SMB Guardian Plan

Ongoing identity and external threat monitoring for small and mid-size businesses.

Pricing From $400/mo

What this is

Most businesses have no idea when their credentials are exposed, when a malicious domain is targeting them, or when an external vulnerability becomes exploitable.

Not because they don’t care - because no one is watching continuously.

Identity and external threat exposure aren’t snapshot problems. They change every week.

The Guardian Plan runs on Nordstellar, the threat intelligence platform we use to deliver continuous monitoring at scale. GuardXID is the human layer on top - interpreting the alerts, prioritizing what matters, and turning platform output into action your business can actually take.

This isn’t a software subscription.

Left alone, platforms generate noise. Alerts fire, dashboards fill up, and nothing changes.

The Guardian Plan exists to turn signal into action - what matters, what doesn’t, and what to do next.

What happens if no one is watching

  • Compromised credentials sit in breach databases for months
  • Malicious domains go live before anyone notices
  • External vulnerabilities stay exposed until exploited
  • Executive exposure becomes a business risk without warning

None of these trigger internal alerts. They show up when someone else finds them first.

What’s being watched continuously

The Nordstellar platform handles continuous monitoring across multiple threat surfaces. The work GuardXID does on top of that is the prioritization, response, and quarterly program review.

Continuous monitoring (via Nordstellar)

  • Data breach monitoring - credentials, employee data, and customer data exposed in breaches across the internet, with real-time alerts when your domain or accounts surface
  • Dark web monitoring - your business keywords tracked across dark web forums, ransomware blogs, marketplaces, and Telegram channels
  • Cybersquatting detection - malicious domains impersonating your brand or targeting your customers, surfaced before they’re used against you
  • External vulnerability scanning - open ports, exposed services, and software patching gaps on your internet-facing infrastructure
  • Asset discovery - automatic identification of internet-exposed assets associated with your business (domains, hosts, services), including ones you may not realize are exposed
  • Executive protection - heightened monitoring for designated key individuals (founders, partners, executives) whose personal exposure can become a business risk

What we do with the alerts

Nordstellar surfaces the signal. Most of the work is deciding what actually matters and acting before it becomes a problem.

  • Alert triage - every fired alert reviewed, prioritized, and either escalated to you or resolved at the platform level
  • Monthly summary - concise written summary of what’s been seen, what’s been resolved, what’s outstanding
  • Quarterly program review - 60-minute working session covering trends, recommendations, and any scope adjustments needed for the coming quarter
  • Direct response support - when something matters, you don’t go through a queue. You reach the person already watching your environment.
  • Remediation support - when an alert maps to a vulnerability that needs to be patched or addressed, we can scope the remediation work as an additional engagement. Nordstellar surfaces the CVE and the recommended fix; we estimate the work and quote it promptly so the window between exposure and remediation stays as short as possible.

What this is not

This does not replace your IT provider, MSP, or endpoint security.

Those protect what’s inside your environment.

The Guardian Plan covers what sits outside it - identity exposure, external visibility, and threats that don’t trigger internal systems.

Who this is for

You’re a fit if you:

  • Run a small or mid-size business between roughly 5 and 150 employees
  • Operate in an industry where compromised credentials, brand impersonation, or breach exposure could meaningfully damage client trust or operational continuity (law, medical, CPA, agriculture, or similar)
  • Want ongoing protection rather than one-time snapshots
  • Don’t have an internal security team and aren’t ready for an MSSP retainer at $1,500+/mo

You’re not a fit if you:

  • Believe “we’re too small to be a target”
  • Need formal compliance attestation — see Compliance Readiness for SOC 2, HIPAA, ISO 27001, and HITRUST work
  • Want a one-time engagement only — the AI Governance & Assessment includes identity work as part of its scope
  • Need full incident response services — if you’re facing a ransomware attack, an active network breach, or any incident requiring on-site forensics, you need a dedicated IR firm. Guardian Plan subscribers do receive support during incidents within our monitoring scope (identity compromise, credential exposure, exposed asset exploitation), but we are not a full-spectrum incident response provider.

How it works

1. Discovery and scoping. Free consultation to understand your environment, your industry’s threat profile, and what scope of monitoring fits your business. We confirm whether Guardian Plan is the right engagement or whether something else fits better.

2. Setup. Once the engagement starts, we provision Nordstellar for your business - primary domain, secondary domains, executive protection list, employee email addresses, and the asset surface we’ll be monitoring. Setup is included in the first month.

3. Ongoing monitoring. Nordstellar watches continuously. Alerts come to us first. You only see what matters, with context and a recommendation.

4. Monthly summary. Written summary of the month’s activity. Concise, scannable, action-forward.

5. Quarterly review. 60-minute working session every quarter to review trends, adjust scope if needed, and address any larger questions about your security posture.

Pricing

From $400/mo. Setup included in the first month.

The actual price depends on:

  • Business size — number of employees, domains, and assets under monitoring
  • Executive protection scope — number of key individuals receiving heightened monitoring
  • Response cadence — standard monthly + quarterly is the baseline; faster response cadences or additional working sessions add to scope

We build the proposal in the consultation, not on the page. The starting price covers a typical small SMB engagement at baseline scope.

Remediation work, when it arises, is quoted as a separate engagement. We surface the scope, the estimate, and the timeline before any work begins.

The boundary

We assess the container, not the contents.

GuardXID examines who has access to your tools, what those tools can reach, and what’s exposed about your business externally. We do not read your client files, patient records, or matter documents - and we never will. This is what makes the work appropriate for law firms, medical practices, and any business where the contents of the work are protected by professional duty.

Incident support for subscribers

When a Guardian Plan subscriber is hit with an incident inside our monitoring scope — credentials surfacing in a breach dump, an executive’s exposed personal data being used in a targeted attack, a malicious domain spinning up against the brand, a discovered vulnerability being actively exploited — we work it with you. The platform sees the incident; we help you respond inside the layer we already know.

For incidents outside our monitoring scope — ransomware, active network breaches, anything requiring on-site forensics or insurance-mandated engagement — we refer you to the right IR firm and stay involved as a liaison if helpful. We don’t pretend to be a full-spectrum IR provider.

This is part of why we keep the Guardian Plan subscriber count deliberately small.

This only works if we know your environment and have the bandwidth to act when something happens.

What comes after

The Guardian Plan stands alone, but for businesses that need more, two natural extensions exist:

  • AI Governance & Assessment - if your AI program needs the same level of formal documentation that your security posture is now getting from the Guardian Plan. Many clients run both engagements.
  • Compliance Readiness - if your monitoring data needs to feed into a formal certification effort (SOC 2, HIPAA, ISO 27001, HITRUST). Guardian Plan generates evidence; Compliance Readiness organizes it for auditors.

If your credentials were leaked today, would you know?

Ready to talk?

Book a free consultation. We'll figure out whether this engagement is the right fit, or whether something else fits better.