An exam is coming
You need a defensible evidence file — not a last-minute binder of policies nobody has tested.
We build, test, and maintain the cybersecurity compliance program your SEC or FINRA examiner, insurer, custodian, and investors expect to see.
Independent by design: no product resale, no commissions, no vendor bias.
Most engagements begin with a deadline, a questionnaire, or a concern that the current documentation will not survive scrutiny.
You need a defensible evidence file — not a last-minute binder of policies nobody has tested.
The carrier wants precise answers on MFA, backups, response plans, controls, and ownership.
A custodian, prime broker, or investor expects controls your MSP cannot credibly document.
An incident or exposure revealed the distance between written policy and operational reality.
Cybersecurity compliance is not a document purchase. It is a repeatable operating discipline with proof attached.
Explore the EngagementsAssess the public attack surface, cloud configuration, credentials, vendors, and internal controls the way an adversary — and examiner — would.
Turn findings into policies, procedures, accountable owners, and evidence mapped to Reg S-P, Reg S-ID, Rule 206(4)-7, and Rule 204-2.
Test, update, and retain evidence throughout the year so readiness does not depend on a scramble when the request arrives.
Two paths for two kinds of firm. Both use the same examiner-focused methodology and working materials.
For firms with a CCO and outsourced IT, but no internal security leader to connect controls, documentation, and regulatory evidence.
For CCOs and IT leaders who need the same policies, frameworks, training, and readiness tools we use in client engagements.
Founder & Principal Consultant
“Your cybersecurity advisor should understand the rule, the technology, and the operating reality of a financial firm.”
Brian Hahn founded MTradecraft after two decades inside financial services — including the CCO chair, trading operations, and corporate intelligence work. He has built the systems examiners inspect and taken a firm through an SEC examination with no material findings.
An exam, a renewal, a DDQ, a custodian attestation, or a concern you cannot quite dismiss. Twenty minutes is enough to establish fit.
Not ready for an engagement? The BrainTrust starts free →