RIA_Market_Entry_Senior_Review_and_Action_Plan

Solanasis — RIA Market Entry: Senior Strategy Review & Action Plan

Version: 1.0 Date: 2026-03-13 Type: Senior Strategy Review + Consolidated Action Plan Owner: Dmitri Sunshine, Founder & CEO Purpose: Brutally honest viability review of the RIA market entry strategy, consolidating findings from all playbooks into a single actionable document. Replaces the need to cross-reference 6+ documents. Status: REVIEW DRAFT — Decisions needed (see Part 4)

---

Table of Contents

• Part 1: Senior Review — What’s Viable and What’s Not
• Part 2: The Playbook That Actually Works (6-Week Sprint)
• Part 3: Content, Trust, and Relationship Strategy
• Part 4: Decisions Needed From You

---

PART 1: Senior Review — What’s Viable and What’s Not

The Honest Summary

The RIA market opportunity is real but requires a different approach than what’s been documented. The SEC Reg S-P deadline (June 3, 2026) creates genuine urgency — RIAs under $1.5B AUM (Assets Under Management) must have cybersecurity policies, incident response plans, and data protection procedures in place. That’s 84 days away. Many are scrambling.

But — the strategies we’ve been building have a mismatch between the effort required and the revenue timeline. Here’s the breakdown:

---

Strategy-by-Strategy Viability Assessment

1. Job Board Scraping — DOWNGRADE TO “NICE TO HAVE”

Original Rating: Core GTM Smartcut Revised Rating: Optional Phase 2 tactic (Month 3+)

Why the downgrade:

• RIAs don’t hire for security roles the way tech companies do. Most RIAs are 5-50 employees. They don’t post for CISOs on Indeed. When they need security help, they ask their compliance consultant, their MSP, or their CPA. The “hiring signal” is a phantom signal in this specific market.

• Volume is too low for scraping to matter. Nationally, there might be 30-50 cybersecurity job postings from RIAs per month across all job boards. In Colorado, maybe 5-8. That’s not enough volume to justify building automation infrastructure.

• Cold email to RIAs doesn’t work. This is a trust-first industry. RIA principals manage people’s life savings — they’re deeply risk-averse about new vendors. A cold email from an unknown firm will be ignored or flagged as spam, regardless of how well it’s written.

• The effort-to-revenue timeline is 4-5 months. Month 1: build scraping system. Month 2: send emails, get a few replies. Month 3-4: navigate the RIA sales cycle. Month 5: maybe close something. With 3-6 months runway, this is too slow.

What to do with the Job Board Scraping Strategy doc: Keep it in the playbooks folder. It’s a solid playbook for Phase 2 (Month 4+) when you have RIA case studies and can cold-email from a position of credibility. It’s also useful for non-RIA verticals (law firms, healthcare, marketing agencies) where cold email is more effective and companies do post security roles on job boards.

Pro tip: The job board scraping strategy is like a great recipe you don’t have the ingredients for yet. You need the credibility ingredients first (case studies, compliance consultant endorsements, SEC-specific deliverables). Then the cold outreach becomes a multiplier instead of a cold start.

---

2. LinkedIn Sales Navigator — ALREADY DOES 80% OF WHAT FIRECRAWL WOULD DO

Key insight you may not have realized: Sales Navigator already has hiring signal detection built in. You don’t need to build a separate scraping system.

What Sales Navigator can do right now:

Sales Navigator Feature	What It Does	How It Replaces Scraping
”Posted Jobs” filter	Shows companies actively posting jobs — filterable by industry, size, location	This IS the job board scrape, but with better data (LinkedIn verified)
“Company Headcount Growth” filter	Shows companies that are growing (hiring across all roles)	Broader signal than individual job posts — catches firms building capacity
”Job Changes” alert	Notifies you when saved leads change roles	Finds new hires into security/compliance roles — they’re your champion
Account IQ (AI feature)	AI-generated company insights — priorities, pain points, strategic initiatives	Auto-researches your target accounts so you don’t have to
Buyer Intent signals	Flags accounts showing purchase-ready behavior (content engagement, profile views, news)	Real-time intent data that no scraper can match
Saved Account alerts	Track 50-75 RIA accounts — get notified of ANY hiring, news, leadership changes	Persistent monitoring without building any automation

The better workflow (15-30 minutes/week):

1. Build Saved Account list: "RIA Security Targets"
   - 50-75 RIAs in Colorado ($50M-$500M AUM, 10-150 employees)
   - One-time setup: ~2 hours

2. Build Saved Account list: "RIA Compliance Consultants"
   - 15-20 compliance consulting firms that serve RIAs
   - One-time setup: ~1 hour

3. Set alerts on both lists
   - Job postings, headcount changes, news mentions
   - Check weekly: 15 minutes

4. When a signal fires → personalized connection request
   - "I noticed [Company] is [hiring/growing/in the news for X].
     We help RIAs get SEC-compliant before the June deadline..."

