solanasis-cold-email-outbound-master-playbook-2026

Solanasis — Cold Email & Outbound Master Playbook

Version: 1.2 Date: 2026-03-25 Owner: Dmitri Sunshine, Founder & CEO Purpose: The canonical reference for composing and sending cold emails as part of an AI-native outbound engine. Everything you need to write the email, nail the subject line, and book the meeting. North Star: 20-30 personalized cold emails/day from solanashq.com, feeding the pipeline math from the Master GTM Playbook (200-300 outreach/mo → 2-4 ORBs closed). Companion docs:

• Cold Email Cheat Sheets — thought leader frameworks, copywriting formulas, subject line patterns
• Cold Email Desk Card — keep open while composing emails
• Cold Calling Master Playbook — phone is Touch 3; this playbook is Touch 1
• Cold Call Pricing Cheat Sheet — pricing for reply objections
• Discovery Call Playbook — what happens after the meeting is booked
• Estate Attorney Cold Outreach Kit — deep attorney context, compliance findings, target lists
• CPA Firm Cold Outreach Kit — CPA vertical with WISP/FTC compliance angles
• Cyber Insurance Broker Cold Outreach Kit — broker partnerships, carrier programs
• MSP Cold Email Outreach Playbook — MSP list-building workflow, full ICP
• Cold Email Setup Guide — DNS, SPF/DKIM/DMARC, Google Workspace (infrastructure)
• Manual Cold Outreach Cheat Sheet — anti-spam safety rules, domain strategy
• Master GTM Playbook — revenue math, 90-day plan, full funnel
• Problem-First Templates — timeline-hook email templates by ICP (the “relevance > personalization” approach)
• B Testing Plan — 6-week structured experiment roadmap
• ICP Pain Briefs — current pain points, stats, and language by segment

---

Table of Contents

1. Philosophy & Why Cold Email in 2026 1.5. Problem-First Messaging Philosophy
2. Apollo.io Email Sequence Setup
3. Email Tool Stack & Deliverability Infrastructure
4. Prospect Targeting by Vertical
5. Email Copywriting Frameworks
6. Subject Line Framework
7. The Multi-Touch Email Sequence Blueprint

• Email Templates — Universal Elements

8. Email Templates — Attorneys
9. Email Templates — Foundations
10. Email Templates — SMBs
11. Email Templates — CPAs
12. Email Templates — MSPs
13. Email Templates — Brokers
14. Follow-Up & Cadence Science
15. Reply-Based Objection Handling
16. Personalization Framework
17. Deliverability & Domain Reputation
18. The Daily Email Execution Ritual
19. Metrics & Benchmarks
20. A/B Testing Framework
21. AI-Native Automation Map
22. Compliance & Legal

• Quick Reference: What to Have Open While Composing
• Appendix: Key Stats for Quick Reference

---

1) Philosophy & Why Cold Email in 2026

The Data Says Write the Email

Cold email isn’t dead. It’s evolved.

Stat	Source
Average cold email reply rate: 1-5% (top performers hit 8-12%)	Woodpecker 2025 benchmark
Optimal email length: 75-100 words gets 3.8% reply rate (from 3M+ emails analyzed)	Lavender / Backlinko 2025
Pitching in the first email = -57% reply rate	Gong.io (85M emails analyzed)
Social proof in email body = +41% reply rate	Gong.io (85M emails analyzed)
Personalized emails get 32% higher reply rates than generic templates	Lavender 2025
Multi-channel outbound (email + call + LinkedIn) gets 287% higher response rates than single-channel	Launch Leads 2026
Cold email is the cheapest channel: **$0.10-0.50/touch\ast \ast vs.$2-5/call	Industry composite
Disabling email tracking = 7.4% reply rate vs. 4.4% with tracking (plain text, no pixels)	Woodpecker 2025

The phone builds trust fastest, but email scales widest. For a solo founder doing 15-25 calls/day, email is how you reach the other 50-100 prospects per week that you can’t physically call.

Why Cold Email Works for Solanasis Specifically

• Your verticals are compliance-driven. Attorneys, CPAs, and foundations have specific regulatory obligations (ABA 1.6(c), WISP, FTC Safeguards). Compliance hooks work better in writing — the prospect can read the regulation, check it, and forward it to their partner.
• Your prospects research before they call back. A managing partner who gets your email will Google you, check your LinkedIn, and read your website before responding. Email gives them that runway. A cold call doesn’t.
• AI handles 80% of email work. Claude generates personalized first lines, researches prospects, drafts follow-ups, and manages sequences. You review and send. This is the highest-leverage AI/human split in your outbound engine.

The Channel Hierarchy (Email’s Role)

Email opens the door (they see your name and compliance hook)
  → LinkedIn builds familiarity (they see your face and credentials)
    → Phone converts (they hear your voice and expertise)
      → Discovery call closes (they experience your diagnostic ability)

Email is Touch 1 for most verticals. It’s the setup for everything that follows.

Exception: Foundations. Many Executive Directors answer their own phones. Call-first works here. But email still follows the call as reinforcement.

The Cold Email vs. Cold Call Split

Factor	Cold Email	Cold Call
Best for	Opening conversations, compliance hooks, scale	Converting warm prospects, building trust
Volume	20-30/day per mailbox (safely)	15-25/day (quality calls)
Personalization	AI handles 80%	Dmitri handles 100%
When prospect responds	On their schedule (hours/days later)	In real-time (immediate rapport)
Regulatory hooks	Shine in writing (ABA, WISP, FTC)	Shine in conversation (explain the “so what”)
Cost per touch	$0.10-0.50	$2-5
Conversion path	Email → reply → meeting	Call → conversation → meeting

Use both. Email is the net; the phone is the spear.

---

1.5) Problem-First Messaging Philosophy (March 2026 Update)

Added in v1.2. Based on research from instantly.ai, Lavender, Gong, and practitioners like Jesse Ouellette (LeadMagic) and Kyle Coleman (Copy.ai). Full research: Cold Email Research. Ready-to-use templates: Problem-First Templates.

The Core Insight: Relevance Beats Personalization

The old assumption: a custom first line about their company (“I noticed your firm handles estate planning in Colorado…”) is what makes cold email work.

The new data: hitting the right problem at the right time matters more than customizing the first line. Jesse Ouellette (LeadMagic): “I actually don’t think any personalization works… what we find works is when you call something out.”

Timeline hooks — referencing specific deadlines or events relevant to the prospect’s segment — outperform generic problem hooks by 2.3x on reply rate and 3.4x on meetings booked (Digital Bloom, 10K emails analyzed).

The Relevance Hierarchy

Level	What It Means	Impact	Example
1. Relevance	Hitting the right pain point at the right time	Highest	”Reg S-P deadline is June 3 — does your RIA have an incident response plan?“
2. Signal-based context	Referencing a trigger event (breach news, hiring, tech change)	High	”After the ransomware attacks hitting dental practices this quarter…“
3. Specific observation	Something they did/said/published	Moderate	”Your LinkedIn post about vendor consolidation…“
4. Basic personalization	Name, company, industry merge tags	Table stakes	”Hi Sarah, I work with RIAs your size…“
5. No personalization	Generic template	Dead on arrival	”Dear business owner…”

The Problem-First Email Format

Every email follows a 4-line structure:

1. Timeline/Trigger Hook — Reference a specific deadline, enforcement action, or stat
2. Bridge — Connect the hook to a risk they probably haven’t addressed
3. Mechanism — One sentence: what we do and the outcome
4. Interest CTA — Single, low-friction ask (“Is this on your radar?“)

50-80 words max. One CTA. No links in Email 1. No tracking pixels.

