The 21-Day Diagnostic: Why a $10,000 Written Assessment Replaces a $250,000 Big-Four Audit
The Big Four are not selling you an assessment; they are selling you a 4–6 month engagement that produces a deck. The Diagnostic produces a written report under privilege for $10,000, and the report is the one our PE clients hand to their LPs.
Updated for 2026, The Diagnostic economics still hold, and the scope has widened to cover agent infrastructure and AI trust architecture, both of which most Big Four cyber engagements still treat as a separate workstream. See the twelve agent-infrastructure pieces regulated buyers need and trust architecture for regulated AI for what the 2026 Diagnostic now covers in the same 21-day window. What the Big Four sells when you ask for "a cyber assessment" When a portfolio company CFO, a healthcare general counsel, or a regulated SaaS board chair calls one of the Big Four and asks for "a cyber assessment," the engagement that comes back is almost never the engagement they thought they were buying. The pitch deck is excellent. The partners on the first call are senior and persuasive. The price quote has five or six zeros. The SOW is twelve to twenty pages. The timeline is four to six months. And the deliverable, when it lands, is a slide deck. We are not antagonistic about this. The Big Four firms are well-staffed, the methodology is real, and there are situations, covered later in this guide, where a Big Four logo on the cover page is genuinely what the buyer needs. But the buyer should understand what they are actually purchasing, because the engagement shape is not what the pitch implies. The economics are straightforward. A Big Four cyber assessment for a mid-market company typically lands between $180,000 and $350,000. The senior partner who appeared in the pitch is on the engagement for the first three weeks, kickoff, scoping, first interim readout, and then disengages to the next sale. The work is run by a senior manager or director, excellent or merely competent depending on which office you draw. Interviews, data collection, workpaper assembly, and draft authoring are handled by managers and senior associates, most of whom rotated onto the engagement from another industry the prior quarter. The senior partner reappears at the final readout, presents the deck, and disengages again. The deliverable is a slide deck. There is usually a written executive summary attached, three to five pages, and a workpaper trail in the firm's internal system that the client never sees and cannot subpoena later. The deck contains a maturity-model heatmap, a list of observations, a list of recommendations, and a roadmap. The recommendations are sound. They are also, in our reading of dozens of these reports, generic at the level of phrasing, the same phrases recur across deliverables for very different companies, because the underlying templates are shared inside the firm. The reason senior partners disengage after week three is structural, not malicious. Big Four firms run on utilization economics. A senior partner's hour is priced at a multiple where keeping them on a four-month engagement past the scoping phase makes the engagement unprofitable. The economics force a hand-off. The hand-off is well-managed when the senior manager is strong; it is a quality cliff when they are not. The buyer cannot tell the difference at the point of sale. Three other features are worth naming. First, the SOW typically does not commit to a long-form written report; it commits to a presentation and an executive summary. Second, the workpapers are firm property, if the company is later acquired, the acquirer receives the deck, not the workpapers. Third, the change-order economics run heavily in the firm's favor, and the engagement's actual cost frequently lands twenty to forty percent above the original quote. None of this is hidden. It is in the SOW for buyers who read SOWs carefully. But the marketing layer above the SOW does not surface it, and most buyers, board members, GCs, CFOs evaluating cyber for the first time, read the pitch and not the SOW. What the Diagnostic produces The Securem Advisory Diagnostic is the inverse engagement shape. It is fixed-scope, fixed-price, two-to-three weeks elapsed, ten thousand dollars, and the deliverable is a written report. We describe the report concretely below because the concreteness is the point. The report is twenty to forty pages of long-form prose, not a slide deck and not an executive summary attached to one. The body walks through the findings in narrative form: what we examined, what we found, what it means for the audit posture or the deal posture or the operational posture, and what specifically we recommend doing about it in what order. The recommendations are sequenced, the report tells the buyer which fix to make this quarter, which to plan for next quarter, and which to fold into the next budget cycle. Sequencing is the part most assessments skip. The report is signed by the named partner who ran the engagement. The partner who appeared in the sales conversation is the partner who runs the work, writes the findings, and signs the cover page. There is no hand-off to a senior manager between the sale and the delivery. This is structurally possible because Securem is a partner-led firm of approximately ten people, and the economics are designed around partner attention rather than against it. The engagement runs under privilege when the buyer wants it to. We execute under engagement of outside counsel, take direction from counsel, and produce