Independent security assessments, post-incident validation, and continuous monitoring — grounded in NIST and CIS standards. No vendor agenda. No jargon. A clear, documented picture of where you stand.
"Nothing hidden. Nothing unmeasured."
The Problem
You've done some security work. You're not sure if it was enough. And if something happens, you can't prove it either way.
A breach happened. You think it's contained — but customers, partners, and regulators want documentation. You need an independent voice saying: "Yes, this is remediated."
You've never had a structured assessment. You're operating on instinct and vendor promises, with no documented posture to measure against — or defend.
Your security posture changes constantly — new staff, new tools, new vendors. Without periodic assessment, last year's clean bill of health is this year's liability.
Services
A documented, defensible picture of your security posture — independently verified against recognized standards.
Independent third-party confirmation that a security incident has been fully contained and remediated. Produces a report suitable for sharing with customers, partners, or regulators.
A comprehensive assessment of your current security posture against NIST CSF 2.0 and CIS Controls v8. Your documented starting point for everything that follows.
Quarterly reviews that track your security posture over time — measuring progress against your baseline, identifying new exposures, and keeping your documentation current.
How It Works
A structured, standards-based process that produces clear outputs at every stage.
30–60 min to define scope, gather documentation, and align on deliverables and timelines.
Read-only access to logs, configuration, and audit data. No agents installed. No disruption to operations.
Findings structured against NIST CSF 2.0 and CIS Controls v8. MITRE ATT&CK mapping for threat validation.
Executive summary for leadership and customers. Technical appendix for your team. Both defensible, both useful.
Live walkthrough of findings. Clear answers on priority, remediation, and next steps.
Standards & Frameworks
No proprietary scoring systems. No invented maturity models. We assess against established, recognized frameworks.
Govern · Identify · Protect · Detect · Respond · Recover. The foundation for organizational security posture assessment.
Computer security incident handling guide. Structures our post-incident validation methodology.
Prioritized, actionable security controls. Used for finding categorization and remediation prioritization.
Adversary tactic and technique mapping for incident analysis and threat modeling.
Monitoring & Observability
Security posture and operational visibility are two sides of the same coin. We help organizations establish the monitoring infrastructure they need — so threats become visible before they become incidents.
Deploy a production-grade observability stack tailored to your environment — metrics collection, log aggregation, and alerting configured from the ground up.
$5,000 – $12,000
Custom dashboards aligned to your security posture and compliance requirements. Executive views and operational views — always grounded in your actual data.
$3,000 – $8,000
Ongoing visibility as a service. Alert triage, monthly posture reports, and continuous tuning — so your team stays focused on what matters.
$1,500 – $3,000 / month
Part of the XRAY family. XRAY VU Corp operates alongside XRAY Communications, IT Extension, and Audio Extension — a group of independent, employee-owned technology companies serving Canadian businesses. Our monitoring and security practices are built to complement managed IT and communications services for organizations that want a coordinated approach to infrastructure and security.
Get Started
Start with a 30-minute scoping conversation. No obligation. We'll tell you whether an engagement makes sense and what it would look like.
XRAY VU Corp · Canadian Corporation · Independent · No vendor affiliations