Outcomes scale with capacity. Not tickets. Not hours.
CDA operates on a capacity-based execution model.
You are not buying projects or deliverables. You are securing dedicated execution capacity that adapts as your priorities, threats, and environment change.
Access Levels govern execution capacity. Missions, Campaigns, and Wars apply it.
Foundational Recon Mission
Before any execution begins, every engagement starts with a Foundational Recon Mission (FRM). FRM establishes validated context so execution capacity is applied correctly, not wasted.
Validated FRMs most commonly price in the mid-to-high $30k range, depending on your urgency, operating environment, and outcome criticality.
Produces threat exposure assessment
Maps your architecture, tools, and security controls
Identifies dependencies, gaps, and constraints
Identifies recommended Access Level
Establishes further collaboration plans
3 weeks, full-team surge
Validated roadmap with recommended Access Level, Campaigns, and initial Missions
Not a compliance audit
Not a penetration test
Not campaign execution
Not a fixed deliverable checklist
Execution is structured through Missions, Campaigns, and Wars.
How many of these can run concurrently is determined by your Access Level.
Mission
Time-bound execution with a
single,
measurable outcome.
Campaign
Translates business risk into
coordinated
execution across multiple Missions.
War
Long-term operating model for
sustained security execution at scale.
Execution Capacity Is Governed by Access Levels
Missions, Campaigns, and Wars describe what gets executed.
Access Levels define how much execution your organization can sustain at once.
Three factors determine how much execution capacity your organization requires.
Your Security
Posture Desires
Reflects adversary pressure, exposure, and time sensitivity.
Your Operating
Environment Complexities
Reflects scale, regulation, and coordination complexity that affect execution velocity.
Outcome Criticality
to Your Organization
Reflects how much the outcome of the work matters to the business.
Access Levels define concurrent execution limits, not deliverables or usage quotas.
Discovery efforts
Foundational Recon Only
0
Focused security programs
1
Growing Organizations
2
Complex Environments
3
Enterprise and Government
4
High-Complexity Environments
5
Capacity is allocated across Missions, Campaigns, and Wars based on active priorities.
Execution beyond these limits requires cycle slots or Access Level adjustment.
FAQs
Why don’t you price by Mission or deliverable?
Because outcomes depend on sustained execution capacity, not isolated work items. Access Levels ensure execution remains coordinated, prioritized, and realistic over time.
What Are Cycle Slots?
Cycle Slots allow you to temporarily expand execution capacity.
They are used when:
- Executive urgency increases
- Multiple priorities must run in parallel
- Incident response or board pressure demands acceleration
Cycle Slots expire when no longer needed. Upgrading your Access Level is always more cost-effective for sustained demand.
What CDA Does Not Do?
- No one-off assessments
- No unlimited scope engagements
- No time-and-materials billing
- No execution without context
This model exists to protect outcomes, not maximize activity.
Why do I need Foundational Recon first?
Because execution without context creates noise, not progress. Foundational Recon establishes a shared understanding of your environment, risks, and priorities. It ensures that every Campaign and Mission is grounded in reality.
Can I just buy a single Mission?
No. Missions are executed within Campaigns to prevent fragmented, uncoordinated effort. This ensures outcomes compound instead of resetting.
Why are Missions time-boxed?
Because security is a race against time, not a checklist. Time-boxing guarantees a fixed "speed of delivery," giving you predictable milestones and the ability to course-correct without wasting resources on open-ended engagements.
Why are Missions time-boxed?
Because security is a race against time, not a checklist. Time-boxing guarantees a fixed "speed of delivery," giving you predictable milestones and the ability to course-correct without wasting resources on open-ended engagements.
Is this just another MSSP?
No. CDA does not sell tools, alerts, or generic monitoring. We operate a continuous execution model that coordinates people, process, and technology.
How is pricing determined?
Pricing is based on execution capacity, not hours or deliverables. You are paying for how much security work can run in parallel, not how long someone is busy.
What if our environment is complex or regulated?
Operating Environment affects execution complexity and evidence rigor, not timelines. The model is designed to absorb complexity without breaking cadence.
What happens if priorities change?
Campaigns and Missions are reviewed regularly. Adjustments are made at defined checkpoints, not mid-execution chaos.
Is this a long-term commitment?
Campaigns and Wars are commitments to outcomes. There is no automatic lock-in, but meaningful progress requires continuity.
What if we need to move faster?
You can temporarily increase execution capacity using Cycle Slots or upgrade your Access Level. Speed is achieved through parallelism, not compressed quality.