Guardian Plan

Know what attackers already know about your business.

How the Guardian Plan works

Left alone, platforms generate noise. The Guardian Plan turns signal into action — what matters, what doesn’t, and what to do next.

The platform layer

NordStellar — watches continuously

Continuous monitoring across multiple threat surfaces. Alerts come to us first.

Monitoring active

  • Data breaches Credentials, employee data, and customer data exposed in breaches across the internet.

  • Dark web mentions Your business keywords tracked across dark web forums, marketplaces, and Telegram channels.

  • Lookalike domains Malicious domains impersonating your brand, surfaced before they’re used against you.

  • Exposed systems Doors into your network left open to the internet, and software missing security updates.

signal to action

The human layer

GuardXID — a human reviews and acts

You only see what matters, with context and a recommendation.

  • Alert triage Every fired alert reviewed, prioritized, and either escalated to you or resolved at the platform level.

  • Monthly summary A concise written summary of what’s been seen, what’s been resolved, what’s outstanding.

  • Quarterly program review A 60-minute working session covering trends, recommendations, and any scope adjustments for the coming quarter.

  • Direct response support When something matters, you don’t go through a queue. You reach the person already watching your environment.

We assess the container, not the contents — we never read your client files, patient records, or matter documents.

What this is

Most businesses have no idea when their credentials are exposed, when a malicious domain is targeting them, or when an external vulnerability becomes exploitable — not because they don’t care, but because no one is watching continuously. The Guardian Plan runs on NordStellar, a threat-monitoring platform that watches at scale, with GuardXID as the human layer on top: interpreting the alerts, prioritizing what matters, and turning platform output into action you can actually take.

Here is the shape of it. When something surfaces — a credential in a breach dump, a lookalike domain registered against your brand — you don’t get a raw alert to decode. You get a short written summary: the account or domain involved, what was found, the recommended next step, and the name of the person who reviewed it before it reached you. The interpreting is already done. (Representative of what the service produces, not a specific client event.)

What happens if no one is watching

  • Compromised credentials sit in breach databases for months
  • Malicious domains go live before anyone notices
  • External vulnerabilities stay exposed until exploited
  • Executive exposure becomes a business risk without warning

None of these trigger internal alerts. They show up when someone else finds them first.

What’s being watched continuously

The NordStellar platform handles continuous monitoring across multiple threat surfaces. The work GuardXID does on top of that is the prioritization, response, and quarterly program review.

Continuous external visibility

  • Data breach monitoring — credentials, employee data, and customer data exposed in breaches across the internet, with real-time alerts when your domain or accounts surface
  • Dark web monitoring — your business keywords tracked across dark web forums, ransomware blogs, marketplaces, and Telegram channels
  • Lookalike domain detection — malicious domains impersonating your brand or targeting your customers (known as cybersquatting), surfaced before they’re used against you
  • External vulnerability scanning — doors into your network accidentally left open to the internet, and software missing security updates on your internet-facing systems
  • Asset discovery — finding everything of yours that’s visible from the internet — websites, servers, services — including things you didn’t realize were exposed
  • Executive protection — heightened monitoring for designated key individuals (founders, partners, executives) whose personal exposure can become a business risk

What we do with the alerts

NordStellar surfaces the signal. Most of the work is deciding what actually matters and acting before it becomes a problem.

  • Alert triage — every fired alert reviewed, prioritized, and either escalated to you or resolved at the platform level
  • Monthly summary — concise written summary of what’s been seen, what’s been resolved, what’s outstanding
  • Quarterly program review — 60-minute working session covering trends, recommendations, and any scope adjustments needed for the coming quarter
  • Direct response support — when something matters, you don’t go through a queue. You reach the person already watching your environment.
  • Fix support — when an alert maps to a vulnerability that needs to be patched or addressed, we can scope the fix as an additional engagement. NordStellar surfaces the specific software flaw (the CVE) and the recommended fix; we estimate the work and quote it before the vulnerability gets exploited.

What this is not

This does not replace your IT provider, your MSP (managed service provider — your outsourced IT company), or your endpoint security (the antivirus and device protection on your computers).

