Security advisory request workflow
capture, scope, deliver, and bill non-pentest hours on one record
Security advisory work sits between the formal pentests. A client asks for a threat model review, a vendor questionnaire response, a pre-launch architecture pass, or an opinion on a control gap. Today that work runs through email, a Slack DM, and an hours spreadsheet that nobody reconciles. Run security advisory requests as structured engagements instead: capture the request through a defined intake, scope the hours, link the work to the parent retainer, deliver the writeup through the branded client portal, and invoice against the agreed cadence. The advisory hours stop leaking.
No credit card required. Free plan available forever.
Run advisory hours as engagements, not as inbox archaeology
Security consultancies and pentest firms run a stream of work that is not a pentest: threat models on a new feature, vendor questionnaire responses, pre-launch architecture reviews, control gap opinions, incident hot washes, and buying decision memos. Today most of that work flows through email, a Slack DM, and an hours spreadsheet that finance reconciles after the fact. Advisory hours leak past the retainer block, deliverables ship as email attachments that nobody can find six months later, and renewal conversations anchor on a row in a tracker rather than on the work delivered.
SecPortal models a security advisory request as a structured engagement on the client record. The intake captures the request type, the scope, the deliverable shape, the urgency, and the retainer link before any time is logged. The named consultant is assigned through team management with role-based access. The deliverable publishes through the branded client portal. Findings produced during advisory work feed the firm-wide findings catalogue with CVSS 3.1 vectors. Invoicing rolls up to the agreed cadence through the integrated Stripe Connect billing. Advisory hours stop running on guesswork.
Six request types this workflow covers
Most advisory traffic falls into six recurring request shapes. The intake form captures the type as a structured field so the firm can report on demand patterns, scope hours consistently, and standardise deliverable templates over time.
Pre-launch architecture review
A product team is shipping a new service and asks for a security pass on the design before launch. The advisory engagement captures the architecture document, the in-scope components, the data flows, the trust boundaries, and the deliverable shape (a memo with prioritised findings or a design review checklist). Hours are scoped against the review depth rather than against an open-ended chat thread.
Vendor security questionnaire response
A client asks the firm to draft responses to an enterprise vendor questionnaire (CAIQ, SIG, or a bespoke procurement form). The intake captures the questionnaire, the deadline, the named author on the client side, and the in-scope policy artefacts. The advisory engagement holds the draft, the client comments, and the final response so the next questionnaire reuses the answers rather than rewriting them.
Threat model on a feature or system
A development team needs a structured threat model on a payment flow, an authentication change, or a new external integration. The advisory engagement captures the system boundary, the methodology (STRIDE, PASTA, attack tree), the threat list, the mitigations, and the residual risks. Findings are logged with CVSS 3.1 vectors so they feed the firm-wide findings catalogue rather than dying inside a slide deck.
Control gap or audit-question opinion
A compliance team asks for a written opinion on whether a specific control meets ISO 27001, SOC 2, PCI DSS, or HIPAA expectations. The advisory engagement captures the control text, the auditor question, the in-scope evidence, and the firm position. The deliverable is a memo with citation; the audit trail captures who wrote it and when.
Incident hot wash and lessons-learned facilitation
After an incident, a client asks the firm to facilitate the hot wash and write up the lessons learned. The advisory engagement captures the timeline, the participants, the contributing factors, the recommendations, and the follow-up actions. Hours are scoped against the facilitation and the writeup rather than absorbed into a retainer balance with no record.
Tooling, vendor, or buying-decision review
A buyer asks for an opinion on a piece of security tooling, an MDR vendor shortlist, or a pentest provider RFP draft. The advisory engagement captures the requirement, the criteria, the evaluated options, and the recommendation memo. The deliverable lives next to the rest of the client engagements rather than as an email attachment that vanishes the moment the buyer closes the thread.
What the advisory intake captures
Six fields define the advisory intake. The intake is the contract for the engagement; it is what the deliverable answers and what the hours are billed against. Skipping any of the fields is the source of the failure modes below.
| Intake field | What it controls |
|---|---|
| Requester and authority | Named requester, the team they sit on, and the authority they hold to approve scope and hours against the retainer. Captured at intake so the firm never starts work on a request where authority is ambiguous and finds out at invoice time. |
| Trigger and request type | The category (pre-launch review, threat model, vendor questionnaire, control opinion, hot wash, vendor review). Captured as a structured field rather than free text so reporting and pattern recognition across the client base actually work. |
| Scope summary and assets | A short scope statement, the in-scope assets or systems, the data sensitivity, and the explicit exclusions. The scope statement is the contract for the advisory engagement; it is what the deliverable answers and what the hours are billed against. |
| Deliverable shape | Memo, scorecard, slide, response document, or a structured findings list. Captured up front so the consultant scopes hours against the right artefact and the client sees what is coming rather than negotiating the format at draft review. |
| Urgency and SLA | Standard, expedited, or pre-incident urgent. The urgency drives the response SLA on the engagement and the queue priority for the consultant pool. SLA breach risk lives on the engagement record so it is visible before the deadline rather than after. |
| Retainer link and drawdown rule | The parent retainer the engagement draws against (where one exists) and the explicit rule for hours that exceed the planned scope (advisory rate, change-order, hard-stop). Captured before any time is logged so the commercial decision is taken once rather than re-negotiated at invoice. |
Where advisory work usually goes wrong
Six failure modes account for most of the advisory hours that quietly leak past the retainer or get written off at invoice time. Each one is silent during delivery and loud at renewal.
Requests arrive through email and Slack with no record
The advisory request lives in a thread on a single consultant inbox. When the consultant is on leave, nobody knows the request exists. Hours get logged from memory, the deliverable is reconstructed at the last minute, and the audit trail starts at the published memo rather than at the request that triggered it.
Hours are not scoped before work begins
The consultant starts work on a request without a planned hours figure on the engagement. Three weeks later the bill arrives and the client objects to the volume. With no planned figure to reference, the firm either eats the overrun or argues with the client. Both outcomes erode the relationship.
Advisory hours leak past the retainer block
The retainer carries a block of advisory hours, but advisory engagements draw down from the block without a structured drawdown rule. The block is exhausted three months early, the firm has a difficult conversation with the client about a top-up, and renewal anchors on the disagreement rather than on the value delivered.
Deliverables ship as email attachments
The advisory memo is attached to an email and sent to the requester. The client retains the file in one inbox; the firm retains a copy in OneDrive. Two months later, when the same client asks for a follow-up advisory pass, neither side can find the original answer and the work gets repeated.
No SLA on response or delivery
The intake captures the request but never sets a response SLA or a delivery target. The consultant picks the request up when capacity opens; the client chases by email after a week. The chase becomes the SLA. With no documented response time, the firm cannot price urgency premiums or staff the advisory pool with confidence.
Findings produced during advisory work die outside the catalogue
A control gap surfaced during a threat model, or a misconfiguration spotted during a pre-launch review, gets recorded inside the advisory memo and nowhere else. The next pentest finds the same issue and rediscovers it as new. The firm-wide findings catalogue is missing every issue that originated in advisory work.
SLA bands that price urgency without overcommitting
Advisory traffic is not all the same shape. Three SLA bands cover most of it and let the firm price urgency, staff the consultant pool, and report SLA hit rate without overpromising on response time.
| Band | Response | Delivery | Notes |
|---|---|---|---|
| Standard advisory | 2 business days | 5 to 10 business days | Default tier for non-urgent reviews and questionnaire responses. Sized for predictable retainer consumption. |
| Expedited advisory | 1 business day | 2 to 5 business days | Pre-launch reviews and procurement deadlines. Priced at an expedited rate or a higher draw against the retainer. |
| Pre-incident urgent | Same day | 24 to 48 hours | Live procurement window, regulator question, or incident-adjacent advisory. Captured on the engagement so the SLA breach risk is visible. |
How the workflow looks in SecPortal
Advisory request handling is one workflow stitched into five feature surfaces: the engagement record, findings management, team management with role-based access, the branded client portal, and the integrated Stripe Connect invoicing. The advisory engagement looks structurally similar to a pentest engagement, with the right intake and deliverable shapes for non-pentest work.
Structured intake
The intake opens an advisory engagement under engagement management. Requester, trigger, scope, deliverable, urgency, and retainer link are captured as structured fields rather than as free text in an email.
Named assignment
The named consultant is assigned through team management with role-based access, and the assignment lands on the activity log so the audit trail captures the routing decision.
Findings feed the catalogue
Issues surfaced during advisory work are logged through findings management with CVSS 3.1 vectors so the firm-wide catalogue captures every issue rather than losing the ones that originated in memos.
AI-assisted writeup
Draft memos, scorecards, and questionnaire responses with AI report generation against the structured engagement record. The consultant edits and signs off before anything ships through the portal.
Branded delivery
Publish the deliverable through the branded client portal on the tenant subdomain. The artefact lives next to the rest of the client engagements rather than in one inbox.
Invoiced on cadence
Bill on the contracted rhythm through the integrated Stripe Connect invoicing with line items that reference the parent retainer and the consumed advisory engagements.
Signals the advisory ledger surfaces by default
When advisory work runs on engagements rather than on memory, five signals come straight off the record without a manual reporting pass. They drive scoping accuracy, SLA pricing, consultant hiring, and the renewal proposal.
Hours scoped versus delivered
Planned at intake, actual at close. The variance per engagement and across the term shows whether the firm is scoping the advisory work realistically or whether it is consistently underestimating the depth a request needs. The scoping accuracy is the leading indicator for retainer profitability.
SLA hit rate
Response SLA hit, delivery SLA hit, and the count of breaches by band. Breach risk shows on the engagement record before the breach lands so the engagement lead can intervene with a status update or a re-scope rather than discovering the miss at month end.
Request types delivered
A structured count of the request categories the firm fulfilled across the term. The pattern shows where the demand is, which informs which consultants the firm hires next and which advisory templates it should standardise.
Findings produced from advisory work
The findings created from advisory engagements, fed into the firm-wide findings catalogue with CVSS 3.1 vectors. Advisory work that produces zero structured findings every term is a signal that issues are dying inside memos rather than feeding the durable security record for the client.
Client-side requesters and concentration
How many distinct requesters on the client side the firm delivered for, and whether any single requester accounts for most of the advisory consumption. Concentration warnings let the account owner spot key-person risk on the client side before a contact change interrupts the relationship.
Reviewer checklist before an advisory engagement closes
Before the advisory engagement is marked closed and rolls into invoicing, the engagement lead runs through a short checklist. Each line takes seconds; missing any one of them is the source of the failure modes above.
- The advisory request opens as an engagement against the client record, not as an email thread.
- The intake captures requester, trigger, scope, deliverable shape, urgency, and retainer link before any time is logged.
- Planned hours are recorded on the engagement at scoping, with an explicit overrun rule (advisory rate, change-order, or hard-stop).
- The named consultant is assigned through team management with role-based access, and the assignment lands on the activity log.
- Response SLA and delivery SLA are set per request and tracked on the engagement, not on a calendar in the head of one consultant.
- Findings produced during advisory work are logged in the findings catalogue with CVSS 3.1 vectors, not buried in the memo.
- The deliverable is published through the branded client portal, not sent as an email attachment.
- Actual hours are recorded at close and the retainer balance updates against the planned drawdown.
- The engagement is invoiced through the integrated Stripe Connect invoicing on the agreed cadence.
- The advisory engagement is reviewable at renewal alongside the pentest engagements as part of the same retainer record.
Where advisory work sits across the engagement lifecycle
Advisory engagements compose with the rest of the client lifecycle on the same record. They draw from the parent retainer, feed the firm-wide findings catalogue, and feed the renewal evidence pack alongside pentest engagements.
Parent and child
Each advisory engagement is a child of the pentest retainer where one exists, drawing down the contracted block. The parent retainer carries the commercial commitment; the advisory engagement carries the consulting hours.
Onboarding and project
New clients are stood up through pentest client onboarding. Live pentest delivery runs through pentest project management. Advisory request handling is the third workflow that sits alongside both.
Programme and retest
Across multi-quarter programmes, advisory engagements feed security testing programme management. Findings produced during advisory work follow the same retesting workflow as pentest findings.
Compliance audits
Advisory deliverables that support compliance audits are captured on the engagement, fed by the same findings catalogue, and recorded in the activity log so the audit trail is consistent across the client relationship.
Pair the workflow with the long-form guides
Advisory work sits alongside the rest of the engagement lifecycle. Pair this workflow with the writeup on pentest change order pricing for the commercial discipline that applies when advisory hours overrun, the pricing pentest services guide for the broader pricing model conversation, the pentest pricing models research for the data behind retainer and advisory pricing decisions, the threat modelling guide for one of the most common advisory request shapes, and the CVSS scoring guide for the vector vocabulary advisory findings inherit.
Buyer and operator pairing
A structured advisory workflow is the operating model security consultants, pentest firms, compliance consultants, and vCISOs rely on whenever the work running through the firm is not a scoped pentest. The framework references that shape advisory delivery include ISO 27001 for documented procedures and segregation of duties, SOC 2 for evidence handling, and CREST for accredited firms documenting how advisory work is delivered alongside pentests.
What good advisory delivery feels like
Advisory hours stop leaking
Every request opens as a structured engagement, planned hours land on the record, and actuals reconcile at close. The retainer balance reflects committed and consumed work rather than only billed work. The firm prices the next renewal from real numbers rather than from a feeling.
Audit trail across the lifecycle
Named requester, named consultant, scope, SLA, deliverable, hours, findings, and invoicing all live on the engagement record. CREST, ISO 27001, SOC 2, and client procurement audit answers come from the record rather than from a reconstruction of inboxes and finance spreadsheets.
The security advisory request workflow is the third pillar of consultancy operations, sitting alongside pentest delivery and retainer management. Run it on engagements rather than on inboxes, and the firm prices urgency with confidence, scopes hours from history, carries findings into the durable catalogue, and renews retainers with evidence rather than memory.
Frequently asked questions about security advisory request workflows
What is a security advisory request workflow?
A security advisory request workflow is the end-to-end process by which a security consultancy or pentest firm captures a non-pentest request from a client, scopes the hours, assigns the named consultant, runs the work, delivers the artefact, and bills against the agreed cadence. The work covers requests like pre-launch architecture reviews, vendor questionnaire responses, threat models on a feature or system, control gap opinions, incident hot washes, and tooling or vendor evaluations. SecPortal models the workflow as a structured engagement on the client record so intake, hours, deliverable, findings, and invoicing share one source of truth instead of running through email, Slack, and a finance spreadsheet.
How is this different from pentest project management?
Pentest project management is the workflow for a scoped pentest with a defined deliverable shape (a pentest report) and a methodology framework. Advisory request work covers the consulting hours that sit between pentests: reviews, opinions, threat models, questionnaire responses, hot washes. Both workflows use the same engagement record, but advisory engagements have a different intake (request type rather than scope of work), different deliverable shapes (memo, scorecard, slide rather than report), and different SLA bands (response and delivery rather than test window and report-by date).
How does this fit with retainer management?
Advisory engagements draw down against the parent retainer where one exists. The retainer carries the contracted block (hours or test count); each advisory engagement records its planned and actual hours and updates the retainer balance accordingly. Advisory work that exceeds the contracted block follows the explicit drawdown rule on the retainer (advisory rate, change-order, or hard-stop) so the commercial decision is taken once at the retainer level rather than re-negotiated at every advisory request. The retainer page covers the parent record and the renewal cycle; the advisory request workflow covers the child engagement that draws against it.
Should advisory engagements produce findings?
Yes, when the advisory work surfaces a control gap or a vulnerability. A threat model that identifies a missing authentication check, or a pre-launch review that finds a misconfigured rule, should produce findings logged with CVSS 3.1 vectors in the firm-wide catalogue. Without that step, advisory work fails to feed the durable security record for the client and the next pentest rediscovers the same issues. SecPortal lets advisory engagements log findings exactly as pentest engagements do, with the same severity, evidence, and remediation tracking workflow.
How should the deliverable be shipped?
Through the branded client portal on the tenant subdomain rather than as an email attachment. The published artefact (memo, scorecard, slide, response document, or AI-assisted writeup) lives next to the other engagements for the client. Comments and follow-up questions land on the engagement record. Two months later, when the same client asks for a follow-up advisory pass, both sides can find the original answer in seconds rather than searching inboxes.
What SLA bands make sense for advisory work?
Three bands cover most advisory traffic. Standard advisory has a response SLA of two business days and a delivery target of five to ten business days; this is the default tier for non-urgent reviews and questionnaire responses. Expedited advisory has a one business day response and a two to five day delivery target; this covers pre-launch reviews and procurement deadlines and is priced at an expedited rate. Pre-incident urgent has a same-day response and a 24 to 48 hour delivery target; this covers live procurement windows, regulator questions, and incident-adjacent advisory. The band is captured on the engagement so the SLA hit rate is reportable.
Can AI-assisted reporting help with advisory deliverables?
Yes. The AI report generation that drafts pentest executive summaries, technical sections, and remediation roadmaps also helps with advisory deliverables: a memo summarising the findings of a threat model, a structured response to a vendor questionnaire, or a control opinion drafted from the captured evidence. The AI works against the structured engagement record, so the output reflects the actual scope, evidence, and findings rather than a generic template. The named consultant edits and signs off the deliverable before it ships through the portal.
How does this support audit and compliance reviews?
The advisory engagement captures the requester, the trigger, the named consultant, the scope, the SLA, the deliverable, the actual hours, and the invoicing record on one engagement. CREST, ISO 27001, and SOC 2 audit questions about how non-pentest consulting work is delivered and recorded are answered from the engagement record rather than from a reconstruction of inboxes and finance spreadsheets. The same activity log that captures pentest delivery captures advisory delivery, so the audit trail is consistent across the full client relationship.
How it works in SecPortal
A streamlined workflow from start to finish.
Capture the advisory request through a defined intake
Open an advisory engagement against the client record from a single intake form. Capture the requester, the trigger (pre-launch review, vendor questionnaire, control gap opinion, threat model, incident hot wash), the scope summary, the urgency, the in-scope assets, the data sensitivity, and the requested deliverable shape (memo, scorecard, slide, response document). The intake replaces the email-and-Slack scramble where requests arrive without a structured record.
Scope hours and link to the parent retainer
Estimate planned hours against the request scope and link the engagement to the parent retainer where one exists. The retainer balance updates with the planned drawdown the moment the engagement opens, so the running balance reflects committed work rather than only delivered work. Out-of-retainer requests get an explicit drawdown rule (advisory rate, change-order, or hard-stop) captured on the engagement before any time gets logged.
Triage and assign the named consultant
Route the engagement to the named consultant who owns the topic, with team management and role-based access controlling who can read and edit. The assignment lands on the engagement and on the activity log so the firm can demonstrate, at audit time, that the request was triaged within SLA and assigned to a qualified reviewer rather than picked up by whoever was free.
Run the work on the engagement record
Notes, references, draft writeups, evidence captures, and any findings produced during the advisory pass live on the engagement record exactly as they would for a pentest. Findings (where relevant: a control gap surfaced during a threat model, a misconfiguration spotted during a pre-launch review) are captured with CVSS 3.1 vectors and fed into the firm-wide findings catalogue rather than dying inside a Word document.
Deliver through the branded client portal
Publish the advisory deliverable (memo, scorecard, slide, response document, or AI-assisted writeup) through the branded client portal on the tenant subdomain. The client sees the delivered artefact next to their other engagements, not as an email attachment that lives in one inbox. Comments and follow-up questions land on the engagement so the conversation has a record rather than an inbox memory.
Close, log actuals, and invoice on cadence
Record actual hours against the engagement at close. The retainer balance updates from planned to actual, the variance flags overruns or underruns on the master record, and the advisory engagements roll into the agreed invoicing cadence through the integrated Stripe Connect billing. Renewal conversations open with the actual record of advisory consumption rather than a recap document.
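The six steps above, together with the SLA band table and the retainer drawdown rule from the intake section, can be expressed as a small ledger. The following is an added example written for this page, not SecPortal's own code or data model: it takes the three bands' figures from the page, assumes a Monday-to-Friday business-day calendar, treats the "same day" response as end of the opening day and the delivery target as the upper end of each band, and models the three overrun rules (advisory rate, change-order, hard-stop) so that hours beyond the planned figure never silently drain the retainer block. All field names, the `Retainer` and `AdvisoryEngagement` types, and the sample figures are constructed for illustration.

```python
"""Added example (not SecPortal code): an advisory engagement ledger that
applies the page's three SLA bands and the retainer overrun rules.
Band figures come from the page; the business-day calendar, the field
names and the overrun handling are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# SLA bands from the page. Standard and expedited are expressed in business
# days; pre-incident urgent is "same day" response and 24 to 48 hours
# delivery, which we treat as calendar hours (assumption).
SLA_BANDS = {
    "standard": {"response_bd": 2, "delivery_bd": 10},
    "expedited": {"response_bd": 1, "delivery_bd": 5},
    "urgent": {"response_bd": 0, "delivery_hours": 48},
}


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `days` Monday-to-Friday working days from `start`, skipping weekends."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            days -= 1
    return current


def sla_deadlines(opened: datetime, band: str) -> Tuple[datetime, datetime]:
    """Return (response_due, delivery_due) for an intake timestamp and SLA band.
    A 0-day response means end of the opening day; delivery uses the band's upper bound."""
    spec = SLA_BANDS[band]
    if spec["response_bd"] == 0:
        response_due = opened.replace(hour=23, minute=59, second=0, microsecond=0)
    else:
        response_due = add_business_days(opened, spec["response_bd"])
    if "delivery_hours" in spec:
        delivery_due = opened + timedelta(hours=spec["delivery_hours"])
    else:
        delivery_due = add_business_days(opened, spec["delivery_bd"])
    return response_due, delivery_due


@dataclass
class Retainer:
    """Parent retainer: contracted block plus the drawdown rule captured at intake."""
    block_hours: float
    overrun_rule: str            # "advisory_rate", "change_order" or "hard_stop"
    advisory_rate: float = 0.0   # hourly rate used when overrun_rule == "advisory_rate"
    committed: float = 0.0       # planned hours on open engagements
    consumed: float = 0.0        # actual hours drawn by closed engagements

    def available(self) -> float:
        """Balance that reflects committed and consumed work, not only billed work."""
        return self.block_hours - self.committed - self.consumed


@dataclass
class AdvisoryEngagement:
    """Child engagement (hypothetical fields): type, band and planned hours from intake."""
    request_type: str
    band: str
    planned_hours: float
    opened: datetime
    actual_hours: Optional[float] = None


def open_engagement(retainer: Retainer, eng: AdvisoryEngagement) -> Tuple[datetime, datetime]:
    """Intake step: reserve planned hours against the block before any time is logged."""
    if eng.planned_hours > retainer.available():
        raise ValueError("planned hours exceed the retainer balance; take the commercial decision at intake")
    retainer.committed += eng.planned_hours
    return sla_deadlines(eng.opened, eng.band)


def close_engagement(retainer: Retainer, eng: AdvisoryEngagement, actual_hours: float) -> dict:
    """Close step: move planned to actual, compute variance and apply the overrun rule."""
    eng.actual_hours = actual_hours
    retainer.committed -= eng.planned_hours           # release the reservation
    drawdown = min(actual_hours, eng.planned_hours)   # underruns return hours to the block
    overrun = max(0.0, actual_hours - eng.planned_hours)
    retainer.consumed += drawdown
    result = {"variance": actual_hours - eng.planned_hours, "block_drawdown": drawdown,
              "overrun_hours": overrun, "overrun_charge": 0.0,
              "needs_change_order": False, "written_off_hours": 0.0}
    if overrun > 0:
        if retainer.overrun_rule == "advisory_rate":     # billed as a separate line item
            result["overrun_charge"] = overrun * retainer.advisory_rate
        elif retainer.overrun_rule == "change_order":    # held until the client approves
            result["needs_change_order"] = True
        elif retainer.overrun_rule == "hard_stop":       # capped at planned; overrun absorbed
            result["written_off_hours"] = overrun
        else:
            raise ValueError(f"unknown overrun rule {retainer.overrun_rule!r}")
    return result


if __name__ == "__main__":
    # Constructed sample: a 40-hour block, overrun billed at an advisory rate.
    retainer = Retainer(block_hours=40, overrun_rule="advisory_rate", advisory_rate=200)
    eng = AdvisoryEngagement("threat_model", "standard", 8, datetime(2024, 5, 3, 10, 0))
    print("SLA:", open_engagement(retainer, eng), "available:", retainer.available())
    print(close_engagement(retainer, eng, 11), "available:", retainer.available())
```

The point of keeping `committed` separate from `consumed` is the one the page makes under "Scope hours and link to the parent retainer": the balance moves at intake, not at invoice, so exhaustion of the block is visible before the difficult conversation rather than after it.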
Stop running advisory hours on email and a spreadsheet
Capture the request, scope the hours, deliver through the portal, and bill against the retainer. Start free.