Run professional security assessments.
Close managed security deals.
A 7-document toolkit that gives MSPs everything needed to conduct a structured cybersecurity audit, deliver a credible executive-level report, and convert findings into recurring managed security revenue.
Instant download. Lifetime access. Editable Markdown format.
7 documents. Everything from first call to closed deal.
Not a single generic checklist — a complete workflow that takes you from first client contact through to a signed managed security engagement.
Pre-Assessment Client Questionnaire
30 questions across 8 sections. Send to the client before you show up — their answers tell you where to focus and prime them for the findings conversation.
150-Point Technical Audit Checklist
NIST CSF & CIS Controls v8 aligned. 8 security domains. Score each checkpoint as you work — the risk matrix aggregates everything automatically.
Risk Scoring Matrix
Weighted domain scoring with letter grades A–F and industry benchmarks by vertical. Turns 150 data points into a defensible overall risk posture.
Executive Summary Report Template
Written for CEOs and CFOs, not IT staff. Non-technical language, letter grade up front, top 3 findings with business impact. The document that closes deals.
Assessment-to-Managed-Security Upsell SOP
Step-by-step framework for turning assessment findings into a managed security proposal — including 5 objection-handling scripts for the most common pushbacks.
Assessment Scope & Rules of Engagement Letter
Client signs this before you start. Defines what you're assessing, what you're not, and what happens with the findings. Protects you and sets professional expectations.
README + Workflow Guide
Full step-by-step instructions for running the assessment workflow, plus a placeholder index so you can find and replace your MSP name everywhere at once.
150 checkpoints across 8 security domains
Covers the full attack surface of a typical SMB client — from identity and endpoints to cloud and backup. Aligned to frameworks your clients' cyber insurance carriers recognize.
From first call to closed deal — step by step
The toolkit is built around a single repeatable workflow. Run it the same way every time, and assessment-to-revenue becomes a predictable process instead of a one-off effort.
Send the questionnaire
Send Document 01 to the client before you arrive. Their answers shape the assessment focus and signal which domains need the most attention.
Sign the scope letter
Get Document 06 signed before any work begins. Defines scope, limitations, and expectations. Protects you legally and professionally.
Run the 150-point audit
Work through Document 02 domain by domain. Score each checkpoint as you go. Use Document 03 to calculate weighted domain grades.
Build the executive summary
Use Document 04 to create the client-facing report. Overall grade, top 3 findings, business impact language — no IT jargon. This is the document that gets a meeting.
Present findings and close
Use Document 05 to structure the upsell conversation. The SOP walks you through the pitch and gives you scripted responses for the 5 most common objections.
Built for MSPs who want security assessments to pay for themselves
🚀 MSPs starting to offer security assessments
You know assessments are a revenue opportunity but you've been building your own process from scratch. This gives you a professional, structured toolkit you can use on the first engagement.
📋 MSPs with inconsistent assessment processes
Your team does assessments, but the output depends on who runs them. This standardizes the process so every assessment produces a consistent, professional deliverable regardless of who's doing the work.
💰 MSPs struggling to convert assessments to recurring revenue
You run a good assessment but the close falls apart. The upsell SOP and 5 objection scripts are specifically designed to bridge the gap between "here's what we found" and a signed managed security agreement.
Questions worth answering
What format are the files?
All 7 documents are Markdown (.md) files. They open in any text editor, Notion, Obsidian, VS Code, or Word. You can edit, white-label, and print them without any special software.
Is this a penetration test toolkit?
No. This is a security assessment toolkit — it covers process, configuration, policy, and controls. It's not a pen test and doesn't replace one. The scope letter in Document 06 makes this explicit.
Can I white-label this and use it with clients?
Yes. The documents are designed to be white-labeled. Replace the placeholder text with your MSP name and branding. You're the one presenting the findings — this is your toolkit.
How does the risk scoring matrix work?
Each of the 8 domains has a weighted score. As you complete the checklist, you enter pass/fail/partial scores. The matrix calculates a weighted domain grade and an overall letter grade (A–F) with industry benchmarks by vertical so you can contextualize findings for different client types.
Do I need NIST or CIS expertise to use this?
No. The checklist translates framework requirements into plain-language questions you can answer during a standard client visit. The framework alignment is built into the structure — you don't need to be a compliance expert to use it effectively.
What do the objection-handling scripts cover?
The 5 scripts address the most common pushbacks MSPs face when pitching managed security after an assessment: "we have internal IT," "we'll fix it ourselves," "we can't afford it right now," "we're not a target," and "our insurance doesn't require it."
Start running professional security assessments today.
$67 one-time. Instant download. Everything you need to run the assessment, deliver the report, and close the managed security deal.