50-Point Security & Privacy Assessment — One-on-One · In-Person or Virtual

Know exactly where you stand. Fix what matters.

Not a scan. Not a software report. A structured one-on-one assessment where Mike works through your actual digital environment — your passwords, devices, network, backups, vendor relationships, and personal data exposure. Fifty checks. Written findings. Ranked action plan. Plain English throughout.

Format: Virtual (anywhere) or in-person (Albuquerque / Santa Fe metro · travel by arrangement)
Structure: Intake interview + two working sessions + written findings report
Coverage: 50 checks across 5 domains: credentials, devices, network, vendors, and privacy
Deliverable: Written findings report + prioritized action plan + remediation guidance
Advisor: Mike Lopez, PhD — cybersecurity researcher, red team practitioner, R&D leader
$3,000 flat fee · one business · 50-point review
  • Intake interview: your business, risk profile, and current security posture
  • Session 1 (90 min): Credentials, devices, and network assessment
  • Session 2 (90 min): Vendor security, data handling, and privacy exposure
  • Written findings report: every check scored, flagged, and explained
  • Prioritized action plan: ranked from easy wins to critical fixes
  • Remediation guidance: plain-English direction for every finding
  • 30-day follow-up: questions as you work through the action plan

Book Assessment

Mike follows up within one business day to discuss fit and schedule.

Five domains. Every layer of your exposure.

The assessment covers every significant attack surface a small business faces — from the obvious (reused passwords, unpatched devices) to the overlooked (vendor data-sharing agreements, personal information exposed by data brokers). Fifty checks. Every finding documented. Every risk explained in plain English.

Domain 01 — Credentials & Identity (12 checks)

Weak, reused, or already-leaked passwords are among the most common entry points in business breaches. This domain covers every credential surface in your business, including ones you may not have thought of: the recovery paths behind each account, not just the login itself.

  • Password strength, uniqueness, and reuse across accounts
  • Password manager adoption and configuration
  • Multi-factor authentication on all critical accounts (email, banking, cloud)
  • Shared credentials and service account hygiene
  • Recovery email and phone number security
  • Former employee account deprovisioning
  • Social account security and recovery options
  • Domain registrar and DNS account access controls
  • Admin vs. standard account separation
  • Password reset and recovery flow review: which paths (recovery email, SMS, security questions) can take over each account, and whether those paths are themselves protected
  • Known breach exposure (Have I Been Pwned and similar breach databases): whether your addresses or current passwords already appear in published breaches
  • Authentication logging and alert configuration
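How two of the checks above are actually carried out, as an added example (this is illustration code written for this page, not Mike's assessment tooling). It flags password reuse across an account inventory and checks each password against Have I Been Pwned's Pwned Passwords range API using its k-anonymity design: only the first five hex characters of the SHA-1 hash leave the machine, and the rest of the match happens locally. The account names, passwords, breach counts and the stand-in "server" are constructed so the script runs offline; the endpoint URL is HIBP's real one but is never contacted here. The 12-character minimum is an assumed threshold, not one the assessment specifies.

```python
"""Password reuse + Have I Been Pwned (HIBP) k-anonymity check, offline.

Added example; not code from the assessment itself. Account names, passwords
and breach counts are constructed, and the "server" is a local stand-in for
https://api.pwnedpasswords.com/range/{prefix} (a real endpoint, not called here).
"""
from __future__ import annotations

import hashlib
from collections import defaultdict

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not contacted
MIN_LENGTH = 12  # assumed threshold for the "too short" flag


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix is all that leaves the machine;
    the 35-char suffix is matched locally against the returned range."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns for one prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def find_reuse(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used on more than one account to those accounts."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def assess(accounts: dict[str, str], fetch_range) -> dict[str, dict]:
    """One finding per account. fetch_range(prefix) returns the range body text:
    a real HTTP GET in practice, the constructed stand-in below here."""
    reused = find_reuse(accounts)
    cache: dict[str, dict[str, int]] = {}  # one request per prefix, not per account
    findings: dict[str, dict] = {}
    for account, password in accounts.items():
        prefix, suffix = split_for_range_query(password)
        if prefix not in cache:
            cache[prefix] = parse_range_response(fetch_range(prefix))
        findings[account] = {
            "breached_count": cache[prefix].get(suffix, 0),
            "reused_on": [a for a in reused.get(password, []) if a != account],
            "too_short": len(password) < MIN_LENGTH,
        }
    return findings


# --- Constructed sample data (hypothetical; not real accounts or counts) ---
SAMPLE_ACCOUNTS = {
    "owner@example.com / Google Workspace": "Roadrunner2024!",
    "owner@example.com / bank": "Roadrunner2024!",   # reused across two accounts
    "admin / office router": "admin",                # vendor default, widely breached
    "owner@example.com / registrar": "x7#Qv9!pLm2$wZ4r",
}

_ADMIN_PREFIX, _ADMIN_SUFFIX = split_for_range_query("admin")
# Stand-in server: keyed by prefix, bodies in the real "SUFFIX:COUNT" response format.
# The 123456 count is constructed, not HIBP's actual figure.
_CONSTRUCTED_RANGES = {
    _ADMIN_PREFIX: f"{_ADMIN_SUFFIX}:123456\n{'0' * 35}:2\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET {PWNED_RANGE_URL}{prefix}; unknown prefixes return no rows."""
    return _CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for account, finding in assess(SAMPLE_ACCOUNTS, fake_fetch_range).items():
        print(f"{account}: {finding}")
```

To run it against the live service, replace fake_fetch_range with a function that fetches PWNED_RANGE_URL plus the prefix and returns the response body; nothing else changes, and the full hash still never leaves the machine. The router account is the kind of finding this check exists for: a vendor default that appears in breach corpora hundreds of thousands of times and is also shorter than any reasonable minimum.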

Domain 02 — Devices & Endpoints (11 checks)

Every device that touches your business data is a potential entry point. This domain covers computers, phones, tablets, and the software running on them.

  • Operating system patch status on all devices
  • Software updates and auto-update configuration
  • Full-disk encryption on every endpoint (FileVault on macOS, BitLocker on Windows), including recovery-key escrow
  • Device screen lock and timeout settings
  • Antivirus and endpoint protection configuration
  • Mobile device management (MDM) for business phones
  • Personal vs. business device separation
  • Browser security and extension hygiene
  • Remote access software security (TeamViewer, AnyDesk, RDP)
  • Retired device data sanitization procedures
  • Device inventory and unmanaged endpoint identification

Domain 03 — Network & Connectivity (10 checks)

Your network is the highway your data travels on. A misconfigured router or an unsecured Wi-Fi network can expose everything connected to it.

  • Router firmware version and update status
  • Default credentials changed on all network devices
  • Wi-Fi encryption standard (WPA3 or WPA2-AES vs. legacy WEP, WPA, or TKIP) and pre-shared key strength
  • Guest network isolation for visitors and IoT devices
  • Remote management exposure: SSH, Telnet, and WAN-side admin interfaces disabled or restricted to the LAN
  • VPN usage for remote employees and off-site work
  • DNS configuration: which resolvers devices actually use, whether filtering or encrypted DNS is in place
  • Network monitoring and intrusion detection
  • Open ports and unnecessary services exposure
  • ISP-provided equipment default configuration review

Domain 04 — Data, Backups & Vendors (9 checks)

Most businesses don't know exactly where their data lives, who has access to it, or what their vendors do with it. This domain maps your data exposure and validates your recovery posture.

  • Backup existence, frequency, and off-site copy validation
  • Backup restoration testing (last confirmed working restore)
  • Cloud storage access controls and sharing settings
  • Business-critical data inventory and location mapping
  • Vendor security questionnaire and review process
  • SaaS tool data retention and deletion policies
  • Business associate agreements (BAAs) in place with every vendor that touches health data, where HIPAA applies
  • Data classification and handling procedures
  • Incident response and breach notification plan existence

Domain 05 — Personal Privacy & Data Broker Exposure (8 checks)

Business owners, executives, attorneys, and healthcare professionals are high-value targets. Your personal data — home address, phone number, family relationships, financial information — is likely available to anyone willing to look. This domain maps that exposure and provides concrete steps to reduce it.

  • Data broker exposure audit (Spokeo, Whitepages, BeenVerified, and 40+ others)
  • People-search site opt-out status and process
  • Google account privacy and data sharing settings
  • Social media oversharing and location data exposure
  • Home address exposure via public records and WHOIS
  • Doxxing vulnerability assessment
  • Family member exposure as attack vector
  • Professional profile and directory data review

Not a scan. Not a software report.

01. Fifty checks. Not a sample.

Automated scanners check what they can reach from the outside. This assessment goes through your actual environment — your accounts, your devices, your vendors — and documents every finding, not just the ones a scanner can detect.

02. Written findings you can act on.

Every check produces a documented finding. Every finding gets a plain-English explanation of the risk, a severity rating, and specific remediation guidance. You leave with a written report you can hand to your IT person, your attorney, or your insurer.

03. Ranked by what actually matters.

Not every finding is equally urgent. The action plan is ranked by real-world risk, implementation complexity, and business impact — so you know exactly what to fix first and what can wait until next quarter.

04. Privacy is built in, not bolted on.

Most cybersecurity assessments skip personal privacy exposure entirely. This one doesn't. Your personal data in data broker databases and people-search sites is a real attack surface — especially for business owners and executives.

05. 30 days of follow-up included.

The report is just the beginning. You get 30 days of follow-up support as you work through the action plan — questions answered, guidance on specific fixes, and a final check-in to confirm your most critical items are resolved.

06. The advisor is a red teamer.

Mike's background isn't compliance checkbox reviews. It's adversarial assessment — thinking like an attacker to find what's actually exploitable, not what looks good on a report. That perspective is built into every check in this assessment.

Four stages. One complete picture.

The assessment runs in four stages over two to three weeks. The intake sets context. The two working sessions cover all 50 checks. The written report delivers findings and the action plan.

Total live time from your side: roughly four hours, made up of the 45-minute intake and two 90-minute sessions. Mike handles the analysis, documentation, and reporting.

Intake interview: ~45 min
Session 1: 90 min
Session 2: 90 min
Report delivery: 5–7 days
Follow-up support: 30 days

Stage 1 — Intake Interview (~45 min, live)

Mike learns your business before starting the assessment. This session covers your industry, team size, the software and services you rely on, your current security practices, and any specific concerns you already have. The information gathered here shapes how the assessment is conducted and what gets prioritized.

  • Business profile and risk context
  • Current technology stack and key vendors
  • Known concerns and prior security incidents
  • Compliance requirements (HIPAA, PCI, state privacy laws)

Stage 2 — Session 1: Credentials, Devices, and Network (90 min, live)

The first assessment session works through Domains 1, 2, and 3 of the 50-check framework. Mike walks through each check with you, documents findings in real time, and flags items that need immediate attention. You participate directly — this isn't a passive scan, it's a guided review of your actual environment.

  • 12 credential and identity checks
  • 11 device and endpoint checks
  • 10 network and connectivity checks
↓ Real-time findings captured for the report

Stage 3 — Session 2: Data, Vendors, and Privacy (90 min, live)

The second session covers Domains 4 and 5 — data handling and backup posture, vendor security review, and personal privacy exposure. The privacy domain in particular surfaces findings that business owners rarely know about but that represent meaningful personal and business risk.

  • 9 data, backup, and vendor checks
  • 8 personal privacy and data broker exposure checks
  • Regulatory and compliance gap identification
↓ All 50 checks complete — report in progress

Stage 4 — Written Findings Report & Action Plan (delivered 5–7 days after Session 2)

Mike delivers a written report documenting every check, every finding, and every recommendation. The action plan ranks all findings by priority — critical, high, medium, and low — with plain-English remediation guidance for each. This is a document you can hand to your IT person, your attorney, or your insurance broker.

  • Full findings documented: every check scored and explained
  • Executive summary: what's most important and why
  • Prioritized action plan: ranked from critical to low
  • Remediation guidance: specific steps for every finding
  • 30-day follow-up support included
↓ Deliverable: Written findings report + prioritized action plan

Built for businesses that handle real data.

Good fit: this is you if

  • You own or operate a small business and make the technology decisions
  • You handle client data, financial information, health records, or legal documents
  • You've never had a formal security assessment — or it's been more than two years
  • You're worried about a specific area: phishing, vendor risk, employee access
  • You need a written report for a client, insurer, or compliance requirement
  • You want an advisor who speaks in plain English, not jargon

Tell Mike about your business.

Submit the form and Mike will follow up within one business day to discuss fit, format, and scheduling. No charge until you've had a conversation and decided to proceed.

  1. You submit the form with a brief description of your business and any specific concerns.
  2. Mike follows up within one business day to discuss fit and answer questions.
  3. If it's a fit, you schedule the intake interview and payment is collected to confirm: $3,000 flat.
  4. Intake, two sessions, and your written report are typically completed within three weeks of booking.
Book Your Assessment
$3,000 flat · 50 checks · written report · no charge until you decide to proceed


The Roadrunner Cybersecurity, AI, and Privacy Brief

One email a month. Threats, AI developments, and privacy issues that matter to small business owners — in plain English. No jargon, no vendor pitches.

  • Real threats hitting small businesses right now
  • AI tools — what's safe, what's risky, what to watch
  • Privacy and data broker updates
  • One practical action item every issue
↓ Free PDF: 17-Point Security & Privacy Checklist — sent when you subscribe