Fixed-fee, fixed-scope

A service ladder, not a menu.

Most clients arrive with something broken or messy. The rescue or cleanup fixes it for a fixed fee and produces the evidence; the evidence becomes an approved change list; and teams that want IT handled going forward take the monthly Outside IT plan, with the cleanup fee credited.

The ladder

Any time · Urgent

Email and Access Rescue

Locked out of Microsoft 365 or Google Workspace, email down or bouncing, or the person who ran IT is gone with the passwords. Fast diagnosis, systems back, admin access properly in the owner's hands.

Fixed feepriority scheduling
1 · Start here

Systems and Access Cleanup

Fixed-fee cleanup that starts with a read-only audit of users, admins, file access, groups, shared inboxes, connected apps, OAuth grants, contractors, automations, AI tools, and offboarding gaps. The findings report is the foundation for everything below.

Single system from $750multi-system from $1,500
Any time · Urgent

Departure Lockdown

Fast-turnaround access sweep after a resignation, firing, contractor dispute, partner exit, or messy departure. Ownership transfers first, removal comes last, everything is logged.

Fixed feepriority scheduling
2 · Fix it

Cleanup Sprint

Implementation of the approved fixes from an audit: remove stale access, restructure groups, reduce admin roles, transfer ownership, clean risky app access, and document the workflow.

$2,500 to $12,000tiered by change count
For agencies

Agency Systems and Access Cleanup

The audit-and-sprint path shaped for agencies: client access, contractors, Slack, Google Workspace or Microsoft 365, Shopify, Meta, HubSpot, project tools, and internal operating workflows.

$1,500 diagnosticsprint $5,000 to $12,000
Automation

Secure Automation Review

Automations, API keys, OAuth tokens, Zapier, Make, and n8n workflows, AI agents, and connected apps reviewed for ownership, scope, secrets exposure, approval gates, and offboarding risk.

From $1,500fixed scope
Moving

Email and Tenant Migration

Old host to Microsoft 365 or Google Workspace, tenant to tenant, or between platforms. Written cutover plan, old mail preserved, DNS and deliverability set correctly, 30 days of post-move support included.

Flat per mailbox30-day support included
3 · Keep it fixed

Outside IT Plan

Your outside IT team, monthly: Workspace or Microsoft 365 run properly, every hire set up and every departure closed out, licenses matched to real people, access reviewed on a schedule, and one named person who answers.

Per person, monthlycleanup fee credited

Platform-specific audits

When the problem is confined to one platform, start narrower. Each of these feeds the same cleanup path.

Google Workspace Access & Admin Audit

Users, Super Admins, groups, shared drives, file ownership, and external sharing.

View audit

Microsoft 365 Access & Admin Audit

Users, guests, roles, groups, shared mailboxes, ownership, MFA gaps, and licenses.

View audit

SaaS Access Cleanup Audit

Seats, owners, admins, former users, and external collaborators across your SaaS stack.

View audit

AI Tool Access & Data Risk Review

AI inventory, connected agents, client data rules, approvals, and offboarding.

View review

Cloud Access & Hygiene Review

IAM, idle resources, budgets, alerts, tagging, and basic account guardrails.

View review

Partner delivery

Referral, white-label, or subcontract delivery for MSPs, agencies, and fractional CTOs.

View partner options

Advanced implementation work

When a cleanup shows the fix is structural, VXSec scopes identity, cloud security, and systems projects as separate engagements. These are the growing edge of the practice, quoted case by case, and always after a cleanup.

Identity projects

Microsoft Entra ID and Google Cloud Identity configuration, SSO and MFA rollouts, and conditional access policies.

Secure baselines

CIS-mapped secure baselines for Google Workspace and Microsoft 365, plus offboarding automation so departures run themselves.

Automation governance

AI agent permission governance, secrets and token management, and secure workflow architecture for automation-heavy teams.

Systems and integration builds

API integrations, data and infrastructure migrations, and internal tooling for teams whose audit surfaces deeper systems work, engineered under the same fixed-scope, approved-changes discipline.

Not sure which rung to start on?

That is what the scope check is for. Fifteen minutes, your systems and team size, and a recommendation with a fixed fee. If VXSec is the wrong fit, you will hear that too.

Book a 15-minute scope check