Peter Meaney · CISSP · Fractional AppSec

Your biggest customer just asked for your SOC 2.

You don't have one. You don't have a security person. And you're not hiring a $250K CISO for a company your size. That's what Nox is for.

What gets analyzed

01 Infrastructure configs — YAML, Terraform, Dockerfile, JSON
02 Security policies and access control documentation
03 Architecture diagrams and system descriptions
04 Vendor and third-party risk documentation
05 Existing audit evidence and compliance artifacts
Experience: 11 years AppSec
Credential: CISSP certified
First Deliverable: 48 hours
Scope: Fractional vCISO · AI Security · Compliance Readiness
What every engagement produces

Auditor-ready work product. Not a scan. Not a deck.

Every engagement delivers structured documents written for two audiences: your engineering team and your enterprise customers or auditors.

Compliance Gap Report · SOC 2 · Nox Security
Critical: MFA not enforced for privileged accounts — violates SOC 2 CC6.2 and HIPAA § 164.312(d).
Critical: Shared production credentials. No individual accountability for access events.
High: Audit log retention below insurer minimum (90–365 days required).
High: No documented incident response — required under SOC 2 CC7.3 and ISO 27001 A.16.
High: Unencrypted backup storage containing customer data — violates SOC 2 CC6.1.
7 findings · 30/60/90-day remediation roadmap included
Remediation Roadmap · 30/60/90-Day · Priority-ordered

30 Days

Enforce MFA on all privileged accounts

Rotate shared production credentials

Enable cloud audit logging

60 Days

Deploy log retention policy (365-day)

Draft incident response runbook

Enable branch protection rules

90 Days

Encrypt backup storage at rest

Complete vendor risk assessments

SOC 2 evidence package assembled

Mapped to SOC 2 · HIPAA · ISO 27001 control references
Evidence & Documentation Checklist · Auditor-ready
✓ Done: Access control policy (signed, dated, version-controlled)
✓ Done: Incident response runbook and tabletop exercise record
✗ Open: MFA enforcement screenshot with admin console export
✗ Open: Vendor risk register with assessment dates and ratings
✗ Open: Penetration test report (within 12 months) with remediation notes
Pre-mapped to control requirements · 38 items total
Who we work with

Built for companies blocked by enterprise security requirements.

Early-stage SaaS companies preparing for SOC 2
Engineering teams without dedicated security staff
Startups responding to enterprise security questionnaires
Teams needing pre-audit readiness before engaging auditors
Founders who need a structured security baseline fast
How we help

Security leadership without a full-time hire.

Three ways to engage, depending on where you are in the procurement or compliance cycle.

Security Gap Review · Compliance Diagnostic

You upload your policies, architecture notes, and vendor list. We identify what's missing, map it to your framework, and return a prioritized remediation roadmap — within 48 hours.

Covers SOC 2, HIPAA, or ISO 27001. Includes evidence checklist, severity-ranked findings, and a 30/60/90-day action plan.

$2,500 flat fee · 48-hour turnaround

Compliance Readiness · Audit Preparation

For companies preparing for a formal SOC 2 or HIPAA audit. We build and maintain the evidence, documentation, and operational controls your auditor will need to see.

Includes policy templates, control implementation guidance, evidence collection, and pre-audit readiness review.

Ongoing Engagement · Fractional vCISO

For growing teams without a dedicated security function. We serve as your security lead — handling vendor questionnaires, architecture reviews, customer security calls, and incident readiness.

Available monthly or project-based. No full-time headcount required.

Assessment findings

What typically blocks enterprise approvals.

These are the issues that appear most frequently in compliance gap reviews — and the ones most likely to stall procurement, delay audits, or expose operational risk.

Each finding is mapped to the relevant framework controls and assigned a remediation priority in the final report.

Critical: MFA not enforced for privileged accounts — violates SOC 2 CC6.2 and HIPAA § 164.312(d).
Critical: Shared production credentials across engineering team. No individual accountability for access events.
High: Cloud audit logging retention below insurer minimum requirements — typically 90–365 days.
High: No documented incident response procedures. Required under SOC 2 CC7.3 and ISO 27001 A.16.
High: GitHub branch protections disabled for production repositories — code can be pushed without peer review.
High: Unencrypted backup storage containing customer data — violates SOC 2 CC6.1 and HIPAA § 164.312(a)(2)(iv).
High: No formal vendor risk review process. Third-party data processors not evaluated before onboarding.

Findings shown are representative examples. Actual report scope is tailored to your environment and framework.

How it works

Upload. Analyze. Receive your gap report.

Step 01 — Upload

Submit Your Materials

Upload code configs, infrastructure files, policies, or architecture docs. Accepted: YAML, Terraform, Dockerfile, JSON, PDF, plain text. No special tooling required.

Step 02 — Analyze

AI Maps to Frameworks

The system maps your inputs against OWASP Top 10, SOC 2 controls, and ISO 27001 domains. Each finding is assigned a severity score and control reference — deterministically, not as freeform opinion.

Step 03 — Receive

Structured Gap Report

Risk register, severity-ranked findings, 30/60/90-day remediation roadmap, and an evidence checklist pre-mapped to your required framework — delivered within 48 hours.
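As an added illustration of the deterministic control mapping described in the Analyze step, and of the representative findings listed under Assessment findings, the checker below (example code, not Nox's tooling) runs fixed rules over a constructed environment snapshot and returns severity-ranked findings carrying the control references cited on this page. The snapshot field names, the 90-day retention floor, and the rule set are assumptions; where the page cites no framework control for a finding, the rule says so rather than inventing one.

```python
import json

# Constructed sample snapshot (not real customer data), shaped like a normalized
# export of the YAML/JSON/Terraform inputs the page says it accepts.
SAMPLE_SNAPSHOT = json.dumps({
    "privileged_accounts": [{"name": "admin-alice", "mfa_enabled": True},
                            {"name": "deploy-bot", "mfa_enabled": False}],
    "audit_log_retention_days": 30,
    "incident_response_runbook": None,
    "backups": [{"name": "customer-db-nightly", "encrypted_at_rest": False}],
    "repos": [{"name": "api", "production": True, "branch_protection": False}],
})

SEVERITY_RANK = {"Critical": 0, "High": 1}

# Each rule: (title, severity, control references as cited on the page, check).
# A check returns the affected resource names; an empty list means the control passes.
RULES = [
    ("MFA not enforced for privileged accounts", "Critical",
     ["SOC 2 CC6.2", "HIPAA 164.312(d)"],
     lambda s: [a["name"] for a in s["privileged_accounts"] if not a["mfa_enabled"]]),
    ("Audit log retention below insurer minimum", "High",
     ["insurer minimum 90-365 days; no framework control cited on this page"],
     lambda s: ["retention=%dd" % s["audit_log_retention_days"]]
               if s["audit_log_retention_days"] < 90 else []),   # 90-day floor is an assumption
    ("No documented incident response", "High",
     ["SOC 2 CC7.3", "ISO 27001 A.16"],
     lambda s: ["incident_response_runbook"] if not s["incident_response_runbook"] else []),
    ("Branch protection disabled for production repositories", "High",
     ["no framework control cited on this page"],
     lambda s: [r["name"] for r in s["repos"] if r["production"] and not r["branch_protection"]]),
    ("Unencrypted backup storage containing customer data", "High",
     ["SOC 2 CC6.1", "HIPAA 164.312(a)(2)(iv)"],
     lambda s: [b["name"] for b in s["backups"] if not b["encrypted_at_rest"]]),
]


def gap_report(snapshot_json):
    """Run every rule over the snapshot; the same input always yields the same
    severity-ranked findings, which is the deterministic mapping the page describes."""
    snapshot = json.loads(snapshot_json)
    findings = []
    for title, severity, controls, check in RULES:
        affected = check(snapshot)
        if affected:
            findings.append({"title": title, "severity": severity,
                             "controls": controls, "affected": affected})
    # Critical before High, then alphabetical, so the order is reproducible.
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["title"]))
    return findings
```

Calling `gap_report(SAMPLE_SNAPSHOT)` yields five findings, the MFA gap for `deploy-bot` first; a snapshot with every control in place yields an empty list.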

Scope & boundaries

Built for pre-audit triage — not certification.

Enterprise buyers need to know exactly what they're purchasing. Here is the precise scope.

What this is not
A certified audit (SOC 2, ISO 27001, or HIPAA)
A replacement for qualified external auditors
A penetration testing or red team service
A runtime security scanner or continuous monitoring platform
Freeform AI opinions without framework grounding
What it is
Pre-audit readiness engine — finds gaps before auditors do
Security gap triage layer mapped to real audit frameworks
Framework-based control mapping (SOC 2, ISO 27001, HIPAA, OWASP)
Deterministic checklist outputs — not freeform AI opinions
Human-practitioner validation available as an optional engagement tier

Nox Security does not replace auditors — it prepares you for them.

About

Nox is a boutique security advisory practice led by experienced security practitioners focused on practical risk reduction, compliance readiness, and enterprise trust.

Not a generalist MSP. Not a software platform. A focused advisory engagement with a practitioner who has built security programs at companies like yours.

Peter Meaney, CISSP, brings over a decade of applied security experience across AI companies, SaaS, and developer tools.

Expertise
  • CISSP certified
  • SOC 2 · HIPAA · ISO 27001 · NIST CSF
  • 11+ years applied security experience
  • AI companies, SaaS, and developer tools
  • Security program design and implementation
  • Vendor questionnaire and procurement support
  • Cloud security risk assessment
  • Fractional and project-based engagements

Find gaps before auditors do.

Run a structured AI-assisted pre-audit. Severity-ranked findings mapped to SOC 2, ISO 27001, HIPAA, and OWASP. Not a scan. Not a certification. A gap report that prepares you for the real thing.


24–48 hour turnaround · Flat fee · No retainer required