What This Means for Existing Frameworks

The frameworks in Section 5 (PAS, BAB, AIDA, QVC, Berman 3-Line) remain valid and useful. The problem-first/timeline-hook approach is now the recommended default for Email 1. Use the other frameworks when:

• PAS — for follow-up emails where you need to agitate a known pain
• BAB — for foundation/nonprofit prospects where painting the “after” state resonates
• AIDA — for partnership conversations (MSPs, brokers) where the CTA is different
• Berman 3-Line — when you have a specific case study to reference
• QVC — for ultra-short follow-ups (Email 3-4)

ICP-Specific Compliance Deadlines (Current as of March 2026)

ICP	Hard Deadline	The Hook
Government Contractors	CMMC Phase 2: Nov 10, 2026	99% of DIB not ready; C3PAOs booked 6-9 months out
Healthcare SMBs	Proposed HIPAA Security Rule: mid-2026	All 10 of first 2025 settlements = same gap (risk analysis)
Financial Services	Reg S-P amendments: June 3, 2026	Incident response program, vendor oversight, breach notification
Nonprofits	No hard deadline (market-driven)	60% breached, 80% of donors would leave, $49B in grants terminated
Professional Services	Insurance renewal cycles	41% of apps denied; 82% of denied claims lacked MFA

Full ICP pain-point details: ICP Pain Briefs

---

2) Apollo.io Email Sequence Setup

Note: Apollo account setup, plan details, and general configuration are covered in Cold Calling Master Playbook §2. This section covers email-specific configuration only.

Email-Specific Apollo Setup

• Connect solanashq.com mailboxes — This is your cold email domain. NEVER send cold email from solanasis.com.
  • Primary: dmitri@solanashq.com
  • Rotation: d.sunshine@solanashq.com, hello@solanashq.com
• Configure mailbox rotation — Apollo automatically rotates across connected mailboxes to distribute sending volume
• Set daily sending limits per mailbox:
  • Week 1-2 (warmup): 5-10 emails/day per mailbox
  • Week 3-4: 15-20 emails/day per mailbox
  • Week 5+: 25-30 emails/day per mailbox (steady state)
  • With 3 mailboxes at steady state: 75-90 emails/day capacity
• Enable “Finish on reply” — Stops the sequence when a prospect replies (prevents awkward follow-ups after someone responds)
• Enable “Pause on out of office” — Resumes after they return
• Enable “Skip weekends and holidays” — Professional services prospects don’t read cold email on weekends
• Set send windows:
  • Tuesday-Thursday: 8:00-10:00 AM and 2:00-4:00 PM (prospect’s local time)
  • Monday: 10:00 AM-12:00 PM only (inbox is flooded from weekend)
  • Friday: 8:00-10:00 AM only (people check out after lunch)
• Disable email tracking for Step 1 — Tracking pixels hurt deliverability (+68% reply rate without tracking — see §17). Enable tracking on Step 2+ only if needed for engagement signals.
• Configure A/B testing — Apollo supports up to 5 variants per step. Start with 2 (A/B on subject lines).

Apollo Sequence Structure

Create one sequence per vertical × tier combination:

Sequence Name	Vertical	Tier	Touches	Days
ATT-T1-Ethical-Duty	Attorneys	Tier 1	4 emails	14 days
ATT-T2-Attorney	Attorneys	Tier 2	3 emails	9 days
FND-T1-Mission	Foundations	Tier 1	4 emails	14 days
FND-T2-Foundation	Foundations	Tier 2	3 emails	9 days
SMB-T1-Resilience	SMBs	Tier 1	4 emails	14 days
SMB-T2-SMB	SMBs	Tier 2	3 emails	9 days
CPA-T1-WISP	CPAs	Tier 1	4 emails	14 days
CPA-T2-CPA	CPAs	Tier 2	3 emails	9 days
MSP-T1-Revenue	MSPs	Tier 1	3 emails	9 days
BRK-T1-Underwriting	Brokers	Tier 1	4 emails	18 days

Apollo AI Composer for Email

Apollo’s AI Composer (300,000 credits/month on Professional) can:

• Generate personalized email drafts from prospect data
• Create subject line variants for A/B testing
• Suggest follow-up timing based on engagement signals

How to use it: Feed it your template structure and let it personalize the first line and company-specific details. Always review before sending — AI-generated emails still need Dmitri’s voice check.

Apollo Plays for Email Automation

These extend the 3 starter Plays from the cold calling playbook:

Play 4: “Email Engagement → Call Task”

• Trigger: Prospect opens email 3+ times OR clicks a link
• Action: Create immediate call task + upgrade to Tier 1 sequence
• Why: Repeated opens signal interest. A call converts this.

Play 5: “Auto-Sequence on List Add”

• Trigger: New prospect added to a vertical list
• Action: Auto-enroll in appropriate Tier 2 sequence
• Why: Eliminates manual enrollment. Every new prospect gets touched.

---

3) Email Tool Stack & Deliverability Infrastructure

Current Email Stack

Tool	Cost	Purpose
Apollo Professional	$99/mo	Sequences, A/B testing, 5 mailboxes, AI Composer, prospect data
solanashq.com (Google Workspace)	$7/mopermailbox($21 for 3)	Cold email sending domain
TrulyInbox	Active (cost varies)	Email warmup service
solanasis.com	Existing	Warm/relationship emails ONLY — never cold

Monthly total: ~$120/mo for email infrastructure

Email Warmup Tools (Ranked)

You’re already using TrulyInbox. If you need to evaluate alternatives:

Tool	Cost	Strengths	Weaknesses
TrulyInbox (current)	Varies	Already integrated, familiar	Evaluate deliverability performance monthly
MailReach	$25/inbox/mo	Strongest reputation in r/sales communities, detailed reports	Higher cost per inbox
Warmbox	$19/inbox/mo	Budget-friendly, good reviews	Smaller warmup network

Rule: Run warmup continuously, even after domain is warm. Stopping warmup causes reputation to decay.

Infrastructure Deep Dives (Don’t Duplicate — Link)

• Full DNS/SPF/DKIM/DMARC setup: See Cold Email Setup Guide
• TrulyInbox evaluation and config: See Deliverability Playbook
• Domain strategy and anti-spam safety: See Manual Cold Outreach Cheat Sheet

---

4) Prospect Targeting by Vertical

Note: Full targeting criteria, Apollo filters, and ICP details are in Cold Calling Master Playbook §4. The same targeting applies to email. This section covers email-specific targeting considerations only.

Email-Specific Targeting Notes

Vertical	Email-First or Call-First?	Why	Email Decision-Maker
Attorneys	Email-first (Day 1) → Call Day 3	Attorneys read email carefully; compliance hooks work better in writing; they need time to check ABA Rule 1.6(c)	Managing Partner or “partner who handles tech”
Foundations	Call-first viable, email as reinforcement	EDs answer phones directly; but follow-up email reinforces the call	Executive Director or Director of Operations
SMBs	Email-first (Day 1) → Call Day 3	Owners/CFOs check email constantly; they forward relevant emails to their “IT person”	Owner, CEO, CFO, or “person who handles IT”
CPAs	Email-first (Day 1) → Call Day 4	Partners are analytical; they want to read and verify compliance claims before talking	Managing Partner or Firm Administrator
MSPs	Email-first (partnership angle)	MSP owners are perpetually overloaded; email respects their time. Lead with revenue/partnership.	Owner, President, or vCIO
Brokers	LinkedIn-first → Email Day 3	Broker relationships are trust-based; LinkedIn familiarity first, then email with specific value	Agency Owner or Commercial Lines Producer

Email Verification Before Sending

Non-negotiable. Before loading any list into Apollo sequences:

1. Apollo’s built-in verifier catches ~80-88% of bad emails
2. For remaining high-value prospects, cross-check with Hunter.io or NeverBounce
3. Target: <2% bounce rate per campaign
4. Remove all “risky” and “invalid” emails. Keep “valid” and “accept-all” (with caution)
5. Never send to generic emails (info@, contact@, admin@) for Tier 1 prospects — find the person

---

5) Email Copywriting Frameworks

These frameworks are your skeleton. Every cold email should follow one of these structures. The vertical-specific templates in Sections 8-13 are built on these frameworks.

