wireless Security Policy — standards for Wi-Fi access, encryption (WPA2/3), and guest networks
  • Cloud Security Policy — rules for cloud service usage, configuration, and data storage
  • BYOD (Bring Your Own Device) Policy — standards for personal devices accessing company resources
  • Data Retention & Disposal Policy — how long data is kept and how it is securely destroyed
  • Data Breach / Incident Notification Policy — obligations and timelines for reporting breaches
  • Privacy Policy — how personal data is collected, used, and protected (GDPR, CCPA alignment)
  • Encryption Policy — mandates for encrypting data at rest and in transit
  • Backup & Recovery Policy — frequency, storage, and testing of data backups
  • Incident Response Policy — defines roles, procedures, and escalation paths during a security event
  • Change Management Policy — controls for making changes to systems to avoid introducing vulnerabilities
  • Patch Management Policy — timelines and procedures for applying security updates
  • Vulnerability Management Policy — how vulnerabilities are identified, prioritized, and remediated
  • Business Continuity & Disaster Recovery (BC/DR) Policy — ensures operations during and after disruptions
  • Security Awareness & Training Policy — mandates regular employee security training
  • Social Engineering & Phishing Policy — rules and simulation programs to combat human-targeted attacks
  • Insider Threat Policy — monitoring and controls for malicious or negligent insiders
  • Background Check Policy — pre-employment screening for security-sensitive roles
  • Clean Desk / Clear Screen Policy — physical security controls for sensitive information
  • Third-Party Risk Management Policy — vetting and ongoing monitoring of vendors and suppliers
  • Vendor Access Policy — controls for external parties accessing internal systems
  • Data Sharing Agreement Policy — governs how data is shared with external organizations
  • Ransomware Response Runbook — steps to isolate infected systems, preserve evidence, notify stakeholders, assess scope, restore from backups, and conduct post-incident review
  • Malware Infection Runbook — endpoint quarantine, malware removal, root cause analysis, and reimaging procedures
  • Fileless Malware Runbook — memory forensics, process analysis, and detection via EDR tools
  • Phishing Email Response Runbook — report intake, header analysis, URL/attachment sandboxing, user notification, and blocklist updates
  • Business Email Compromise (BEC) Runbook — financial transaction freeze, account takeover investigation, and law enforcement notification
  • Spear Phishing Runbook — targeted attack triage, credential reset, and threat actor profiling
  • Compromised Account Runbook — account lockout, session termination, MFA reset, credential rotation, and access log review
  • Privileged Account Compromise Runbook — emergency access revocation, lateral movement analysis, and domain-wide password reset
  • Insider Threat Runbook — HR coordination, account suspension, data exfiltration investigation, and legal hold procedures
  • Network Intrusion Runbook — traffic anomaly detection, firewall rule updates, SIEM alert triage, and forensic packet capture
  • Unauthorized Access Runbook — access log review, session termination, entry point identification, and remediation
  • Lateral Movement Detection Runbook — credential abuse analysis, east-west traffic monitoring, and containment steps
  • DDoS Attack Runbook — traffic scrubbing activation, ISP coordination, rate limiting, CDN failover, and stakeholder communication
  • DNS Attack Runbook — DNS poisoning detection, resolver hardening, TTL management, and registrar lockdown
  • BGP Hijacking Runbook — route anomaly detection, upstream provider notification, and traffic rerouting
  • Cloud Account Compromise Runbook — IAM key rotation, suspicious API call analysis, CloudTrail/Azure AD log review, and resource audit
  • S3/Blob Storage Exposure Runbook — misconfiguration detection, public access removal, data exposure assessment, and breach notification determination
  • Cloud Cryptomining Detection Runbook — unusual compute spike triage, rogue instance termination, and billing alert response
  • Serverless Function Abuse Runbook — Lambda/Function App anomaly detection, environment variable audit, and code integrity verification
  • Container Escape Runbook — Kubernetes pod isolation, node cordon, image integrity check, and cluster audit
  • Lost or Stolen Device Runbook — remote wipe initiation, MDM lock, access revocation, and asset tracking
  • Endpoint Detection & Response (EDR) Alert Runbook — alert triage, threat scoring, host isolation, and forensic collection
  • USB / Removable Media Incident Runbook — device identification, data transfer audit, and policy enforcement
  • Unauthorized Software Installation Runbook — software inventory check, application removal, and user policy acknowledgment
  • Critical Vulnerability Response Runbook — CVE triage, CVSS scoring, emergency patch deployment, compensating controls, and validation
  • Zero-Day Vulnerability Runbook — threat intelligence intake, immediate compensating controls, vendor coordination, and patch prioritization
  • Penetration Test Finding Remediation Runbook — finding classification, owner assignment, remediation SLA tracking, and retest verification
  • Data Breach Response Runbook — breach scoping, legal counsel engagement, regulatory notification (GDPR 72hr, HIPAA 60-day), affected party notification, and credit monitoring
  • Data Exfiltration Runbook — DLP alert triage, data classification review, network traffic analysis, and containment
  • PII Exposure Runbook — exposure scope assessment, privacy officer notification, risk rating, and regulatory filing
  • Web Application Attack Runbook — WAF log analysis, SQL injection/XSS triage, session invalidation, and hotfix deployment
  • API Abuse Runbook — rate limit enforcement, API key revocation, abuse pattern analysis, and developer notification
  • Software Supply Chain Compromise Runbook — dependency audit, malicious package removal, SBOM review, and pipeline hardening
  • IOC (Indicator of Compromise) Ingestion Runbook — threat feed intake, IOC validation, SIEM/EDR rule update, and blocklist deployment
  • Threat Hunt Runbook — hypothesis development, data source identification, hunt execution, finding documentation, and detection rule creation
  • Dark Web Monitoring Alert Runbook — credential leak validation, affected account reset, and executive notification
  • Security Audit Preparation Runbook — evidence collection, control testing, gap remediation, and auditor coordination
  • Regulatory Exam Runbook — examiner request intake, document production, interview preparation, and finding response
  • PCI DSS Incident Runbook — cardholder data environment isolation, forensic investigator engagement, and card brand notification
  • Ransomware Detection & Initial Triage Runbook — identify encrypted file patterns, isolate affected endpoints from the network, activate IR team, and preserve volatile memory and disk images for forensics
  • Ransomware Containment Runbook — segment infected network zones, disable compromised accounts, block C2 communication at the firewall/proxy, and prevent lateral spread to backup infrastructure
  • Backup Integrity & Recovery Readiness Runbook — validate offline and immutable backup availability, confirm backup recency and integrity, identify clean restore points, and sequence recovery by business criticality
  • Ransomware Eradication Runbook — identify and remove malware persistence mechanisms, reimage or restore affected systems from verified clean backups, rotate all credentials, and validate environment integrity before reconnection
  • Ransom Negotiation & Payment Decision Runbook — engage legal counsel and law enforcement (FBI/CISA), assess decryptor reliability, evaluate regulatory implications of payment, coordinate with cyber insurer, and document decision rationale
  • Post-Ransomware Recovery & Lessons Learned Runbook — restore business operations in priority order, conduct root cause analysis, remediate initial access vector, update detection rules, and document findings for executive and regulatory reporting

