A SaaS vendor's billing does not match the contract. A government program's eligibility screen is trivially bypassable. A corporate control says one thing in the policy doc and does another in the system. An audit trail has a gap the size of a barn door.
The gap is always between three things: what the policy says, what the system does, and what the humans actually click. Fraud lives in that gap. Sometimes deliberate. Usually sloppy. Always there.
A regulatory finding, class-action exposure, a notification letter the CFO did not want to sign, or a press release you did not write. By the time a third party surfaces the issue, the cost is no longer the fix. It is the fix plus legal, plus brand, plus insurance premium, plus the board meeting.
Organizations that find their own gaps first pay the fix. Organizations that wait for the outside eye pay everything else on top.
I work the same way an internal audit function does, scoped, timeboxed, and delivered as an outside consultant under NDA. I review the policy doc, the system behavior, and the human workflow (in that order) for any framework you answer to. I find the gap. I document it for your counsel. Your CISO decides what to remediate, what to report, and what to log.
You own the findings. Nothing goes public. The next external audit does not find anything, because it was already fixed.
Government-funded activities tend to be where the largest catches have landed. It is not a niche I market. It is a pattern of where the big gaps hide. Money plus complexity plus oversight gaps equals opportunity.
SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, CCPA, SOX, False Claims Act, DCAA, FAR / DFARS, CMMC, NIST 800-171, FedRAMP, FINRA, AML / BSA, 21 CFR Part 11, FTC §5, OMB 2 CFR 200 / Single Audit, Form 990 / §4958, state charitable trust, and whatever internal controls your organization has layered on top. The acronym is just the dialect. The gap is the gap.

30 minutes, remote. You name the framework and describe your organization. I tell you your three biggest gaps. If the pattern does not match reality, you owe me nothing and leave with the list. If it does, we talk scope. No NDA required for this step. I do not need your data to know where fraud hides.
A one-page scope and a fixed fee. A two-day program review is not priced the same as a six-week engagement. You approve both before I touch anything. No hourly billing.
Under NDA, under a consulting agreement, with your legal team in the loop. Documents, systems, interviews, whatever the scope says. Nothing is disclosed externally at any stage.
Findings ranked by exposure. Each with a remediation plan and an effort estimate. Your legal team reads it first. Your CISO decides what to act on. You own everything.
| Tier | Typical Window | Commercial | Non-profit |
|---|---|---|---|
| Scoping sprint (narrow, single question) | 1 week | $15K to $25K | $10K to $18K |
| Program review (one framework, end-to-end) | 2 to 4 weeks | $40K to $90K | $25K to $60K |
| Deep dive (multi-framework, post-audit, or board-ordered) | 6 to 10 weeks | $120K to $300K | $75K to $180K |
Non-profit engagements are priced on the reduced ladder. Public service has overhead limits. I respect them.
30 minutes. No NDA. If there is nothing worth doing, I will say so and we part ways. If there is, I will write you a scope and a fixed fee.
Pick a date and time on the diagnostic-call calendar, or email me (your email client opens pre-filled), or reach me on LinkedIn.

CAGE 1CQ66 · UEI W7X3HAQL9CF9 · SAM.gov active · MD eMMA SUP1095449. Primary NAICS: 541512 (Computer Systems Design Services), 541611 (Management Consulting), 541990 (Professional Services). DCAA-familiar. Contact for past performance and rate structure.
Michael Cochran, dedicated cyber security architect, founder of The Cochran Block, LLC, based in Baltimore, Maryland. Army 17C Cyber Operations Specialist. Former USCYBERCOM J38. Thirteen years across defense and enterprise cyber. Service-disabled veteran. Single-member LLC, SDVOSB, Maryland eMMA registered.
I spent a decade finding what was broken in other people's systems. Now I help organizations find it in their own, before someone outside does.