Recommended default: The Problem-First / Timeline-Hook approach (see Section 1.5) is the recommended starting point for all Email 1 drafts. The frameworks below remain valuable as alternatives and for follow-up emails. Ready-to-use problem-first templates: Problem-First Templates.

The 5-Block Cold Email Framework (Solanasis Standard)

This is the default structure for every Solanasis cold email:

Block	Purpose	Target Length
1. Personalized Opener	Show you did research; connect to their specific situation	1 sentence
2. Pain/Problem	Name the specific problem they likely have (compliance gap, untested backups, etc.)	1-2 sentences
3. Credibility	One data point or peer proof that makes the problem real	1 sentence
4. Value	What you do about it — outcome-focused, not feature-focused	1-2 sentences
5. CTA	Specific, low-friction ask	1 sentence

Total target: 50-100 words. Shorter emails get higher reply rates.

Framework 1: PAS (Problem → Agitate → Solve)

Best for: Compliance-driven verticals (attorneys, CPAs) where the pain is regulatory exposure.

Step	What It Does	Solanasis Example
Problem	Name the specific pain	”Most estate firms haven’t tested whether their backups actually restore.”
Agitate	Make it feel urgent	”If client trust documents are lost in a breach, ABA Rule 1.6(c) ‘reasonable efforts’ becomes the question your malpractice carrier asks.”
Solve	Your answer (outcome, not features)	“We run a 10-day data protection review — clear snapshot of where you stand, practical roadmap for what to fix.”

Framework 2: BAB (Before → After → Bridge)

Best for: Foundations and SMBs where you’re painting a picture of the improved state.

Step	What It Does	Solanasis Example
Before	Their current reality (pain they live with)	“Right now, if your systems went down, your team would scramble to figure out what’s backed up and what’s not.”
After	The improved state	”After a 10-day Resilience Checkup, you’d have a tested restore process, a prioritized action plan, and a board-ready report.”
Bridge	How you get them there	”That’s exactly what we do for foundations managing [their cause area] — tight scope, 10 business days, no disruption.”

Framework 3: AIDA (Attention → Interest → Desire → Action)

Best for: MSPs and Brokers where the CTA is a partnership conversation, not a direct sale.

Step	What It Does	Solanasis Example (MSP)
Attention	Hook with something relevant to them	”When an MSP client gets breached, the MSP takes the blame — even when they did everything right.”
Interest	Expand with specifics	”Our Resilience Checkup documents exactly where the gaps are, so you have proof of posture before anything happens.”
Desire	Make them want it	”The findings always surface remediation work — that’s billable implementation for your team. Plus a 15% referral fee on the assessment.”
Action	Specific CTA	”Worth 15 minutes to see if it fits your client base?”

Framework 4: QVC (Question → Value → CTA)

Best for: Short follow-up emails (Email 2, Email 3) where brevity wins.

Step	What It Does	Example
Question	One provocative question	”When was the last time your firm tested a full backup restore — not checked a dashboard, but actually pulled the plug and brought everything back?”
Value	One sentence of value	”That test is the centerpiece of our 10-day review — and two-thirds of firms discover issues during it.”
CTA	Quick ask	”Worth a quick call?”

Framework 5: Alex Berman 3-Line Email

Best for: Ultra-short cold emails to busy executives. Three lines max.

Line	Purpose	Example
Line 1: Compliment/Observation	Show you know them	”Saw that [Firm Name] handles estate planning for high-net-worth families in Colorado.”
Line 2: Case Study	Prove you’ve done this	”We just helped a similar firm document their ABA 1.6(c) compliance posture in 10 business days.”
Line 3: CTA	One question	”Worth a conversation?”

The “Because” Principle (Applies to All Frameworks)

The word “because” increases compliance by 34-94% (Langer copier study). Always include a “because” in your reason for reaching out:

• “…because firms your size are the ones most exposed right now”
• “…because I noticed your firm handles estate planning, and malpractice carriers are starting to ask cybersecurity questions during renewals”
• “…because the FTC has been actively enforcing the Safeguards Rule against tax preparers”
• “…because after the Blackbaud breach, foundation EDs are asking these questions”

---

6) Subject Line Framework

What the Data Says

Finding	Data Point	Source
Optimal length	1-3 words highest open rate; 4-7 words best balance of opens + replies	Lavender 2025
Personalization impact	Company name in subject = +36% open rate	Woodpecker 2025
Questions vs. statements	Questions get +10-15% higher open rates	HubSpot 2025
ALL CAPS	Reduces open rate by -30%	Mailshake research
Emojis	No impact on open rate for B2B; slight negative for professional services	Reply.io 2025
”Re:” in first cold email	Deceptive — kills trust and may trigger spam filters	Industry consensus
”Quick question”	Still works, but declining — use sparingly	Gong email data
Reading level	3rd-5th grade reading level = 67% more replies than 9th+ grade	Lavender (millions of emails)

Subject Line Formulas (Ranked by Performance)

#	Formula	Example	Best For
1	[Topic] at [Company]	“Client data protection at [Firm Name]“	Attorneys, CPAs
2	Question about [specific thing]	“Quick question about your firm’s WISP”	CPAs (compliance hook)
3	[Name], [short hook]	“[Name], 10 days to board-ready reporting”	Foundations
4	[Observation/trigger]	“Saw [Firm Name]‘s estate planning focus”	Attorneys (personalized)
5	Idea for [Company]	“Revenue idea for [Company Name]“	MSPs (partnership)
6	[Mutual connection/peer] mentioned you	”Sarah at [Firm] suggested I reach out”	Any vertical (referral)
7	[Specific number/stat]	“66% of law firms lack an IR plan”	Attorneys, CPAs
8	For [Name] — [value]	“For [Name] — resilience snapshot”	Any vertical

Subject Lines by Vertical

Attorneys (estate planning):

• Primary: “Quick question about client data protection at [Firm Name]”
• A/B variant: “ABA 1.6(c) compliance at [Firm Name]”
• Follow-up: “How estate firms are handling the cybersecurity question”
• Breakup: “Closing the loop”

Foundations:

• Primary: “Quick question about [Foundation Name]‘s backup system”
• A/B variant: “Protecting [Foundation Name]‘s [data type] records”
• Personalized: “[Name], 10 days to board-ready reporting”
• Breakup: “Last note from me”

CPAs:

• Primary: “Quick question about your firm’s WISP — [Firm Name]”
• A/B variant: “FTC Safeguards compliance at [Firm Name]”
• Follow-up: “The WISP gap we keep seeing at CPA firms”
• Breakup: “Closing the loop”

SMBs:

• Primary: “Systems resilience at [Company Name]”
• A/B variant: “Quick question about [Company Name]‘s backup testing”
• Follow-up: “The $3.31M number your IT person won’t mention”
• Breakup: “Last note from me — here if timing changes”

MSPs:

