What this is
Most businesses have no idea when their credentials are exposed, when a malicious domain is targeting them, or when an external vulnerability becomes exploitable — not because they don’t care, but because no one is watching continuously. The Guardian Plan runs on NordStellar, a threat-monitoring platform that watches at scale, with GuardXID as the human layer on top: interpreting the alerts, prioritizing what matters, and turning platform output into action you can actually take.
Here is the shape of it. When something surfaces — a credential in a breach dump, a lookalike domain registered against your brand — you don’t get a raw alert to decode. You get a short written summary: the account or domain involved, what was found, the recommended next step, and the name of the person who reviewed it before it reached you. The interpreting is already done. (Representative of what the service produces, not a specific client event.)
What happens if no one is watching
- Compromised credentials sit in breach databases for months
- Malicious domains go live before anyone notices
- External vulnerabilities stay exposed until exploited
- Executive exposure becomes a business risk without warning
None of these trigger internal alerts. They show up when someone else finds them first.
What’s being watched continuously
The NordStellar platform handles continuous monitoring across multiple threat surfaces. The work GuardXID does on top of that is the prioritization, response, and quarterly program review.
Continuous external visibility
- Data breach monitoring — credentials, employee data, and customer data exposed in breaches across the internet, with real-time alerts when your domain or accounts surface
- Dark web monitoring — your business keywords tracked across dark web forums, ransomware blogs, marketplaces, and Telegram channels
- Lookalike domain detection — malicious domains impersonating your brand or targeting your customers (known as cybersquatting), surfaced before they’re used against you
- External vulnerability scanning — doors into your network accidentally left open to the internet, and software missing security updates on your internet-facing systems
- Asset discovery — finding everything of yours that’s visible from the internet — websites, servers, services — including things you didn’t realize were exposed
- Executive protection — heightened monitoring for designated key individuals (founders, partners, executives) whose personal exposure can become a business risk
What we do with the alerts
NordStellar surfaces the signal. Most of the work is deciding what actually matters and acting before it becomes a problem.
- Alert triage — every fired alert reviewed, prioritized, and either escalated to you or resolved at the platform level
- Monthly summary — concise written summary of what’s been seen, what’s been resolved, what’s outstanding
- Quarterly program review — 60-minute working session covering trends, recommendations, and any scope adjustments needed for the coming quarter
- Direct response support — when something matters, you don’t go through a queue. You reach the person already watching your environment.
- Fix support — when an alert maps to a vulnerability that needs to be patched or addressed, we can scope the fix as an additional engagement. NordStellar surfaces the specific software flaw (the CVE) and the recommended fix; we estimate the work and quote it before the vulnerability gets exploited.
What this is not
This does not replace your IT provider, your MSP (managed service provider — your outsourced IT company), or your endpoint security (the antivirus and device protection on your computers).
Those protect what’s inside your environment.
The Guardian Plan covers what sits outside it — identity exposure, external visibility, and threats that don’t trigger internal systems.
Who this is for
You’re a fit if you:
- Run a small or mid-size business between roughly 5 and 150 employees
- Operate in an industry where compromised credentials, brand impersonation, or breach exposure could meaningfully damage client trust or operational continuity (law, medical, CPA, ag, or similar)
- Want ongoing protection rather than one-time snapshots
- Need ongoing external visibility and threat oversight, but don’t need a full managed security operation.
You’re not a fit if you:
- Believe “we’re too small to be a target”
- Need a formal certification or audit report — see Compliance Readiness for SOC 2, HIPAA, ISO 27001, and HITRUST work
- Want a one-time engagement only — the AI Program Assessment includes identity work as part of its scope
- Need full incident response — if you’re facing ransomware or an active breach, you need a dedicated breach-response firm (the emergency specialists you call during an active attack). See Incident support below for what we do and don’t cover.
How it works
- Discovery and scoping. Free consultation to understand your environment, your industry’s threat profile, and what scope of monitoring fits your business. We confirm whether Guardian Plan is the right engagement or whether something else fits better.
- Setup. Once the engagement starts, we provision NordStellar for your business — primary domain, secondary domains, executive protection list, employee email addresses, and the asset surface we’ll be monitoring. Setup is included in the first month.
- Ongoing monitoring. NordStellar watches continuously. Alerts come to us first. You only see what matters, with context and a recommendation.
- Monthly summary. Written summary of the month’s activity. Concise, scannable, action-forward.
- Quarterly review. 60-minute working session every quarter to review trends, adjust scope if needed, and address any larger questions about where your security stands.
How pricing works
The Guardian Plan is a quarterly retainer scoped to your business. What you pay depends on:
- Business size — number of employees, domains, and assets under monitoring
- Executive protection scope — number of key individuals receiving heightened monitoring
- Response schedule — standard monthly + quarterly is the baseline; a faster schedule or extra working sessions add to scope
We work the proposal in the consultation, not on the page. Setup is included in the first month. Fix work, when it arises, may be quoted as a separate engagement; we surface the scope, the estimate, and the timeline before any work begins.
Book a free consultation and we will scope it to your business.
The boundary
We assess the container, not the contents.
GuardXID examines who has access to your tools, what those tools can reach, and what’s exposed about your business externally. We do not read your client files, patient records, or matter documents — and we never will. This is what makes the work appropriate for law firms, medical practices, and any business where the contents of the work are protected by professional duty.
Incident support for subscribers
When a Guardian Plan subscriber is hit with an incident inside our monitoring scope — credentials surfacing in a published collection of stolen passwords, an executive’s exposure going active, a malicious domain spinning up against the brand, a discovered vulnerability being actively exploited — we work it with you. The platform sees the incident; we help you respond inside the layer we already know.
For incidents outside our monitoring scope — ransomware, active network breaches, anything requiring on-site forensics or insurance-mandated engagement — we refer you to the right breach-response firm and stay involved as a liaison if helpful. We don’t pretend to be one.
We keep the Guardian Plan subscriber count deliberately small — this only works if we know your environment and have the bandwidth to act when something happens.
What comes after
The Guardian Plan stands alone, but for businesses that need more, two natural extensions exist:
- AI Program Assessment — if your AI program needs the same level of formal documentation that your security is now getting from the Guardian Plan. Many clients run both engagements.
- Compliance Readiness — if your monitoring data needs to feed into a formal certification effort (SOC 2, HIPAA, ISO 27001, HITRUST). Guardian Plan generates evidence; Compliance Readiness organizes it for auditors.
If your credentials were leaked today, would you know?
Book a free consultation. We’ll scope what’s exposed about your business right now and whether continuous monitoring is the right fit.