SDVOSB · Veteran-led · Boston, MA
§ 0 · The firm · Framingham, MA · est. Q3 2024
Eight principals · veteran-led · senior-only · written deliverables

A senior firm. For the work that cannot be junior.

We are a small, deliberately senior firm: eight principals, no juniors on file. Every memo is signed by the practitioner who wrote it.

Established: Q3 '24 · Framingham, MA
Principals: 8 · All senior · all named
Frameworks: 22 · Reconciled into one program
Engagement: Fixed · Written fee · written scope
Engaged by GetAhead · DeDupely · Titan Intake · and clients under NDA in IT services, paralegal-tech, and DoD subcontracting.
§ I · A note from the founder
Signed · Jack Giordano · Framingham, MA
Jack Giordano, Founder & Managing Director, Nexurion
Service: USMC · Rescue
Education: M.S. × 2
Bench: RTX · USAF
Founded: Q3 '24

I started Nexurion because too many firms treat the work like an obligation. It is the argument that closes deals.

I left the Marine Corps, worked technical rescue, and moved into cybersecurity, and watched well-run companies get told the same thing by three different consultancies: buy a tool, hire a junior, accept a nine-month timeline. The deals waiting on the audit died on the table. The investors' diligence questions sat unanswered. The model that was about to ship sat in legal review for another quarter.

I built Nexurion as the firm I would have wanted on the other side of the table: senior practitioners only, written scoping memos in forty-eight hours, fixed fees you can put in a board update. We write the memo, we sign the deliverable, and we are still on the call when the auditor has a follow-up six months later.

If you have a buyer asking for SOC 2, a regulator asking for the AIMS scope, an investor asking about the AI policy, or a model about to ship into a regulated market: tell us the trigger. If we are the right firm we will tell you so in writing. If we are not, we will tell you that too, and point you to who is.

Jack Giordano · Founder & Managing Director, Nexurion USMC · M.S. Cybersecurity · M.S. Security & Resiliency Studies · BC Law: Security, Risk & Governance · Cleared GovCon background
§ II · The bench
Eight principals · all named · all senior

The names on the cover are the names on the call.

Every engagement at Nexurion is led by a principal, not a manager with junior leverage underneath. Below: the eight people who do the work. Their certifications are real, their tenure is real, and the bio is the one that shows up on the LinkedIn message you send them.

Across the bench: CISSP · ISO 27001 Lead Auditor · CISM · CIPP · CIPM · CIPT · CEH · AIGP · SSCP · Sec+ · FIP · SCCE · BC Law: Security, Risk & Governance
No. 01 · Founder
Jack Giordano
Founder & Managing Director
USMC · M.S. Cybersecurity · M.S. Security & Resiliency · BC Law: Security, Risk & Governance

No. 02 · Privacy
Desarie Green, JD
Principal · Data Privacy
JD · CIPP/E · CIPM · 15+ yrs

No. 03 · Fractional CISO
David Monahan
Principal · Fractional CISO
CISSP · CISM · 25+ yrs

No. 04 · Security engineering
Akash Shitole
Principal · Sec. Engineering & MSSP
CCSK · AWS · Azure · GCP

No. 05 · Public sector
Shaun McDonald
Principal · Public Sector & Risk
U.S. Army · CISM · CMMC · NIST

No. 06 · Security engineering
Sean Cook-Scott
Security Engineer
CMMC · NIST · FISMA

No. 07 · Federal services
Kaitlyn Bestenheider
Principal · Federal Services
CISSP · CCP · FedRAMP · CMMC

No. 08 · Federal services
Andres DiazPinto
Principal · Federal Sec. & Compliance
CISSP · CCP · FedRAMP · GovCloud

The bench is selectively open. Senior practitioners only: fifteen-plus years, named on engagements, comfortable writing the memo and signing the deliverable.
§ III · Recent engagements
Six clients · Six audits · One firm

The work, on the record.

A short ledger of the engagements we'd point a buyer to. Three are named with permission. Three are under NDA: described by sector, scope, and outcome only. Every entry below is a real audit Nexurion took to "ready" in the last twelve months.

Audit pass rate: 100% · Across SOC 2, ISO 27001, ISO 22301, ISO 20000, CMMC L2
Median time to "audit ready": ~4 wks · From kickoff memo to auditor handoff
Combined practitioner experience: 120+ yrs · On the bench, today · M.S. + JD + military service
№ 01 · Audit-ready sprint · 2025

Paralegal-tech firm · NDA

Inherited a control environment scoring 44% against SOC 2 with 10,000+ open vulnerabilities. Rebuilt the policy stack, re-architected access and logging, ran the remediation sprint, and walked the client into the auditor's room at 100%, in under a month.

SOC 2 readiness · 30 days · 44 → 100%
№ 02 · ISO 27001 · 2024 to present

GetAhead

Stood up the IT environment from zero, took it through ISO 27001 implementation and audit, and now operate the environment as their managed security partner.

Result: Passed · retained
№ 03 · Internal audit · 2025

DeDupely

Delivered a board-defensible internal audit report in three weeks: scope, evidence, gaps, and remediation plan in a single document the leadership team could act on immediately.