the report to counsel, preserving attorney-client privilege and work-product protection on the findings. This matters when the buyer is in active litigation, in a regulator-facing posture, or in a transaction where findings could be discoverable. Most Big Four engagements are not structured under privilege by default; the buyer has to ask, and many don't think to. The standard engagement includes a bilateral NDA with a confidentiality clause that survives termination indefinitely. The findings do not appear in our marketing or case studies without explicit written consent. Every Diagnostic comes with a thirty-day clarifying-question window. After delivery, the buyer can come back to us with questions, what did this finding mean, how do we operationalize this recommendation, what should we say to our auditor, for thirty days at no additional charge. This is not implementation work; it is the buyer making sure they understood what we wrote. The report is the buyer's. They keep it, hand it to the board, hand it to outside counsel, attach it to a diligence data room, hand it to the next acquirer, hand it to the next auditor, hand it to their cyber insurance carrier. It stands on its own. The fixed-scope, fixed-price discipline The price does not move during a Diagnostic engagement. We commit to a number at signing and deliver against that number. If we discover during week one that the environment is twice as complex as we thought, that is our problem, not the buyer's. We absorb the discovery cost. This is not how most cybersecurity engagements run. The dominant pricing model in cyber consulting is time-and-materials with an hourly rate and a not-to-exceed cap that, in practice, gets renegotiated halfway through. T&M creates an alignment problem the buyer rarely names: every hour the consultant spends is revenue, so scope discoveries are good for the consultant. Discipline against scope creep then depends on the consultant's professional ethics, usually fine, but the pricing model is fighting the ethics rather than supporting them. Fixed-price reverses the alignment. Every hour we spend past the scoped budget reduces our margin. Our incentive is to scope accurately at the front, work efficiently in the middle, and deliver a complete report at the end. Scope creep hurts us. The discipline is in the pricing, not in the partner's resolve. Scope changes do happen, buyers occasionally want to add a system or pull in a related workstream. When they do, we handle it explicitly: a written scope-change memo, a revised price, the buyer's written acceptance, and then the work begins. The change is in writing or it does not happen. There is no sliding-scope conversation, no "we'll bill for this," no surprise on the final invoice. The discipline shows up in three other ways. First, scoping is rigorous before the engagement starts. We will not sign a fixed-price SOW we cannot deliver against, so the scoping calls, usually two, totaling about ninety minutes, are detailed. The scoping is the part of our process that most resembles diligence; the engagement itself is heads-down work after scoping ends. Second, the timeline is published and held. Two to three weeks of elapsed time, with milestones, interview dates, draft delivery, walkthrough, in the SOW. We hit them. Third, the reading list is short. We ask for the specific artifacts that bear on the questions we are answering, the relevant policies, the prior assessment if there is one, the audit logs we need to sample, the architecture diagrams. We have seen Big Four engagements ask for two hundred documents at kickoff, half of which are never read. The dynamic this creates is qualitatively different from the T&M engagement the buyer may have run before. The conversation is about findings, not hours. The status update is about progress against milestones, not budget burn. Change-order conversations are rare and explicit. The CFO has a number they can budget against; the auditor has a deliverable they can review. What the Diagnostic explicitly is not The Diagnostic is not implementation. We do not configure your firewalls, deploy your SIEM, write your IAM policies, or run your incident response. The engagement produces a written assessment and a sequenced recommendation set; it does not execute against the recommendations. If the buyer wants implementation help after the report lands, we refer to one of three implementation partners we trust, or, for narrow fixed-scope follow-on work, quote a separate engagement with its own SOW. The default answer is "here is the report; here is who can build against it." The Diagnostic is not a retainer. We do not bill monthly fees for general advisory. The firms that sell vCISO-as-monthly-retainer have a fundamentally different business model: they are selling time on standby, and the buyer pays whether they use the time or not. When buyers ask us for ongoing support, we structure it as a fixed-scope productized retainer, a defined deliverable each quarter, a fixed price, a fixed scope of meetings, so the buyer is paying for output, not availability. If the work doesn't fit a productized shape, we don't take the engagement; we are not a body shop. The Diagnostic is not hourly billing. There is no rate card, no timesheet, no end-of-month invoice with line items. The engagement is a fixed price, paid fifty percent at SOW signing and fifty percent at report delivery. The buyer's procurement team treats it like a software license, most of our engagements clear procurement in under five business days, because there is