Cost: $0beyondyourexistingSalesNavigatorsubscription($100/month). Effort: 3 hours setup + 15-30 minutes/week monitoring. Quality: Higher than scraped data (verified LinkedIn profiles, real-time signals).

Decision: This replaces Firecrawl for RIA prospecting. Firecrawl becomes optional for non-RIA verticals later.

---

3. RIA Compliance Consultant Partnerships — THE HIGHEST-LEVERAGE PLAY

Rating: CRITICAL PATH. This is how you get first clients.

Why this works when cold outreach doesn’t:

RIAs choose cybersecurity vendors the same way they choose everything else — through trusted referrals. The research confirms this:

• RIAs find vendors by asking their compliance consultant first (these are the firms that handle their SEC filings, mock exams, and regulatory prep)
• The FINRA Compliance Vendor Directory is a secondary source — but you need clients to get listed
• Industry networking and peer referrals are the third channel

What this means for you:

The compliance consultant IS the distribution channel. They already have 20-100+ RIA clients each. They already have trust. They already know which clients are panicking about Reg S-P. And they can’t do the technical cybersecurity work themselves — that’s exactly your gap to fill.

How the partnership works:

Compliance Consultant                    Solanasis
━━━━━━━━━━━━━━━━━━━━                    ━━━━━━━━━━
Has the client relationship              Has the technical capability
Handles SEC filings & policy             Handles security testing & implementation
Knows which clients need help            Can deliver in 10 days (ORB)
Can recommend you by name                Pays 15% referral fee
Gets asked "who should we call?"         Becomes the answer

Target compliance consultants in Colorado / serving Colorado RIAs:

Firm	Why They Matter
ACA Group (formerly ACA Compliance)	Largest RIA compliance firm in the US. Colorado-based clients. If you get in here, you get deal flow.
Core Compliance & Legal Services	Mid-size compliance consulting, works with smaller RIAs ($50M-$500M AUM) — your sweet spot
RIA Compliance Consultants	Boutique firm, personal relationships, likely more open to partnerships
Oyster Consulting	Multi-service firm, cybersecurity is an add-on they don’t do in-house
Vigilant Compliance	Digital-forward compliance firm, may be interested in tech-forward partners
Local solo compliance consultants	Search LinkedIn for “RIA compliance consultant” + Colorado. These solos serve 10-30 RIAs each and are most likely to partner quickly

Outreach message to compliance consultants:

Hi [Name],

I help RIAs with the technical side of cybersecurity compliance — backup verification, incident response testing, security assessments. The kind of work that supports the policy framework you’re building for clients.

With the Reg S-P deadline 84 days out, I imagine some of your clients are asking “we have the policies, but have we actually tested our systems?”

That’s what we do — a 10-day Resilience Baseline that proves their systems can actually recover, not just that they have backup software. Fixed fee, fixed scope.

Would it make sense to chat for 15 minutes about whether this could be useful for your clients? Happy to offer a referral arrangement.

— Dmitri

Timeline to revenue through this channel:

• Week 1-2: Contact 10-15 compliance consultants. Book 3-5 calls.
• Week 3-4: Formalize 2-3 partnerships. Ask each for 1-2 warm intros.
• Week 5-6: Deliver first free assessment → convert to paid ORB.
• First revenue: Week 6-8 ($5K-$12.5K)

---

4. SEC Reg S-P Deadline — YOUR TIME-LIMITED SUPERPOWER

Rating: CRITICAL — but the clock is ticking. 84 days until June 3, 2026.

What the deadline actually requires (from SEC regulatory docs):

RIAs must have:

1. Written cybersecurity policies and procedures
2. Incident response plan (written and tested)
3. Customer data protection measures (safeguards for nonpublic personal information)
4. Vendor/third-party risk management procedures
5. Employee training on cybersecurity
6. Board/senior management oversight of cybersecurity program

What most RIAs have: A compliance policy doc their consultant wrote. Maybe antivirus software. Probably untested backups.

What most RIAs DON’T have: Proof their systems actually work. Tested incident response. Verified backup restoration. A security risk assessment with specific findings.

This is YOUR lane. The compliance consultant writes the policy. You prove the systems behind the policy actually work.