Incident Response Program Development

Build or mature a robust incident response capability before an incident strikes. We develop comprehensive IR plans, scenario-specific playbooks, RACI matrices, communication templates, and escalation procedures — giving your team a clear, tested framework to follow when seconds matter most.

  • Faster response & containment
  • Reduced breach impact & costs
  • Regulatory compliance (HIPAA, PCI, etc.)
  • Scenario-specific playbooks

Incident Response Tabletop Exercises

Stress-test your incident response plan through expertly facilitated simulation exercises. Our tabletop exercises present realistic attack scenarios — ransomware, data breaches, insider threats, supply chain compromises — and guide your leadership and response teams through decision-making and escalation in a no-stakes environment that builds real-world readiness.

  • Validate plans before an incident
  • Identify response gaps & failures
  • Build cross-team coordination
  • Satisfy regulatory & cyber insurance requirements

Incident Response Workshops

Equip your security and IT teams with the knowledge, tools, and techniques needed to respond effectively when incidents occur. Our hands-on workshops cover incident classification, triage, digital forensics fundamentals, evidence preservation, threat containment, eradication, and recovery — turning theory into practice through scenario-driven exercises.

  • Build team knowledge & skills
  • Hands-on practical training
  • Improve cross-team alignment
  • Reduce incident handling time

Ransomware Readiness, Response, & Recovery Assessment

Evaluate your organization's ability to withstand, respond to, and recover from a ransomware attack — before one happens. Our assessment examines your prevention controls, detection capabilities, backup integrity, network segmentation, identity hygiene, and recovery procedures against real-world ransomware tactics. We deliver a prioritized roadmap that closes the gaps most likely to result in prolonged downtime, data loss, or extortion payments.

  • Identify gaps before an attack occurs
  • Validate backup & recovery capabilities
  • Reduce downtime & ransom risk
  • Support cyber insurance requirements

Internal/External Network Penetration Testing

Our ethical hackers simulate real-world cyberattacks against your network, applications, and systems to uncover exploitable vulnerabilities before adversaries do. We offer network, web application, cloud, and social engineering penetration tests — each delivering detailed findings, risk ratings, and remediation guidance grounded in the tactics and techniques of real threat actors. Network penetration test engagements can be scoped as internal, external, or combined internal + external. An internal network pentest simulates a threat actor who has already gained a foothold inside your environment, uncovering lateral movement paths, privilege escalation opportunities, and weaknesses in internal controls. An external network pentest targets your internet-facing assets to identify vulnerabilities exploitable by an outside attacker before they can breach the perimeter. A combined internal + external engagement provides the most comprehensive coverage, mapping the full attack chain from initial perimeter breach through to internal compromise and data exfiltration.

