No enterprise overhead. No under-equipped SMB toolset. Every engagement is calibrated for Quebec organizations between 50 and 2,000 employees — and delivers the documentary evidence you'll present to your auditor, regulator, or cyber insurer.
Continuous monitoring by bilingual analysts in Montréal. Detection across the full signal set — endpoint, network, cloud, identity. When a signal becomes an alert, a human is at the keyboard in under 15 minutes median (22 minutes at the 95th percentile).
The centre isn't a dashboard. It's a human engagement. Monthly reports document what was seen, contained, and learned — not a raw alert count. Every organization gets two dedicated analysts plus an escalation team.
Four hours on-site, or immediately remote. A dedicated incident response team takes the helm: containment, digital forensics, threat actor negotiation if required, regulator and insurer communication, phased remediation plan.
Available as one-off engagement or as an annual retainer (40 hours blocked · fixed rate · trigger SLA < 2 h). The retainer eliminates rate negotiation mid-crisis — the invoice is known in advance.
Penetration tests executed by our in-house red team. No subcontracting. The engagement covers the agreed surface — external, internal, application, cloud, social — with a report delivered to the client within 14 days of the final execution.
Three formats. The fixed-depth test (predictable scoping), the objective red team (free infiltration target chosen by CostLink), and the continuous program (rolling waves over 12 months — equivalent to a private bug bounty program).
Five frameworks covered in regular practice: Quebec's Law 25, ISO 27001, SOC 2 Type II, PCI-DSS v4, NIST CSF 2.0. Every engagement delivers the documentary dossier that passes the audit — policies, procedures, registries, operational evidence, gap remediation plan.
Privacy officer designation, governance policy, incident registry, PIA template, training program.
Certification readiness, Statement of Applicability, risk assessment, treatment plan, internal audits.
Trust Service Criteria scoping, continuous evidence collection, observation period, CPA auditor liaison.
Multi-site retailers, e-commerce, franchised restaurants. SAQ, AOC, scope analysis, segmentation.
Posture measurement across six functions (govern, identify, protect, detect, respond, recover).
For Defense (CA/US) subcontractors. Levels 1 and 2 covered. Available on specific engagement.
Deployment and continuous operation of the EDR layer across the entire fleet — workstations, servers, mobile devices. Calibrated prevention policies, updates validated within maintenance windows, automatic isolation on confirmed compromise.
Three models: we operate your existing license (BYOL), we provide the license under our tenant (managed), or we co-administer with your internal team. No engagement forces an editor change without clear operational benefit.
Continuous training calibrated by role. Phishing simulation campaigns with measured learning curves. Tabletop exercises for executive committees. Everything delivered in Quebec French — not a rough translation of an American program.
Measure what matters: not module completion rates, but the actual reporting rate for a suspicious email, the reporting delay, and the click rate reduction quarter over quarter.
A director walks through your current posture — governance, technical, human — and hands you a report and a roadmap. If we work together afterwards, the report is credited against the first engagement. If not, keep it.