Gold Rock Gold Coin Gold Bar
Full-Stack IT Services · Woodbridge, VA

From first look
to fully managed.

Our three-phase service model takes you from a free security audit all the way to a fully managed IT partnership — at your pace, on your terms.

Phase 1 IT Audit Free Phase 2 IT Consulting Phase 3 Managed IT Subscription
Phase 1 · Free

IT Audit

We identify security gaps, public-facing vulnerabilities, and infrastructure risks in your current environment — at no cost. This is how we earn your trust before asking for your business.

🌐
External Attack Surface
  • Public DNS records & subdomain enumeration
  • SSL/TLS certificate validity & configuration
  • Open ports & exposed services (passive scan)
  • Web application headers & security policies
  • WHOIS & registrar exposure review
  • Email security — SPF, DKIM, DMARC verification
🔎
OSINT & Public Footprint
  • Leaked credential check (public breach databases)
  • Social engineering exposure vectors
  • Employee PII visible in public records
  • GitHub/code repository exposure scan
  • Google dorking & search engine exposure
  • Dark web mention check (surface-level)
💻
Website & Web Application
  • CMS version & plugin vulnerability check
  • HTTP security header analysis
  • Cross-site scripting (XSS) surface review
  • Admin panel & login page exposure
  • Form validation & input handling review
  • Third-party script & dependency risk
📋
Compliance & Documentation Gaps
  • Privacy policy & terms of service review
  • Cookie consent & CCPA/GDPR surface check
  • ADA/WCAG accessibility quick review
  • Vendor & third-party risk indicators
  • Data handling & contact form security
  • Business continuity surface assessment
Findings Are Rated by Severity

Every audit deliverable categorises findings using the following scale. Clients receive a written report with each finding explained in plain language.

Informational
No immediate risk. Awareness item — best practice improvement suggested.
Low
Minor exposure. Remediation recommended within 90 days.
Medium
Exploitable under certain conditions. Remediation recommended within 30 days.
High
Significant risk to data or operations. Remediation recommended within 7 days.
Critical
Active or imminent threat. Immediate remediation required — same-day disclosure.
⚖️
Authorized Testing Agreement (ATA)

Before any audit activity begins, TIMBUKTU LLC requires a signed Authorized Testing Agreement (ATA). This document is legally required to ensure all assessment activities are explicitly authorized by the client organization and comply with applicable federal and state law, including:

  • Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 — prohibits unauthorized access to computer systems. The ATA establishes written authorization for all testing activities performed.
  • Virginia Computer Crimes Act, Va. Code § 18.2-152 — state-level authorization requirement for any system interaction or security testing.
  • Electronic Communications Privacy Act (ECPA) — governs interception and access to electronic communications. All audit activities are passive or explicitly authorized by the ATA.
  • Scope Limitation Clause — all testing is strictly limited to systems, domains, and assets explicitly listed in the ATA. No testing is performed outside the defined scope under any circumstances.
  • Confidentiality & Non-Disclosure — all findings are treated as strictly confidential. Reports are delivered only to the authorized signatory. TIMBUKTU LLC does not retain or share audit findings with any third party.
  • Limitation of Liability — passive assessment methods are used exclusively during Phase 1. TIMBUKTU LLC is not liable for pre-existing vulnerabilities discovered during audit. Destructive or intrusive testing requires a separate Penetration Testing Agreement (PTA) available in Phase 2.
  • No Guarantee of Completeness — the audit covers public-facing and OSINT-accessible information only. An audit report is not a guarantee of security. Undiscovered vulnerabilities may exist beyond the scope of passive assessment.
The ATA is provided to the client for review and signature before engagement begins. No fees are charged for Phase 1. The client may withdraw at any time before or during the audit by written notice.
What You Receive
The TIMBUKTU IT Audit Report

A professionally formatted written report delivered within 5–7 business days of scope confirmation, containing every finding categorised by severity, written explanations in plain language, recommended remediation steps, and an executive summary suitable for leadership review.

📄 Executive Summary
🔴 Severity-Rated Findings
🛠 Remediation Roadmap
📊 Risk Score Overview
🔒 Compliance Gap Notes
📞 30-min debrief call
Request Your Free Audit No commitment required. Audit is 100% free. Signed ATA required before start.

IT Consulting

After your audit reveals the gaps, consulting turns findings into a prioritised, actionable plan. We combine your audit report, your industry, your business data, and IT best practice to give you a clear roadmap — then leave the execution entirely in your hands.