  • Real-world attack simulation
  • Risk-rated findings & remediation guidance
  • Compliance requirement fulfillment
  • Executive & technical reporting

Web Application Penetration Testing

Purpose-built for the unique attack surface of web applications, our Web Application Penetration Testing service goes beyond automated scanning to simulate the manual, creative techniques real attackers use. Our testers assess your application against the OWASP Top 10 and beyond — probing for authentication flaws, authorization bypasses, injection vulnerabilities, business logic abuse, API weaknesses, and session management issues. Engagements are available as black-box, gray-box, or white-box assessments, and deliver detailed findings with proof-of-concept evidence, risk ratings, and developer-friendly remediation guidance.

  • OWASP Top 10 & beyond coverage
  • Manual testing beyond automated scans
  • Black-box, gray-box, or white-box scoping
  • Developer-friendly remediation guidance

Physical Security Program Assessments

Cyber threats don't stop at the digital perimeter. We assess the physical security controls protecting your facilities, data centers, and sensitive assets — evaluating access control systems, surveillance, badge protocols, visitor management, and physical intrusion resistance — to ensure your physical and cyber programs work in concert.

  • Identify physical vulnerabilities
  • Protect sensitive assets & data
  • Complement your cyber security program
  • Compliance & regulatory alignment

Phishing Assessments & Social Engineering

Your people are both your greatest asset and your most targeted attack surface. We conduct controlled, realistic phishing simulations — including email, smishing, and vishing campaigns — to measure employee susceptibility, identify high-risk individuals and departments, and provide targeted training recommendations that meaningfully reduce social engineering risk.

  • Measure human risk baseline
  • Identify high-risk users & groups
  • Target training where it matters most
  • Track improvement over time

Network Mapping & Asset Discovery

You cannot protect what you don't know exists. Our Network Mapping & Asset Discovery service provides a comprehensive, authoritative inventory of every device, system, and service present on your network — including shadow IT, unmanaged endpoints, and forgotten infrastructure. From a cybersecurity perspective, a complete and accurate asset inventory is foundational to every downstream security function: vulnerability management, patch prioritization, attack surface reduction, and incident response all depend on knowing exactly what is in your environment. Uncharted assets are prime targets — attackers actively seek out unmanaged and unmonitored systems that fall outside the scope of your security controls. From an IT governance perspective, asset discovery directly supports configuration management, software licensing compliance, capacity planning, and audit readiness. Regulatory frameworks including NIST CSF, CIS Controls, ISO 27001, and PCI DSS all require organizations to maintain an accurate inventory of hardware and software assets as a foundational control — making this engagement both a security imperative and a governance requirement.

  • Complete network & asset visibility
  • Shadow IT & rogue device detection
  • Foundation for vulnerability & patch management
  • Audit readiness & compliance support
  • IT governance & configuration management

Vulnerability Assessments

Gain comprehensive visibility into the vulnerabilities present across your IT environment. Our vulnerability assessments leverage industry-leading scanning tools and expert analyst review to identify, classify, and prioritize security weaknesses — giving you a clear picture of your risk exposure and a prioritized roadmap to remediation.

  • Full asset vulnerability visibility
  • Risk-based prioritization
  • Compliance requirement support
  • Actionable remediation guidance

Static & Dynamic Application Security Testing (SAST / DAST)

Identify security vulnerabilities in your applications at every stage of the development lifecycle — from source code to running production systems. Our SAST/DAST service combines two complementary analysis techniques to deliver the broadest possible coverage of your application's attack surface.

Static Application Security Testing (SAST) analyzes your application's source code, bytecode, or binaries without executing the program — finding vulnerabilities at their root in the codebase itself. SAST is performed early in the development lifecycle (shift-left), enabling developers to discover and fix issues like hardcoded secrets, insecure functions, injection flaws, and misconfigurations before code ever reaches production. Because it examines the code directly, SAST provides deep visibility into the internal logic of an application and can pinpoint the exact file and line where a vulnerability exists.

Dynamic Application Security Testing (DAST) tests the application from the outside while it is running — simulating how an attacker would interact with the live system without access to source code. DAST uncovers runtime vulnerabilities that only manifest during execution, such as authentication weaknesses, session management flaws, misconfigurations, and server-side issues that static analysis cannot detect. Because DAST operates against a live environment, it reflects the real-world risk of your deployed application.