How to weaponize this deadline:

Content/Asset	Purpose	Effort	Timeline
”Reg S-P Technical Readiness Checklist”	Lead magnet. One-page PDF that compliance consultants can share with clients.	3-4 hours	Week 1
”The Reg S-P Gap Most RIAs Miss” (LinkedIn post)	Thought leadership. Hook: “Your compliance consultant wrote the policy. But have you actually tested whether your systems can recover?“	1 hour	Week 1
2-minute LinkedIn video: “84 Days to Reg S-P”	Face-on-camera credibility builder. Phone-recorded, natural light, no production.	30 min to record + 30 min to post	Week 1
”Free Reg S-P Readiness Check” offer	Lead generation. 2-hour assessment for compliance consultant referrals. Converts to paid ORB.	2-3 hours per assessment	Week 2-4
Case study from free assessment	Social proof. Anonymized: “We found [X] at an RIA with [Y] AUM — here’s what we fixed.”	2 hours to write	After first assessment

Content cadence for next 84 days:

Week	LinkedIn Post	Video	Asset
Week 1 (now)	“84 days to Reg S-P”	Record first video	Publish checklist
Week 2	”The backup test that 67% of firms fail”	-	-
Week 3	”What SEC examiners actually look for”	Record second video	-
Week 4	Case study from first free assessment	-	Updated checklist with findings
Week 5-6	”60 days to Reg S-P — are you ready?”	Record third video	Incident response plan template
Week 7-8	”What we found at 3 RIAs this month”	-	-
Week 9-10	”30 days to Reg S-P — last call”	Record urgency video	-
Week 11-12	”How we helped [X] RIAs get compliant in [Y] days”	-	-

Pro tip: The Reg S-P deadline is your “growth hack.” You don’t need to convince RIAs that cybersecurity matters — the SEC is doing that for you. Your job is to be the person who shows up with the solution at the exact moment they need it. After June 3, this urgency evaporates. Use it NOW.

---

5. AI-Native Agency Model — HOW TO RUN THIS WITH YOU + CONTRACTORS

What AI handles (save 15-20 hours/week):

Task	AI Tool	Time Saved
LinkedIn post drafting	Claude (batch-generate 4 weeks at once)	3-4 hrs/week
Email template creation	Claude (write + A/B variants)	1-2 hrs/week
Prospect research	Sales Navigator Account IQ + Claude for deeper dives	2-3 hrs/week
ORB report generation	Claude (structure findings into client-ready reports)	4-6 hrs per ORB
Compliance mapping	Claude (cross-reference Reg S-P requirements with assessment findings)	2-3 hrs per engagement
Proposal/SOW drafting	Claude (fill templates from discovery call notes)	1 hr per proposal
Follow-up email sequences	Claude (personalized follow-ups based on CRM data)	1-2 hrs/week

What needs human touch (can’t automate):

Task	Who	Why
Sales calls / discovery meetings	You (Dmitri)	Trust is built person-to-person. RIAs need to feel your competence.
Compliance consultant relationship building	You	Partnership development requires personal rapport
Restore test execution	You (Phase 1) → Contractor (Phase 2+)	This is the core deliverable — must be hands-on
Security scanning and assessment	You or contractor	Technical work that requires expertise
Client relationship management	You	You are the brand at this stage

Contractor model (Phase 1: Month 1-3):

YOU (Dmitri) — 100% of time
├── Sales & business development (40%)
├── ORB delivery (40%)
├── Content & marketing (15%)
└── Admin & operations (5%)

CONTRACTORS — As-needed
├── Technical assessment execution ($75-150/hr)
│   └── When: Once you're doing 3+ ORBs/month
├── Remediation implementation ($100-200/hr)
│   └── When: After ORB identifies fixes needed
└── Content creation ($30-75/hr)
    └── When: Once content cadence is established

Contractor model (Phase 2: Month 4-6):

YOU (Dmitri) — 60% sales/relationships, 40% delivery oversight
├── Sales calls & partnerships (30%)
├── Discovery & scoping (15%)
├── Quality review of contractor deliverables (15%)
├── Content strategy & LinkedIn (20%)
└── Client relationships (20%)

CONTRACTOR 1: Technical Delivery ($75-150/hr, 20-30 hrs/month)
├── Backup restore testing
├── Security scanning
├── Configuration review
└── Follows YOUR SOP (built from ORBs 1-3)

CONTRACTOR 2: Remediation (on-demand, $100-200/hr)
├── Fix issues identified in ORB
├── Implement security controls
└── Policy/procedure documentation

CONTRACTOR 3: Content/Marketing (10 hrs/month, $30-75/hr)
├── LinkedIn post drafting (AI-assisted)
├── Lead list management in Sales Navigator
└── Email sequence management

Monthly contractor cost estimate:

• Phase 1 (Month 1-3): $500-$1,500/month (minimal, as-needed)
• Phase 2 (Month 4-6): $3,000-$6,000/month (scaling with revenue)
• Rule: Contractor cost should never exceed 35% of revenue

---

What’s Missing from Current Strategy Docs

Gap 1: No “First Client” Playbook for RIAs Specifically

Current docs say: “Get 2-3 ORBs by week 12.” Missing: How exactly do you get Client #1 in the RIA world with zero track record?

