08 · Assessment

Framework & Gap Assessments

Picking a security framework is easy. Knowing where you actually stand against it — and what to do next — is the hard part. We benchmark your current state, identify the gaps, and produce a roadmap your team can actually execute.

  • CIS
  • NIST CSF
  • ISO 27001
Typical duration: 4–8 weeks
Team: 1 governance lead + analyst
Prerequisites: Target framework + program documentation
Deliverable: Gap register + sequenced closure roadmap

What is a Framework & Gap Assessment?

A framework and gap assessment measures your current security posture against a chosen reference framework — NIST Cybersecurity Framework, CIS Critical Security Controls, ISO 27001, or your industry’s specific guidance — and identifies the gaps between where you are and where you should be.

The deliverable isn’t a pass/fail certificate. It’s a maturity score per control area plus a prioritized roadmap of what to invest in next, sized to your team’s actual capacity to execute.

Why a framework matters

Security frameworks exist because no organization can defend everything equally. A framework provides:

  • A common vocabulary — your team, your board, and your customers can have aligned conversations about security posture
  • A defensible reference — “we follow NIST CSF” is a meaningful answer to vendor risk questionnaires; “we do our best” is not
  • A maturity ladder — clear next steps from where you are to where you want to be, with industry benchmarks
  • A budget rationale — investments mapped to specific control gaps, not generic “we need more security”

The hard part isn’t picking a framework. It’s honestly assessing where you stand against it, then prioritizing the closure work for actual impact rather than checkbox completion.

CyberBullet’s methodology

1. Framework Selection & Scope

If you haven’t picked a framework yet, we’ll recommend one based on your industry, customer requirements, regulatory context, and team capacity. For organizations already aligned to a framework (or required to be), we work with that one.

2. Evidence Gathering

We collect the documentation, configurations, and operational evidence needed to score each control: policies, network diagrams, IAM exports, incident response procedures, vulnerability management reports, change control records, training completions, and existing audit findings.

3. Stakeholder Interviews

We conduct structured interviews with control owners — security, IT, DevOps, HR, legal, leadership. Interviews surface the operational reality that documentation alone doesn’t capture (the policy says X; what actually happens is Y).

4. Control-by-Control Assessment

For each framework control, we score current implementation against maturity criteria — typically a 0-4 or 1-5 scale depending on the framework. Each score is evidence-backed; subjective scores aren’t useful for the roadmap that follows.

5. Gap Prioritization

We identify the highest-impact gaps based on: risk reduction value (which gaps actually move the security needle), remediation cost, dependencies (gaps that block other improvements), and quick-win candidates (gaps closable in 30 days).

6. Roadmap & Reporting

The deliverable is structured for two audiences: an executive summary with maturity scoring and budget recommendations for leadership, plus a detailed remediation roadmap with control-level next-actions for the security and IT teams.
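A worked version of steps 4 and 5, added here as an illustration and not CyberBullet's own tooling: a small gap register scored on the 0-4 scale described above, with quick-win selection (closable in 30 days, not blocked by another open gap) and a closure sequence that respects dependencies. Control names, effort figures and the priority weighting are constructed assumptions.

```python
# Added illustration of a gap register and sequenced closure roadmap; not CyberBullet's
# tooling. Assumes the 0-4 maturity scale the page mentions; control names, effort
# figures and the priority weighting are constructed for the example.
from dataclasses import dataclass, field

@dataclass
class Control:
    cid: str
    name: str
    current: int        # evidence-backed maturity score, 0-4
    target: int         # maturity the organisation wants to reach
    risk_value: int     # 1-5, how much closing this gap reduces risk
    cost_days: int      # estimated remediation effort in calendar days
    depends_on: list = field(default_factory=list)  # control ids that must close first

    @property
    def gap(self) -> int:
        return max(self.target - self.current, 0)

    def priority(self) -> float:
        # Big gaps on high-risk controls first; cheap closures rank ahead of expensive ones
        return self.gap * self.risk_value / max(self.cost_days, 1)

def quick_wins(register, max_days=30):
    """Open gaps closable within max_days that are not blocked by another open gap."""
    open_ids = {c.cid for c in register if c.gap}
    return [c.cid for c in register
            if c.gap and c.cost_days <= max_days and not set(c.depends_on) & open_ids]

def sequence_roadmap(register):
    """Order open gaps by priority, never scheduling a control before its dependencies."""
    pending = {c.cid: c for c in register if c.gap}
    done, order = set(), []
    while pending:
        ready = [c for c in pending.values()
                 if all(d in done or d not in pending for d in c.depends_on)]
        if not ready:  # every remaining gap waits on another remaining gap
            raise ValueError(f"dependency cycle among {sorted(pending)}")
        nxt = max(ready, key=Control.priority)
        order.append(nxt.cid)
        done.add(nxt.cid)
        del pending[nxt.cid]
    return order
# Constructed sample register (not client data)
REGISTER = [
    Control("CIS-01", "Asset inventory", 1, 3, 5, 20),
    Control("CIS-05", "Account management", 2, 4, 4, 45, ["CIS-01"]),
    Control("CIS-07", "Vulnerability management", 1, 3, 5, 60, ["CIS-01"]),
    Control("CIS-08", "Audit log management", 3, 3, 3, 10),
    Control("CIS-14", "Security awareness training", 2, 3, 2, 15),
]
```

Calling `quick_wins(REGISTER)` and `sequence_roadmap(REGISTER)` yields the 30-day candidates and the dependency-respecting closure order; a control already at target (CIS-08) is left out of both.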

Frameworks we assess against

  • NIST Cybersecurity Framework (CSF 2.0) — most common for U.S. organizations
  • CIS Critical Security Controls (v8) — prescriptive, good for organizations early in their maturity journey
  • ISO 27001 + Annex A controls — needed for international certification
  • NIST SP 800-53 — required for federal contractors
  • HITRUST CSF — common for healthcare
  • Industry-specific — NAIC, FFIEC, NERC CIP, AICPA TSC

Who this is for

  • Organizations adopting a security framework for the first time and needing to know where they stand
  • Boards and executives who need a defensible metric for security posture quarter over quarter
  • Companies preparing for SOC 2 Type II or ISO 27001 certification — framework assessment is the typical pre-audit step
  • Post-incident organizations rebuilding their security program with a structured target state
  • Security leaders building their next 12-24 month investment plan

Our methodology

Every engagement runs through the same six phases. Manual validation isn't a finishing step — it's the product.

01 · SCOPE

Scope & Authorize

We define the engagement boundary precisely before testing starts — in-scope assets, out-of-bounds targets, testing windows, and emergency-stop procedures.

  • Written authorization letters exchanged before any packet leaves our infrastructure
  • Signal / Slack channel established for real-time findings during the engagement
  • Explicit rules of engagement reviewed with legal, IT, and business stakeholders

02 · PASSIVE

Passive Reconnaissance

Before a single packet touches your infrastructure, we map your external footprint using public sources only — DNS, CT logs, code repos, internet-wide scan data.

  • Typically discovers 15-30% more attack surface than the client originally provided
  • Certificate transparency, BGP, and GitHub exposure reporting
  • OSINT profile for social engineering vectors if in scope

03 · ACTIVE

Active Discovery

We enumerate live services across in-scope assets — ports, software versions, auth mechanisms, and protocol configurations — correlated against current vuln data.

  • Hand-tuned scanning profiles — not the default Nessus run
  • Protocol-level inspection for TLS, SSH, SMB, Kerberos, LDAP
  • Service fingerprinting to ground truth before any exploitation

04 · MANUAL

Manual Validation

Every potential issue is validated by hand before it makes the report. No CVE-dumping. No false positives. This is what separates the engagement from a scan.

  • Manual exploitation attempts for any finding of High severity or above
  • Business-logic testing on top of the technical layer
  • Chained vulnerabilities analyzed as a single attack path

05 · EXPLOITATION

Exploitation & Impact

For confirmed vulnerabilities with attacker value, we attempt exploitation to prove impact — not just that a CVE applies, but what it gets you.

  • Proof-of-exploit captured for every confirmed critical finding
  • Pivot paths mapped to the actual crown-jewel data
  • Interim notification inside 24 hours for anything critical

06 · REPORT

Report & Remediate

Every finding is paired with severity rated on real exploitability, reproducible proof-of-exploit, and remediation guidance your team can ship this sprint.

  • Executive summary and technical deep-dive in a single report
  • Findings mapped to CIS, NIST CSF, and relevant compliance families
  • Retest included — we confirm the fix before we close the finding

What you walk away with

Frameworks we map to

Findings ship mapped to the control families your regulators and auditors actually check. Governance clients use these crosswalks directly in their program documentation.

  • CIS Controls v8
  • NIST CSF 2.0 / 800-53
  • PCI DSS 4.0
  • HIPAA Security Rule
  • SOC 2 Type II
  • OWASP ASVS

Questions we get asked

What's the difference between a framework assessment and a compliance assessment?

Compliance assessments measure you against a regulation that has legal teeth (PCI DSS, HIPAA, GLBA) — pass/fail, often externally audited. Framework assessments measure you against a security framework you've adopted voluntarily as a maturity model (NIST CSF, CIS Controls, ISO 27001). The output isn't 'compliant or not' — it's 'how mature are you, and where should you invest next.'

Which framework should we use?

Depends on your context. NIST CSF is the most common for U.S. organizations seeking a flexible maturity model. CIS Critical Security Controls is more prescriptive — better when you want a clear 'do these 18 things' list. ISO 27001 is the right call if you'll need international certification. We'll recommend during scoping based on your industry, customer requirements, and existing posture.

How long does a framework assessment take?

Typically 3-6 weeks: 1-2 weeks of evidence gathering and stakeholder interviews, 1-2 weeks of analysis and scoring, and a week of report drafting and review. Larger organizations or more complex frameworks (ISO 27001 with all annex controls) take longer.

Do we need to share sensitive documents with you?

Some, yes — security policies, network architecture diagrams, incident response procedures, evidence of existing controls. We work under NDA, never retain documents post-engagement, and use secure transfer protocols. The depth of the documentation review is what makes the assessment accurate; we can't score what we can't see.

What do we do with the results?

The remediation roadmap is built to drive your next 12-24 months of security investment — what to budget, what to prioritize, which gaps to close first. For boards and executives, the maturity scoring gives a defensible metric to track quarter over quarter. For your team, it gives a clear backlog of work.

Next step

Tell us what's on your radar — we'll tell you where to start.

A 30-minute scoping call. You talk to the senior operator who would actually run the engagement. Scoping notes back inside 24 hours.

  • No high-pressure follow-up
  • Scoping notes delivered within 24 hours
  • NDA available before the call