🔐
Security Hardening Plan
Priority-ordered remediation steps for every finding in your audit report, with estimated effort and cost ranges.
📐
Infrastructure Architecture Review
Assessment of your current network, server, cloud, and endpoint environment with recommendations for modernisation.
📄
IT Policy & Documentation
Gap analysis of your existing policies (AUP, IRP, BCP) with templates and guidance to bring documentation up to standard.
📈
Business & Digital Growth Advisory
Review of your public-facing digital presence, advertising analytics, SEO posture, and CRM/operations tooling with improvement recommendations.
☁️
Cloud & SaaS Optimisation
Audit of your Microsoft 365, Google Workspace, or other SaaS subscriptions for redundancy, cost, and security configuration.
⚖️
Compliance Readiness
Readiness assessment for HIPAA, PCI-DSS, CMMC, or SOC 2 depending on your industry, with a gap-to-compliance roadmap.
Choose Your Consulting Engagement
Findings Report
$750one-time
Ideal for small businesses wanting documentation only
  • Written consulting report based on audit findings
  • Plain-language remediation recommendations
  • Vendor & tool recommendations with cost estimates
  • Priority matrix — what to fix first
  • One 60-minute debrief session (video call)
  • Business & digital growth advisory
  • Compliance readiness assessment
  • Follow-up advisory sessions
Get Started
Most Popular
Strategic Consultation
$2,500one-time
Ideal for growing businesses ready for a full IT strategy
  • Everything in Findings Report
  • Full infrastructure architecture review
  • IT policy & documentation gap analysis
  • Business & digital growth advisory
  • Cloud & SaaS optimisation review
  • Three 60-minute advisory sessions
  • 30-day email Q&A support post-delivery
  • Compliance readiness assessment
Get Started
Enterprise Roadmap
$5,000one-time
Ideal for larger orgs with compliance or federal requirements
  • Everything in Strategic Consultation
  • Full compliance readiness assessment (HIPAA / CMMC / PCI)
  • Gap-to-compliance remediation roadmap
  • Network architecture diagram & recommendations
  • Vendor RFP template & evaluation criteria
  • Five 60-minute advisory sessions
  • 60-day email Q&A support post-delivery
  • Optional: Penetration Testing Agreement available
Get Started
Schedule a Consulting Call Phase 1 audit not required to begin consulting. All engagements begin with a signed SOW.
Phase 3 · Subscription

Managed IT Services

You've seen the gaps. You have the roadmap. Now let us run it. Our managed IT subscription makes TIMBUKTU your full in-house IT department — monitoring, securing, and maintaining your systems so your team can focus on the business.