The answer (from this review): Compliance consultant referral → free assessment → convert to paid ORB. This is documented in Part 2 below.

Gap 2: No Exit Criteria for the RIA Pivot

Missing: If RIAs aren’t working by Month X, what’s Plan B?

Proposed exit criteria:

• Month 3 checkpoint: At least 1 RIA client (free or paid). If zero, broaden to law firms + healthcare.
• Month 4 checkpoint: At least 1 paying RIA client. If zero, RIA becomes secondary vertical.
• Month 6 checkpoint: At least 3 RIA clients + 1 retainer. If not, consider repositioning.

Gap 3: Bridge Revenue Plan is Vague

The reality: RIA sales cycles are 5-10 weeks. You may not see RIA revenue until Month 3.

Bridge revenue plan (Month 1-2):

• Marketplace gigs (Catalant, Upwork): Target $3K-$8K/month
• Network quick wins: Ad-hoc consulting at $200-250/hr (keep this to 20% of time max)
• Non-RIA ORBs: Law firms and marketing agencies have faster sales cycles — target 1-2 in Month 1

Gap 4: Competitive Positioning Isn’t Sharp Enough

Current positioning: “Operational resilience partner” (too broad for RIAs)

Sharper positioning for RIA market:

“We’re the firm that actually tests whether your systems can recover — and proves it to the SEC. 10 days. Fixed fee. No surprises.”

Why this works:

• “Actually tests” — differentiator vs. policy-only compliance consultants
• “Proves it to the SEC” — ties directly to regulatory fear
• “10 days” — urgency-compatible (84 days to deadline, you can do 8 assessments)
• “Fixed fee” — removes pricing uncertainty for risk-averse RIAs
• “No surprises” — speaks to the RIA mentality of predictability and control

---

PART 2: The Playbook That Actually Works (6-Week Sprint)

The Strategy in One Sentence

Partner with RIA compliance consultants who already have trust and client access, offer free Reg S-P assessments through them to build case studies, then convert those assessments into paid ORBs and retainers.

Week-by-Week Execution Plan

WEEK 1: Load the Gun (Foundation)

Time commitment: ~15 hours

#	Task	Time	Output
1	LinkedIn profile overhaul for RIA focus. Headline: “Cybersecurity for RIAs	SEC Reg S-P Compliance	Fractional CISO” Featured: Reg S-P checklist. About: RIA-specific language.
2	Create Reg S-P Technical Readiness Checklist. One-page PDF. What the SEC requires technically (not just policy). Include: backup restore verification, incident response test, access control audit, vendor risk assessment. Make it useful, not salesy.	4 hrs	Lead magnet PDF ready
3	Identify 15 RIA compliance consultants. LinkedIn search: “RIA compliance consultant” + Colorado. Plus national firms with CO clients (ACA Group, Core Compliance, Oyster, etc.). Save to Sales Navigator list.	2 hrs	Target list ready
4	Send connection requests to all 15 compliance consultants. Personalized note: “I do the technical side of cybersecurity for RIAs — backup testing, incident response verification. Seems like we serve the same clients from different angles. Would love to connect.”	1 hr	15 connections pending
5	Create Sales Navigator “RIA Target” account list. 50 RIAs in Colorado, $50M-$500M AUM, 10-150 employees. Enable alerts for job postings, headcount changes, news.	2 hrs	Monitoring list active
6	Record first LinkedIn video: “84 Days to Reg S-P.” Phone-recorded, natural window light, 2 minutes. Key message: “Your compliance consultant wrote the policy. Have you actually tested your systems?“	1 hr	Video posted
7	Write + schedule 2 LinkedIn posts about Reg S-P. Post 1: “The one test 67% of firms fail” (backup restore). Post 2: “What SEC examiners ask about cybersecurity.”	1.5 hrs	Content pipeline started
8	Set up booking link (Calendly/Cal.com). “15-Minute Reg S-P Readiness Chat”	30 min	Booking link live

WEEK 2: Make Contact (Outreach)

Time commitment: ~10 hours

#	Task	Time	Output
1	Follow up with compliance consultants who accepted connections. Send DM: “Thanks for connecting. Quick question — are any of your RIA clients asking about the technical side of Reg S-P compliance? Things like backup restore verification, incident response testing? That’s our specialty. Happy to be a resource.”	1.5 hrs	Conversations started
2	Book 3-5 calls with interested compliance consultants. Focus on solo consultants and smaller firms (faster to partner).	1 hr	Calls scheduled
3	Write personalized cold outreach to 20 RIA decision makers via Sales Navigator. Use “Posted Jobs” or “Company Growth” signals where available. Reg S-P deadline as the hook.	3 hrs	20 InMails/connection requests sent
4	Post LinkedIn content. 2 posts + share the Reg S-P checklist as a resource.	1.5 hrs	Content continuing
5	Research 3-5 RIA industry events in Colorado for next 60 days. FPA Colorado chapter meetings, CFA Society events, NAPFA gatherings. Register for at least 2.	1 hr	Events identified, 2 registered
6	Apply to Vanta Service Provider Program + Drata Launch Alliance. These are free partnership programs that generate inbound leads over time.	1 hr	Applications submitted
7	Bridge revenue: Apply to Catalant + 1-2 other consulting marketplaces. Focus profile on cybersecurity assessment / fractional CISO.	1 hr	Marketplace profiles live

