Services · Delivered, Not DIY

Security & compliance,
delivered as a service.

Most teams discover their compliance gaps the week of the audit. That's the part we're done with. We run a continuous, audit-ready security and compliance program on your behalf — powered by Adalace, the platform our team operates so your team doesn't have to.

01 /

How Adalace works

A managed program

Adalace is not another tool you have to learn. It's a managed program — a platform plus the people who run it. You get the dashboard. We do the work behind it.

/ STEP 01
Baseline in days, not months
A 10-domain posture scan maps your current state against the frameworks that apply. You get a branded executive report — not a 90-page audit deliverable nobody reads.
/ STEP 02
We operate the program
Controls tracked, evidence collected, vendors reviewed, threats triaged. Your team gets a single live dashboard. Our team does the lifting in the background.
/ STEP 03
Continuous, not point-in-time
Posture moves. So does Adalace. When new vulnerabilities surface, when vendors change, when frameworks update — your program updates with them. No annual scramble.
/ STEP 04
Reports on demand
Board summary? Auditor evidence pack? Customer security questionnaire? Generated from live program data — same source of truth, different audiences.
02 /

A look at your dashboard.

Sample data shown

This is the view your team gets every morning. Framework coverage, control status, open risk items, and last night's evidence captures — all in one place. No more reconstructing the past from twelve different tools.

Sample data shown for illustration. Real dashboards are scoped to your organization, your frameworks, and your evidence.

03 / Live Feed · Sample

This isn't a screenshot.

Adalace's threat intelligence pipeline runs continuously — pulling from vulnerability feeds, active-exploit alerts, breach signals, and vendor advisories, then scoring each event against the technologies and vendors your program actually depends on. Your team sees what matters, not the firehose.

Sample data shown for illustration. Your live feed is scoped to your stack.

Threat Intelligence · Adalace Pipeline LIVE
04 /

Four pillars. One platform.

What's inside
/ 01
Compliance Programs
Control-by-control tracking across SOC 2, ISO 27001, HIPAA, NIST, PCI, GDPR, CMMC and more. Status, owners, evidence, deadlines — live, always. Custom framework mappings supported.
/ 02
Threat Intelligence
Vulnerability feeds, active-exploit alerts, breach signals, and curated cyber news — AI-scored against your stack and your vendors so your team sees what matters, not the firehose.
/ 03
Audits & Risk
Internal audits, vendor reviews, and third-party assessments on a managed cadence. Findings tracked through to closure with owners and dates — not buried in spreadsheets.
/ 04
Reporting & Evidence
Seven report types out of the box: executive summary, board pack, auditor evidence, customer questionnaire response, vendor risk, threat brief, and risk register. All generated from live data.
05 / Frameworks Covered

Eleven frameworks. Mapped, not bolted on.

Adalace ships with control mappings for the frameworks your customers, regulators, and insurers actually ask about. Need something custom? We map it.

SOC 2 (2017 TSC)
ISO 27001:2022
NIST CSF 2.0
NIST 800-171
NIST 800-53
PCI DSS 4.0
HIPAA Sec. Rule
GDPR
CMMC 2.0 L2
CIS Controls v8
COBIT 2019
+ Custom Mappings
06 /

Who Adalace is for

If this sounds like you
You should talk to us if…

You're the one on the hook.

  • You're a CISO, CIO, or compliance lead with too many frameworks and not enough team
  • Your SOC 2 or ISO renewal is 90–180 days out and the evidence is somewhere
  • You just won a deal that requires HIPAA, PCI, or CMMC — and the clock started yesterday
  • Your board is asking sharper questions and the spreadsheet answers aren't landing
  • Your vendors keep changing and nobody's tracking the risk implications
What changes after Adalace

You stop reconstructing the past.

  • One dashboard answers: what's compliant, what's exposed, what's next
  • Audits become a generated report — not a 6-week sprint
  • Threat intel arrives pre-filtered to your stack — no more reading 40 feeds
  • Board updates write themselves from live program data
  • You spend time on the strategic work — not on chasing evidence in Slack
07 /

Three ways to engage.

Pick your depth

Most clients start with a Posture Scan, graduate to the Managed Program, and pull us in for Audit Sprints as new frameworks come into play. Same Adalace platform, different depth.

Start Here
Posture Scan
Fixed Fee · ~2 weeks
  • Baseline assessment across 10 control domains
  • Framework gap analysis (SOC 2, ISO, HIPAA, NIST, PCI…)
  • Branded executive report — board and exec-ready
  • 30-min readout call with the practitioner
  • Remediation roadmap with prioritized next steps
Start a Scan
On-Demand
Audit Sprint
Project Basis · 6–12 weeks
  • SOC 2 or ISO 27001 readiness, end-to-end
  • Evidence assembly & control validation
  • Auditor liaison through certification
  • Remediation roadmap with owners and dates
  • Hand-off to the Managed Program if desired
Scope a Sprint
08 /

See what you'll actually get.