Turnaround: 3 weeks
№ 04 · SOC 2 · 2025

Titan Intake

Audit-ready for SOC 2: full Trust Services Criteria mapping, control implementation, and evidence package handed to the auditor.

Status: Audit-ready
№ 05 · Dual ISO certification · 2025

National IT integrator · NDA

Took a multi-hundred-person services firm audit-ready for ISO 20000 (service management) and ISO 22301 (business continuity) in parallel, in a single month, including the integrated control map across both frameworks.

Two frameworks · 30 days · Audit-ready
№ 06 · CMMC Level 2 · In flight

DoD subcontractor · NDA

Currently driving CMMC Level 2 audit-readiness: 110 NIST 800-171 controls, a CUI enclave, and the SSP/POAM package the C3PAO will assess against.

Track: CMMC L2
Methodology note

Numbers are pulled from project closeout memos, not marketing material. NDA entries are described accurately enough for a buyer to vet the work without identifying the client. References available under mutual NDA on request.

§ IV · From the engagements
On the record, from a client

What the work looks like, after the SOW is signed.

Nexurion helped us bring our infrastructure to the next level. We’re now much more conscious about IT decisions and have transparency into our security posture.
Mathias Alt
Senior Executive · GetAhead · Supply chain
§ V · What we won't do
The disqualification list, in writing

The strongest signal a senior firm can send is what it refuses.

Most firms tell you what they do. We think it's more useful to tell you what we won't. If your engagement looks like one of these, we'll write it in the memo and tell you to call someone else.

01

We don't resell tools.

No platform kickbacks, no affiliate fees, no preferred-partner margin. We recommend the tool that fits, and tell you when the one you own is fine. Our revenue is your fee, full stop.

02

We don't put juniors on your account and bill it as "team leverage."

Every engagement is led and delivered by a named principal. If a senior practitioner won't do the work themselves, we don't take it.

03

We don't subcontract the deliverable.

The memo, the SSP, the readiness package, the board report: all written and signed by the practitioner whose name is on it. No rebadging, no offshore subcontracting.

04

We don't run the audit-mill playbook.

Every engagement starts with a written scoping memo because every environment is different. If the work fits a template, you don't need us, and we'll say so.

05

We don't take engagements where the answer is "buy more software."

If your problem is procurement, hire procurement. We solve the controls, the architecture, the policy, and the audit posture, not the purchase order.

06

We don't engage below the senior threshold.

If the work is genuinely junior, there are good firms for that and we're not one of them. We take engagements where seniority materially changes the outcome.

The corollary

When we say yes, it's because a senior practitioner believes the work needs senior hands. When we say no, that is the most useful thing we can tell you in the memo.

§ VI · Questions, answered straight
Four things buyers ask before the call

The questions we'd rather answer in writing.

If you're researching a senior firm, you have predictable questions. We'd rather settle them here than waste a discovery call. Click any question for the honest answer.

№ 01

Are you a reseller or do you take software referral fees?

No. We take no software referral fees, no GRC platform commissions, no SIEM affiliate margin, no "preferred partner" kickbacks. The fee you pay us is the only money the firm makes on your engagement.

If we recommend a tool, it's because that tool fits the environment, and we will tell you when the tool you already own is the right one.

№ 02

Who actually does the work: the partner who pitched, or someone I haven't met?

The named principal on the SOW does the work. Period. No analyst-and-PM-with-a-script model. If a senior practitioner doesn't want to do the work themselves, we don't take the work.

You can see the bench in § II. The principal assigned to your engagement is named in the scoping memo before you sign.

№ 03

What's your fee structure? Do you do retainers, fixed-fee, or hourly?

Fixed-fee for defined scope. The scoping memo includes the fee, the deliverable list, the timeline, and the named practitioner. You can put the number in the budget before you sign.

Where we run an environment past the audit (e.g. fractional CISO, ongoing managed compliance), we move to a monthly retainer at a written rate. No hourly billing, no scope-creep change orders, no "we'll true it up later."

№ 04

What happens if we fail the audit?

This hasn't happened, but it's the right question. Our engagement standard is "audit-ready", meaning we believe a competent auditor will issue an unqualified opinion against the in-scope criteria.

If the auditor identifies a finding that originated in work we delivered, we remediate it at our cost until the finding is closed. That commitment is in the SOW, in writing. If the finding is in scope we explicitly excluded, or in work the client did themselves, we'll help, but on a separate fee.

Question we didn't answer?

Send it to [email protected]. If it's the kind of question other buyers also ask, we'll add it here.

The 5-minute scoping memo · written by a senior practitioner

Tell us the trigger. We'll write the memo.

Five questions. One reply. Tell us the trigger (an enterprise buyer, a regulator, an investor, a model that's about to ship) and within forty-eight hours a senior practitioner sends a written scoping memo: what's in scope, what isn't, the realistic calendar, and the fee range.

If the right answer is "don't engage us yet," we'll write that too.

The memo is the value exchange. No pitch deck. No nurture sequence. No partner-of-the-week call. If the memo lands and you want to talk, the booking link is at the bottom of it.

Nexurion Field Notes, Vol. I, our inaugural issue: published Apr 2026. Next volume lands the next morning either way.