Those protect what’s inside your environment.

The Guardian Plan covers what sits outside it — identity exposure, external visibility, and threats that don’t trigger internal systems.

Who this is for

You’re a fit if you:

  • Run a small or mid-size business between roughly 5 and 150 employees
  • Operate in an industry where compromised credentials, brand impersonation, or breach exposure could meaningfully damage client trust or operational continuity (law, medical, CPA, ag, or similar)
  • Want ongoing protection rather than one-time snapshots
  • Need ongoing external visibility and threat oversight, but don’t need a full managed security operation.

You’re not a fit if you:

  • Believe “we’re too small to be a target”
  • Need a formal certification or audit report — see Compliance Readiness for SOC 2, HIPAA, ISO 27001, and HITRUST work
  • Want a one-time engagement only — the AI Program Assessment includes identity work as part of its scope
  • Need full incident response — if you’re facing ransomware or an active breach, you need a dedicated breach-response firm (the emergency specialists you call during an active attack). See Incident support below for what we do and don’t cover.

How it works

  1. Discovery and scoping. Free consultation to understand your environment, your industry’s threat profile, and what scope of monitoring fits your business. We confirm whether Guardian Plan is the right engagement or whether something else fits better.
  2. Setup. Once the engagement starts, we provision NordStellar for your business — primary domain, secondary domains, executive protection list, employee email addresses, and the asset surface we’ll be monitoring. Setup is included in the first month.
  3. Ongoing monitoring. NordStellar watches continuously. Alerts come to us first. You only see what matters, with context and a recommendation.
  4. Monthly summary. Written summary of the month’s activity. Concise, scannable, action-forward.
  5. Quarterly review. 60-minute working session every quarter to review trends, adjust scope if needed, and address any larger questions about where your security stands.

How pricing works

The Guardian Plan is a quarterly retainer scoped to your business. What you pay depends on:

  • Business size — number of employees, domains, and assets under monitoring
  • Executive protection scope — number of key individuals receiving heightened monitoring
  • Response schedule — standard monthly + quarterly is the baseline; a faster schedule or extra working sessions add to scope

We work the proposal in the consultation, not on the page. Setup is included in the first month. Fix work, when it arises, may be quoted as a separate engagement; we surface the scope, the estimate, and the timeline before any work begins.

Book a free consultation and we will scope it to your business.

The boundary

We assess the container, not the contents.

GuardXID examines who has access to your tools, what those tools can reach, and what’s exposed about your business externally. We do not read your client files, patient records, or matter documents — and we never will. This is what makes the work appropriate for law firms, medical practices, and any business where the contents of the work are protected by professional duty.

Incident support for subscribers

When a Guardian Plan subscriber is hit with an incident inside our monitoring scope — credentials surfacing in a published collection of stolen passwords, an executive’s exposure going active, a malicious domain spinning up against the brand, a discovered vulnerability being actively exploited — we work it with you. The platform sees the incident; we help you respond inside the layer we already know.

For incidents outside our monitoring scope — ransomware, active network breaches, anything requiring on-site forensics or insurance-mandated engagement — we refer you to the right breach-response firm and stay involved as a liaison if helpful. We don’t pretend to be one.

We keep the Guardian Plan subscriber count deliberately small — this only works if we know your environment and have the bandwidth to act when something happens.

What comes after

The Guardian Plan stands alone, but for businesses that need more, two natural extensions exist:

  • AI Program Assessment — if your AI program needs the same level of formal documentation that your security is now getting from the Guardian Plan. Many clients run both engagements.
  • Compliance Readiness — if your monitoring data needs to feed into a formal certification effort (SOC 2, HIPAA, ISO 27001, HITRUST). Guardian Plan generates evidence; Compliance Readiness organizes it for auditors.

If your credentials were leaked today, would you know?

Book a free consultation. We’ll scope what’s exposed about your business right now and whether continuous monitoring is the right fit.

Ready to talk?

Book a free consultation. We'll figure out whether this is the right fit — or point you to something that is.

Book a free consultation