Prospecting Private Foundations for Cybersecurity and Operational Resilience

Market sizing and affordability signals

Your thesis (“wealth-management-grade sensitivity + lightweight ops + low vendor attention”) is directionally consistent with how many private foundations run: a very large number of organizations, much of the work outsourced, and widely varying sophistication.

What we can quantify reliably right now

Total U.S. private foundations (baseline universe): Cause IQ reports 150,762 private foundations in the U.S., with 175B+ in revenue, and 31,750 employees (Cause IQ aggregates IRS filings + other sources). Confidence: Medium (large-scale, but not an official IRS count and relies on proprietary classification/cleaning).

Colorado “top-of-funnel”: Cause IQ reports 2,797 private foundations in Colorado with $20.6B in assets and 651 employees. Confidence: Medium (same reasons).

Colorado size distribution (by revenue, not assets): Colorado private foundations in Cause IQ show 35 orgs in 25M revenue and 11 orgs in 100M revenue (again, revenue bands). Confidence: Medium (useful directional proxy; not the assets band you asked for).

Colorado “more than 2,000 private and community foundations”: Philanthropy Colorado states Colorado is home to “more than 2,000 private and community foundations.” Confidence: Medium (secondary compilation; not a raw count).

The gap: Assets-banded counts (50M) by state

You asked for precise counts of private foundations in 10M, 25M, 50M assets, nationally and for CO + neighboring states. That is absolutely computable from IRS public data, but in practice the raw IRS extracts most commonly used for this are distributed as large bulk files (often ZIP/XLSX). In this session I was unable to directly ingest the IRS state-level EO-BMF CSVs / annual financial extracts due to tool download constraints, so I cannot responsibly publish exact assets-banded counts for CO/WY/NM/KS/NE/UT from IRS-first computation here.

What I can do (and do below) is:

  • show you the free IRS/ProPublica building blocks you can use to compute the bands yourself in minutes/hours with a script,
  • provide the exact field logic to classify private foundations and filter by assets + filing recency,
  • deliver a verified Colorado starter list (with a transparent “in-range vs out-of-range” flag) from a source that already normalizes the filings.

How private foundations operate and buy services

Outsourcing is the norm (this matters for your wedge)

A key operational reality: small-to-midsize foundations commonly outsource most “non-mission” functions. Exponent Philanthropy summarizes its 2025 Foundation Operations & Management data as: 99% of foundations used a consultant for at least one service in the past year, and 9% fully outsourced operations. The most common outsourced services were tax preparation (81%), investment services (58%), legal work (55%), audit services (49%), and bookkeeping (41%). Confidence: High for the “consultant prevalence” directional takeaway (comes from a sector-specific operations report), Medium for applying it directly to IT/MSP adoption without additional IT-specific survey cross-tabs.

Why this is actionable for ORB outbound: If you position ORB as the “operational assurance layer” that complements their outsourced tax/audit/investment stack, rather than “yet another IT vendor,” you’re aligned with how they already buy services (they’re comfortable paying specialists for defined, bounded work).

Practical buyer map for your deal size (12.5k)

Even when boards are heavily involved, foundations often have:

  • a small internal team (or none),
  • a CPA firm handling compliance,
  • an investment advisor,
  • counsel,
  • and a grants/admin platform vendor.

This pushes ORB buying decisions toward:

  • Executive Director / President / Foundation Director (if staffed),
  • Board treasurer or finance chair (especially if unstaffed),
  • Trusted CPA / outsourced foundation administrator as influencer.

This segmentation is consistent with the high consultant utilization pattern reported above. Confidence: Medium (strong inference from consultant reliance; not a direct “IT buyer” survey cross-tab).

Governance and compliance touchpoints that create cybersecurity urgency

IRS filing + public disclosure dynamics create real risk surface

Private foundations file Form 990-PF as their core annual return. The IRS describes late-filing penalties and notes e-filing requirements/thresholds. Confidence: High (primary IRS guidance).

Two particularly relevant compliance mechanics you can reference in outreach without fear-mongering:

  • State reporting propagation: The IRS states that a private foundation must list on Form 990-PF the name of any state to which it reports or where it has registered as a charitable organization, and must provide a copy of its return to each state required to be listed. Confidence: High.
    Why it matters: Foundations are already used to compliance “fan-out” (multiple states), which can support your narrative: operational controls need to be consistent, documented, and repeatable.

  • Disclosure thresholds that hint at “ability to pay vendors”: IRS instructions note that some 990-PF dollar thresholds are 50,000 minimums that impact listing highest paid employees and listing professional fees. Confidence: High for the existence of thresholds; Medium for using it as a budget proxy.

“Data handling is messy” is not hypothetical

A cautionary historic example: ProPublica documents a dispute that arose because certain released nonprofit PDFs contained unredacted Social Security numbers, which affected bulk public access to filings at the time. Confidence: High that disclosure errors have occurred; Medium for predicting probability today (processes changed, but the lesson stands).

Your ORB can credibly position around “we don’t just assess controls—we validate restoration, data mapping, and who can access sensitive documents.”

Free data sources and step-by-step workflows for building your list

This section is written as an operator’s playbook: what to use, what you can filter, and how to stitch it into a repeatable pipeline.

Free source that is genuinely useful: ProPublica API + Nonprofit Explorer

entity[“organization”,“ProPublica”,“investigative journalism nonprofit”] provides an API for its Nonprofit Explorer database.

Key features you can rely on for automation:

  • Search endpoint: /search.json supports filters like keyword query and state.
  • Organization endpoint: /organizations/:ein.json returns filings and includes a formtype field where 2 = Form 990-PF.
  • Filing objects include convenience aliases like totassetsend (total assets, end of year), plus revenue/expense and many form-specific fields.
  • Organization objects include additional IRS EO-BMF status/categorization codes (useful for active/inactive logic once you map code meanings).

Exactly how to filter to your ICP (programmatic logic)
Below is the logic you want in your script:

  1. Start with a candidate EIN set for a geography

    • Use /search.json with state[id]=CO (repeat for WY/NM/KS/NE/UT) and a broad query like q=foundation to build a seed list.
    • (You will over-include; that’s okay.)

  2. For each EIN, fetch full filing history via /organizations/:ein.json.

  3. Keep only organizations that have a recent 990-PF filing

    • Filter filings where formtype == 2.
    • For “filed in last 2 years” you can use tax_prd_yr as a proxy year field, understanding it’s fiscal year end year, not necessarily “received by IRS.” (If you need exact filing/received dates, use the PDF/XML metadata when available.)

  4. Apply the assets band

    • Use totassetsend (book value end-of-year) as your consistent numeric filter.
    • Keep: 5_000_000 <= totassetsend <= 50_000_000.

  5. Active/not dissolved

    • Use the EO-BMF status fields returned on organization objects (you’ll need the EO-BMF documentation mapping).

This is “free but compute-heavy.” The upside is: once built, you can refresh monthly.
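
An added example (not code from this report or from ProPublica) of steps 3 and 4 of the filter logic above, run over constructed records. The field names formtype, tax_prd_yr and totassetsend come from the report; the filings_with_data key, the ein/name organization fields, the v2 base URL and the sample EINs are assumptions or constructed values. Step 5 is left out because it depends on the EO-BMF code mapping.

```python
"""Classify Nonprofit Explorer organization records against the 5M-50M 990-PF filter."""
import json
from urllib.request import urlopen

API_BASE = "https://projects.propublica.org/nonprofits/api/v2"  # assumed base URL
FORM_990PF = 2                       # formtype value for Form 990-PF (from the report)
ASSET_MIN, ASSET_MAX = 5_000_000, 50_000_000


def fetch_org(ein):
    """Step 2: fetch one organization record. Not called by the offline sample below."""
    digits = str(ein).replace("-", "")
    with urlopen(f"{API_BASE}/organizations/{digits}.json", timeout=30) as resp:
        return json.load(resp)


def _is_990pf(filing):
    # Tolerate formtype arriving as int, numeric string, or missing.
    try:
        return int(filing.get("formtype")) == FORM_990PF
    except (TypeError, ValueError):
        return False


def latest_990pf(record):
    """Return the newest 990-PF filing by tax_prd_yr, or None if there is none."""
    filings = [f for f in record.get("filings_with_data", [])
               if _is_990pf(f) and isinstance(f.get("tax_prd_yr"), int)]
    return max(filings, key=lambda f: f["tax_prd_yr"], default=None)


def classify(record, current_year, max_age_years=2):
    """Steps 3-4: recency check on tax_prd_yr, then the assets band on totassetsend."""
    filing = latest_990pf(record)
    if filing is None:
        return "no_990pf"
    # tax_prd_yr is the fiscal-year-end year, a proxy for filing recency.
    if current_year - filing["tax_prd_yr"] > max_age_years:
        return "stale"
    assets = filing.get("totassetsend")
    if assets is None:
        return "assets_missing"
    if assets < ASSET_MIN:
        return "below_band"
    if assets > ASSET_MAX:
        return "above_band"
    return "in_band"


def build_prospects(records, current_year):
    """Return (ein, name, assets) for in-band records, smallest assets first."""
    rows = []
    for rec in records:
        if classify(rec, current_year) == "in_band":
            org = rec.get("organization", {})
            rows.append((org.get("ein"), org.get("name"),
                         latest_990pf(rec)["totassetsend"]))
    return sorted(rows, key=lambda r: r[2])


def _rec(ein, name, filings):
    return {"organization": {"ein": ein, "name": name}, "filings_with_data": filings}


# Constructed sample records (EINs and names are placeholders, not real filers).
SAMPLE = [
    _rec(1, "Sample A", [{"formtype": 2, "tax_prd_yr": 2023, "totassetsend": 15_500_000},
                         {"formtype": 2, "tax_prd_yr": 2022, "totassetsend": 14_000_000}]),
    _rec(2, "Sample B", [{"formtype": 2, "tax_prd_yr": 2023, "totassetsend": 69_600_000}]),
    _rec(3, "Sample C", [{"formtype": 2, "tax_prd_yr": 2019, "totassetsend": 10_000_000}]),
    _rec(4, "Sample D", [{"formtype": 0, "tax_prd_yr": 2023, "totassetsend": 20_000_000}]),
    _rec(5, "Sample E", [{"formtype": "2", "tax_prd_yr": 2024, "totassetsend": 5_000_000}]),
]
```

The separate status labels (stale, above_band, no_990pf) make it easy to keep near-miss organizations in a secondary list instead of discarding them.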

IRS free bulk building blocks

entity[“organization”,“Internal Revenue Service”,“us tax agency”] publishes a centralized list of public disclosure datasets, including:

  • Tax Exempt Organization Search (TEOS) tool and bulk data downloads (updated monthly),
  • Exempt Organizations Business Master File Extract (EO-BMF) downloadable by state or region. citeturn17search15turn17search16

What these are best for:

  • EO-BMF: legal/status metadata (formation, ruling date, foundation code, etc.), useful for “active” filtering and enrichment.
  • TEOS bulk: cross-checking entity existence and, depending on dataset, modernized e-file stylesheets and related artifacts.

Cause IQ (free pages) as a “fast shortlist generator”

Cause IQ’s public directory pages give you immediate lists with EIN + assets + employees for visible items and useful rollups (US-wide and by state). This is not IRS-primary, but it’s extremely practical for prospecting.

Use it for:

  • quick initial sourcing of known foundations in a geography,
  • sanity checks (assets magnitude),
  • and as a bridge until your IRS/ProPublica pipeline is built.

Open data projects to consider

entity[“organization”,“Nonprofit Open Data Collective”,“open nonprofit data community”] describes a free foundations dataset released by entity[“organization”,“Open990.org”,“open nonprofit data project”] (noted as updated October 2019 in that writeup). Confidence: Low/Medium for current completeness because the referenced update is older; still useful as a historical bootstrap or for grants tables. citeturn17search9

Foundation tech stack and where ORB fits

Foundations tend to run a small “back office” stack: grants management + accounting + document storage + outsourced experts. The grants-management layer is especially standardized, and vendor ecosystems can become proxy indicators for maturity.

image_group{“layout”:“carousel”,“aspect_ratio”:“16:9”,“query”:[“Form 990-PF example page”,“Foundant Grant Lifecycle Manager screenshot”,“Fluxx grants management dashboard”,“Foundation Source Impactfully Select platform”],“num_per_query”:1}

Grants management software commonly marketed “for foundations”

Examples with explicit foundation positioning include:

  • entity[“company”,“Foundant Technologies”,“grants management software company”] Grant Lifecycle Manager (GLM) emphasizes foundation use cases and features like compliance monitoring and integrations including QuickBooks Online and SSO. citeturn44search0
  • entity[“company”,“GivingData”,“grant management software company”] positions its product for private/family/independent foundations and notes ecosystem alignment with Foundant + SmartSimple. citeturn44search2
  • entity[“company”,“SmartSimple”,“grant management software company”] markets SmartSimple Cloud as configurable grants management for many grantmaker types. citeturn44search8
  • entity[“company”,“Fluxx”,“grants management software company”] positions itself as a grants management solution for foundations (among others). citeturn44search5turn44search12
  • entity[“company”,“Submittable”,“submission management software company”] markets grant management software explicitly for foundations and cites scale metrics (programs supported / funds managed). citeturn44search3

Why this matters to your targeting: if a foundation runs a modern GMS, they likely:

  • accept online applications (data intake risk),
  • store attachments/W-9s/bank details (PII/financial info),
  • and have operational workflows ORB can validate (access, retention, backup/restore).

Foundation Source: dominant platform + where the cybersecurity gap may be

entity[“company”,“Foundation Source”,“private foundation management provider”] positions itself as a large provider of foundation management solutions and has launched software + services aimed at “private foundation operations.” citeturn44search6turn40search0

Two specific signals relevant to your competitive framing:

  • Foundation Source has promoted “monitoring and detection tools” for website security incidents as part of a managed website services offering. Confidence: High the website service includes security monitoring; Medium for claiming it covers broader operational resilience beyond the website scope.
  • Foundation Source claims scale: “support more than 4,000 charitable organizations” and administer “more than $22 billion in foundation assets” (July 2024 press release). Confidence: Medium (self-reported marketing claim, but still useful for positioning your “not crowded” thesis).

Actionable positioning: Don’t compete with Foundation Source as “the foundation admin platform.” Position ORB as vendor-neutral operational assurance, validating backups/restore, identity controls, device security, and incident readiness across whatever stack they use (including Foundation Source + CPA + cloud storage + GMS).

Colorado starter target list and outbound messaging

What I can deliver as a verified Colorado starter list today

Below are Colorado private foundations surfaced in the public Cause IQ Colorado directory view captured in this research session. It includes EIN, assets, employees, and (where provided) city.

Important limitation: In the captured list view, only one foundation clearly falls inside the 50M assets band. The rest skew much larger (still viable, but not your “underserved midsize” hypothesis). I’m including them anyway because they are specific, findable, and immediately usable as an outbound “phase 1” list while your automated pipeline produces the full 50M Colorado set.

Prioritized outreach angle tailored to foundation leadership

Use language that matches their world:

  • “operational assurance” and “fiduciary stewardship” rather than “IT project”
  • “verification” (restore tests, access reviews, tabletop exercises) rather than “assessment theater”
  • “protect grantee/vendor banking info and tax documents” rather than generic “cybersecurity”

Avoid:

  • “zero trust transformation,” “SIEM,” “SOC” unless they ask
  • fear-first ransomware stats
  • implying negligence

A high-performing opener for an ED / foundation director:

Subject: Quick question about backup restore testing for [Foundation Name]

Hi [Name] — I work with small-to-midsize private foundations on operational resilience: verifying backups actually restore, tightening access to sensitive documents, and building a pragmatic incident plan that’s board-friendly.

Many foundations outsource tax/audit/investment work, but the “day-to-day data plumbing” (grant docs, W-9s, ACH info, board packets) often lives across a few cloud tools with unclear restore and access assumptions.

Would it be unreasonable to ask: when was the last time your team did a real restore test (not just “backup successful”) for your core document system? If it’s been >12 months, I can share a short checklist we use in our 10-day ORB process.

— Dmitri

That message is consistent with how frequently foundations already use consultants and outsource specialized services.

Colorado prospect CSV

foundation_name,city,state,EIN,assets_usd,employees,source,fit_5m_to_50m_assets,confidence_assets,confidence_employees,notes
Sabrina Merage Foundation,Englewood,CO,26-0601805,15500000,0,CauseIQ,YES,Medium,Medium,"In-range target; no employees listed; likely outsourced ops"
Gates Family Foundation (GFF),,CO,84-0474837,430900000,12,CauseIQ,NO,Medium,Medium,"Out-of-range (very large); still could buy ORB but likely more mature"
The Colorado Health Foundation,,CO,74-2568941,2800000000,66,CauseIQ,NO,Medium,Medium,"Out-of-range; large staffed foundation"
David and Laura Merage Foundation,,CO,45-0493925,69600000,0,CauseIQ,NO,Medium,Medium,"Slightly above range; may still behave like mid-size depending on staffing"
Find Us Faithful Foundation,Parker,CO,20-5632085,86300000,0,CauseIQ,NO,Medium,Medium,"Above range; no employees listed"
Adolph Coors Foundation,,CO,51-0172279,206600000,0,CauseIQ,NO,Medium,Medium,"Large; no employees listed"
Buell Foundation,,CO,84-6037604,440300000,19,CauseIQ,NO,Medium,Medium,"Large; staffed"
National Endowment for Financial Education (NEFE),,CO,84-0632115,149500000,27,CauseIQ,NO,Medium,Medium,"Large; staffed"
Margulf Foundation,,CO,13-2927245,249600000,4,CauseIQ,NO,Medium,Medium,"Large; small staff count listed"
The Ryan Foundation,Greenwood Village,CO,36-3755606,1400000000,0,CauseIQ,NO,Medium,Medium,"Very large assets; no employees listed"
NextFifty Initiative,,CO,26-2700185,263800000,6,CauseIQ,NO,Medium,Medium,"Large; small staff count listed"
Daniels Fund,,CO,84-1393308,1300000000,42,CauseIQ,NO,Medium,Medium,"Very large; staffed"
Anschutz Foundation,,CO,74-2316617,1600000000,12,CauseIQ,NO,Medium,Medium,"Very large; staffed"
Boettcher Foundation,,CO,84-0404274,279000000,13,CauseIQ,NO,Medium,Medium,"Large; staffed"
The Colorado Trust,,CO,84-0994055,531400000,42,CauseIQ,NO,Medium,Medium,"Large; staffed"
Schlessman Foundation,,CO,84-6030309,84400000,1,CauseIQ,NO,Medium,Medium,"Above range; small staff count listed"
Bohemian Foundation,,CO,84-1605993,187800000,17,CauseIQ,NO,Medium,Medium,"Large; staffed"
El Pomar Foundation,Colorado Springs,CO,84-6002373,447600000,39,CauseIQ,NO,Medium,Medium,"Large; staffed; specific city provided"
Brothers Brook Foundation,New Canaan,CT,46-1509070,90900000,1,CauseIQ,NO,Medium,Medium,"Not Colorado-located; included in the directory view captured"
Louis Calder Foundation,,NY,13-6015562,194200000,7,CauseIQ,NO,Medium,Medium,"Not Colorado-located; included in the directory view captured"

How to turn this into the 20–30 midsize Colorado list you actually want (free + repeatable):

  • Use the ProPublica /organizations/:ein.json endpoint to pull totassetsend + formtype==2 for a larger set of Colorado foundations and filter to 50M.
  • Use EO-BMF fields (returned with org objects + downloadable from IRS) to filter active status codes once mapped.

Additional CRM entities doc

entity_name,category,why_it_matters,reference
ProPublica,Data source,"Free API to pull 990-PF filings, assets, and filing history by EIN; core for automated pipeline","https://projects.propublica.org/nonprofits/api/"
Internal Revenue Service (IRS),Data source,"Official public disclosure datasets (TEOS bulk, EO-BMF), 990-PF instructions and lifecycle guidance","https://www.stayexempt.irs.gov/charities-non-profits/public-disclosure-datasets-and-downloads"
Exponent Philanthropy,Association,"Publishes foundation operations research; consultant usage stats support your outbound positioning","https://exponentphilanthropy.org/"
Philanthropy Colorado,Association,"State philanthropy ecosystem org; useful for credibility and partnership adjacency in Colorado","https://www.philanthropycolorado.org/"
Cause IQ,Data source,"Fast directory for state-level foundation lists with EIN/assets/employees; good for quick sourcing","https://www.causeiq.com/"
Foundation Source,Vendor,"Dominant foundation management platform/provider; good to map gaps (website security vs broader ops resilience)","https://foundationsource.com/"
Foundant Technologies,Vendor,"Grant management software used by foundations; signals a modern tech stack and data intake risk surface","https://foundant.com/"
GivingData,Vendor,"Foundation-oriented grants management platform; can be an integration / risk surface indicator","https://www.givingdata.com/"
SmartSimple,Vendor,"Configurable grantmaking platform; indicates workflow complexity and permission sprawl risks","https://www.smartsimple.com/"
Fluxx,Vendor,"Grants management platform used by foundations; another common system-of-record for intake + documents","https://www.fluxx.io/"
Submittable,Vendor,"Often used for application intake/review; creates document + PII handling workflows worth auditing","https://www.submittable.com/"
GTIA,Grant program,"Example of tech-oriented grant program; can support AI/tech readiness positioning for nonprofit ecosystem work","https://gtia.org/giving/grants"
Northern Trust,Wealth/finance partner,"Illustrates advisor ecosystem partnering with Foundation Source; similar partners can be channel targets","https://foundationsource.com/"

ProPublica Nonprofit Explorer API (docs): https://projects.propublica.org/nonprofits/api/
IRS public disclosure datasets landing page: https://www.stayexempt.irs.gov/charities-non-profits/public-disclosure-datasets-and-downloads
IRS TEOS bulk downloads: https://www.irs.gov/charities-non-profits/tax-exempt-organization-search-bulk-data-downloads
IRS “listing of states to which foundation reports”: https://www.irs.gov/charities-non-profits/private-foundations/listing-of-states-to-which-foundation-reports
IRS instructions for Form 990-PF: https://www.irs.gov/instructions/i990pf
Cause IQ – U.S. private foundations directory: https://www.causeiq.com/directory/private-foundations-list/
Cause IQ – Colorado private foundations directory: https://www.causeiq.com/directory/private-foundations-list/colorado-state/

Confidence rubric used in this report

  • High: primary source (IRS) or direct citation of a sector research report excerpt.
  • Medium: large-scale aggregation widely used in practice (Cause IQ), or strong inference from sourced operational facts.
  • Low: older datasets (e.g., last updated 2019) or claims not directly verifiable from primary documentation in this session.