nothing to negotiate. The Diagnostic is not a sales pitch for the next engagement. The report does not contain a chapter at the end recommending that the buyer hire us for implementation, retain us as ongoing advisors, or sign up for our subscription. Recommendations are vendor-neutral and silent on our own follow-on services. The report is the engagement; whatever comes after is a separate decision the buyer makes on their timeline. These four "is nots" are the four ways consulting engagements most commonly disappoint. Assessment turns into implementation. Project turns into retainer. Fixed price turns into hourly billing with a cap that didn't hold. Independent advice turns into a thinly-veiled pitch for the next phase. The Diagnostic is engineered against all four, and the discipline is structural, in how the engagement is priced and scoped, not in our resolve to behave well. Five engagement shapes, how they map to the buyer The Diagnostic is one product with five shapes, mapped to the five buyer profiles we serve. Each shape is the same fixed-scope, fixed-price, written-report engagement; what changes is the question being asked, the artifacts being examined, and the audience for the report. HIPAA + Azure Diagnostic, for healthcare nonprofits, behavioral health providers, and regulated digital health organizations. The question is whether the organization's HIPAA posture survives an OCR audit, a payer-network attestation, or a Joint Commission review. The artifacts are the Security Rule control inventory, the BAA chain, the Azure architecture under the BAA addendum, the audit log retention, and the access control matrix. The audience is the CIO, the GC, and the board. This shape is most often run under outside counsel privilege because the findings are most likely to be discoverable in a future regulator-facing posture. See /industries/healthcare and /industries/behavioral-health. Trust Accounting + Close Diagnostic, for property management firms, escrow operators, and trust-account-holding fiduciaries. The question is whether the trust accounting environment, the close process, and the segregation of duties pass a state regulator's audit. The artifacts are the trust ledger, the bank reconciliations, the close calendar, the systems-of-record inventory, the role-mapping against duty separation, and the cyber controls protecting the trust environment from intrusion. The audience is the broker-of-record, the firm principal, and the state regulator. This shape often surfaces close-process gaps the internal accounting team could not see because they were inside the process. See /industries/property-management. PE Cyber/Tech Diagnostic, for private equity firms running cyber-and-tech diligence on a portfolio company or a target. The question is whether the target's cyber and tech posture is acceptable, fixable, or disqualifying, and at what cost. The artifacts are the target's environment, the prior assessments, the integration plan, and the LP-facing reporting requirements. The audience is the deal partner, the operating partner, and ultimately the LPs who receive the firm's diligence packet. PE is the segment where the report is most often handed onward, the LP reads it, and the report has to stand up to that reading. See /industries/private-equity. AI Platform + Compliance Diagnostic, for regulated SaaS providers and AI-native companies adopting models in regulated workflows. The question is whether the AI architecture is defensible against the compliance regime that governs the company, HIPAA, state privacy law, SOC 2, sector-specific frameworks, and what specifically must be true of the architecture, the BAA chain, the audit logging, and the orchestration layer for the AI program to survive its first audit. The audience is the CTO, the CISO, and outside counsel. See /industries/regulated-saas. EHR + Billing Diagnostic, for healthcare provider organizations running EHR-and-billing platforms with cyber and revenue-cycle exposure. The question is whether the EHR, the billing platform, the integration layer between them, and the cyber controls around the combined environment hold up against payer audits, RAC audits, and HIPAA audits simultaneously. The audience is the practice CIO, the revenue-cycle leader, and the GC. This shape is most often run because the practice has had a near-miss, a payer denial pattern, a billing dispute, a HIPAA breach notification, and leadership wants a written assessment of how exposed they actually are. See /industries/healthcare. Each shape is the same engagement architecture: fixed-scope, fixed-price, two-to-three weeks, written report, named partner, NDA, optional privilege, thirty-day clarifying-question window. What varies is the question, the artifacts, and the audience. The buyer who needs penetration testing, ongoing managed detection, or incident response is a buyer we refer to a firm built for that shape, the Diagnostic is not a universal product and we do not pretend it is. The decision framework: Big Four vs Diagnostic There are situations where the Big Four is the right answer, and we will say so. The decision framework is not "always pick the boutique." It is "pick the engagement shape that fits the question." The Big Four is the right answer when the buyer needs a regulator-required attestation that only a Big Four firm is structurally positioned to deliver. SOX-equivalent assertions for a public-company subsidiary, certain federal-contractor attestations, certain state-licensure regimes that explicitly enumerate Big Four-eligible firms, these