Sample deliverables · Anonymized

Every engagement produces artifacts your team, your board, and your auditors can use directly. These are anonymized samples from real Managed Program clients — the exec summary from a Posture Scan, the control status view an auditor pulls, and the quarterly board narrative.

Sample

Security & Compliance Posture Scan

Prepared for · Northwind Health, Inc.

Report ID · PS-2026-Q1-0847
Assessment Date · 2026-03-14
Scope · 10 Control Domains
Overall Posture · Moderate Risk
Key Metrics
87.4/100
Weighted Posture Score

Aggregate score across 10 control domains, weighted by asset criticality and framework applicability. Above threshold for SOC 2 Type II readiness; below threshold for HITRUST i1.

18gaps
Prioritized Gap Count

3 critical (blocking Type II), 8 elevated (should remediate within 60 days), 7 informational (documentation and hardening improvements).

6weeks
Estimated Remediation Runway

Time to close all critical and elevated gaps with a dedicated 0.5 FTE and Managed Program support.

Executive Narrative

Northwind operates a credible security foundation — access controls, backups, and vendor onboarding are documented and repeatable. The gaps are in continuity of evidence: quarterly access reviews are executed but not archived; vendor SOC 2 reviews happen at signature but not annually; incident response has never been drilled.

These are not architectural problems. They are program-operation problems — the kind that become audit findings the week before a Type II report ships.

Sample

Board Report · Q1 2026

Northwind Health, Inc. · Managed Program

Prepared · 2026-04-08
Audience · Board & Audit Committee
Program Age · 7 months
Program Health · Quarter in Review

Q1 was defined by preparation for the SOC 2 Type II fieldwork window that begins in Q3. The Managed Program advanced from 87.4 to 91.2 on the composite posture score. Three critical gaps identified in the January Posture Scan are now closed; five elevated gaps remain, all tracking to their remediation dates.

Vendor risk cadence caught two SOC 2 downgrade events (both remediated with vendor-side corrective action plans). Access reviews executed for 100% of privileged users on time; documentation stored auditor-ready in-platform.

Risk Register · Top 3 Movements
RiskDeltaOwner Action
Vendor SOC 2 downgrade (billing gateway) Elevated Vendor CAP received; retest 2026-05-20
Delayed OS patching (2 servers, 45+ days) Critical Change window scheduled; IR runbook drilled
Backup restore tests overdue Closed Full restore executed 2026-03-22; passed
Sample

Vendor Risk Register · Live

Northwind Health, Inc. · 47 Active Vendors

Tier 1 · 6 vendors
Reviews Overdue · 2
BAAs Expiring <90d · 3
Vendor Tier Data Handled Last Review Status
AWS (us-east-1, us-west-2) Tier 1 ePHI · PII · Auth 2026-02-14 Current
Snowflake Tier 1 ePHI · Analytics 2026-01-22 Review Due
Stripe (billing) Tier 2 Card · Billing 2026-03-01 Current
Twilio (patient SMS) Tier 2 PHI · Comms 2025-09-30 BAA Expiring
Datadog Tier 3 Ops · Logs 2026-02-28 Current
09 /

Framework FAQ.

SOC 2 · ISO 27001 · HIPAA

A taste of the questions we hear most often. For the full set — including engagement and getting-started questions — head to our FAQ page.

SOC 2
How long does a SOC 2 Type II audit really take?+

Most teams underestimate this. From the day you decide to pursue SOC 2 to the day you have a signed report in hand, plan on 6–12 months — broken roughly into: 2–6 weeks of readiness work, 3–6 months of evidence collection (the audit period), then 4–8 weeks of fieldwork and report finalization. Through the Managed Program, the audit period feels like business-as-usual because evidence is already being captured continuously.

ISO 27001
What's the certification timeline for ISO 27001?+

Plan on 9–14 months from kickoff to certification. The process: Stage 1 audit (documentation review), 3+ months of operating the ISMS, then Stage 2 audit (operational effectiveness). Certifications are good for 3 years with annual surveillance audits. We've shortened this for clients who already have mature security programs — but most teams need the full timeline to build the management system correctly.

HIPAA
Is HIPAA a certification?+

No. HIPAA is a regulation, not a certification scheme — there's no government-issued HIPAA certificate. What exists are HIPAA compliance attestations from third-party assessors (like HITRUST) and self-attestations backed by documented risk analysis, policies, and controls. Many of our clients pursue HITRUST for the credibility, or layer HIPAA controls into their SOC 2 (using the HIPAA-aligned Trust Services Criteria) for efficiency.

See All FAQs

See Adalace operating on real program data.

Book a Walkthrough