Honest answers to
honest questions.

ClearPath provides independent technology risk oversight for small organizations. We help you understand where your cyber risk is hiding, what controls are missing, and what to fix first—without requiring you to hire a full-time IT or security team.

Your IT provider handles day-to-day operations—keeping things running. ClearPath is focused on risk oversight: independently verifying that the right controls are in place, identifying gaps, and giving you a plain-language view of your risk posture. We work alongside your IT provider, not in competition with them.

No. ClearPath is focused on risk oversight, not operational security management. We don't monitor your network 24/7, respond to incidents in real time, or manage your security tools. We verify that the right things are in place and help you understand your risk—then work with your existing team or provider to address gaps.

It's a plain-language document your leadership or board can actually read—no 80-page compliance frameworks. You'll get a Red/Yellow/Green summary of key control areas, a prioritized list of what to fix, and enough context to make decisions without needing a security background. We also do a 30-minute readout call to walk through findings.

The baseline is a one-time snapshot—it tells you where you stand right now. Ongoing oversight is a monthly retainer that keeps things from quietly going sideways after the baseline. Controls drift, people change, and new risks emerge. Most clients start with a baseline and then move to oversight once they've addressed the top priorities.

No. ClearPath provides operational and documentation support to help you answer questionnaires accurately and build an evidence pack. We are not lawyers and do not provide legal advice. For legal questions about your policy, consult a qualified attorney.

Typically 2–3 weeks from kickoff to delivery, depending on your availability for interviews and access to your environment. We keep it lightweight—no heavy software installations, no lengthy questionnaires. Most of the work happens on our end.

No. ClearPath is vendor-neutral and works alongside whoever you currently use for IT. If you don't have an IT provider, we can help you think through that—but it's not a requirement to get started.

We work primarily through interviews, documentation review, and configuration checks—not deep technical access or installed software. The specific access needed varies by engagement and will be clearly scoped before we begin. We're explicit about what we need and why.

Nonprofits are actually one of the most targeted types of organizations for cyber incidents—and often the least prepared. The baseline assessment is designed specifically for organizations like yours: practical, affordable, and scoped to your actual situation. Many nonprofits start there and find it worth every dollar.

Insurance covers you after an incident—ClearPath helps prevent the incident in the first place, and helps make sure your policy accurately reflects your actual controls. Many insurers are also tightening requirements and increasing scrutiny at renewal. Having a documented baseline and evidence pack makes that process much smoother.

ClearPath is not a compliance audit firm and doesn't issue formal compliance certifications. However, many of the controls we assess overlap with frameworks like SOC 2 and HIPAA, and a baseline engagement can help you understand where your gaps are before engaging a formal auditor. We're happy to discuss your specific situation on an intro call.

No long-term commitments required. Most clients stay because they find value in the steady oversight—not because they're locked in. We believe the work should speak for itself.

Scope and complexity. The number of users, systems, and locations; whether you have an existing IT provider to coordinate with; and the state of your current documentation all factor in. We'll give you a specific quote after a brief intro conversation.

Absolutely. The baseline is a standalone engagement with no strings attached. If it's useful and you want to continue, great. If not, you'll still have a clear picture of your risk posture that you can act on independently.