• Primary: “Revenue idea for [Company Name]”
• A/B variant: “Quick question about [Company Name]‘s security offerings”
• Follow-up: “Keeping clients before they get breached”
• Breakup: “Last note — here if the timing ever lines up”

Brokers:

• Primary: “Pre-underwriting remediation for your professional services clients”
• A/B variant: “Making next renewal easier for your [CPAs / law firms]”
• Follow-up: “What we’re seeing in SMB cyber underwriting”
• Breakup: “Closing the loop”

Subject Lines to NEVER Use

Subject Line	Why It Fails
”Re:” on a first email	Deceptive. Kills trust instantly. May trigger spam.
”Fwd:” on a first email	Same — fake familiarity
ALL CAPS anything	Spam trigger. Looks desperate.
”URGENT:” or “ACTION REQUIRED:“	Spam trigger. Not your emergency.
”Free” anything	Spam filter trigger word
”Partnership opportunity”	Vague. Everyone says this.
”Touching base”	Empty. Says nothing.
”Following up” (as subject for Email 1)	Implies a prior relationship that doesn’t exist
”I’d love to…”	Self-centered. They don’t care what you’d love.
Longer than 7 words	Open rates drop sharply after 5-7 words

---

7) The Multi-Touch Email Sequence Blueprint

Note: These sequences show the email touches only. For the full multi-channel sequence (email + call + LinkedIn), see Cold Calling Master Playbook §5.

Tier 1: High-Value Prospects (4 emails over 14 days)

For managing partners at target-size firms, EDs at $10M+ foundations, MSP owners with 50+ clients.

Day	Email	Framework	Purpose
1	Email 1: The Hook	PAS or 5-Block	Compliance/pain hook + specific CTA
4	Email 2: The Evidence	QVC	One data point or case study + softer CTA
8	Email 3: The Peer Proof	BAB	Different angle (malpractice, peer firms, breakdowns)
14	Email 4: The Breakup	3-Line	Short, gracious, leave the door open

Rules for Tier 1:

• Heavy personalization (custom first line referencing their firm/website/990 data)
• A/B test subject lines on Email 1
• Phone call on Day 3 (between Email 1 and Email 2)
• LinkedIn connection request on Day 1 or 2
• AI Composer generates draft → Dmitri reviews and personalizes

Tier 2: Medium-Value Prospects (3 emails over 9 days)

For smaller firms within ICP, prospects without clear trigger events.

Day	Email	Framework	Purpose
1	Email 1: The Hook	5-Block	Compliance/pain hook + CTA
4	Email 2: The Follow-Up	QVC	Shorter, one question + one data point
9	Email 3: The Breakup	3-Line	Brief close

Rules for Tier 2:

• Moderate personalization (company name, industry, location — AI-generated)
• Phone call only if Email 1 gets opened 3+ times (Apollo Play 4 triggers this)
• LinkedIn connection request on Day 2

Tier 3: Volume Prospects (2 emails, automated)

For lower-priority prospects, data-only outreach to test messaging.

Day	Email	Framework	Purpose
1	Email 1	5-Block (templated)	Template with {{company}} and {{industry}} variables
5	Email 2: Breakup	3-Line	Brief close

Rules for Tier 3:

• Template-only personalization (merge fields)
• No phone follow-up unless they reply
• Upgrade to Tier 2 if they open 3+ times (Apollo Play 4)

Tier Assignment

Criteria	Tier 1	Tier 2	Tier 3
Attorneys	Managing partner, 5+ attorneys, Colorado	Partner, 2-5 attorneys, Colorado	Associate, out-of-state
Foundations	ED named, $10M+ assets, Colorado	ED named, $5-10M assets	$1-5M assets, no ED name
SMBs	Owner/CEO, 50-200 employees, regulated industry	Owner, 20-50 employees	10-20 employees
CPAs	Managing partner, 10+ CPAs	Partner, 3-10 CPAs	Sole practitioner
MSPs	Owner, 20+ employees, no security offerings	Owner, 5-20 employees	< 5 employees
Brokers	Agency owner, cyber specialty listed	Commercial lines producer	General lines only

Follow-Up Thread Strategy

• Email 2: Reply to Email 1 thread (uses “Re:” naturally because it IS a reply). This pushes the original email back to the top of their inbox.
• Email 3: New thread with new subject line. Gives them a fresh chance to notice you if they missed the first thread.
• Email 4 (breakup): Reply to Email 1 thread again. Clean closure on the original conversation.

---

Email Templates — Universal Elements

These elements apply to ALL vertical templates. Don’t repeat them in every section — reference this.

Signature (Standard Cold Email)

Dmitri Sunshine
Solanasis | Operational Resilience for Professional Services
hi@solanasis.com | 303-900-8969

Rules:

• No images, logos, or social links in cold emails (hurts deliverability)
• No HTML formatting (plain text only)
• Include phone number (gives them another way to reach you)
• Physical mailing address goes in footer for CAN-SPAM compliance when sending from solanashq.com at scale

CTA Formulas (Use One Per Email)

CTA	When to Use	Why It Works
”Would a 15-minute conversation be worthwhile?”	Email 1 (primary)	Low commitment (15 min), asks about value to them
”Worth a quick call?”	Email 2, 3 (follow-ups)	Even lower friction, shorter
”Would it make sense to see what the assessment covers?”	When prospect is unfamiliar with your service	Asks about relevance, not commitment
”Can I send you the one-pager so you have it when the time is right?"	"Not now” replies, breakup emails	Zero commitment, keeps door open
”How about [Tuesday/Thursday] at [specific time]?”	When prospect has shown interest	Specific ask = higher conversion (Blount: always propose a time)
“Is this the kind of thing [Firm Name] would want to look into before [renewal/tax season/board meeting]?”	Seasonal triggers	Ties to their calendar, creates natural urgency

Tone Calibration by Vertical

Vertical	Tone	Why
Attorneys	Formal, peer-to-peer, compliance-framed	They respect precision and professional language
Foundations	Warm, mission-aligned, respectful of budget	They care about mission first, money second
SMBs	Direct, practical, ROI-focused	Owners want bottom-line impact, not theory
CPAs	Analytical, regulation-specific, evidence-based	CPAs want numbers and citations
MSPs	Peer-to-peer, revenue-focused, technical credibility	They know IT; don’t condescend. Lead with what’s in it for them.
Brokers	Insurance-native language, loss-control framing	Use their vocabulary: “attestation,” “remediation,” “insurable posture”

Language Translation Tables

Full language translation tables are in the vertical-specific outreach kits:

• Attorneys: Estate Attorney Kit — Language Shift
• CPAs: CPA Kit — Language Shift
• Brokers: Broker Kit — Language Shift

Universal rule: Never say “cybersecurity assessment.” Say what each vertical calls it:

• Attorneys: “Data protection review”
• CPAs: “WISP validation and Safeguards review”
• Foundations: “Compliance readiness assessment”
• SMBs: “Resilience checkup”
• MSPs: “Operational Resilience Baseline (ORB)”
• Brokers: “Pre-underwriting gap remediation”

Email Formatting Rules (All Emails)

• Plain text only. No HTML, no images, no logos, no tracking pixels, no link tracking.
• Under 100 words (Email 1). Under 75 words for follow-ups.
• 5th-grade reading level (Flesch-Kincaid). Short sentences. No jargon unless it’s their jargon.
• No more than 1 link per email (your website or calendar link, not both).
• No attachments in any email. Mention the one-pager; send on reply.
• One question maximum. Multiple questions reduce reply rates.
• No bullet points in Email 1. They signal a pitch. Use them in Email 2 only if listing specific deliverables.

