What's included in an engagement?
One bundled engagement — not à-la-carte. Discovery and documentation, recovery runbooks & DR analysis, and compliance ship together in 4–6 weeks. You receive validated inventory, L2/L3 topology, a cross-tier dependency map, RTO/RPO analysis, recovery runbooks, automated compliance reports for every supported framework, a board-ready executive summary, and a reproducible witness bundle any third party can use to verify our conclusions.
Which compliance frameworks do you support?
We ship automated compliance reports with subset mapping per framework for: FFIEC BCM Booklet; SOC 2 — Common Criteria 9 (Risk Mitigation / BCM); SOX ITGC (recovery + change-management subset); HIPAA Security Rule §164.308(a)(7) Contingency Plan; HHS 405(d) HICP — Resilience subset. Each engagement includes per-framework gap analysis, a cross-framework index, and evidence bound to the captured estate in the witness bundle. Full control catalogs are scoped in the SOW.
Who should sponsor an engagement?
Security and compliance leaders: CISOs, Heads of Risk, IT Compliance leaders, and Directors of Internal Audit — typically when a calendared DR audit or regulatory cycle creates budget and urgency. Platform teams provide access and validate output during the engagement; MKDC scopes and delivers the audit artifact set your committee needs.
Our operational documentation does not match what is running — can you help?
Yes — that gap is why security and compliance leaders engage us before an audit cycle. We map what is actually running via read-only capture — networks, compute, storage, and dependencies — and deliver validated inventory, topology, and a dependency map tied to recovery runbooks and framework gap reports. Your operational teams fill in business context through guided follow-ups we structure for them.
How do you document an estate when runbooks and topology are stale?
Read-only capture from management APIs — vCenter, switches, storage, OOB — not interviews alone. MKDC normalizes that into inventory, L2/L3 topology, and a cross-tier dependency map validated before publish. Your operational teams document intent — what is critical, who owns it — through guided follow-ups we structure for them.
We have stale runbooks and Visio diagrams — can you replace them with something current?
Yes. We capture what is running today and generate recovery runbooks ordered by the dependency map — not a copy of outdated docs. You get RTO/RPO analysis, gap findings, and runbooks tied to validated infrastructure state, plus a witness bundle so the next audit cycle starts from evidence, not narrative.
Can you resolve production vs. non-production for audit scope?
We document what is running and how it connects from read-only API capture. Labeling production workloads, application ownership, and business criticality requires context your operational teams hold. We structure follow-ups so they can enrich the map with the labels auditors need — instead of guessing under exam pressure.
What if our vendor mix isn't fully covered?
We run a short qualification conversation before any SOW. Estates with partial coverage receive a reduced-fee engagement with every deliverable clearly labeling what was captured and what was not. Estates outside current coverage go on a wait-list — and inform our vendor coverage roadmap directly.
Do you change anything in production?
No. Capture is read-only via authenticated access to management APIs only — vCenter, network device APIs, storage controllers, OOB — with no agents installed on production workloads. Zero production interruption is a core requirement of how we built the product, not a best-effort claim.
We already have discovery or CMDB tooling — do we still need MKDC?
Often yes, for different reasons. Discovery tools and CMDBs give you ongoing maps you operate day to day. MKDC delivers audit-grade capture in one engagement: cross-tier validation, recovery runbooks, automated compliance reports, and a reproducible witness bundle. We complement daily ITSM when the gap is audit documentation — not when you only need a live dependency dashboard.
When is MKDC not the right fit?
Mapping-only with no approaching audit or compliance cycle. Cloud-native SOC 2 where there is no operational data center to capture. A need for formal attestation signatures or facilitated DR tabletop exercises today — we ship advisory documentation; we do not attest or facilitate tests.
Why are discovery, runbooks, and compliance bundled?
Runbooks and compliance reports are derived from the same validated capture. Splitting the pillars would produce inconsistent or non-reproducible artifacts — runbooks disconnected from the dependency map, compliance gaps without estate evidence. One fixed-fee engagement, 4–6 weeks, one witness bundle.
Where is our data stored during the engagement?
Captures and credentials live in a dedicated engagement environment for the duration of the project. Retention, credential rotation, and data-handling terms are documented per customer in the SOW.
How is liability structured?
Engagements are signed under a Master Services Agreement with a fixed-scope SOW. Liability is capped at the engagement fee. We carry $5–10M aggregate Errors & Omissions coverage, bound before any signed engagement.
Is this a formal attestation?
Initial engagements ship as advisory, not formal attestation, until our credential and partner-attestation chain (ISO 22301 Lead Auditor, CISA, or boutique-attestation partner) lands. The witness bundle is independently re-derivable today regardless of attestation posture — that is the entire point.
'%20filter='url(%23glow)'%20opacity='0.95'/%3e%3c!--%20power%20ring%20--%3e%3ccircle%20cx='64'%20cy='64'%20r='38'%20fill='none'%20stroke='%23dcfce7'%20stroke-opacity='0.95'%20stroke-width='10'%20stroke-linecap='round'%20stroke-dasharray='200%2060'%20transform='rotate(-95%2064%2064)'/%3e%3c!--%20power%20stem%20--%3e%3cline%20x1='64'%20y1='22'%20x2='64'%20y2='58'%20stroke='%23dcfce7'%20stroke-opacity='0.95'%20stroke-width='10'%20stroke-linecap='round'/%3e%3c/svg%3e){kind=small}