WEEK 3: Partnership Activation

Time commitment: ~12 hours

#	Task	Time	Output
1	Conduct calls with compliance consultants. Agenda: understand their client base, explain what you do (restore testing, security assessments), propose referral partnership (15% commission or mutual referral). Ask each: “Do you have 1-2 clients who’d benefit from a free Reg S-P readiness check?“	3 hrs	2-3 partnerships forming
2	Send Reg S-P checklist to all connected compliance consultants. “Feel free to share this with your clients. If anyone wants help with the technical side, I’m offering free readiness checks this month.”	1 hr	Lead magnet distributed
3	Schedule first free Reg S-P assessment. Ideally from compliance consultant referral. If no referrals yet, offer to a warm contact from your network.	1 hr	First assessment scheduled
4	Follow up on Week 2 Sales Navigator outreach. Send Value Add follow-up to any who haven’t responded.	1.5 hrs	Follow-up cadence running
5	Attend first RIA industry event. Business cards, Reg S-P checklist printouts, 2-minute elevator pitch ready. Goal: meet 5-10 people, collect 3-5 business cards.	4 hrs (including travel)	In-person contacts made
6	Post 2 LinkedIn pieces. Focus on specific Reg S-P technical requirements.	1.5 hrs	Content continuing

WEEK 4: Deliver & Prove

Time commitment: ~15 hours

#	Task	Time	Output
1	Deliver first free Reg S-P assessment (2-3 hours). Check: backup restore test, incident response plan review, access control audit, vendor security review. Document EVERYTHING — this is your first case study.	3 hrs delivery + 2 hrs documentation	Assessment complete, findings documented
2	Create anonymized case study from assessment. “We found [X critical gaps] at an RIA with [Y] AUM. Here’s what we recommended.”	2 hrs	Case study #1 ready
3	Ask for referrals from the assessment client. “Do you know 2-3 other RIA owners who might benefit from this? We’re offering complimentary readiness checks through [month].“	30 min	2-3 referral names
4	Schedule second free assessment (from referral or compliance consultant).	30 min	Second assessment on calendar
5	Send follow-up to compliance consultant partners. Share the (anonymized) case study: “Here’s what we found at a firm similar to your clients. Happy to do the same for any of yours.”	1 hr	Partnership momentum building
6	Post case study on LinkedIn. This is your most valuable content piece — real findings, real impact, real urgency.	1.5 hrs	Credibility content live
7	Follow up on all open Sales Navigator conversations. Any replies? Any meetings booked?	1 hr	Pipeline status update
8	Bridge revenue check: Any marketplace gigs landed? Any quick consulting from network?	1 hr	Revenue status check

WEEK 5: Convert & Compound

Time commitment: ~12 hours

#	Task	Time	Output
1	Deliver second free assessment. Same process, same documentation rigor.	3 hrs + 2 hrs	Second case study in progress
2	Convert first assessment to paid ORB. Follow up: “Based on what we found, I’d recommend a full Resilience Baseline — it covers everything the SEC examiners will look for. It’s a 10-day engagement, fixed fee of $[5,000-6,000] for your firm size. Want me to send the scope?“	1 hr	First proposal sent
3	Record second LinkedIn video. “What We Found at [X] RIAs This Month” — anonymized findings, real urgency.	1 hr	Video posted
4	Follow up on ALL open conversations. Compliance consultants, Sales Navigator leads, event contacts.	2 hrs	Pipeline update
5	Write SOW for first paid ORB. Use the ORB Pack v2 templates — customize for RIA.	1.5 hrs	SOW ready to send
6	Post 2 LinkedIn pieces. “60 days to Reg S-P” countdown + technical insight.	1.5 hrs	Content continuing

WEEK 6: Close First Revenue

Time commitment: ~10 hours

#	Task	Time	Output
1	Close first paid ORB. Follow up on proposal. Handle objections. Sign contract. Send invoice.	2-3 hrs	FIRST REVENUE: $5,000-$12,500
2	Send paid ORB proposals to second assessment client + any other pipeline.	2 hrs	More proposals out
3	Compliance consultant partner update. Share results, ask for more referrals. “We’ve now helped [X] firms. Can you think of 2-3 more who need this before June?“	1 hr	Referral flywheel spinning
4	Month 1 retrospective. What worked? What didn’t? Adjust for Month 2.	1 hr	Strategic clarity
5	Begin documenting SOP from first ORB. Screenshots, checklists, decision trees. This becomes the contractor playbook.	2 hrs	SOP v0.1 started
6	Plan Month 2 content and outreach. Batch-generate 4 weeks of LinkedIn content with Claude.	1.5 hrs	Month 2 content ready