---

8) Email Templates — Attorneys

Deep context: Estate Attorney Cold Outreach Kit — ABA rules, compliance findings, language translation table, Colorado target list

ICP Reminder

• Firm size: 2-15 attorneys
• Practice focus: Estate planning, trusts & estates, elder law
• Location: Colorado first
• Decision maker: Managing partner or partner who “handles tech”
• Timing: March-May (malpractice renewals Q2-Q3, post-tax-season bandwidth)

Email 1: The Ethical Duty Hook (Day 1) — PAS Framework

Subject A: Quick question about client data protection at [Firm Name] Subject B: ABA 1.6(c) and [Firm Name]

Hi [First Name],

I noticed [Firm Name] handles estate planning for families in [City/Region] — sensitive work with real ABA 1.6(c) exposure.

Malpractice carriers are now asking cybersecurity questions during renewals, and 66% of law firms still lack a formal incident response plan (ABA TechReport). Most small firms haven’t documented the “reasonable efforts” that 1.6(c) requires.

We run a 10-day data protection review: clear snapshot of where your firm stands, practical roadmap for what needs attention. Minimal disruption to billable hours.

Would a 15-minute conversation be worthwhile?

Dmitri Sunshine Solanasis | Operational Resilience for Professional Services hi@solanasis.com | 303-900-8969

Email 2: The Malpractice Angle (Day 4) — QVC Framework

Subject: Re: Quick question about client data protection at [Firm Name]

Hi [First Name],

One thing I should have mentioned — we’re seeing malpractice carriers starting to require cybersecurity attestations during renewal. Firms that can show documented security posture are getting better terms.

Our 10-day review produces exactly what carriers want: a maturity scorecard, risk register, and 90-day action plan. Not a certification — documented evidence of “reasonable efforts.”

Worth a quick call if your renewal is in the next few months?

Dmitri

Email 3: The Peer Proof (Day 8) — BAB Framework

Subject: How estate firms are handling the cybersecurity question

Hi [First Name],

The biggest concern isn’t a sophisticated cyberattack. It’s the simple stuff — an associate’s email getting compromised and someone sending wire transfer instructions from a spoofed domain, or a backup that hasn’t been tested and fails when it matters.

Estate firms hold the keys to intergenerational wealth. A single breach can expose trust beneficiaries, compromise estate plans, and create malpractice liability.

Our 10-Day Resilience Checkup is built for firms like yours — tight scope, minimal disruption.

If this isn’t a priority right now, no worries. Happy to be a resource whenever.

Dmitri Sunshine Solanasis | hi@solanasis.com | 303-900-8969

Email 4: The Breakup (Day 14) — 3-Line Framework

Subject: Closing the loop

Hi [First Name],

I’ve reached out a few times and don’t want to be a nuisance. The average breach cost for professional services firms is over $200K (IBM/Ponemon). For estate firms, the reputational cost of exposed trust documents may be higher.

If client data protection ever moves up the priority list, I’m available for a no-pressure conversation. Wishing [Firm Name] continued success.

Dmitri Sunshine Solanasis | hi@solanasis.com | 303-900-8969 | solanasis.com

---

9) Email Templates — Foundations

Deep context: Foundation Prospecting Playbook — foundation economics, targeting, 5,442-prospect list

ICP Reminder

• Assets: $5M-$50M
• Types: Private, family, community, corporate foundations
• Decision maker: Executive Director or Director of Operations
• Timing: Board meeting cycles, budget planning (Q4), post-annual-report season
• Note: Foundations have 0.4% email availability rate. Most outreach is phone-first. But when you DO have email, these templates apply.

Email 1: The Restore Test Hook (Day 1) — PAS Framework

Subject A: Quick question about [Foundation Name]‘s backup system Subject B: Protecting [Foundation Name]‘s [data type] records

Hi [First Name],

I noticed [Foundation Name] works with [program area / data type] — that kind of data needs reliable protection.

Two-thirds of restore tests fail on the first attempt. For a foundation managing [donor records / scholarship records / patient records], that’s a blind spot worth closing.

We run a 10-day Compliance Readiness Assessment that includes a real restore test; results come back as a board-ready report.

Has [Foundation Name] ever tested a full restore of its [data type]?

Dmitri Sunshine CEO, Solanasis solanasis.com | 303-900-8969

Email 2: The Mission Alignment (Day 4) — BAB Framework

Subject: Re: Quick question about [Foundation Name]‘s backup system

Hi [First Name],

Every dollar spent recovering from a preventable outage is a dollar not going to [their cause area]. With $[asset amount] in assets and [data type] to protect, a quiet failure in your backup systems could set your mission back years.

Our assessment gives you a board-ready snapshot in 10 business days — what’s working, what needs attention, and a prioritized 90-day plan.

Would a quick look at the assessment scope be useful for your next board meeting?

Dmitri

Email 3: The Blackbaud Angle (Day 8) — QVC Framework

Subject: The Blackbaud breach and what it means for foundations like [Foundation Name]

Hi [First Name],

The Blackbaud breach exposed data from 13,000 nonprofits, with settlements now exceeding $56 million. Most of those organizations believed their systems were secure.

Our 10-day assessment was designed for organizations exactly like [Foundation Name] — tight scope, minimal disruption, board-ready reporting.

If the timing isn’t right now, I completely understand. Happy to be a resource whenever.

Dmitri Sunshine Solanasis | hi@solanasis.com | 303-900-8969

Email 4: The Breakup (Day 14) — 3-Line Framework

Subject: Last note from me

[First Name], I don’t want to fill your inbox. [Foundation Name]‘s work in [cause area] clearly matters, and I hope the right protections are in place. If operational resilience ever comes up at a board meeting, I’m an easy call.

Dmitri | 303-900-8969

---

10) Email Templates — SMBs

ICP Reminder

• Size: 20-200 employees
• Industries: Healthcare, financial services, legal, professional services
• Location: Colorado → Mountain West
• Decision maker: Owner, CEO, CFO, or “person who handles IT”
• Trigger events: New hire (IT/ops), recent breach in their industry, contract renewal season, insurance renewal, M&A activity, new compliance requirement (CMMC 2.0 Phase 2 starts November 10, 2026)

Email 1: The Resilience Hook (Day 1) — PAS Framework

Subject A: Systems resilience at [Company Name] Subject B: Quick question about [Company Name]‘s backup testing

Hi [First Name],

I work with [industry] companies your size on something that usually falls through the cracks: whether your systems actually come back when something goes wrong.

The average breach cost for companies under 500 employees is $3.31million—buttherealcostisusuallythe48hoursofdowntimeat$137-$427 per minute.

We run a 10-day Resilience Checkup: real restore test, security baseline, prioritized 90-day plan. You don’t need a full-time CIO. You need the right systems checked once, then maintained.

Would 15 minutes be worth it to see if it’s relevant?

Dmitri Sunshine Solanasis | Operational Resilience for Professional Services hi@solanasis.com | 303-900-8969

Email 2: The Restore Test (Day 4) — QVC Framework

Subject: Re: Systems resilience at [Company Name]

Hi [First Name],

Quick question: if your systems went down tomorrow morning, how long before you’re back up and running? And how do you know?

Most companies we work with have backups but have never tested a real restore. Two-thirds fail on the first attempt. Our 10-day assessment includes that test.

Worth a quick call?

Dmitri

Email 3: The Industry Peer (Day 8) — BAB Framework

Subject: The $3.31M number your IT person won’t mention

Hi [First Name],

80% of cyber incidents hit companies under 1,000 employees. Not because they’re easier to hack — because they’re perceived as softer targets with fewer defenses.