📡
24/7 Monitoring
Continuous infrastructure and endpoint monitoring with automated alerting.
🎫
Helpdesk Support
Ticketed support system with SLA-guaranteed response times per tier.
🔄
Patch Management
OS and application patching on a scheduled cycle with rollback capability.
🛡️
Endpoint Security
Managed EDR, AV, and firewall policy enforcement across all covered devices.
💾
Backup & Recovery
Automated backups with tested recovery procedures and documented RTO/RPO.
📊
Monthly Reporting
Written monthly report covering uptime, incidents, patches, and open tickets.
Choose Your Managed IT Tier
Essential
$800 /mo · up to 10 users
+$65/user/mo over 10
Growing businesses needing foundational IT coverage
Core Services
  • 24/7 infrastructure & uptime monitoring
  • Helpdesk support (business hours, M–F 9–6 ET)
  • OS patch management (monthly cycle)
  • Managed antivirus & endpoint protection
  • Microsoft 365 / Google Workspace admin support
  • Password manager deployment & management
  • Monthly status report
  • Managed EDR / advanced threat detection
  • Automated cloud backup & DR testing
  • Compliance monitoring & reporting
  • vCISO advisory services
SLA Guarantees
Critical4-hour response
High8-hour response
MediumNext business day
Low72-hour response
Get Started
Recommended
Professional
$1,800 /mo · up to 25 users
+$90/user/mo over 25
Established businesses requiring security & compliance readiness
Core Services
  • Everything in Essential
  • 24/7 helpdesk (including after-hours for critical issues)
  • Managed EDR — advanced endpoint detection & response
  • Automated cloud backup with monthly DR test
  • MFA rollout & enforcement management
  • Security awareness training (quarterly)
  • Network firewall policy management
  • Vulnerability scan (quarterly)
  • SIEM log aggregation & alerting
  • Weekly status report + quarterly business review
  • Compliance monitoring (HIPAA / CMMC / PCI)
  • vCISO advisory services
SLA Guarantees
Critical2-hour response · 4-hour resolution target
High4-hour response · same-day resolution target
Medium8-hour response
Low48-hour response
Get Started
Enterprise
Custom /mo · unlimited users
Flat-rate pricing — no per-user fees
Government, regulated industries, and large organizations
Core Services
  • Everything in Professional
  • Dedicated account manager & escalation path
  • vCISO advisory (monthly strategy sessions)
  • Compliance monitoring — HIPAA, CMMC, PCI-DSS, SOC 2
  • Annual penetration test (internal & external)
  • Incident response retainer & playbook
  • Vendor & supply chain risk management
  • Custom SLA negotiated per contract
  • On-site support available (DMV region)
  • Monthly executive business review
  • IT roadmap & budget planning support
  • Priority 24/7/365 NOC coverage
SLA Guarantees
Critical1-hour response · negotiated resolution SLA
High2-hour response · 4-hour resolution target
Medium4-hour response
Low24-hour response
Request a Quote
Available Add-Ons (Any Tier)
Web Development & Hosting
Custom website design, build, hosting, and maintenance. Monthly retainer available.
From $150/mo
Digital Marketing Management
SEO, Google Ads, social content strategy, and analytics reporting.
From $500/mo
Video Production
Corporate, training, and promotional video production. Per-project pricing.
From $750/project
Penetration Testing
Authorized offensive security testing — internal, external, or web app. Requires PTA.
From $2,500/engagement
Employee Security Training
Live phishing simulation + security awareness training session for your team.
From $500/session
On-Site IT Support
Scheduled or emergency on-site technical support in the DMV region.
$125/hr · 2hr minimum
Service Agreement Notes
Contract Term — All MSP engagements require a minimum 12-month Master Service Agreement (MSA). Month-to-month available at a 15% premium after initial term.
SLA Credits — If TIMBUKTU LLC fails to meet a documented SLA response time, the client is entitled to a prorated service credit for that billing period, as defined in the MSA.
Scope Changes — Changes to covered users, systems, or services require a signed Amendment to the MSA. No out-of-scope work is performed without written authorization.
Termination — Either party may terminate with 60 days written notice after the initial term. Early termination during the initial term is subject to the early termination fee defined in the MSA.
Data Ownership — All client data, configurations, and documentation remain the property of the client at all times. TIMBUKTU LLC does not retain client data after contract termination.
Excluded Services — Capital hardware procurement, third-party software licensing costs, and internet/carrier service fees are not included in monthly pricing unless specified in the SOW.
Schedule a Discovery Call All MSP engagements begin with a free 30-minute discovery call. No audit required to start Phase 3.
Common Questions

Frequently Asked

No. The three-phase model is a recommended pathway, not a requirement. Many clients engage us directly for consulting or managed services. The audit is offered free because we believe it creates a better starting point for any engagement, but you can begin at any phase.

The audit is completely free with no hidden fees. We cover all labor and tooling costs. The only requirement is that you sign our Authorized Testing Agreement (ATA) before we begin, which is also provided at no cost. If you choose not to proceed after the audit, you owe us nothing.

Critical findings are disclosed to you same-day via phone or secure message, even before the full written report is complete. We walk you through the risk in plain language and, if you want, can provide immediate guidance on containment steps at no charge. We never sit on a critical finding.

Absolutely. The consulting deliverable is yours to use however you choose. Our recommendations are vendor-neutral wherever possible. We have no financial relationship with any vendors we recommend, and we will never pressure you to use us for implementation. If you do choose to proceed to Phase 3 with us, we apply a credit toward your first month of managed services equal to 10% of your consulting fee.

Our Essential and Professional tiers are priced per user up to the included base count, then per-user overage applies for each additional user. Enterprise is flat-rate with no per-user fees. "User" means a named person requiring helpdesk and endpoint coverage. Shared workstations count as the number of users who operate them.

Remote support is included in all tiers. On-site support in the Washington DC / Northern Virginia / Maryland (DMV) region is available as an add-on at $125/hr with a two-hour minimum, or can be negotiated into an Enterprise contract as a scheduled service.

All client data, system credentials, configurations, documentation, and intellectual property belong to you. Within 30 days of contract termination, we provide a full documentation handoff package and transition support at no additional charge. We retain no copies of your data after handoff is confirmed.

Yes. We are actively pursuing SAM.gov registration for federal and state contract vehicles and maintain awareness of CMMC, FedRAMP, and FAR requirements. Government clients with specific compliance requirements are encouraged to contact us directly so we can discuss scope and eligibility for the engagement.

Ready to Start?

No jargon. No pressure. Just solutions.

Whether you want a free audit, a consulting engagement, or a full managed IT partnership — every conversation starts the same way: with a call, your questions, and our honest answers.

Get in Touch Start with a Free Audit