Know exactly where your business stands. In 11 questions, free.

A 77-control framework written for shops with five employees, not five hundred. Built by a thirty-year practitioner, mapped to NIST CSF 2.0, the framework regulators already recognize.

Paul Horn · Founder, H2Cyber

Clutch — Texas Top Cybersecurity Company
Best of America
Certified Veteran-Owned Business
Best of America — Finalist
Clutch — Growth Award

Cybersecurity is like math. You can’t do geometry without basic arithmetic.

Basic arithmetic. 77 controls. What every business needs first.

NIST CSF 2.0.

Geometry. 100+ subcategories. Built for organizations with a security program.

ISO 27002.

Algebra. Enterprise framework. For organizations with a security team.

Cover your cybersecurity basics.

The 77 controls organize into the five core functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. The same five every NIST CSF assessment uses.


77 controls · Across five functions

  • Identify: 14 controls
  • Protect: 28 controls
  • Detect: 12 controls
  • Respond: 11 controls
  • Recover: 12 controls
  • Total: 77 controls
H2Cyber framework · Mapped to NIST CSF

Five functions, one credential. Mapped directly to NIST CSF 2.0.

Each seal certifies that every control in the function is in place and on file. Customers post them where credibility matters: their own site, vendor packets, insurance applications. Regulators and underwriters already recognize NIST.

On Full-Service plans, an H2Cyber practitioner verifies every seal. On Self-Service, you attest to the work with documentation on file. Either way, the seal is what you point to when a regulator or insurance carrier asks about your cybersecurity posture.

By week 4: a baseline. By week 12: access controls. By week 35: all 77.

  1. Foundation (1–2 wk): Account, scoping, baseline.
  2. Asset Inventory (2–5 wk): Devices, vendors, data.
  3. Access (3–6 wk): Identity, MFA, role hygiene.
  4. Device Hardening (2–4 wk): Encryption, monitoring, patching.
  5. Email & Training (3–6 wk): Phishing controls, staff training.
  6. Detection & Response (3–6 wk): Monitoring, response plans.
  7. Recovery & Continuity (3–6 wk): Backups, continuity plan, disaster recovery.

Total: 17–35 weeks.

WHAT YOU GET · FROM YOUR ASSESSMENT, EVERY MONTH

  1. The score. Hover any number on your dashboard for a plain-English explanation of what it means for your business.
  2. The memo. A two-paragraph letter from your auditor, on the first of every month, calling out which controls changed and what it means for your score.
  3. The documents. Four regulator-ready policies: information security, business continuity, acceptable use, incident response. Generated from the same data, in your inbox in seconds.
  4. The forms. Cyber-insurance applications, customer security questionnaires, vendor-risk forms: every field auto-fills from your assessment in under a minute, with citations back to the controls.
  5. The advice. Click Take Action on any gap and the platform writes step-by-step guidance for your devices, your regulators, and the software you actually use.

PRICING · THREE WAYS IN

FREE

Self-check.

$0

Phase 1 of the framework. No card required to start.

Recommended

SELF-SERVICE

Guided.

$19/mo

All 77 controls, the wizard, the monthly memo, four regulator-ready policies, and the form auto-fill.


FULL-SERVICE

We do it for you.

Pricing on request

Same framework, our team holds the pen. Step-by-step guidance written for your actual devices, with an H2Cyber practitioner's signature on every deliverable.

Managed Services · Staffed by Partners

Beyond the assessment.

When you’re ready to move from knowing to doing, our managed services pick up where the framework leaves off.

Device Monitoring

$17/device/month

Patches, anti-malware, and remote management for every laptop and desktop.

Partners: Syxsense, Cylance, Wizer

Email Security

$9/user/month

Phishing protection on incoming mail, leak detection on outgoing, and impersonation checks inside your domain.

Partners: INKY, Huntress

Virtual CISO

Hourly, prepaid blocks

An on-demand Chief Information Security Officer, billed by the hour. The same role you'd hire full-time, fractional.

Oversight · For Aggregators, Regulators, Insurers

One score, every member firm.

See cyber posture across every affiliated firm. Spot the controls most are missing. Compress audit cycles from years to days.

Eligible audiences

  • BGAs
  • Private Equity
  • Franchises
  • BDs
  • RIAs
  • Regulators
  • Cyber Insurance
  • State Agencies

"We really enjoy working with H2Cyber, they have been doing a great job for us, and their knowledge of the industry is strong."
John Chuff · President, BA Securities

"Not only were they thorough, but they also took the time to teach us additional cybersecurity best practices."
Andy Brinkman · CEO, Stableford Capital

"They had excellent communication with prompt responses. It gave us peace of mind that we are doing things right to best protect the sensitive data of our clients."
Alicia Fuschak · COO, Avid Wealth Partners

FOR YOUR INSURANCE BROKER

Your insurer just doubled your premium.

Because they couldn’t see your posture.

H2Cyber’s 77-control assessment is the evidence underwriters want. Paste your cyber-insurance application or your customer’s security questionnaire, and every field auto-fills from your data, with citations back to the specific controls behind each answer. Built for the form your broker sent you Friday afternoon.

Frequently asked questions.

What if I'm the only employee?
The framework still applies. The 77 controls are written for shops with five employees or fewer, including sole proprietors. Questions that don't apply to you (no payroll system, no shared devices) get skipped, and your score reflects your actual setup.
How often will I be charged?
Self-Service is billed monthly at $19. Cancel any time from your portal. Full-Service is quoted up front for the work you need; no surprise renewals.
Is a Cyber Risk Assessment required?
For most regulated advisors (RIA, BD, BGA), yes. State and federal examiners increasingly expect a documented assessment mapped to a recognized framework. NIST CSF 2.0, which our 77 controls map to directly, is the most widely accepted reference.
How long does the assessment take?
The free 11-question baseline takes about ten minutes. The full 77-control walk-through, done thoughtfully, takes a few hours spread across one or two sittings. Most customers complete it within a week of starting.