United States · North America

Threat and Risk Assessment in the United States

TRA for US founders and operators. A TRA is what a government buyer, a prime contractor, or an enterprise vendor-risk team asks for when they want proof you have assessed your risk and can show your work. We test the environment first, with our offensive-security partner, then write the assessment, so every risk rating traces back to something we actually found instead of a template with your logo on it.

Book a discovery call Full TRA service page

US ecosystem context

US enterprise buyers are the reason most of our clients need SOC 2 in the first place. The shape of it is always the same: a company wins real interest from a US enterprise, a vendor-security review lands in the middle of the deal, and everything parks until there is a report to hand over. The bar here is set by the buyer, not by a regulator, which is why it shows up as a questionnaire and a procurement gate rather than as a law you can look up.

We are a Canadian firm and we work with US clients cross-border, across US time zones. We do not keep a US office, and we are not going to pretend otherwise. What we do instead is coordinate around how you actually work, and establish presence for the length of the engagement where the work calls for it. What we bring is specific, repeated experience getting companies through US enterprise security review: what the questionnaire is really asking, which controls the reviewer actually checks, and what has to be true before the deal moves. We prep you to pass. Only an independent CPA firm can sign a SOC 2 report, and we will introduce you to one.

Threat and Risk Assessment scope

A TRA is what a government buyer, a prime contractor, or an enterprise vendor-risk team asks for when they want proof you have assessed your risk and can show your work. We test the environment first, with our offensive-security partner, then write the assessment, so every risk rating traces back to something we actually found instead of a template with your logo on it.

  • Scope definition: the systems, data, users, and third parties covered
  • Hands-on testing of your environment, delivered with our offensive-security partner
  • Threats identified against how you actually operate, not a generic list
  • Risk register with every risk rated by likelihood and impact
  • Documented mitigations, honest gaps, and a prioritized remediation plan

For the full service detail, see the Threat and Risk Assessment page. For fixed-price productized engagements, see pricing.

Services US clients usually bundle

Threat and Risk Assessment in other locations

Threat and Risk Assessment in the United States, on your timeline

Book a free 30-minute discovery call. We’ll tell you whether this engagement fits, what it would cost, and when we could start.

Book a call