After a 10-day Resilience Checkup, you’d know exactly where you stand: what’s working, what’s not, and what to fix first. Practical roadmap, not a 200-page report.

If now isn’t the right time, I’ll leave it here. Happy to be a resource whenever.

Dmitri Sunshine Solanasis | hi@solanasis.com | 303-900-8969

Email 4: The Breakup (Day 14) — 3-Line Framework

Subject: Last note from me — here if timing changes

[First Name], I’ve reached out a couple of times and don’t want to be a nuisance. If systems resilience or IT strategy ever comes up at [Company Name], I’m an easy call: 303-900-8969.

Wishing you continued growth.

Dmitri

---

11) Email Templates — CPAs

Deep context: CPA Firm Cold Outreach Kit — WISP/FTC compliance, language translation table, timing advantage

ICP Reminder

• Firm size: 3-25 CPAs
• Practice focus: Tax preparation, wealth management accounting, small business accounting
• Location: Colorado first
• Decision maker: Managing partner or firm administrator
• Timing: April 16-June 30 is prime (post-tax-season breathing room, annual planning mode)

Email 1: The WISP Compliance Hook (Day 1) — PAS Framework

Subject A: Quick question about your firm’s WISP — [Firm Name] Subject B: FTC Safeguards compliance at [Firm Name]

Hi [First Name],

Most CPA firms we talk to have a WISP that was created from a template and never updated — or no formal program at all. The FTC Safeguards Rule requires a living document with specific controls. Penalties reach $100,000 per violation.

We run a focused 10-day Safeguards review: clear snapshot of where [Firm Name] stands against IRS and FTC requirements. The deliverable works for compliance evidence, insurance renewals, and internal planning.

Would a 15-minute conversation be useful?

Dmitri Sunshine Solanasis | Information Security for Professional Services hi@solanasis.com | 303-900-8969

Email 2: The FTC Enforcement (Day 4) — QVC Framework

Subject: Re: Quick question about your firm’s WISP — [Firm Name]

Hi [First Name],

One data point getting attention: the FTC has been actively enforcing the Safeguards Rule against tax preparers specifically. The rule requires firms not just HAVE a security program, but maintain it as a “living document” with regular risk assessments, access controls, encryption, and breach response procedures (16 CFR 314.4).

Our 10-day review produces documentation that addresses FTC enforcement + IRS compliance + malpractice insurance gaps simultaneously.

Worth a quick call to see if the timing makes sense?

Dmitri

Email 3: The Identity Theft Angle (Day 8) — BAB Framework

Subject: The WISP gap we keep seeing at CPA firms

Hi [First Name],

The IRS reported 294,138 identity theft tax returns in 2023 alone. Many originated from compromised preparer systems — not from the taxpayers themselves.

The biggest risk isn’t a sophisticated attack. It’s the basics: a staff member’s email compromised during tax season, a backup that hasn’t been tested, no documented breach response procedure.

Our 10-day review checks your actual controls against what the IRS and FTC require, tests your backup recovery, and gives you a prioritized action plan. Tight scope, minimal disruption — especially important coming out of tax season.

If this isn’t the right time, I understand. Happy to be a resource whenever.

Dmitri Sunshine Solanasis | hi@solanasis.com | 303-900-8969

Email 4: The Breakup (Day 14) — 3-Line Framework

Subject: Closing the loop

Hi [First Name],

WISP compliance and FTC Safeguards enforcement aren’t going away — they’re accelerating. If [Firm Name] ever wants a clear-eyed look at where things stand, I’m an easy call.

Wishing your firm a productive post-season.

Dmitri | 303-900-8969

---

12) Email Templates — MSPs

Deep context: MSP Cold Email Outreach Playbook — full ICP, list-building workflow, 3-email sequences with A/B variants, execution cadence

ICP Reminder

• Size: 5-50 employees
• Client base: 20-200 SMB clients
• Geography: Colorado first → Mountain West → national
• Services: Break/fix, managed IT, cloud management, help desk (NOT security-focused MSPs)
• Decision maker: Owner, President, CEO (at small MSPs, owner = everything)
• Tone: Peer-to-peer, revenue-focused, technical credibility. They know IT. Don’t condescend.

Email 1: The Revenue Hook (Day 1) — AIDA Framework

Subject A: Revenue idea for [Company Name] Subject B: Quick question about [Company Name]‘s security offerings

Hi [First Name],

I run Solanasis — we do a 10-day Resilience Checkup for SMBs: security baseline + a real restore test + a prioritized 30/60/90 plan.

Here’s why I’m reaching out specifically: the findings always surface remediation work — patching, config fixes, backup improvements, access controls — that’s a natural fit for an MSP to implement.

We assess and plan. You deliver and manage. Clean handoff, no overlap.

Would a 15-minute call make sense to see if it fits your client base?

Dmitri Sunshine Founder, Solanasis solanasis.com | 303-900-8969

Email 2: The Client Retention Angle (Day 4) — QVC Framework

Subject: Keeping clients before they get breached

Hi [First Name],

One pattern I keep seeing: SMBs get breached, panic, and blame their MSP — even when the MSP did everything right. The problem is usually something upstream nobody tested.

Our Resilience Checkup gives your clients (and you) documented proof that their backup actually restores and their security baseline is solid. If something IS broken, you get paid to fix it.

We offer a 15% referral fee on assessments, capped at $2,500. Happy to share the one-pager if you’re curious.

Dmitri

Email 3: The Breakup (Day 9) — 3-Line Framework

Subject: Last note — here if the timing ever lines up

Hi [First Name],

Quick summary: you refer a client, we assess in 10 days, the findings create work for your team, you earn a 15% referral fee. Non-competitive by design — we don’t do managed services.

If this is ever relevant, I’m an easy call: 303-900-8969.

Dmitri

---

13) Email Templates — Brokers

Deep context: Cyber Insurance Broker Cold Outreach Kit — dual-track strategy (cold outreach + carrier programs), language translation table, partner program applications

ICP Reminder

• Target: Cyber insurance brokers, agency owners, commercial lines producers
• Geography: Colorado first (local trust matters for brokers)
• Angle: You are a “loss control partner” — not a security vendor
• Key requirement: You MUST have your own cyber liability insurance before reaching out
• Tone: Insurance-native language. “Attestation,” “remediation,” “insurable posture,” “underwriting-ready.”

Email 1: The Pre-Underwriting Pitch (Day 1) — AIDA Framework

Subject: Pre-underwriting remediation for your professional services clients

[Name],

When your CPA or law firm clients get flagged during cyber underwriting — no EDR, untested backups, missing IR plan — what happens next?

We do pre-underwriting security remediation for professional services firms. Flat fee. 10 business days. Full attestation documentation for your underwriting file.

Big MDR platforms handle enterprise. Your smaller clients need hands-on remediation from someone who understands FTC Safeguards, ABA 1.6(c), and SEC Reg S-P.

Would 15 minutes make sense?

Dmitri Sunshine Solanasis | Operational Resilience, Proven 303-900-8969 | solanasis.com

Email 2: The Evidence Email (Day 5) — QVC Framework

Subject: Re: Pre-underwriting remediation for your professional services clients

[Name],

Quick follow-up. Here are the specific controls we remediate — the ones carriers check hardest in 2026:

• MFA enforcement across all systems
• EDR/MDR deployment and configuration
• Backup testing — actual restore verification
• Written incident response plan with roles
• Written Information Security Plan (WISP)
• Vendor access and credential review
• AI-use policy documentation (new for 2026)

We produce a bound attestation package for your underwriting file. Worth 15 minutes?

