Kindroot · Cybersecurity, Pacific Northwest
Security work, done properly. Then put to work.
Kindroot is a cybersecurity consulting and implementation firm working with businesses, nonprofits, and community organizations across Washington, Oregon, and Idaho. We assess what you have, build what's missing, and stay until it runs. A report sitting in a drawer protects nothing.
Assessments · Penetration testing · Secure infrastructure · Detection platforms · Identity & access · Policy & compliance · Training
The work
What we do, in plain terms
Eight areas of practice. Most engagements combine a few of them; all of them end with something running, not just something recommended.
- Security assessments
  A clear-eyed look at your environment: what exists, what it protects, and where it falls short. You get findings you can act on, ranked by what actually matters to your organization.
- Secure infrastructure
  Design and build of networks, cloud environments, and systems with security in the structure — whether you’re starting fresh or untangling something that grew over a decade.
- Penetration testing
  Controlled, scoped attacks against your systems by people who explain what they found, how they got in, and what to fix first. Not an automated scan with a cover page.
- Training & awareness
  Security training built around how your people actually work. Practical sessions, not annual compliance videos everyone clicks through.
- Policy & governance
  Security policies, standards, and governance written for your organization, in language your team will read and follow — short enough to be used, specific enough to hold up.
- Compliance controls
  Implementing the controls behind frameworks like SOC 2, HIPAA, or CMMC — so the audit passes because the work was done, not because the paperwork was creative.
- Detection & response platforms
  Selection, deployment, and tuning of EDR, XDR, and SIEM platforms. Configured for your environment, with the noise turned down and the alerts that matter turned up.
- Identity & access management
  IAM architecture and rollout: single sign-on, MFA, role design, and the unglamorous cleanup of who-can-touch-what that most breaches trace back to.
How engagements run
Four phases, in order, every time
The sequence matters. Scoping before assessing keeps the work relevant. Assessing before building keeps it grounded. And implementing before handing off is the entire point.
- Listen and scope
  We start by understanding your organization. What it does, what would hurt if it stopped, what you've already built, and which constraints are real. The scope comes out of that conversation, in writing, before any work begins.
- Assess honestly
  We look at what's actually there: configurations, access, architecture, habits. Findings are ranked by consequence to your business rather than by scanner severity scores. When something is fine, we say it's fine.
- Build and implement
  This is the point where many consultancies hand over a PDF and move on. We stay for the build. Platforms get deployed, access gets restructured, infrastructure gets hardened, and your team works alongside us so the knowledge stays in the building.
- Operationalize and hand off
  Done means running. Tuned alerts, documented procedures, trained staff, and a clear picture of what to maintain. Some clients keep us on for periodic reviews. Either way, you own your own security and can operate it without us.
Who this is for
Businesses and communities across the Northwest
We work with small businesses, nonprofits, healthcare groups, manufacturers, credit unions and community banks, utilities, school districts, tribal organizations, logistics companies, and software firms across Washington, Oregon, and Idaho. Different sizes, different missions, same situation: real operations, real obligations, and security that needs to be built properly rather than performed.
Based in Washington State. On site when it helps, remote when distance makes no difference.
A good fit usually looks like this
- Security has landed on someone's desk as an actual responsibility instead of everyone's vague worry. That someone might run a five-person nonprofit or a five-hundred-person company.
- You've outgrown “the IT person handles it,” but a full internal security team isn't in the budget yet. Or you have one, and it needs reinforcement on specific work.
- A customer, regulator, insurer, or board is asking questions you want to be able to answer truthfully.
- You'd rather fix things than collect attestations about them.
- Your budget is what it is. We scope to it. A small organization gets a small, useful engagement, not a scaled-down enterprise one.
If you're after a rubber-stamp assessment or the cheapest path to a certificate, we're honestly not the right firm. You'll hear that from us on the first call, and we can usually point you toward someone better suited.
The first conversation costs nothing and commits you to nothing.
Tell us what's on your mind. A question, a concern, a project that's been waiting. We'll tell you what we'd actually do about it, and whether we're the right firm to do it.