Pre-Meeting Checklist

Why this matters: M3SecTools bundle ($42.86/user) explicitly includes Axcient in the CW invoice description. Ironside is paying for BCDR but has zero protected devices. The Axcient account exists but shows "UNPROTECTED." If Tim asks about backups, we have no answer.

Action: Deploy Axcient agents to all critical servers and workstations. Prioritize CANNON server replacement (in client deck) and any file/application servers. Verify backup jobs are running and test a restore.

The client deck now includes "No Tested Backup & Recovery" as a CRITICAL finding ($5K–$8K). Language is "no documented recovery plan, no verified backup procedures" — does NOT mention Axcient specifically or M3 deployment failure.

Why this matters: Sec Platinum includes EDR + 24/7 SOC/MDR on ALL endpoints. Client deck shows Blackpoint as a strength (27 active devices). But 22 endpoints have no agent at all, and 11 more are in idle/inactive state. Tim will see "27 active" on the strengths slide.

Action: Install Blackpoint agent on all 22 unprotected endpoints. Investigate 5 idle + 6 inactive agents (11 in degraded state). Total enrolled is 38 but only 27 are active.

Why this matters: Sec Platinum includes "MFA & Self-Service Password Reset" via Microsoft Entra ID. This was finding PR.AA-03 in the original NIST assessment. Removed from client deck because charging for MFA when it's already included would embarrass M3.

Action: Verify MFA enforcement across all M365 accounts. Enable conditional access policies. If already done, document evidence so we can mention it as a strength. If not done, enforce before Tuesday.

Why this matters: Sec Platinum includes Cisco Umbrella / DNS filtering. No API connector exists for Umbrella so we can't verify programmatically.

Action: Log into Umbrella dashboard. Verify Ironside networks and roaming clients have DNS filtering active. Install if missing.

Why this matters: BSN dark web monitoring detected compromised credentials. This is now a CRITICAL finding in the client deck (Dark Web Credential Exposure, $2K–$3.5K). It's a talking point in the meeting ("we caught it, we're fixing it") but only if remediation has started.

Action: Force password resets for all breached users. Enforce unique passwords via Keeper. Schedule targeted remediation training for most-exposed users.

Why this matters: Michael requested (Feb 27) that simulated phishing tests are actively running for Ironside and Power Service. The client presentation now shows a 2% phishing fail rate on the BSN strength card. This needs to be based on current data, not stale campaigns.

Action: Log into BSN portal (portal.breachsecurenow.com). Verify phishing simulation campaigns are scheduled and actively sending for Ironside Group. Our API only pulls aggregate fail rates — it cannot confirm whether campaigns are currently active. Also verify for Power Service.

BSN API returns average_pfr (2% for Ironside) but no campaign-level data. Manual portal check required.

Why this matters: Those who complete training score well (87% quiz avg). Problem is participation, not comprehension. Client deck shows BSN as a strength with ESS 625 and 2% phishing fail rate — low completion weakens that story if Tim asks.

Action: Send training reminder blast. Set completion deadline before meeting. Escalate to Ironside management to mandate completion.

Why this matters: 80 MP licenses vs 35 CW active end users = poor offboarding hygiene. Client deck shows "80 licensed mailboxes" as a strength. If Tim notices his company only has ~35 people, that's a question we don't want.

Action: Audit all 80 MP accounts against CW active contacts. Disable ~45 stale accounts. Related to stale user inventory (item #9).

Why this matters: CW bills 50 managed seats at $147.14/user + $10 STDTools + $42.86 SecTools = $200/seat. Only 33 are active end users. That's 17 excess seats = ~$3,400/mo in overbilling. This was finding ID.AM-01 — removed because it exposes M3's license management oversight.

Action: Conduct access review across CW, MP, Keeper. Align billing seat count with actual active users. Do NOT raise this in the meeting — fix internally first.

Why this matters: Both IT Gold and Platinum include "User Onboarding & Offboarding." This was finding PR.AA-05 — removed because it's an IT Platinum deliverable M3 should already provide.

Action: Create a standard offboarding checklist (access revocation, license recovery, device return, data handoff). Document so we can reference if Tim asks.

Why this matters: IT Platinum explicitly includes "Cyber Insurance Questionnaire (Included)." The client presentation originally charged $500–$1K for this — now reframed as "Included in Platinum" with Option A at $0. We need to actually do the work so it's not an empty promise.

Action: Review Ironside's cyber insurance policy. Map requirements (MFA, backups, policies, IR plan) against current posture. Identify gaps. Prepare a summary M3 can present at the meeting showing we're proactively managing this.

Why this matters: Finding #10 in the client deck says encryption is "unverified" and charges $1K–$2K. If the technician can confirm BitLocker is active via CW Automate or NinjaOne in 30 minutes, we can flip this to a strength at the meeting instead of a finding.

Action: Check BitLocker/FileVault status in CW Automate or NinjaOne for all Ironside endpoints. If encryption IS active, document evidence. If not, enable via GPO before the meeting.

If confirmed active, we should update the client deck to remove finding #10 and add encryption as a strength. That reduces the moderate count by 1 and lowers the investment total.

Why: ESET is included in M3STDTools (all tiers). ScalePad AV integration not connected.

Action: Connect AV reporting to asset management. Verify all 49 endpoints have ESET installed and active.

Why: CW Automate / NinjaOne patch management is included in all IT tiers. Supports the Win10 upgrade conversation in the client meeting.

Action: Verify RMM deployment and patching policies. Establish compliance reporting.

Why: NinjaOne is part of the M3STDTools bundle ($10/user) which Ironside pays for. Should already be on every managed device.

Action: Deploy NinjaOne agent to all Ironside endpoints. Not urgent for the meeting but backlog priority.