— Dmitri

Email 3: The Insight Email (Day 10) — BAB Framework

Subject: What we’re seeing in SMB cyber underwriting

[Name],

One number: 70% of the SMBs we assess have backups that have never been tested with a real restore. They think they’re covered. When we test, it fails — wrong configurations, outdated snapshots, untested procedures.

That’s the gap between “we have backups” and “we can actually recover.” And it’s the #1 thing that surprises underwriters.

If this resonates with what you’re seeing, I’d love to compare notes — even if there’s no partnership fit.

— Dmitri

Email 4: The Graceful Close (Day 18) — 3-Line Framework

Subject: Re: Pre-underwriting remediation for your professional services clients

[Name],

If your professional services clients ever need pre-underwriting remediation — especially CPAs on FTC Safeguards or attorneys on ABA compliance — we’re an easy call. 10 business days, flat fee, full documentation.

Appreciate your time.

— Dmitri | 303-900-8969

---

14) Follow-Up & Cadence Science

What the Data Says About Follow-Ups

Finding	Data Point	Source
Most replies come from follow-ups	55-60% of replies come from Email 2-4, not Email 1	Woodpecker 2025
Optimal cadence	3-7-7 day spacing captures 93% of all replies	Woodpecker 2025
Optimal number of follow-ups	3-4 total emails is the sweet spot; beyond 4th email = 1.6% spam rate	Reply.io benchmark
Reply rate by email number	Email 1: ~2-3%, Email 2: ~3-4%, Email 3: ~2-3%, Email 4+: <1%	Woodpecker 2025
Breakup emails get replies	12-15% of all positive replies come from the breakup email	Close.com research
Follow-up after voicemail	Voicemails double email reply rate when sent same day	Gong.io 2025

Hook Type Performance (What to Lead With)

This data from Digital Bloom’s 10,000+ cold email study changes how you write openers. Timeline hooks outperform problem hooks by 2.3x.

Hook Type	Reply Rate	When to Use	Solanasis Example
Timeline hook	10.01%	Tie to a deadline or event they already care about	”With malpractice renewals coming up in Q3, carriers are adding cybersecurity questions.”
Numbers hook	8.57%	Lead with a specific, surprising stat	”66% of law firms lack a formal incident response plan.”
Social proof hook	6.53%	Reference what peers or similar firms are doing	”Three Colorado estate firms documented their ABA 1.6(c) posture with us this quarter.”
Problem hook	4.39%	Name a pain they have (the traditional approach)	“Most estate firms haven’t tested whether their backups actually restore.”

Takeaway: Default to timeline hooks for Email 1 whenever a natural deadline exists (tax season, board meetings, renewal cycles, compliance deadlines). Fall back to numbers or social proof hooks. Problem hooks — the most common approach — are actually the weakest performer.

Pro tip from Gong data: “Hope all is well” as an opener actually correlates with +24% more meetings — counterintuitive, but it signals familiarity. Use sparingly for follow-ups only (never Email 1).

The Follow-Up Rules

1. Always follow up in the same thread (except Email 3, which gets a new subject line to reset attention)
2. Each follow-up must add new value. Never just “checking in” or “bumping this up.” New angle, new data point, new question.
3. Get shorter with each email. Email 1: ~80-100 words. Email 2: ~50-75 words. Email 3: ~50-75 words. Email 4 (breakup): ~30-50 words.
4. The breakup email is not optional. It often gets the highest reply rate per email because it triggers loss aversion.
5. Never send more than 4 emails in a cold sequence. Beyond 4, you’re spam.
6. Post-voicemail email: After leaving a voicemail, send a brief email within 2 hours: “Hi [Name], just left you a quick voicemail. Here’s the gist: [one sentence summary]. Happy to connect whenever works.”

When They Don’t Reply (After Full Sequence)

• Wait 60-90 days. Then add them to a new sequence with a completely different angle.
• Trigger-based re-engagement: If Apollo shows a trigger event (job change, company news, intent signal), reach out with a fresh sequence tied to the trigger.
• Content re-engagement: If you publish a relevant blog post or report, send it as a standalone email: “Thought of you — we just published [topic]. Figured it might be relevant for [their firm].“

---

15) Reply-Based Objection Handling

Email objections are different from phone objections. On the phone, you handle them in real-time with tonality and pace. In email, you have time to craft the perfect response — but the prospect can also ghost you at any time. Keep replies short, value-forward, and end with a question.

Universal Reply Rules

1. Reply within 2 hours during business hours. Speed signals you’re paying attention.
2. Match their length. If they wrote one line, reply with 2-3 lines max. Don’t dump a paragraph on a one-line reply.
3. Never argue. Acknowledge their position, then redirect.
4. Always end with a question (keeps the thread alive).
5. If they say “unsubscribe” or “remove me,” do it immediately. No reply, no “sorry to see you go.” Just remove them.

Objection Response Bank

“We already have an IT person/MSP.”

That makes sense — most companies your size do. We’re the specialist, not the GP. MSPs keep the lights on; we test whether you’re actually resilient if something breaks. Think of it as a second set of eyes focused on risk, not operations.

Would it be worth connecting to see if there’s a gap your MSP isn’t covering?

“Not in the budget.”

Totally understand. For reference, our 10-day assessment runs $5,000-$7,500 depending on firm size, and most clients find it pays for itself in the first issue it catches.

Would it help to see what we deliver before making a budget decision?

“Send me more information.”

Happy to. I’ll send a one-pager with scope, deliverables, and pricing.

Quick question so I send the right version: what’s the one thing about your [IT setup / data protection / compliance posture] that you’d most want us to look at?

“Not the right person.”

Appreciate you letting me know. Who would be the best person to talk to about [IT decisions / data protection / compliance]?

“We’re not ready right now.”

No pressure at all. I’ll send the one-pager so you have it when timing is right.

Out of curiosity, is there a specific time of year that makes more sense? (I can follow up then.)

“How did you get my email?”

Great question. Your information is available through [Apollo / your firm’s website / Colorado Bar Association directory / IRS 990 public filings]. We research firms that fit our client profile before reaching out.

If you’d prefer not to hear from us, just say the word and I’ll remove you immediately.

“We’re too small to be a target.”

I hear that a lot. The data says otherwise — 80% of cyber incidents hit companies under 1,000 employees (Verizon DBIR). It’s not about size; it’s about the sensitivity of the data you handle.

Would a 15-minute call to see if there’s actually a gap be worth it?

“What makes you different from other cybersecurity firms?”

Fair question. Two things: (1) We focus exclusively on professional services — attorneys, CPAs, financial firms. We speak your language, not generic IT. (2) Our assessment includes a real restore test. We actually pull the plug and bring everything back. Most firms have never done that.

Worth a quick call to see if it’s relevant for [Firm Name]?

“I’ll think about it.”

Makes sense. Would it help to have our one-pager to reference? I can send it now and follow up in [2 weeks / after your renewal / post-tax-season] — whichever works best.

Positive reply / wants to meet:

Great — looking forward to it. How does [specific day] at [specific time] work? I’ll send a calendar invite with a video link.

Before we meet, is there anything specific you’d like me to prepare or look into for [Firm Name]?

---

16) Personalization Framework

March 2026 update: Research now shows that relevance (hitting the right problem at the right time) outperforms traditional personalization (custom first lines about their company). See Section 1.5 for the full Relevance Hierarchy. The tiers below still apply, but the highest-impact “personalization” is choosing the right problem to lead with — not the custom opener. Jesse Ouellette (LeadMagic): “Building a program which thrives on being more relevant yields better results than excessive personalization efforts.”

