For procurement, security & legal
The answers in writing, before you ask.
Vetting a security vendor without a wall of logos to lean on means doing the homework yourself. So we put the homework on the table — who operates the program, what we sign, where your data lives, and the frameworks we map to — answered plainly so your procurement and legal teams can move fast.
Why this page exists
When there are no logos yet, transparency is the proof.
Obsidian Ridge is an early-stage, CISSP-led practice. We don't have a wall of client logos to point at, and we won't borrow trust we haven't earned. What we can do is be radically clear about how we operate — because for a regulated buyer, a vendor that answers the hard questions up front is worth more than one with a prettier case-study page. Everything below is answered the same way we'd answer it in a procurement questionnaire: directly, and in writing.
Answers in writing
What procurement, security, and legal usually ask
Obsidian Ridge is new — who is actually behind it?
A named, CISSP-certified practitioner with over a decade of hands-on cybersecurity experience — digital forensics and risk analytics at Deloitte, security architecture at Varonis, cloud security at scale, and a current Fortune 500 Zero Trust deployment. You work directly with that practitioner, not a tier-one ticket queue. The firm is young; the operator is not. The full background is on the About page.
Will you sign an NDA and a DPA?
Yes — on request, before any access to your systems or data. We treat NDAs and Data Processing Agreements as table stakes, not negotiations. For HIPAA-covered entities, we also sign a Business Associate Agreement before the engagement begins.
Are you reselling Huntress, or operating it?
Operating it. We are a Huntress partner-of-record — we deploy, configure, tune, triage, and coordinate response on the platform end-to-end. We are not a license reseller marking up a product. The platform price is pass-through; what you pay for is the practitioner program around it.
Where is our data stored, and who are your sub-processors?
Disclosed in full, by name, on the Trust page — the platforms we operate, what each one touches, and where data lives. No surprise sub-processors, no undisclosed offshoring.
What frameworks do you align to?
NIST Cybersecurity Framework 2.0, SOC 2, the HIPAA Security Rule, the FTC Safeguards Rule (and IRS Publication 4557 for tax firms), and PCI-DSS — mapped to the specific controls we operate, with an evidence package assembled as a byproduct of the service rather than a separate project.
What happens if we have an incident while you're engaged?
You get a practitioner on the phone, not a portal link to interpret. We coordinate forensics, breach-notification timing, the cyber-insurance claim, and the client- or patient-facing communication. You remain the decision-maker; we operate every technical and process step the response requires.
How do engagements start — a handshake, or paperwork?
Paperwork. Every engagement begins with a signed, fixed-scope statement of work plus the agreements above — NDA, DPA, MSA, and a BAA where it applies — before any access. No handshake deals, no silent scope creep, no surprise invoices.
Still have a question?
Send it — we'll answer it in writing.
If your procurement or security team has a question this page doesn't cover, put it in the briefing request and we'll answer before you commit to anything. The Cyber Insurance Readiness Sprint is a fixed-scope, no-long-contract way to see exactly how we work first.