---

Revenue Projections (Revised, Conservative)

Timeframe	Revenue Source	Amount	Confidence
Week 1-4	Bridge revenue (marketplace, network)	$0-$4K	Low-Medium
Week 5-6	First ORB (founding client pricing)	$5K-$6K	Medium-High (if compliance consultant channel works)
Week 7-8	Second ORB + continued bridge	$5K-$10K	Medium
Month 3	2-3 ORBs + first retainer discussions	$10K-$25K	Medium
Month 4-6	ORB pipeline + 1-2 retainers starting	$12K-$30K/month	Medium (compounding)
Month 12 target	$20K-$30K MRR	Blended ORB + retainer	Medium-High (if execution stays consistent)

---

PART 3: Content, Trust, and Relationship Strategy

The Trust-Building Hierarchy (What Actually Works for RIAs)

RIAs build trust through layers of social proof, not cold outreach. Here’s the hierarchy from most trusted to least:

TIER 1 — IMMEDIATE TRUST (Close deals)
├── Referral from their compliance consultant
├── Referral from another RIA principal they know
├── Referral from their CPA or attorney
└── Spoken at an event they attended

TIER 2 — CREDIBILITY SIGNALS (Get meetings)
├── Case studies with RIAs similar to them
├── Content that demonstrates deep RIA knowledge
├── Listed on FINRA Compliance Vendor Directory
├── Compliance platform partnership badge (Vanta/Drata)
└── Relevant certifications (CompTIA Security+, CISSP)

TIER 3 — AWARENESS (Get on their radar)
├── LinkedIn content about SEC/Reg S-P
├── Industry event attendance
├── Shared connections in their network
└── Published in RIA-focused publications

TIER 4 — NOISE (Rarely works for RIAs)
├── Cold email from unknown vendor
├── Cold LinkedIn InMail
├── Generic "cybersecurity tips" content
├── Paid advertising
└── Job board scraping outreach

Your strategy targets Tiers 1-2 simultaneously:

• Tier 1: Compliance consultant partnerships (referrals)
• Tier 2: Free assessments → case studies → LinkedIn content

This is how you build trust in 6 weeks instead of 12 months.

---

What RIA Decision Makers Actually Read & Follow

Source	Who Reads It	Your Play
Their compliance consultant’s recommendations	Everyone at the firm	BE the recommendation (partnership strategy)
SEC / FINRA official guidance	Compliance officers, managing partners	Create content that translates SEC-speak into action items
WealthManagement.com, RIA Intel	Managing partners, senior advisors	Long-term goal: get quoted/featured. Short-term: share their articles + add your take
Kitces & Carl podcast	RIA leaders, financial planners	Listen to understand their language and concerns. Reference in your content
LinkedIn (people they already follow)	Varies	Get connected to compliance consultants + RIA leaders first, then your content appears in their feed via shared connections

Key insight: RIA principals don’t browse cybersecurity content. They see it when someone they trust shares it or when a regulatory event forces them to search for it. Your content strategy should be designed to be shared BY compliance consultants, not found by RIAs directly.

---

LinkedIn Content Strategy — The “Share-Worthy” Framework

Every post should pass the “Compliance Consultant Share Test”:

“Would a compliance consultant share this with their RIA clients and say ‘you should read this’?”

Content that passes the test:

• Specific Reg S-P technical requirements explained in plain language
• Real findings from assessments (anonymized): “We tested the backups at an RIA. Here’s what happened.”
• SEC examiner checklists / what they actually look for
• Step-by-step guides compliance consultants can reference
• Stats and data points that create urgency

Content that FAILS the test:

• Generic “5 cybersecurity tips” posts
• Fear-mongering without actionable advice
• Sales pitches disguised as content
• Long thought-leadership pieces about “the future of cybersecurity”
• Anything about crypto, blockchain, or trendy security topics

Posting cadence:

• 2-3 posts per week (quality > volume)
• 1 video every 2 weeks (phone-recorded, 2 minutes max)
• 1 longer-form piece per month (LinkedIn article or shared PDF)
• Daily engagement: 10-15 minutes commenting on compliance consultant posts and RIA leader posts

Pro tip: When your compliance consultant partner shares your content or tags you in a post, that’s 10x more valuable than anything you post yourself. Make it easy for them to share: send them your posts and say “feel free to share this with clients who are asking about Reg S-P.”

