About MTradecraft

A boutique cybersecurity compliance firm — built by an operator, not a vendor.

MTradecraft serves SEC-registered investment advisers, hedge funds, broker-dealers, and family offices. The firm is independent: no hardware resale, no MSP partnerships, no vendor commissions, no managed services pass-through. Recommendations exist because they are right for the firm, not because they're profitable for us.

Brian Hahn

Founder & Principal Consultant

Brian Hahn is the founder of MTradecraft. His background combines two disciplines most cybersecurity vendors do not have access to: the operational discipline of a Wall Street trading floor and the analytical methodology of corporate intelligence tradecraft.

He spent most of his pre-MTradecraft career at Bridgewater Associates, the world's largest hedge fund, where he managed hedge fund trade desk operations and operational risk for institutional portfolios executing across global markets. That work demanded a specific kind of rigor — the kind that comes from operating systems where a configuration error costs real money in real time, and where the documentation of every process is the audit trail.

Brian's cybersecurity work draws on that same discipline. MTradecraft does not approach compliance as an IT problem with regulatory paperwork bolted on. It approaches compliance as a documentation problem with technical evidence underneath — which is how SEC examiners, cyber insurance underwriters, and institutional investors actually evaluate firms.

He brings an adversarial-thinking framework to assessments — reconnaissance methodology, information asymmetry, attack surface enumeration — that most generic cybersecurity firms do not. The result is a compliance program built around what an adversary could actually exploit, and what a regulator could actually ask for, rather than a checklist of generic controls.

MTradecraft is headquartered in Dallas / McKinney, Texas, and works with clients across the United States.

Operating Philosophy

Three principles. No exceptions.

Principle 01

Compliance before technology

Every technical recommendation has to map to a specific regulatory obligation — Rule 206(4)-7, Regulation S-P, Regulation S-ID, Rule 204-2, or current SEC examination priorities. Generic "best practices" without a regulatory anchor are noise.

Principle 02

Evidence-driven findings

Every finding is supported by an artifact — scan output, screenshot, DNS record, log excerpt, configuration evidence. If a finding cannot be demonstrated to an SEC examiner with evidence, it did not happen.

Principle 03

Independence from vendors

MTradecraft sells no hardware, resells no MSP services, and accepts no vendor commissions. The firm has no financial reason to recommend any tool, platform, or provider it does not believe is right for the client.

Scope

What MTradecraft does, and what it does not.

A clear scope protects clients from overreach and protects MTradecraft from drift. The list below is the actual perimeter of the firm's work.

What MTradecraft Does

  • Cybersecurity compliance consulting for SEC-registered firms
  • External attack surface assessments
  • Internal vulnerability scanning (Nessus credentialed)
  • Microsoft 365 / Azure configuration audits
  • Cybersecurity policy and procedure drafting
  • Rule 206(4)-7 annual reviews
  • Incident response planning
  • Vendor due diligence questionnaire administration
  • Named CISO designation (Remote CISO tier)
  • SEC examination preparation
  • Cyber insurance application support
  • DDQ and custodian attestation support
  • Board and management cybersecurity briefings
  • Tabletop exercise design and facilitation
  • External penetration testing
  • Corporate intelligence and OSINT analysis

What MTradecraft Does Not Do

  • Sell hardware, software, or licenses of any kind
  • Function as a managed service provider or MSP
  • Operate a security operations center (SOC)
  • Provide 24/7 monitoring or incident response on retainer
  • Replace a firm's existing IT provider
  • Accept vendor commissions or referral fees
  • Provide legal advice or act as counsel
  • Provide forensic services or post-breach investigations
  • Issue cyber insurance or underwrite coverage
  • Operate a marketplace or refer clients to specific vendors
  • Provide retail or consumer cybersecurity services
  • Work with firms outside the financial services sector

Direct

If a cybersecurity firm cannot tell you what it doesn't do, it is selling you everything.

MTradecraft is built to do a specific thing well — cybersecurity compliance for SEC-registered firms — and to stay out of the work that belongs to other parties. The first call is a chance to confirm we are the right fit before either side commits.
