Five practices. Each designed around a specific buyer pain, not a generic SOW template.
The five practices below are the intellectual scope of what Birchlogic delivers. The three commercial shapes that follow are how you actually buy it.
- I. Strategic Advisory and vCISO. Embedded senior leadership inside the executive team, not next to it. Risk appetite renegotiated each fiscal cycle. Governance built through workflow. Board reporting in financial language.
- II. CRQ and Strategic Assessment. Sixteen-domain CMMI maturity scoring. FAIR-CAM control efficacy quantification. Monte Carlo loss exceedance modelling. Quant work accelerated by our internal workbench, while interviews, scenario scoping, and board framing remain partner-led.
- III. Compliance, Privacy and Regulatory. Multi-framework programme design where evidence is collected once and mapped across overlapping regimes. RBI, SEBI, MAS TRM, EU AI Act, NIS2, DPDP, UAE PDPL, DESC. Workflow-built evidence linkage so audit preparation stops being a sprint.
- IV. Application, Cloud and AI Security. Engineering-led security where the security team ships code. Cloud architecture across AWS, Azure, and GCP. AI security architecture for AI-native systems: agentic threat modelling, MCP security, supply-chain governance for models, EU AI Act compliance design that engineering teams can actually execute.
- V. Resilience, Incident Response and Recovery. Crisis-grade incident response with hours-not-days containment objectives. DFIR with forensic-grade evidence preservation. Business continuity that does not depend on the CISO being available at the moment of crisis.
Twelve quick sprints.
One specific thing, fixed in weeks.
A founder with a US enterprise deal stuck on AI questions does not need a year. A SEBI mid-cap CISO with an attestation due in 60 days does not need a one-off audit. They need one specific thing fixed in one month, by a senior practitioner, with a partner accountable for the outcome.
| Sprint | What it fixes | Duration |
|---|---|---|
| Multi-Framework Compliance Program | SOC2, ISO 27001, DPDP, AI governance, all delivered as one program. Evidence collected once, mapped across regimes. | 6 to 8 weeks |
| SOC2 Type I in 2 Weeks | You are stalled mid-Vanta. Senior firm pushes you across the audit line. | 2 weeks |
| AI Security Posture Sprint | US prospects asking AI questions. You have no answers. | 4 weeks |
| ISO 42001 Readiness Sprint | EU customer asked for ISO 42001. You have no AIMS. | 4 weeks |
| Cloud Security Architecture Review | AWS, Azure, GCP grew reactively. Customer-defensible architecture in 4 weeks. | 4 weeks |
| SEBI CSCRF Attestation Sprint | Audit committee deadline. CRQ in rupees alongside controls evidence. | 4 weeks |
| DPDP Act Readiness Sprint | ROPA, DPO, breach playbook, cross-border transfer framework. | 4 weeks |
| TPRM Audit Rescue | A deal is stuck. We unstick it in three weeks. | 3 to 4 weeks |
| AI Security Questionnaire Response Engine | Multiple enterprise prospects asking AI questions. We build the answer library. | 3 weeks + monthly |
| MAS TRM Single-Domain Sprint | One open TRM Domain finding. MAS-fluent partner. | 4 weeks |
| Post-Incident 30-Day Hardening | After the breach: identity, backups, IR runbook, board recovery report. | 4 weeks |
| M&A Cyber DD Express | PE-ready cyber DD. IC-grade output. | 3 to 4 weeks |
A full-time CISO hire is six months and a board approval away. A vCISO retainer gives you the function in two weeks, with cross-industry pattern recognition that a first-time CISO has not yet built. Commercial terms are month-to-month. Most engagements run multi-year because the program compounds and the partner who closed the engagement runs every quarterly review.
Light.
Quarterly board pack, monthly steering, audit support, on-call Slack hours.
Standard.
Light plus ongoing program management, vendor risk, AI governance reviews, custom policy authoring, Trust Center maintenance.
Regulated.
Standard plus regulator response, monthly board pack, audit committee briefings, custom policy aligned to RBI, SEBI, or MAS, supervisor letter response.
We are month-to-month. We have no minimum commitment. Most of our clients stay multi-year because the partner who closed the engagement runs every quarterly review.
vCISO retainers are advisory. Fractional Security Office is execution. The buyer here is not looking for an advisor; they are looking for the entire security function as an outsourced capability. Birchlogic owns the program. Runs the team. Reports to the board.
Core.
Partner plus one senior plus 0.5 junior FTE-equivalent dedicated.
Plus.
Partner plus two senior plus one junior FTE-equivalent dedicated.
Premium.
Partner plus two senior plus two junior plus on-call IR readiness, dedicated.
Our model is single-tenant. We can hand the capability back to you when you are ready to bring it in-house. We are not designed to be sticky. We are designed to be necessary while we are there.
These are all important.
They are separate disciplines.
- Managed Detection and Response: coordinated, not owned
- Live incident response: coordinated, not owned
- Penetration testing: coordinated, not owned
- Cybersecurity products: coordinated, not owned
- Managed IT helpdesk: coordinated, not owned
We do not run these in-house. We coordinate the best specialist for each. You get senior judgment on the program. You get top-tier delivery on each specialist line. You get one accountable partner across all of it.