Targeting U.S. Private Foundations for Cybersecurity and Operational Resilience Outreach

Executive summary

Solanasis’s thesis (private foundations hold wealth-management-grade sensitive data but often operate with lean staff and lightweight IT) is directionally supported by (a) the scale of the private-foundation filing universe (Form 990-PF filers are a six‑figure population), (b) strong evidence that a large segment of grantmakers intentionally operate with “few or no staff,” and (c) the fact that Colorado (and neighboring states) impose “reasonable security” and fast breach-notification obligations on any “covered entity” that holds residents’ personal identifying information, obligations that do not depend on being a regulated financial institution.

Two practical constraints matter for your outbound motion:

  1. Exact counts of “private foundations with $5M–$50M in assets” aren’t reliably available as a single pre-filtered public table; the clean way is to compute them from IRS bulk sources (TEOS XML + EO-BMF, or the IRS “Annual Extract” 990-PF summary files).
  2. You can build a fully automated pipeline that produces foundation name, EIN, address, latest filing date, assets, revenues, officer names/compensation fields, and a “sales-ready” shortlist, then enriches each row with website and email addresses from the return XML and/or web lookups. The IRS bulk datasets are explicitly updated monthly for 990-series XML.

To support immediate outbound, this report provides:

  • A repeatable, programmatic method to compute the national and state counts across the exact asset bands you specified (with scripts and concrete dataset paths).
  • A tool-by-tool breakdown of free sources and how to filter for: private foundations, $5M–$50M in assets, state, active status, and filed in the last 2 years (or the closest defensible proxy).
  • A Colorado starter prospect list (20+ targets) in your asset band, with “why this is a fit” signals and confidence ratings, plus CRM-ready CSVs.

Confidence legend used throughout:
High = directly supported by primary/official sources (IRS, state AG/statute) or directly from the cited profiles.
Medium = supported by reputable sector sources but may be sample-based or not specific to your exact asset band.
Low = plausible inference or requires computation you’ll run from bulk files to confirm.

Private foundation landscape and affordability

How big is the private-foundation universe?

The IRS’s current Form 990 instructions include a table of projected return volumes that lists Form 990-PF separately from Form 990 and 990‑EZ (projected 134,000 Form 990‑PF returns). This is a strong order-of-magnitude anchor for the number of filing entities you’re fishing in, even though it is a filing-volume projection rather than a deduplicated count of distinct foundations. Confidence: High.

Counts by assets and by state in your requested bands

You asked for exact counts of private foundations with total assets in:

  • $5M–$10M
  • $10M–$25M
  • $25M–$50M

…and to break those out nationally and for Colorado plus neighboring states (Wyoming, New Mexico, Kansas, Nebraska, Utah).

In this session, the most reliable way to produce exact counts is to compute them from IRS bulk sources (scripts provided in the next section). “One-click” public pages generally do not publish those bins pre-aggregated in a trustworthy, current way.

Two computation routes are worth knowing:

  • Route A (fastest for asset binning; weaker on “last 2 years”): the IRS “Annual Extract of Tax‑Exempt Organization Financial Data” for 990‑PF provides expanded financial data by calendar year of filing, explicitly including 990‑PF, and is designed for programmatic analysis. Confidence: High.
    Limitation: the annual extract is organized by calendar year and may lag your “last 2 years” requirement depending on which years are posted. TEOS XML, in contrast, is posted monthly and is best for strict recency.

  • Route B (best for “filed in last 2 years”; heavier compute): IRS TEOS Form 990 Series (XML) bulk downloads, which are updated monthly, include an index with filing type, EIN, tax period, and submission date, and the XML contains the return financials (including assets) and officer names. Confidence: High.

Typical staffing and IT realities for your target band

While there is no single public table that says “$5M–$50M foundations have X staff,” multiple sector sources support the operational pattern you’re targeting:

  • entity[“organization”,“Exponent Philanthropy”,“lean funders association”] explicitly defines its core constituency as “lean funders (those who practice philanthropy with few or no staff)”. Confidence: High that “few/no staff” is a major segment. citeturn19search0turn19search1turn19search2
  • Exponent’s member community even defines a “Very Small Funders” group as **less than 5M–$50M, but it supports the direction. citeturn19search5
  • A sector blog post associated with entity[“company”,“Blackbaud”,“nonprofit software company”] cites that 30% of leanly-staffed funders have no paid staff (this is not a primary dataset link in the excerpt, so treat as suggestive). Confidence: Medium. citeturn19search8
  • Family-foundation research (e.g., entity[“organization”,“National Center for Family Philanthropy”,“family philanthropy nonprofit”] materials) underscores that many family foundations run unstaffed or with very small teams and often “borrow” capacity from family offices—exactly where backup validation, access control, and vendor governance tends to be informal. Confidence: Medium. citeturn19search46

Implication for Solanasis positioning: your ORB is easiest to sell when it is framed as a board-grade risk reduction and operational assurance deliverable that doesn’t require them to “build an IT department.”

Compliance and “must-have controls” that apply to foundations

There is no IRS rule that directly says “990-PF filers must implement MFA” (the IRS focuses on tax reporting). But foundations in Colorado (and similarly in other states) face data security and breach response obligations if they hold personal identifying information.

In Colorado:

  • Any “covered entity” that owns, maintains, or licenses personal identifying information of a Colorado resident must implement reasonable security procedures and practices appropriate to the nature of the data and the size of the entity, and must also ensure that service providers maintain reasonable security (unless the covered entity retains primary responsibility and applies compensating controls). Confidence: High.
  • Breach notification must happen without unreasonable delay and no later than 30 days after determining that a breach occurred; notice to the Colorado Attorney General is required when 500 or more Colorado residents are affected. Confidence: High.
  • The Colorado Attorney General also publishes practical FAQ guidance that restates the statutory timelines and notification thresholds. Confidence: High.

On consumer privacy law applicability:

  • The Colorado Privacy Act (CPA) can apply to nonprofits if they meet its data-volume or data-sale thresholds, per the AG’s CPA resource page and the CPA’s applicability statute. Many private foundations likely do not process data at the 100,000-consumer scale, but the “nonprofits are covered” point is important for messaging about governance and practices. Confidence: High (coverage), Medium (whether typical foundations meet the thresholds).

Actionable compliance takeaway for outreach: Foundations may not have a named cybersecurity regulation, but they do have:

  • an obligation to implement “reasonable security” (and vendor security governance), and
  • an obligation to respond quickly and correctly to breaches, both of which map well to ORB deliverables (backup restore verification, incident readiness, and vendor access review).

Free data sources and automated pipeline design


The short list of primary free sources

IRS TEOS Bulk Data Downloads (official)

  • Provides monthly-updated bulk datasets, including Form 990 series filings in XML, Publication 78 data, and the automatic revocation list. Confidence: High.

IRS Form 990 series downloads (official)

  • Provides year/month-organized bulk XML packages and index files (e.g., 2025 and 2026 ZIP packages). Confidence: High.

IRS Exempt Organizations Business Master File Extract (EO‑BMF) (official)

  • The “cumulative” profile file with organization names, addresses, and codes; downloadable as CSV by state. Confidence: High.

ProPublica Nonprofit Explorer API and site (free)

  • Offers a documented API with an organization-search endpoint and an organization endpoint that returns filings with extracted financial fields, including totassetsend (total assets, end of year) and similar aliases. Confidence: High.

IRS Annual Extract of Tax‑Exempt Organization Financial Data (official)

  • Offers expanded financial data on 990, 990‑EZ, and 990‑PF by filing year; ideal for computing asset bands quickly (when you’re okay tying recency to posting year). Confidence: High.

Open data projects (free, community-maintained)

  • entity[“organization”,“Nonprofit Open Data Collective”,“open nonprofit data community”] offers open projects around IRS data and has been involved in packaging IRS 990 data; community-maintained resources can accelerate database construction but may lag current IRS updates and may not include 990‑PF in some builds. Confidence: Medium. citeturn26search9turn6search2

Tool-by-tool filterability for your exact criteria

Your desired filters:

  • Private foundations (exclude public charities and donor-advised-fund sponsors)
  • Total assets $5M–$50M
  • Located in Colorado or specific neighboring states
  • Currently active (not dissolved/revoked)
  • Filed a 990‑PF in the last 2 years

ProPublica Nonprofit Explorer (free UI + free API)

  • API endpoints (documented): /search.json (organization search) and /organizations/:ein.json (organization profile + filings).
  • Built-in search filters in the API: state[id], ntee[id], and c_code[id] (e.g., 501(c)(3)).
  • Limitation: the API’s /search.json returns only Organization objects (no financial data), by design; you must iterate EINs and filter on filings. Confidence: High.

How to filter your criteria using ProPublica API (exact parameters + examples):

# 1) Find organizations in Colorado (state filter) with “foundation” in name/city
curl "https://projects.propublica.org/nonprofits/api/v2/search.json?q=foundation&state%5Bid%5D=CO&page=0"
 
# 2) Fetch full record for a specific EIN (returns filings_with_data and filings_without_data)
curl "https://projects.propublica.org/nonprofits/api/v2/organizations/843716204.json"

Key logic you implement client-side:

  • Private foundation: keep only filings whose formtype denotes Form 990‑PF (ProPublica encodes the form as an integer code on filing objects, with 990‑PF as its own code; confirm the code values against the current API documentation rather than matching on the string "990PF"), or where the extracted filing data otherwise indicates PF.
  • Assets filter: use totassetsend from the latest filing.
  • Filed in last 2 years: filter by tax_prd/tax_prd_yr (tax period end, YYYYMM), and/or use the “Filed on” date shown next to the PDF/XML on ProPublica’s web profile pages (a best-effort proxy if you’re not parsing the IRS TEOS index).
  • Active: cross-check with the IRS auto-revocation list (see IRS TEOS) rather than trusting ProPublica alone for “active.”
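The client-side logic above, implemented as an added example (not ProPublica’s code and not part of the original report). It assumes the v2 organization response shape (a top-level organization object plus filings_with_data), that formtype is an integer code with 2 denoting 990‑PF (verify this against the current API docs), and that tax_prd is YYYYMM. The records are constructed for the example, not real filing data:

```python
"""Client-side qualification of ProPublica Nonprofit Explorer organization records."""
from __future__ import annotations
from datetime import date

FORMTYPE_990PF = 2            # assumption: ProPublica's integer form code for 990-PF
ASSET_LO, ASSET_HI = 5_000_000, 50_000_000   # the $5M-$50M target band
PROFILE_URL = "https://projects.propublica.org/nonprofits/organizations/{ein}"


def tax_period_end(tax_prd: int) -> date:
    """tax_prd is YYYYMM (period-end month); use day 1 of that month as the anchor."""
    return date(tax_prd // 100, tax_prd % 100, 1)


def qualify(record: dict, today: date, max_age_days: int = 730) -> dict | None:
    """Apply the page's filters to one /organizations/:ein.json record.

    Returns a CRM-ready row, or None when the org is not a 990-PF filer, its
    latest 990-PF is older than the window, or assets fall outside the band.
    """
    org = record.get("organization") or {}
    pf = [f for f in (record.get("filings_with_data") or [])
          if f.get("formtype") == FORMTYPE_990PF and isinstance(f.get("tax_prd"), int)]
    if not pf:
        return None                       # public charity / 990-EZ filer / no extracted data
    latest = max(pf, key=lambda f: f["tax_prd"])
    if (today - tax_period_end(latest["tax_prd"])).days > max_age_days:
        return None                       # stale: last 990-PF outside the 2-year window
    assets = latest.get("totassetsend")
    if not isinstance(assets, (int, float)) or not (ASSET_LO <= assets < ASSET_HI):
        return None                       # missing or out-of-band assets
    return {
        "ein": org.get("ein"), "name": org.get("name"), "state": org.get("state"),
        "tax_prd": latest["tax_prd"], "total_assets": assets,
        "total_revenue": latest.get("totrevenue"),
        "total_expenses": latest.get("totfuncexpns"),
        "source_url": PROFILE_URL.format(ein=org.get("ein")),
    }


def shortlist(records: list[dict], today: date) -> list[dict]:
    """Run qualify() over many records (one per EIN) and keep the hits."""
    return [row for row in (qualify(r, today) for r in records) if row]


# ---- constructed sample records (shape only; every value is made up) ----
def _rec(ein, name, filings):
    return {"organization": {"ein": ein, "name": name, "state": "CO"},
            "filings_with_data": filings}

PF_IN_BAND = _rec(123456789, "Example Family Foundation", [
    {"tax_prd": 202212, "formtype": 2, "totassetsend": 8_100_000, "totrevenue": 400_000, "totfuncexpns": 350_000},
    {"tax_prd": 202312, "formtype": 2, "totassetsend": 9_250_000, "totrevenue": 520_000, "totfuncexpns": 410_000},
])
PUBLIC_CHARITY = _rec(123456790, "Example Community Fund", [
    {"tax_prd": 202312, "formtype": 0, "totassetsend": 12_000_000},      # Form 990, not 990-PF
])
STALE_PF = _rec(123456791, "Dormant Example Foundation", [
    {"tax_prd": 201912, "formtype": 2, "totassetsend": 12_000_000},      # last 990-PF too old
])
TOO_BIG_PF = _rec(123456792, "Large Example Foundation", [
    {"tax_prd": 202312, "formtype": 2, "totassetsend": 120_000_000},     # above the band
])
TODAY = date(2024, 11, 1)

if __name__ == "__main__":
    for row in shortlist([PF_IN_BAND, PUBLIC_CHARITY, STALE_PF, TOO_BIG_PF], TODAY):
        print(row)
```

With the sample records only the first organization survives: the public charity is dropped on formtype, the dormant foundation on recency, and the large one on assets. Swap the constructed records for the JSON returned by curl and the same function produces the shortlist rows.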

IRS TEOS bulk data downloads (free, official)

  • TEOS provides bulk datasets including Form 990 series filings (XML) and a separate Automatic Revocation of Exemption List; the datasets are updated monthly.
  • For bulk 990 XML, the index provides the key join fields: Return ID, Filing Type, EIN, Tax Period, Submission Date, Taxpayer Name, DLN, and Object ID.

How to filter your criteria using IRS TEOS (recommended “gold standard” for recency):

  1. Download the 2025 and 2026 TEOS XML ZIP packages (index included).
  2. Parse the TEOS index CSVs; filter to filing type = 990‑PF and submission dates within the last 2 years.
  3. Extract only the XML returns referenced by Object ID; parse total assets (end of year) from the XML.
  4. Join to EO‑BMF for state/address and org status codes; exclude EINs appearing in the automatic revocation dataset (or treat them separately).

IRS EO-BMF (free, official)

  • Downloadable by state, provides organization-level profile data and codes; it is explicitly designed to be merged with filing data using EIN.
  • For “active”: the BMF is “cumulative” and reflects the most recent info; use the auto-revocation list for stricter filtering.

Candid/GuideStar and Foundation Directory (mixed free + paid)

  • entity[“organization”,“Candid”,“nonprofit data organization”] provides search and directory products; Foundation Directory access is not fully free online, but Candid notes ways to access it free via partner locations/programs. Confidence: High (availability), Medium (exact free feature parity varies). citeturn6search4
  • entity[“organization”,“Foundation Directory”,“foundation database”] pricing is published for “Essential” and “Professional” tiers. Confidence: High. citeturn8search3turn8search4
  • In practice for outbound list-building, the paid tiers are optimized precisely for “find a list of foundations by assets, location, giving, and staff,” but you asked for free-first, so the IRS+ProPublica approach is the core.

Cause IQ (mixed free + paid)

  • entity[“organization”,“Cause IQ”,“nonprofit database”] promotes a free trial and paid tiers; it is useful for quick directory browsing and filtering, but it is not an official source of record and the free tier constraints can change. Confidence: Medium. citeturn6search0

What 990‑PF fields are most useful for qualifying prospects?

For a private foundation, the most actionable qualifiers tend to be: assets, spending/distributions, and admin profile. The IRS’s official 990‑PF instructions describe the major parts and sections tied to governance, distributions, and required completion.

Practical “sales qualifiers” you can extract from 990‑PF / XML + indices:

  • Total assets (end of year): use as your first affordability filter (your $5M–$50M target band). ProPublica exposes totassetsend as a convenience alias.
  • Total revenue / expenses: volatility can signal operational complexity and investment activity. ProPublica exposes totrevenue and totfuncexpns.
  • Qualifying distributions / payout pressure: 990‑PF Part XI and Part XII mechanics drive a foundation’s need to plan and document distributions. Confidence: High.
  • Officer/trustee information: 990‑PF includes a section for officers/directors/trustees/foundation managers and contractors; this is where you often find the controlling “operator” for small foundations (even when there is no formal ED). Confidence: High.
  • Indirect “consultant budget” proxies: in practice, professional fees and contractor payments are strong signals; your best programmatic approach is to parse the XML for expense categories and check whether the foundation pays third-party service providers (accounting, legal, admin, outsourced grant management, investment fees). The exact data elements depend on the XML schema version and which lines the filer completed.

A concrete, automated pipeline you can run

Below is a scalable design that produces:

  • exact counts (national and per-state),
  • and a prioritized prospect list,
  • with “last two years filed” fidelity.

flowchart LR
  A[IRS TEOS 990 XML Zip Indexes<br/>(2025-2026)] --> B[Filter index rows<br/>FilingType=990PF<br/>SubmissionDate within 24 months]
  B --> C[Extract matching XML returns<br/>by ObjectID]
  C --> D[Parse return XML<br/>TotAssetsEOY, TotRevenue, etc.<br/>Officers/Trustees]
  E[IRS EO-BMF state files<br/>(CO, WY, NM, KS, NE, UT)] --> F[Join on EIN<br/>Name/Address/State/Codes]
  D --> F
  G[IRS Auto-Revocation list] --> H[Exclude revoked EINs<br/>(or flag)]
  F --> H
  H --> I[Asset band binning<br/>$5-10M / $10-25M / $25-50M]
  I --> J[Counts by state + national]
  I --> K[Prospect scoring + CSV export]
  K --> L[Enrichment layer<br/>website/email/domain tech hints]

Why this pipeline is “primary-source aligned”:

  • TEOS bulk data is official, monthly updated, and includes Form 990 series filings in XML.
  • The TEOS FAQ documents how the index links filing type + EIN + Object ID to the return XML.
  • EO‑BMF supplies reliable organization names/addresses and is explicitly downloadable by state.

Turnkey code skeletons to compute the counts you requested

Python (TEOS “last 2 years” method)

from __future__ import annotations
import csv, io, zipfile, requests
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from collections import defaultdict

# ---- CONFIG ----
YEARS = ["2025", "2026"]  # adjust as needed
STATE_FILES = ["CO", "WY", "NM", "KS", "NE", "UT"]
ASSET_BINS = [(5_000_000, 10_000_000), (10_000_000, 25_000_000), (25_000_000, 50_000_000)]
# naive UTC so it compares cleanly with the naive datetimes strptime() returns below
CUTOFF = datetime.now(timezone.utc).replace(tzinfo=None) - timedelta(days=365 * 2)

# Example IRS TEOS XML packages (see IRS Form 990 series downloads page for the current list)
# https://apps.irs.gov/pub/epostcard/990/xml/2026/2026_TEOS_XML_01A.zip (etc.)

def download(url: str, out_path: str) -> None:
    # Packages are large: stream to disk instead of holding the whole ZIP in memory.
    with requests.get(url, timeout=120, stream=True) as r:
        r.raise_for_status()
        with open(out_path, "wb") as f:
            for chunk in r.iter_content(chunk_size=1 << 20):
                f.write(chunk)

def parse_teos_index(index_csv_bytes: bytes) -> list[tuple[str, str]]:
    """
    TEOS FAQ: the index includes Filing Type, EIN, Tax Period, Submission Date, Object ID, etc.
    Published index CSVs use upper-case headers (EIN, SUB_DATE, OBJECT_ID); the form code
    (990PF/990/990EZ) has been carried in RETURN_TYPE with FILING_TYPE holding the e-file flag,
    so both columns are checked. Keeps rows with a 990-PF form and a submission date >= CUTOFF.
    """
    rows = []
    text = index_csv_bytes.decode("utf-8", errors="replace")
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        form_codes = {(row.get(k) or "").strip().upper()
                      for k in ("RETURN_TYPE", "FilingType", "FILING_TYPE")}
        if not form_codes & {"990PF", "990-PF"}:
            continue
        sub_date_str = row.get("SubmissionDate") or row.get("SUBMISSION_DATE") or row.get("SUB_DATE")
        if not sub_date_str:
            continue
        # common formats: YYYY-MM-DD, MM/DD/YYYY (sometimes followed by a time), YYYYMMDD
        sub_date = None
        for fmt in ("%Y-%m-%d", "%m/%d/%Y", "%Y%m%d"):
            try:
                sub_date = datetime.strptime(sub_date_str.split(" ")[0], fmt)
                break
            except ValueError:
                pass
        if not sub_date or sub_date < CUTOFF:
            continue

        ein = (row.get("EIN") or "").strip()
        obj_id = (row.get("ObjectId") or row.get("OBJECT_ID") or "").strip()
        if ein and obj_id:
            rows.append((ein, obj_id))
    return rows

def read_return_xml(zip_path: str, obj_id: str) -> bytes | None:
    """Pull one return out of a TEOS package; member names carry the Object ID (e.g. <ObjectId>_public.xml)."""
    with zipfile.ZipFile(zip_path) as z:
        for name in z.namelist():
            if obj_id in name and name.lower().endswith(".xml"):
                return z.read(name)
    return None

def parse_assets_from_990pf_xml(xml_bytes: bytes) -> int | None:
    """
    Map the XML element for Total Assets (EOY). TotAssetsEOYAmt is the element name assumed
    here for the IRS990PF schema; confirm it against the schema version you are parsing.
    Matching on the local name keeps the e-file namespace out of the way.
    """
    root = ET.fromstring(xml_bytes)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "TotAssetsEOYAmt" and el.text:
            return int(el.text.strip())
    return None

def load_bmf_state_map(bmf_csv_text: str) -> dict[str, str]:
    """EO-BMF state CSVs carry EIN and STATE columns (plus FOUNDATION/STATUS codes); map EIN -> state."""
    reader = csv.DictReader(io.StringIO(bmf_csv_text))
    return {r["EIN"].strip(): r["STATE"].strip() for r in reader if r.get("EIN")}

def bin_label(a: int) -> str | None:
    for lo, hi in ASSET_BINS:
        if lo <= a < hi:
            return f"{lo/1e6:.0f}-{hi/1e6:.0f}M"
    return None

# ---- OUTPUT COUNTS ----
def count_by_state_and_bin(records, ein_to_state: dict[str, str], revoked=frozenset()):
    """
    records: iterable of (ein, assets) built from the filtered index + parsed XML (national scope).
    Returns counts[state][bin_label]; "US" is the national total, the per-state rows cover STATE_FILES
    (so loading only the six EO-BMF state files is enough). EINs on the IRS auto-revocation list are
    dropped; pass an empty set to keep them and flag them downstream instead.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ein, assets in records:
        label = bin_label(assets) if assets is not None else None
        if label is None or ein in revoked:
            continue
        counts["US"][label] += 1
        state = ein_to_state.get(ein)
        if state in STATE_FILES:
            counts[state][label] += 1
    return counts

What you still need to fill in (explicit assumptions):

  • The exact XML tag/path used for “total assets, end of year” for 990‑PF in the TEOS schema version you’re parsing (the IRS publishes the TEOS schemas and annotated forms).
  • Your definition of “active”: recommended = exclude EINs listed in the IRS auto-revocation dataset; optionally also exclude terminated/dissolved entities using state corporate registries (enrichment step).
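The XML side of the pipeline, worked on a constructed return fragment (an added example, not IRS code and not the report’s own script). It pulls the qualifiers listed earlier (EIN, tax period, total assets EOY, officers/trustees with compensation, and professional-fee lines) while ignoring the e-file namespace and any schema-version prefix by matching on local element names. The element names used (TotAssetsEOYAmt, OfficerDirTrstKeyEmplGrp, PersonNm, TitleTxt, CompensationAmt, the three *FeesRevAndExpnssAmt lines) are assumptions to be confirmed against the schema version behind the returns you download, and the XML itself is a made-up fragment, not a real filing:

```python
"""Extract sales qualifiers from one Form 990-PF e-file return (TEOS XML)."""
from __future__ import annotations
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree attaches to every tag."""
    return tag.rsplit("}", 1)[-1]


def _first_text(node: ET.Element, local_name: str) -> str | None:
    """First element (document order) with this local name; returns its stripped text."""
    for el in node.iter():
        if _local(el.tag) == local_name and el.text and el.text.strip():
            return el.text.strip()
    return None


def _int(node: ET.Element, local_name: str) -> int | None:
    text = _first_text(node, local_name)
    return int(text) if text is not None else None


# Assumed element names (confirm against your schema version).
FEE_LINES = ("LegalFeesRevAndExpnssAmt", "AccountingFeesRevAndExpnssAmt",
             "OtherProfFeesRevAndExpnssAmt")


def parse_990pf(xml_bytes: bytes) -> dict:
    """Return the qualifiers the report lists: assets, fee lines, officers/trustees."""
    root = ET.fromstring(xml_bytes)
    officers = []
    for grp in root.iter():
        if _local(grp.tag) != "OfficerDirTrstKeyEmplGrp":
            continue
        officers.append({
            "name": _first_text(grp, "PersonNm"),
            "title": _first_text(grp, "TitleTxt"),
            "compensation": _int(grp, "CompensationAmt") or 0,
        })
    fees = {line: (_int(root, line) or 0) for line in FEE_LINES}
    return {
        "ein": _first_text(root, "EIN"),
        "name": _first_text(root, "BusinessNameLine1Txt"),
        "tax_period_end": _first_text(root, "TaxPeriodEndDt"),
        "total_assets_eoy": _int(root, "TotAssetsEOYAmt"),
        "officers": officers,
        "paid_officers": sum(1 for o in officers if o["compensation"] > 0),
        "fees": fees,
        "professional_fees_total": sum(fees.values()),   # the "consultant budget" proxy
    }


# Constructed fragment: shape and values are invented for this example.
SAMPLE_RETURN = b"""<?xml version="1.0" encoding="UTF-8"?>
<Return xmlns="http://www.irs.gov/efile">
  <ReturnHeader>
    <TaxPeriodEndDt>2023-12-31</TaxPeriodEndDt>
    <Filer>
      <EIN>123456789</EIN>
      <BusinessName><BusinessNameLine1Txt>EXAMPLE FAMILY FOUNDATION</BusinessNameLine1Txt></BusinessName>
    </Filer>
  </ReturnHeader>
  <ReturnData>
    <IRS990PF>
      <AnalysisOfRevenueAndExpenses>
        <LegalFeesRevAndExpnssAmt>12000</LegalFeesRevAndExpnssAmt>
        <AccountingFeesRevAndExpnssAmt>18500</AccountingFeesRevAndExpnssAmt>
        <OtherProfFeesRevAndExpnssAmt>64000</OtherProfFeesRevAndExpnssAmt>
      </AnalysisOfRevenueAndExpenses>
      <Form990PFBalanceSheetsGrp>
        <TotAssetsEOYAmt>9250000</TotAssetsEOYAmt>
      </Form990PFBalanceSheetsGrp>
      <OfficerDirTrstKeyEmplInfoGrp>
        <OfficerDirTrstKeyEmplGrp>
          <PersonNm>JANE EXAMPLE</PersonNm><TitleTxt>TRUSTEE</TitleTxt><CompensationAmt>0</CompensationAmt>
        </OfficerDirTrstKeyEmplGrp>
        <OfficerDirTrstKeyEmplGrp>
          <PersonNm>PAT SMITH</PersonNm><TitleTxt>EXECUTIVE DIRECTOR</TitleTxt><CompensationAmt>85000</CompensationAmt>
        </OfficerDirTrstKeyEmplGrp>
      </OfficerDirTrstKeyEmplInfoGrp>
    </IRS990PF>
  </ReturnData>
</Return>
"""

if __name__ == "__main__":
    print(parse_990pf(SAMPLE_RETURN))
```

Feeding it the bytes returned by the package reader in the skeleton above gives you, per return, the asset figure for binning, a paid-operator flag (any officer with non-zero compensation), and a professional-fees total to rank “already pays outside providers” prospects.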

Underserved segments and AI-ready grantmaking positioning

Finding “ignored by cybersecurity vendors” subsegments in the data

Because the IRS datasets don’t label “underserved,” the realistic approach is to create operational proxies that correlate with low cybersecurity maturity:

Family foundations (classic underserved target)
How to find:

  • Name pattern: *Family Foundation*, *Families*, etc.
  • Officer surnames matching the foundation name (strong signal of family governance).
  • Low compensation payouts + few/zero contractors versus assets (if you parse staffing/contractor sections).
    Why it’s underserved:
  • Family-foundation research emphasizes long periods with no dedicated staff and capacity borrowed from family businesses/offices.
    Confidence: Medium (pattern), High (data-driven detectability once parsed).

Community foundations (more sophisticated, but sometimes easier access)
Note: Many community foundations are public charities (often file Form 990 rather than 990‑PF). The “ignored” angle is weaker—but they have peer networks, and some may welcome a “resilience baseline” as an operational quality signal.
Where they gather: Philanthropy Colorado runs a Community Foundation CEO network for peer exchange.
Confidence: Medium.

Corporate foundations (can buy independently, but procurement can be tricky)
Detection:

  • NTEE category and/or “Corporate Foundations” labels (seen on some profiles).
    Caution:
  • Buyers may be inside corporate governance/procurement; your wedge is often “vendor risk + donor data + brand risk.”
    Confidence: Medium.

Health conversion foundations / health-related foundations
Rationale:

  • Often hold sensitive program data and community health partnerships; sometimes have more staff, but also higher expectations.
    Data clue:
  • Name includes “health foundation,” health NTEE categories, or significant grant distributions with health themes in descriptions.
    Confidence: Medium.

Religious foundations
Rationale:

  • Can be under-resourced; but donor privacy expectations can be very high.
    Data clue:
  • Religion-related NTEE categories; “foundation” + religious keyword patterns.
    Confidence: Medium.
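The segment proxies described above, implemented as an added example (not from the report’s sources) over constructed records. Inputs are the fields the pipeline already yields: foundation name, NTEE code from EO‑BMF, officer names from the 990‑PF, and compensation/contractor counts. The NTEE prefix mapping used here (E–H health, X religion, T21 corporate foundations) is the assumed common mapping and should be verified against the NTEE code list you load; the surname heuristic is deliberately simple (last token, or the part before a comma) and will misfire on suffixes like “Jr.”:

```python
"""Tag candidate foundations with underserved-segment proxies."""
from __future__ import annotations
import re

# Tokens that say nothing about who runs the foundation.
GENERIC = {"the", "family", "families", "foundation", "fund", "trust", "inc", "llc",
           "charitable", "memorial", "benevolent", "corporation", "and", "of", "for"}
RELIGIOUS_WORDS = r"\b(church|ministry|ministries|catholic|jewish|christian|lutheran|" \
                  r"baptist|methodist|islamic|temple|synagogue|religious|diocese)\b"
CORPORATE_WORDS = r"\b(corporate|corporation|company|companies)\b"


def name_tokens(name: str) -> set[str]:
    """Candidate surnames embedded in the foundation name (e.g. 'Okafor' in 'Okafor Family Foundation')."""
    return {t for t in re.findall(r"[a-z]+", name.lower()) if t not in GENERIC and len(t) > 2}


def surname(person: str) -> str:
    """'ADA OKAFOR' -> 'okafor'; 'OKAFOR, ADA' -> 'okafor'."""
    person = person.strip()
    return (person.split(",")[0] if "," in person else person.split()[-1]).lower()


def tag_segments(rec: dict) -> dict:
    """rec: {name, ntee, officers: [names], officer_comp_total, contractor_count}."""
    name = rec["name"]
    ntee = (rec.get("ntee") or "").upper()
    surnames = {surname(o) for o in rec.get("officers", []) if o and o.strip()}

    name_pattern = bool(re.search(r"\bfamil(y|ies)\b", name, re.I))
    surname_match = bool(name_tokens(name) & surnames)
    family_reasons = [r for r, hit in (("name_pattern", name_pattern),
                                       ("officer_surname_match", surname_match)) if hit]
    tags = {
        "family": bool(family_reasons),
        "family_reasons": family_reasons,
        "corporate": ntee.startswith("T21") or bool(re.search(CORPORATE_WORDS, name, re.I)),
        "health": (ntee[:1] in {"E", "F", "G", "H"}) or ("health" in name.lower()),
        "religious": ntee.startswith("X") or bool(re.search(RELIGIOUS_WORDS, name, re.I)),
        # "no paid people, no contractors" is the lean-ops proxy from the family-foundation section
        "lean_ops": rec.get("officer_comp_total", 0) == 0 and rec.get("contractor_count", 0) == 0,
    }
    tags["segments"] = [k for k in ("family", "corporate", "health", "religious") if tags[k]]
    return tags


# Constructed records: names, codes and officers are invented for the example.
SAMPLE_RECORDS = [
    {"name": "Okafor Family Foundation Inc", "ntee": "T22",
     "officers": ["ADA OKAFOR", "CHIDI OKAFOR"], "officer_comp_total": 0, "contractor_count": 0},
    {"name": "Doe Whitlock Foundation Trust", "ntee": "T20",
     "officers": ["WHITLOCK, ELLEN", "SAM NGUYEN"], "officer_comp_total": 0, "contractor_count": 1},
    {"name": "Acme Corporation Foundation", "ntee": "T21",
     "officers": ["PAT SMITH"], "officer_comp_total": 120_000, "contractor_count": 2},
    {"name": "Pikes Peak Health Foundation", "ntee": "E70",
     "officers": ["MARIA LOPEZ"], "officer_comp_total": 95_000, "contractor_count": 0},
    {"name": "St Mark Ministry Fund", "ntee": "X20", "officers": []},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["name"], "->", tag_segments(rec)["segments"])
```

The officer-surname match is the signal that survives name variations (“Doe Whitlock Foundation Trust” carries no “family” keyword but is tagged once a trustee shares the surname), which is why it is worth the extra parse of the 990‑PF officer section rather than relying on name patterns alone.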

AI + grants: what funders are doing and why it helps your pitch

The philanthropy sector’s AI posture is visibly shifting from “curiosity” to “governance and guardrails”:

  • entity[“organization”,“Council on Foundations”,“philanthropy membership organization”] runs programming explicitly framed as responsible AI adoption for foundations (including governance and ethical adoption, for foundations and their grantees). citeturn10search0turn10search1
  • entity[“organization”,“The Spencer Foundation”,“education research foundation”] publishes a policy on the use of generative AI spanning applicants, grantees, reviewers, staff, and contractors—showing that some funders are beginning to formalize AI governance within grantmaking processes. citeturn10search8
  • Other funders publish specific policies: entity[“organization”,“Fibrolamellar Cancer Foundation”,“cancer research foundation”] requires disclosure and sets confidentiality expectations around AI use in grant applications and reviews. citeturn10search5
  • entity[“organization”,“Wenner-Gren Foundation”,“anthropology foundation”] encourages disclosure and prohibits reviewers from using AI in ways that compromise confidentiality. citeturn10search10
  • entity[“organization”,“Foundation for Food & Agriculture Research”,“agriculture research foundation”] publishes a policy explicitly prohibiting AI tools in peer review to protect confidentiality and integrity. citeturn10search46

Actionable positioning for ORB (“AI-ready” wedge):
Offer an “AI-ready” addendum to ORB that produces:

  • a short AI use policy template (what data can/can’t enter AI tools; approved tools; retention rules),
  • a vendor/AI risk addendum for contractors,
  • and a board-ready statement aligning efficiency with confidentiality.

This aligns with the sector’s visible move toward “responsible experimentation” and “protecting data strategically,” including in programming targeted at lean funders.
Confidence: Medium (market receptivity), High (policies exist, conversation is real).

Grants and funding mechanisms that intersect with security readiness

While many cybersecurity grants target operating nonprofits (not foundations), foundations can still care because:

  • foundations themselves may be eligible for certain programs, and
  • foundations increasingly see security as part of operational excellence—especially for contractors and grantees.

A concrete example on the public funding side:

  • entity[“organization”,“Federal Emergency Management Agency”,“us emergency management agency”]’s Nonprofit Security Grant Program explicitly includes “physical/cybersecurity” enhancements and activities in its stated purpose and materials. citeturn11search5turn11search13
    Confidence: High (program exists), Medium (typical private foundations’ eligibility/use case varies).

Competitive landscape and differentiation

Who is marketing services to private foundations today?

Foundation administration / compliance platforms
entity[“company”,“Foundation Source”,“private foundation services provider”] positions itself as a large provider of outsourced services and online tools for private foundations and explicitly focuses on administration, compliance, and related tech-enabled services (including managed website services). citeturn12search6turn12search0
Gap to exploit: their messaging is not centered on cybersecurity controls, backup restore verification, disaster recovery drills, and vendor-access governance as a stand-alone productized assessment—the space your ORB fills.

Accounting and advisory firms that include “cybersecurity” as one bullet among many
Example: entity[“company”,“PKF O’Connor Davies”,“accounting firm”] markets private-foundation advisory services and lists “cybersecurity” among multiple advisory offerings. citeturn12search8
Gap to exploit: these providers are often audit/tax-led; your advantage is a fixed-scope, operational verification sprint (restores tested, MFA enforced, DR plan built) for lean operators.

Nonprofit-focused MSPs and IT providers
Many MSPs market to “nonprofits and foundations” generally (not “private foundations” specifically), bundling helpdesk + security controls. Examples include Ascend Technology Group and Ciprus Consulting, which explicitly mention nonprofits and sometimes foundations while emphasizing security and co-managed IT.
Gap to exploit: MSP offers often feel like managed operations; you can position ORB as vendor-neutral verification—especially for foundations already paying an MSP but unsure if backups restore or if incident response is real.

Channel reality: foundation peer spaces often prohibit solicitation

This matters operationally for your outreach plan. Exponent Philanthropy states a non-solicitation policy for its programs (explicitly not open to “solicitors” and not to be used for commercial sales pitches). Confidence: High.

So your most effective channel mix will be:

  • Direct outbound (email + LinkedIn) to trustees/ED/operators,
  • Partnership with accountants / foundation administrators (they can introduce you),
  • Educational content (non-solicitation compliant) that creates inbound intent.

Colorado target list and outreach execution

How the Colorado shortlist was built

Because this report prioritizes specific, findable organizations, the Colorado list is drawn from ProPublica Nonprofit Explorer organization profiles that show 990‑PF filings and end-of-year assets within (or very near) the $5M–$50M band. Profiles include EINs and locations and often include extracted financials and named officers. Confidence: High (source), Medium (for some rows where the 990‑PF confirmation requires opening the filing link).

Prioritization logic for outbound

Within your $5M–$50M band, prioritize foundations that have at least one of:

  • Evidence of a paid ED/administrator (higher likelihood of acting quickly),
  • Multi‑trustee/co‑trustee structures (coordination and access risks),
  • Meaningful annual revenue/expenses relative to assets (operational motion),
  • Recent filing dates (signals active operations).

Colorado foundations in the $5M–$50M band

Roster (targets represented in the CSV below):

  1. Aaron Rashti Family Foundation Inc (Greenwood Village, CO)
  2. Ball Foundation (Broomfield, CO)
  3. Brandon And Wendy Johnson Family Foundation (Denver, CO)
  4. Clay Mathematics Institute Inc (Denver, CO)
  5. Colorado Springs Osteopathic Foundation (Colorado Springs, CO)
  6. Colorado Health Institute (CO)
  7. Domanica Foundation (Lakewood, CO)
  8. Frederic C Hamilton Family Foundation (Greenwood Village, CO)
  9. Harmes C Fishback Foundation Trust (Englewood, CO)
  10. Harold W And Mary Louise Shaw Foundation (Colorado Springs, CO)
  11. Hill Foundation (CO)
  12. J F M Foundation (Denver, CO)
  13. Kenny Foundation Inc (Denver, CO)
  14. Maffei Foundation (Englewood, CO)
  15. Mary M Dower Benevolent Corporation (Englewood, CO)
  16. Precourt Foundation (Greenwood Village, CO)
  17. Rifkin Foundation (Denver, CO)
  18. Seay Foundation (Colorado Springs, CO)
  19. Sheila Fortune Foundation (CO)
  20. Solich Fund (CO)
  21. Sachs Foundation (Colorado Springs, CO)
  22. The Boedecker Foundation (CO)
  23. Tuchman Family Foundation (Greenwood Village, CO)
  24. Warburton Way Foundation (CO)
  25. W J D Foundation (Englewood, CO)

Note: some entries show only “CO” rather than a city because the city detail wasn’t visible in the extracted snippet available in this session; the CSV includes a source_url for verification and enrichment.

Prospect list CSV

foundation_name,ein,city,state,most_recent_year,total_assets_usd,annual_revenue_usd,annual_expenses_usd,notes_why_target,confidence,source_url
Brandon And Wendy Johnson Family Foundation,84-3716204,Denver,CO,2024,5636066,899707,587778,"In-band assets; explicitly a 990-PF filer; foundation-sized sensitive data + lean ops likely.",High,https://projects.propublica.org/nonprofits/organizations/843716204
Seay Foundation,43-6055549,Colorado Spgs,CO,2024,17616107,2275131,1732026,"In-band assets; classic private grantmaking foundation profile; likely lean governance.",High,https://projects.propublica.org/nonprofits/organizations/436055549
Colorado Springs Osteopathic Foundation,84-0488554,Colorado Spgs,CO,2025,9690000,878000,502000,"In-band assets; has an Executive Director listed in compensation section; local and reachable.",High,https://projects.propublica.org/nonprofits/organizations/840488554
Aaron Rashti Family Foundation Inc,75-2437335,Greenwood Vlg,CO,2024,5900000,1440000,336000,"Lower end of band; family foundation pattern; likely low IT maturity + high privacy expectations.",Medium,https://projects.propublica.org/nonprofits/organizations/752437335
Precourt Foundation,76-0430659,Greenwood Vlg,CO,2024,30600000,2610000,1680000,"Mid-band assets; meaningful annual activity; likely uses advisors/contractors.",Medium,https://projects.propublica.org/nonprofits/organizations/760430659
Tuchman Family Foundation,84-1366236,Greenwood Vlg,CO,2024,22000000,1020000,1430000,"In-band assets; family foundation pattern; Greenwood Village address common for private foundations.",Medium,https://projects.propublica.org/nonprofits/organizations/841366236
Harold W And Mary Louise Shaw Foundation,31-1577890,Colorado Spgs,CO,2024,31800000,4040000,3640000,"In-band assets; higher annual activity signals operational complexity and vendor footprint.",Medium,https://projects.propublica.org/nonprofits/organizations/311577890
Frederic C Hamilton Family Foundation,54-2099318,Greenwood Vlg,CO,2024,29800000,1870000,2390000,"In-band assets; family foundation; likely board-led buying process and sensitive donor data.",Medium,https://projects.propublica.org/nonprofits/organizations/542099318
Harmes C Fishback Foundation Trust,84-6094542,Englewood,CO,2024,10300000,500000,733000,"In-band assets; trust structure often means outsourced admin + vendor risk; good fit for restore verification.",Medium,https://projects.propublica.org/nonprofits/organizations/846094542
Maffei Foundation,45-4040790,Englewood,CO,2024,7650000,2600000,842000,"In-band assets; higher revenue suggests meaningful investment/admin activity; likely relies on outside IT/accounting.",Medium,https://projects.propublica.org/nonprofits/organizations/454040790
Mary M Dower Benevolent Corporation,84-0408049,Englewood,CO,2023,13200000,2200000,715000,"In-band assets; long-established entity; likely legacy processes and backups to validate.",Medium,https://projects.propublica.org/nonprofits/organizations/840408049
W J D Foundation,74-2398199,Englewood,CO,2023,5840000,419000,555000,"Lower-band assets; small operations; high likelihood of MSP/outsourced IT with limited verification.",Medium,https://projects.propublica.org/nonprofits/organizations/742398199
J F M Foundation,84-0833163,Denver,CO,2024,6970000,1510000,504000,"In-band assets; Denver base; likely reachable leadership; good starter outbound target.",Medium,https://projects.propublica.org/nonprofits/organizations/840833163
Kenny Foundation Inc,84-0925851,Denver,CO,2024,13100000,2210000,1040000,"In-band assets; meaningful annual activity; likely has vendors and a board that cares about continuity.",Medium,https://projects.propublica.org/nonprofits/organizations/840925851
Rifkin Foundation,74-2557691,Denver,CO,2024,12800000,1640000,1330000,"In-band assets; Denver-based; straightforward ‘risk + continuity’ pitch.",Medium,https://projects.propublica.org/nonprofits/organizations/742557691
Ball Foundation,27-4099620,Broomfield,CO,2024,29100000,1170000,1990000,"In-band assets; private grantmaking foundation category; operational governance likely.",Medium,https://projects.propublica.org/nonprofits/organizations/274099620
Domanica Foundation,52-1906206,Lakewood,CO,2023,6600000,354000,378000,"In-band assets; modest annual flow; high probability of minimal IT controls and legacy processes.",Medium,https://projects.propublica.org/nonprofits/organizations/521906206
Hill Foundation,84-6081879,,CO,2023,43532411,8895995,5911711,"High end of band; co-trustee structure appears in filing excerpt; vendor and access governance likely complex.",High,https://projects.propublica.org/nonprofits/organizations/846081879
The Boedecker Foundation,20-8495254,,CO,2022,39959952,3286332,3928361,"High end of band; paid operations leadership appears in compensation excerpt; higher maturity but strong need for assurance baseline.",High,https://projects.propublica.org/nonprofits/organizations/208495254
Solich Fund,46-1417348,,CO,2023,24295820,4309931,6529415,"Mid-band assets; meaningful annual distributions; classic ‘verify backups + DR + vendor access’ fit.",High,https://projects.propublica.org/nonprofits/organizations/461417348
Sheila Fortune Foundation,84-1467131,,CO,2022,5230245,574820,621209,"Lower band; has an Executive Director listed; likely lean but operationally active.",High,https://projects.propublica.org/nonprofits/organizations/841467131
Warburton Way Foundation,87-1989825,,CO,2023,10724838,9106782,168611,"In-band; recent filing excerpt shows large contributions; suggests donor data sensitivity + quick setup risk.",High,https://projects.propublica.org/nonprofits/organizations/871989825
Clay Mathematics Institute Inc,13-4025978,Denver,CO,2024,47200000,-1720000,2250000,"High end of band and operationally active; if filing type confirmed as 990-PF, strong fit for resilience baseline.",Low,https://projects.propublica.org/nonprofits/organizations/134025978
Sachs Foundation,84-0500835,Colorado Spgs,CO,2024,59000000,4530000,4870000,"Slightly above $50M band based on current profile; included as an optional ‘near-band’ target if you allow up to ~$60M.",Low,https://projects.propublica.org/nonprofits/organizations/840500835

A CRM-ready entities CSV (sources, partners, competitors, communities)

entity_name,entity_type,why_it_matters_to_outbound,source_or_entry_point
ProPublica Nonprofit Explorer,Data source,"Free org profiles + 990-PF extracted financials; use for quick prospect verification and manual research.",https://projects.propublica.org/nonprofits/
IRS TEOS Bulk Data Downloads,Data source,"Official monthly-updated bulk datasets including Form 990 series XML + auto-revocation list; best for automation.",https://www.irs.gov/charities-non-profits/tax-exempt-organization-search-bulk-data-downloads
IRS Form 990 Series Downloads,Data source,"Bulk XML + index zips by year/month; gives you last-2-years filing recency pipeline.",https://www.irs.gov/charities-non-profits/form-990-series-downloads
IRS EO-BMF Extract,Data source,"Official org master file by state; join to TEOS XML for addresses/state filtering.",https://www.irs.gov/charities-non-profits/exempt-organizations-business-master-file-extract-eo-bmf
IRS Annual Extract of Tax-Exempt Org Financial Data,Data source,"Fast assets-based binning for 990-PF filings by calendar year (good for counts).",https://www.irs.gov/uac/soi-tax-stats-annual-extract-of-tax-exempt-organization-financial-data
Candid,Data vendor/community,"Foundation Directory and GuideStar ecosystem; paid tiers optimized for list-building; partner-location free access exists.",https://candid.org/
Foundation Directory,Data vendor/community,"Paid database for foundation prospecting; useful benchmark for what ‘good filters’ look like.",https://fconline.foundationcenter.org/
Cause IQ,Data vendor/community,"Directory-style filtering and leads; useful for discovery but validate on IRS/ProPublica.",https://www.causeiq.com/
Nonprofit Open Data Collective,Open data community,"Community tooling around IRS 990 data; may accelerate database builds (verify PF coverage).",https://github.com/Nonprofit-Open-Data-Collective
Exponent Philanthropy,Community,"Largest lean-funder community; key place to learn operational pain points; note non-solicitation rules.",https://exponentphilanthropy.org/
Council on Foundations,Community,"Foundation leadership community; strong signal that AI governance + responsible adoption is on agendas.",https://cof.org/
Philanthropy Colorado,Community,"Colorado-specific foundation network and peer groups; ideal for relationship-driven warm intros.",https://philanthropycolorado.org/
United Philanthropy Forum,Community,"Hosts policy convenings (e.g., Foundations on the Hill); watch for sponsorship/education opportunities.",https://unitedphilforum.org/
Technology Association of Grantmakers,Community,"Operational/tech-focused grantmaker community; aligns with grants management + AI governance themes.",https://tagonline.org/
Foundation Source,Competitor/adjacent,"Dominant private foundation admin/services provider; partner or compete (you: security verification baseline).",https://foundationsource.com/
PKF O'Connor Davies,Competitor/adjacent,"Private foundation accounting/advisory firm listing cybersecurity; likely competitor for advisory mindshare.",https://www.pkfod.com/industries/private-foundations/
FEMA Nonprofit Security Grant Program,Funding mechanism,"Public funding source mentioning physical/cybersecurity enhancements; can appear in foundations’ thinking.",https://www.fema.gov/grants/preparedness/nonprofit-security
Colorado Attorney General Data Protection Laws,Regulatory reference,"Colorado breach notification and security practices guidance; supports ‘reasonable security’ messaging.",https://coag.gov/resources/data-protection-laws/
Colorado Privacy Act,Regulatory reference,"Colorado privacy law explicitly covers nonprofits under thresholds; supports governance narrative.",https://coag.gov/resources/colorado-privacy-act/
Spencer Foundation AI Policy,AI governance signal,"Concrete example of a funder formalizing generative AI rules for applicants, grantees, reviewers, and staff.",https://www.spencer.org/resources/policy-on-the-use-of-generative-ai-at-the-spencer-foundation
Wenner-Gren Foundation Generative AI Policy,AI governance signal,"Policy demonstrates confidentiality-driven restrictions around AI in application/review workflows.",https://wennergren.org/article/the-wenner-gren-foundation-generative-ai-policy/
Fibrolamellar Cancer Foundation AI Policy,AI governance signal,"Requires transparency/disclosure and emphasizes confidentiality in grant workflows.",https://fibrofoundation.org/ai-use-policy/

Outreach messaging that resonates with foundation operators

A foundation executive director or trustee generally responds to risk, fiduciary duty and operational continuity, not to “cybersecurity features.”

Language to use

  • “Backup restore verification” (not “backup strategy”)
  • “Board-grade resilience baseline in 10 days”
  • “Vendor access and password hygiene for outsourced admins/MSPs”
  • “Incident readiness for donor and applicant data”
  • “Reasonable security practices sized to your footprint” (ties to the “reasonable security procedures and practices” wording in Colorado’s statute)

Language to avoid

  • “Pen test,” “zero trust transformation,” “SOC 2 readiness” (often overkill for a lean foundation, and they sound expensive)
  • “Compliance mandate” (unless you’re specific; many foundations don’t feel regulated)

A high-performing initial email (template)
Subject: “Quick question: have you tested a restore lately?”

Body (edit to your voice):

Hi {{Name}} — I work with small foundations and lean grantmakers who handle sensitive donor/applicant data but don’t want (or need) a full-time IT/security team.

We run a 10‑day Operational Resilience Baseline: we verify that backups actually restore, map the current security posture, and leave you with a practical disaster recovery plan and vendor access checklist.

Colorado requires “reasonable security procedures and practices” for personal identifying information and notification of affected residents within 30 days of determining that a breach occurred. Most foundations rely on their vendors for both but haven’t validated the fundamentals.

Would a 15‑minute call next week make sense, either to confirm this is already handled or to scope a quick verification sprint that reduces risk for your board?

Follow-up angle (AI-ready): tie in the sector’s visible move toward AI guardrails.

  • “We also include an ‘AI-ready’ addendum: what data can and can’t go into AI tools, plus vendor rules, aligned with how funders are starting to formalize responsible AI policies.”

Colorado-specific communities and convenings

Expect most foundation convenings to be non-solicitation environments; the goal there is relationships, credibility and referrals, not pitching from the floor.

High-signal places to monitor or participate in (respecting each group’s solicitation rules):

  • Philanthropy Colorado peer programming (e.g., the Community Foundation CEO network).
  • Exponent Philanthropy’s annual conference programming for lean funders (non-solicitation; consider sponsorship and educational content instead).
  • Council on Foundations events on responsible AI and technology governance in philanthropy.

30-day outbound cadence for one foundation

  • Day 1: Email 1 (restore verification hook)
  • Day 4: LinkedIn connect + one-sentence note (no pitch)
  • Day 7: Email 2 (vendor access + board risk framing)
  • Day 12: Phone call / voicemail (short, operational)
  • Day 16: Email 3 (AI-ready addendum + 2 bullets)
  • Day 23: Send a one-page Operational Resilience Baseline (ORB) sample deliverable (sanitized)
  • Day 30: Close-the-loop email (permission-based)

What to do next to get exact national and state counts

Run the TEOS+EO‑BMF pipeline above and produce outputs:

  • counts by state and asset bin,
  • and a Colorado list of 20–30 in-band prospects verified from returns filed within exactly the last 24 months.
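As an added example (not part of the report’s pipeline or any IRS tooling), the Python below triages a CSV in the prospect-list layout shown earlier: it checks EIN format and cross-checks the EIN against the ProPublica source_url, applies the asset band, flags filings older than the two-year proxy and rows still missing a city, and returns the counts-by-asset-bin output the first bullet asks for. The asset band (roughly $5M to $50M) is an assumption inferred from the notes column, the bin boundaries are illustrative, and the sample rows are copied from the list above plus one constructed row with a malformed EIN.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the column layout of the prospect CSV above. The first
# three rows are copied from that list; the last row is made up to show a
# malformed EIN being caught.
SAMPLE_CSV = """foundation_name,ein,city,state,most_recent_year,total_assets_usd,annual_revenue_usd,annual_expenses_usd,notes_why_target,confidence,source_url
Seay Foundation,43-6055549,Colorado Spgs,CO,2024,17616107,2275131,1732026,"In-band assets",High,https://projects.propublica.org/nonprofits/organizations/436055549
Sachs Foundation,84-0500835,Colorado Spgs,CO,2024,59000000,4530000,4870000,"Near-band target",Low,https://projects.propublica.org/nonprofits/organizations/840500835
Sheila Fortune Foundation,84-1467131,,CO,2022,5230245,574820,621209,"Lower band",High,https://projects.propublica.org/nonprofits/organizations/841467131
Bad Row Foundation,12-345,Denver,CO,2024,7000000,1,1,"constructed: malformed EIN",Low,https://example.invalid/12345
"""

# Assumption: the target band is about $5M to $50M in total assets, inferred from
# the notes column ("Lower band" at $5.2M, "above $50M" at $59M).
BAND_LOW = 5_000_000
BAND_HIGH = 50_000_000

# Illustrative bins for the "counts by asset bin" output; [low, high) ranges.
ASSET_BINS = (
    (0, 5_000_000, "lt_5M"),
    (5_000_000, 10_000_000, "5M_10M"),
    (10_000_000, 25_000_000, "10M_25M"),
    (25_000_000, 50_000_000, "25M_50M"),
    (50_000_000, None, "ge_50M"),
)

# IRS EINs are two digits, a hyphen, seven digits; there is no check digit.
EIN_RE = re.compile(r"^\d{2}-\d{7}$")


def asset_bin(total_assets):
    """Return the label of the bin whose [low, high) range contains total_assets."""
    for low, high, label in ASSET_BINS:
        if total_assets >= low and (high is None or total_assets < high):
            return label
    return "invalid"  # negative totals are data errors, not a bin


def check_row(row, reference_year):
    """Return QA flags for one prospect row; an empty list means the row is usable."""
    flags = []
    ein = row["ein"].strip()
    if not EIN_RE.match(ein):
        flags.append("bad_ein_format")
    # The ProPublica URL ends in the EIN's nine digits; a mismatch usually means a
    # row was copy-pasted from another prospect.
    elif not row["source_url"].rstrip("/").endswith(ein.replace("-", "")):
        flags.append("ein_url_mismatch")
    try:
        assets = int(row["total_assets_usd"])
    except ValueError:
        assets = None
        flags.append("bad_assets")
    if assets is not None and not BAND_LOW <= assets <= BAND_HIGH:
        flags.append("out_of_band")
    try:
        year = int(row["most_recent_year"])
    except ValueError:
        year = None
        flags.append("bad_year")
    # Two-year recency proxy: the most recent reported year is this year or last.
    if year is not None and year < reference_year - 1:
        flags.append("stale_filing")
    if not row["city"].strip():
        flags.append("missing_city")  # needs enrichment from the return XML
    return flags


def triage(csv_text, reference_year):
    """Split rows into ready and needs-review, plus asset-bin counts for the ready rows."""
    ready, review = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = check_row(row, reference_year)
        if flags:
            review.append((row["foundation_name"], flags))
        else:
            ready.append(row)
    bins = Counter(asset_bin(int(r["total_assets_usd"])) for r in ready)
    return ready, review, bins


if __name__ == "__main__":
    ready, review, bins = triage(SAMPLE_CSV, reference_year=2025)
    print("ready:", [r["foundation_name"] for r in ready])
    print("review:", review)
    print("bins:", dict(bins))
```

With reference_year 2025 (the newest filing year in the list), only the Seay row survives: Sachs is out of band, Sheila Fortune is both stale and missing a city, and the constructed row fails the EIN check. Point the same function at the full CSV, or at rows produced by the TEOS + EO-BMF join, before anything is loaded into the CRM.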

The IRS pages you’ll rely on are explicitly designed for this:

  • TEOS bulk downloads are updated monthly and include the needed datasets.
  • EO‑BMF is downloadable by state and is intended to be merged via EIN.
  • TEOS FAQs explain how the index joins to the XML (Object ID).