---

The “Inner World” Problem — How to Break In

You asked about the RIA world being very insular, very trust-dependent. Here’s the honest reality and the playbook for breaking in:

Why It’s Hard

• Small community: In Colorado, there are maybe 500-800 RIA firms. The principals all know each other. Word travels fast — both good and bad.
• High stakes: They manage people’s retirements, college funds, life savings. A bad vendor recommendation reflects on them personally.
• Vendor fatigue: They get pitched constantly by software vendors, compliance firms, insurance brokers. Another cold pitch is noise.
• Credential-heavy culture: They respect designations (CFA, CFP, CIMA). “Self-taught” can be a barrier initially.

How to Break Through (The Specific Plays)

Play 1: “The Compliance Consultant Backdoor” (Week 1-3)

You don’t need to break into the RIA inner circle directly. You need ONE compliance consultant to vouch for you. Then their 20-100 clients become warm leads.

This is borrowed credibility — the Smartcuts principle you already know. The compliance consultant has spent years building trust with RIAs. You borrow that trust through partnership.

Play 2: “The Free Assessment Trojan Horse” (Week 3-6)

Once you’re in front of an RIA principal (via compliance consultant referral), the free assessment does three things:

1. Demonstrates competence — they see you work, they see your findings
2. Creates urgency — “you have 3 critical gaps, here’s what they are”
3. Builds the relationship — 2-3 hours of face-to-face time builds trust faster than 50 LinkedIn posts

Play 3: “The Event Connector” (Month 1-3)

Attend 2-3 RIA industry events in Colorado. Don’t pitch. Instead:

• Ask questions: “What’s keeping you up at night about Reg S-P?”
• Listen and learn their language
• Offer your checklist: “I put together a Reg S-P technical readiness checklist — want a copy?”
• Follow up on LinkedIn the next day: “Great meeting you at [event]. Here’s that checklist I mentioned.”

This positions you as helpful and knowledgeable, not salesy.

Play 4: “The Content Authority” (Ongoing)

Over 2-3 months, your LinkedIn content creates ambient authority. People start seeing your name attached to Reg S-P content. When their compliance consultant says “you should talk to Dmitri at Solanasis,” they think “oh, I’ve seen his posts about Reg S-P.” That pre-awareness closes the trust gap.

Play 5: “The Referral Snowball” (Month 2+)

Every assessment (free or paid) should produce 2-3 referrals. RIA principals talk to each other. If you deliver a great experience for one firm, word spreads organically. At 2-3 referrals per client, the math compounds:

Assessment 1 → 2 referrals → Assessment 2 & 3
Assessment 2 → 2 referrals → Assessment 4 & 5
Assessment 3 → 2 referrals → Assessment 6 & 7
...
By Month 6: 15-20 firms have experienced your work directly or heard about you from a peer

That’s how you break into an insular market — not by blasting cold emails, but by making the inner circle come to you through trust, referrals, and urgency.

---

PART 4: Decisions Needed From You

D1: Job Board Scraping — Kill, Pause, or Keep?

Context: The senior review recommends downgrading job board scraping from “core strategy” to “nice-to-have for Phase 2.” The reasoning: RIAs don’t hire via job boards for security roles, the volume is too low, and cold email to RIAs won’t work without credibility first.

Options:

• A) Pause until Month 4 (Recommended). Focus all energy on compliance consultant partnerships + Reg S-P content for the next 90 days. Revisit job board scraping once you have 3+ RIA case studies and can cold-email from a position of credibility. Also useful for non-RIA verticals (law firms, healthcare) where cold email is more effective.

• B) Kill it entirely. The strategy doc stays in the playbooks folder as a reference, but you don’t invest any time or money into scraping infrastructure. Focus 100% on the partnership channel.

• C) Run a minimal version. Set up ONE manual Indeed search per week (15 minutes), track results in a spreadsheet, send manual emails to any RIA-specific hits. No Firecrawl, no automation. Just a lightweight signal-check.

• D) Keep as planned. Build the full Firecrawl + n8n + Baserow pipeline. Accept the 20-40 hour setup cost.

Why A is recommended: You preserve the strategy for later while not burning 20-40 hours of runway time on a channel that won’t produce RIA revenue in the next 90 days. The compliance consultant channel is 10x more likely to produce first revenue.

Notes:

---

D2: Firecrawl Budget — Spend or Save?

Context: Firecrawl Hobby plan is $16/month. The question is whether to subscribe now or wait.

Options:

• A) Wait until Month 4 (Recommended if you chose D1-A above). Save $16/month and put the energy into Sales Navigator, which already has hiring signal features built in.

• B) Subscribe now for non-RIA scraping. Use it to scrape law firm and healthcare job postings where cold email is more viable. Run the scraping strategy for these faster-closing verticals while pursuing RIAs through partnerships.