Together, SAST and DAST provide defense-in-depth for application security: SAST catches vulnerabilities early and deep within the code; DAST validates what is actually exploitable in the running application. Our engagements deliver prioritized findings, risk ratings, and developer-friendly remediation guidance mapped to OWASP and CWE standards.

  • Full coverage: code-level & runtime vulnerabilities
  • Shift-left security integrated into the SDLC
  • OWASP & CWE-mapped findings
  • Developer-friendly remediation guidance
  • Reduce breach risk before deployment

Drone (UAS) Cybersecurity Assessment

As organizations deploy Unmanned Aircraft Systems (UAS) for facility inspection, site security, and operational monitoring, drones have become sophisticated "flying IoT" endpoints that traditional security tools are not designed to evaluate. Our UAS Cybersecurity Assessment covers four primary attack vectors: the aircraft — firmware integrity, physical port security, and sensor spoofing (GPS/IMU); communication links — encryption of the Command & Control (C2) link and video/telemetry downlink; Ground Control Station (GCS) — security and patch posture of the tablets, laptops, and controllers used to operate the drone; and cloud and backend infrastructure — storage of flight logs and captured data, API security, and third-party data sharing. Additional risks include drones as network entry points for lateral movement, sensitive data exfiltration (4K video, thermal, LIDAR), shadow IoT from unmanaged employee-operated drones, and external "war-flying" attacks targeting your wireless environment.

  • Aircraft firmware & sensor security review
  • C2 & communication link encryption analysis
  • Ground control station hardening assessment
  • Cloud backend & API security evaluation
  • Shadow UAS & rogue device identification
  • Physical-to-digital attack surface reduction

Malware Analysis

When malicious code is discovered in your environment, understanding precisely what it does is critical to an effective response. Our analysts perform static and dynamic malware analysis to reverse-engineer malicious software, extract indicators of compromise (IOCs), determine the full scope of impact, and provide actionable intelligence to accelerate containment and strengthen defenses.

  • Accelerate incident response
  • Extract actionable IOCs & TTPs
  • Determine full attack scope
  • Strengthen defensive controls

Security Monitoring Implementation

You can't defend what you can't see. We design and deploy comprehensive security monitoring architectures — including SIEM platforms, log aggregation, alert tuning, and detection rule development — to provide continuous visibility into your environment and enable rapid detection and response to emerging threats.

  • Real-time threat detection
  • Reduced attacker dwell time
  • Compliance logging & audit trails
  • Tuned, high-fidelity alerting

Endpoint Detection & Response (EDR) Implementation

Endpoints are the most targeted entry point in any organization. We help you select, deploy, and operationalize Endpoint Detection & Response solutions that provide deep visibility into endpoint activity, detect malicious behavior in real time, and enable rapid investigation and containment — ensuring your endpoints are defended long after the perimeter is breached.

  • Real-time endpoint threat detection
  • Rapid investigation & containment
  • Behavioral & anomaly-based detection
  • Reduced mean time to respond (MTTR)

Insider Threat Program Development

Insider threats — whether malicious, negligent, or compromised — represent one of the most difficult risks to detect and manage. We help organizations design and implement comprehensive insider threat programs combining technical controls, behavioral analytics, policy frameworks, and response procedures to detect, deter, and respond to threats from within — while respecting privacy and legal boundaries.

  • Protect sensitive data & intellectual property
  • Early behavioral detection capability
  • Reduce insider risk exposure
  • Privacy-conscious program design

Security Awareness Program Development and Training

Technology alone cannot protect your organization — your people must be an active part of your security defense. We design engaging, role-based security awareness programs that go beyond annual checkbox training, using behavioral science principles to drive lasting behavior change and cultivate a security-first culture at every level of your organization. We deliver security awareness training virtually or live, tailored to your team's schedule and learning environment.

  • Reduce human-factor cyber risk
  • Build a security-first culture
  • Improve phishing resistance
  • Measurable behavior change

Threat Modeling Workshops

Identify and address security risks during design — not after deployment. Our threat modeling workshops guide your engineering and security teams through structured analysis of systems, applications, and architectures to systematically identify threat actors, attack vectors, and potential vulnerabilities early in the development lifecycle, where fixes are most cost-effective and impactful.

  • Security by design
  • Proactive risk identification
  • Enable developer security ownership
  • Reduce remediation costs

Ready to Strengthen Your Security Posture?

Contact us to discuss your organization's security needs and learn how Theorem Security Lab can help you reduce risk, achieve compliance, and build a resilient security program.

Email Us

security@theoremsecuritylab.com

Call Us

1-858-389-1796

Location

San Diego, CA | United States

All consultations are confidential. We respect your privacy and will never share your information.