are situations where the brand on the cover page is part of the deliverable's regulatory weight. The Diagnostic does not replace those engagements and does not try to. The Big Four is also the right answer when a deal counterparty has explicitly required Big Four diligence as a closing condition. Some LPs, some strategic acquirers, some public-company buyers will not accept boutique diligence above a size threshold. When the deal documents name the firm, the buyer hires the firm. We will sometimes run the Diagnostic alongside a Big Four engagement in those situations, the Diagnostic informs the management team, the Big Four engagement satisfies the counterparty. The Diagnostic is the right answer in approximately every other situation we have seen. When the buyer is making an internal decision and needs a written assessment. When the board is asking a question and needs an answer it can show the board. When outside counsel is structuring a privileged review. When the audit is coming and the buyer needs to know what will be cited. When a transaction is in early diligence. When the cyber insurance renewal needs underwriting evidence. When a regulator has flagged something and the buyer needs to respond with a written posture document. The Diagnostic was built for these. The Big Four is overbuilt for them. The cost differential is worth naming. A Diagnostic is approximately four percent of the cost of a Big Four engagement and approximately ten percent of the elapsed time. The deliverable is a written report rather than a deck. The partner who runs the engagement is the partner who signs the report. Privilege is available by default. Scope and price do not move. For the questions the Diagnostic was built to answer, it is a better fit on every dimension except the one, regulator-required brand attestation, where it is structurally not competing. We recommend this framework to every buyer who calls us, including buyers who ultimately go with the Big Four. It is a way of separating the engagement shape from the engagement brand. Buyers who run the framework usually arrive at the right answer for their situation. Buyers who do not usually buy the engagement that came up first in the conversation, which is usually the engagement that came in through the existing audit relationship. What to ask any cyber consultancy before signing The questions below apply to every cyber consultancy a buyer evaluates, including Securem. They are the questions we wish every buyer asked us, because they would surface the engagement-shape decision before the SOW is signed rather than after the deliverable lands. 1. What is the deliverable, in writing? Not what the deck says it is, what the SOW commits to. Is there a long-form written report? How many pages, approximately? Is it signed by a named partner? Is it the buyer's property after delivery? Many engagements promise "an assessment" and deliver a deck plus a workpaper trail the buyer never sees. Ask for the deliverable in writing. 2. Is the price fixed? Not "fixed with a not-to-exceed cap", fixed. If scope changes, what is the change-order process, in writing? T&M engagements with a not-to-exceed are not fixed-price engagements; they are hourly engagements with a soft cap. Ask which of the two the firm is selling. 3. Who runs the work, and is that the same person who pitched it? Not who is on the SOW as the engagement partner, who is actually heads-down on the work. If the senior partner disengages after kickoff, ask who the engagement is being handed to and what their experience is. The hand-off is fine when the senior manager is excellent; it is a quality cliff when they are not. The buyer should know who they are buying from. 4. Can the engagement run under privilege? If outside counsel engages the firm and directs the work, are the findings privileged? Many cyber engagements are not structured for privilege by default. If the buyer's situation might surface in litigation or regulator-facing review, the privilege posture matters. 5. What is explicitly out of scope? Implementation? Retainer? Hourly billing? Sales pitch for the next engagement? The four "is nots" from earlier in this guide are the four most common ways engagements disappoint. Ask the firm to put the "is nots" in writing. These five questions, asked of every firm in the bake-off, separate the engagement shapes from the engagement brands. They are diligence questions, not gotcha questions, and a firm that resists answering them in writing has just told the buyer something important. If the buyer is evaluating Securem: written twenty-to-forty-page report signed by a named partner; fixed price with written change-order discipline; the partner who pitches is the partner who runs and signs the work; privilege available by default through outside counsel; out of scope is implementation, ongoing retainer outside the productized shape, hourly billing of any kind, and sales pitches for next engagements. The matched comparison is at /why-securem-vs-big-4; a redacted sample report is at /sample-report; engagements run through outside counsel are described at /counsel; and a fixed-price proposal can be requested at /proposal-request or directly at /diagnostic. The Big Four vs Boutique Engagement Comparison Worksheet paired with this guide gives the buyer a side-by-side scorecard across the five questions above plus seven secondary dimensions. Use it on every cyber consultancy you evaluate, including ours. The buyers who pick the right engagement shape are the buyers who scored the engagements before signing.