• C) Subscribe and build the full pipeline. If you chose D1-D above.

Why A is recommended: Sales Navigator’s “Posted Jobs” and “Company Growth” filters already do 80% of what Firecrawl would do for your use case, and the data is higher quality (LinkedIn-verified contacts).

Notes:

---

D3: First Free Assessment — Who Gets It?

Context: The 6-week sprint calls for 2 free Reg S-P assessments in Weeks 3-4. Who should get them?

Options:

• A) Compliance consultant referral (Recommended). Ask your first compliance consultant partner: “Do you have a client who’s worried about Reg S-P? I’d love to do a free readiness check for them.” This builds the partnership AND creates a case study.

• B) Someone from your existing network. Do you know any RIA owners or financial advisors personally? Even a friend-of-a-friend connection works. Warmer lead, but may not build the compliance consultant partnership.

• C) A non-RIA firm (bridge to RIA). If compliance consultant partnerships are slow to form, do a free assessment for a law firm or accounting firm that serves RIAs. You get a case study AND a referral channel.

• D) A cold outreach target from Sales Navigator. Offer the free assessment as the hook in your InMail: “Offering complimentary Reg S-P readiness checks for Colorado RIAs this month.”

Why A is recommended: It kills two birds — case study + deepened partnership. The compliance consultant sees your work firsthand and becomes a more confident referrer.

Notes:

---

D4: Pricing for Founding RIA Client — What’s the Number?

Context: Your current ORB pricing tiers are S: $5K,M:$7.5K, L: $12.5K,XL:$19.5K. For the first RIA client, you may want a “founding client” rate to reduce friction.

Options:

• A) Repackage as “SEC Cybersecurity Compliance Assessment” at $6,500 (Recommended). This is between your S and M tier but justifies premium with SEC-specific deliverables. The repackaging alone (compliance-mapped report instead of generic ORB report) justifies 30% higher than a standard S-tier ORB.

• B) Standard S-tier at $5,000. Proven price point, low friction for first sale.

• C) Founding client discount at $4,000. Gets the first case study but risks anchoring low.

• D) Premium positioning at $7,500-$8,500. “SEC Compliance Assessment + Incident Response Plan Template.” Higher ticket but may slow the first close.

Why A is recommended: It’s premium enough to maintain your $250/hrfloor(assuming25hoursofwork=$260/hr effective rate) but accessible enough for a $100M-$500M AUM RIA. The SEC-specific repackaging differentiates from a generic security assessment.

Notes:

---

D5: Email Infrastructure — Manual or Tool?

Context: For the cold outreach component (Sales Navigator leads, not compliance consultant referrals), do you need email sending infrastructure?

Options:

• A) Manual Gmail for now (Recommended). At less than 20 cold emails/week, Gmail is fine. No deliverability risk. Maximum personalization. Zero cost.

• B) Instantly.io ($30-$97/month). Built for cold email, includes warmup and analytics. Worth it when you’re sending 50+ emails/week.

• C) Lemlist ($59+/month). Good for personalized images and video in email. Better for marketing agencies than RIAs.

• D) Apollo.io ($49+/month). Combined prospecting + email. Overkill for your current volume.

Why A is recommended: Your primary channel is compliance consultant referrals (warm intros), not cold email. You don’t need email infrastructure for warm intros. When cold email volume justifies it (Month 3+), upgrade to Instantly.

Notes:

---

D6: How Much Time to Invest in the “Impact/Wealth” Long Game?

Context: You’ve expressed a deep interest in working with impact-focused RIAs and eventually bridging into family offices, PE, and impact investing. This is a 12-24 month play.

Options:

• A) 10% of time now, scaling to 30% by Month 6 (Recommended). Focus 90% on getting first clients and revenue. Use the remaining 10% to learn the impact investing landscape — read, attend events, build relationships. Once revenue is stable, increase focus.

• B) Make impact alignment the primary differentiator from Day 1. Lead with “cybersecurity for impact-focused RIAs.” Risk: the addressable market in Colorado is probably less than 20 firms.

• C) Defer entirely until Month 6. Don’t think about impact alignment until you have 5+ clients and stable revenue.

• D) Build it into the content strategy now. Mention impact alignment in LinkedIn content to attract like-minded RIAs, but don’t filter your prospect list by it.

Why A is recommended: The impact angle is genuinely differentiated and personally motivating for you — but the addressable market is too small to be your only wedge. Get revenue first from any RIA, then specialize once you have breathing room.

Notes:

---

This document replaces the need to cross-reference 6+ playbooks. The strategy is: partner with compliance consultants, weaponize the Reg S-P deadline, deliver free assessments for case studies, convert to paid ORBs, and compound through referrals. Everything else is secondary until you have $10K/month in revenue.