The Personalization Hierarchy (Ranked by Impact)

Tier	Type	Impact on Reply Rate	Time to Create	When to Use
Tier 1: Custom Research	Reference specific website content, recent news, 990 data, LinkedIn post, or industry event	+50-80% vs. generic	3-5 min/email	Tier 1 prospects only
Tier 2: Trigger Event	Reference job change, new hire, funding round, compliance deadline, industry breach	+30-50% vs. generic	1-2 min/email	Tier 1 and 2 prospects
Tier 3: Industry + Role	Reference their industry, firm size, and typical challenges for their role	+15-30% vs. generic	30 sec/email (AI-generated)	Tier 2 prospects
Tier 4: Name + Company	Mail merge: {{first_name}}, {{company}}, {{industry}}	+5-10% vs. generic	Automated	Tier 3 prospects

What to Personalize (The First Line)

The first line of your email is the only personalization that matters. Everything after it is your pitch (which stays consistent).

Tier 1 first lines (custom research):

• “I noticed [Firm Name] handles estate planning for high-net-worth families in [City] — some of the most sensitive work in the profession.”
• “I read [Foundation Name]‘s latest annual report on [program area] — impressive scope for a team your size.”
• “Saw your LinkedIn post about [topic] — it resonated with what we see at firms your size.”
• “Your 990 shows $[X]M in assets managed with [N] staff — that’s a lot of trust data for a lean team.”

Tier 2 first lines (trigger events):

• “Congrats on the new [title/role] at [Company] — transitions like this often surface questions about systems resilience.”
• “After the [industry breach/news event], I’ve been hearing from [vertical] firms about [specific concern].”
• “With CMMC 2.0 Phase 2 starting in November 2026, DoD contractors your size are asking these questions now.”
• “I see [Company] recently expanded to [location/team size] — growth like that usually means the systems haven’t caught up yet.”

Tier 3 first lines (industry + role):

• “I work with estate planning firms in Colorado on something most attorneys know they should address but haven’t gotten to yet.”
• “I’ve been reaching out to CPA firms about the gap between having a WISP on file and having one that holds up under scrutiny.”
• “I work with [industry] companies your size on something that usually falls through the cracks.”

Tier 4 first lines (mail merge):

• “Hi [First Name], I’m reaching out to [Company Name] specifically because [industry] companies your size are the ones most exposed.”

Where AI Handles Personalization

Personalization Task	AI Can Handle?	How
Generate Tier 1 first lines from website/990 data	Yes (80% quality)	Claude reads website/990, writes first line. Dmitri reviews.
Identify trigger events	Yes (Apollo intent data + Claude analysis)	Apollo flags intent signals; Claude drafts context.
Generate Tier 3 first lines	Yes (95% quality)	Template with variables. Minimal review needed.
Generate Tier 4 mail merge	Yes (100%)	Automated. No review needed.
Verify personalization accuracy	No	Dmitri spot-checks 1 in 5 AI-generated lines.

---

17) Deliverability & Domain Reputation

Detailed setup: See Cold Email Setup Guide for DNS, SPF/DKIM/DMARC configuration. Warmup deep dive: See Deliverability Playbook for TrulyInbox config. Daily safety rules: See Manual Cold Outreach Cheat Sheet for volume limits and red flags.

The 12 Deliverability Commandments

1. Never send cold email from solanasis.com. Use solanashq.com exclusively for cold outreach. solanasis.com is for warm/relationship emails only.
2. Plain text only. No HTML templates, no images, no logos. Plain text gets 4-9x higher engagement in B2B than HTML (HubSpot/Woodpecker data). HTML emails look like marketing; plain text looks like a person.
3. Disable open/click tracking on Email 1. Tracking pixels and link rewrites hurt deliverability. Data: 7.4% reply rate with tracking off vs. 4.4% with tracking on (Woodpecker 2025). Enable tracking on Email 2+ in Apollo if needed.
4. Zero links in Email 1. No website links, no calendar links, no “click here.” Every link is a spam signal. Include links only in follow-ups after engagement.
5. No attachments. Ever. In cold emails. Mention the one-pager; send it only after they reply.
6. Keep bounce rate under 2%. Verify every list before loading into sequences.
7. Warm up continuously. Never stop warmup tools, even when domain is fully warm. Reputation decays.
8. Respect daily limits. 25-30 emails/day per mailbox at steady state. With 3 mailboxes: 75-90/day max.
9. Include unsubscribe. CAN-SPAM requires it. Apollo adds it automatically. If sending manually from Gmail, add “Reply ‘remove’ and I’ll take you off the list immediately.”
10. Include physical address. CAN-SPAM requirement for commercial email. Add Solanasis mailing address to footer.
11. No more than 1 link per email (Email 2+). More links = more spam signals. Calendar link OR website, not both.
12. Monitor Google Postmaster Tools weekly. Watch for spam rate spikes. If it exceeds 0.1%, pause cold sending and investigate.

Authentication Impact (Why SPF/DKIM/DMARC Matter)

Authentication State	Inbox Placement Rate	Source
Full SPF + DKIM + DMARC	83.75-95%	Validity/Return Path 2025
SPF + DKIM only (no DMARC)	~70-75%	Industry composite
No authentication	44.99%	Validity/Return Path 2025

Your solanashq.com must have all three configured. See Cold Email Setup Guide for step-by-step.

Domain Warmup Timeline (solanashq.com)

Week	Daily Volume (per mailbox)	Activity
1-2	3-5	TrulyInbox warmup only. Some manual emails to real contacts.
3-4	5-10	Start cold sends. Mix with warmup. Monitor bounce rate.
5-6	15-20	Increase cold sends. A/B test subject lines.
7+	25-30	Steady state. Never exceed 30/mailbox/day for cold.

Red Flags: When to Stop Sending

Signal	Action
Bounce rate > 2%	Stop sending. Re-verify list. Remove all “risky” emails.
Spam complaint (even one)	Pause 48 hours. Review targeting and messaging.
Google Postmaster spam rate > 0.1%	Pause immediately. Check content, list quality, authentication.
Emails landing in spam (check with mail-tester.com)	Check SPF/DKIM/DMARC. Check for spam trigger words. Reduce volume.
Gmail “suspicious activity” warning	Stop immediately. Contact Google support.
3+ unsubscribe requests in one day	Review targeting. You’re reaching wrong people.

Spam Trigger Words to Avoid

These words and phrases in subject lines or body text increase the likelihood of spam filtering:

Category	Words to Avoid
Urgency	”urgent,” “act now,” “limited time,” “expires,” “last chance,” “before it’s too late”
Money	”free,” “no cost,” “no obligation,” “save $,” “discount,” “lowest price,” “guaranteed”
Hype	”amazing,” “incredible,” “once in a lifetime,” “breakthrough,” “revolutionary”
Pressure	”apply now,” “click here,” “order now,” “buy now,” “don’t delete,” “what are you waiting for”
Deception	”this is not spam,” “Re:” (on first email), “Fwd:” (on first email), “as discussed” (when you haven’t)
Claims	”100%,” “risk-free,” “no strings attached,” “satisfaction guaranteed”

Safe alternatives for Solanasis: “Would a conversation be worthwhile?” / “Worth a quick call?” / “Can I send you more detail?” — all professional, low-pressure, non-triggering.

---

18) The Daily Email Execution Ritual

This section consolidates the daily workflows from Manual Cold Outreach Cheat Sheet §3 and the foundation workflow from Manual Cold Outreach Cheat Sheet §9.

Morning Block: Send (30-45 min)

1. AI Prep (10 min): Claude generates 10 prospect briefings from Apollo data — first lines, company context, which template to use, subject line variant assignment.
2. Review and personalize (5 min): Spot-check AI output. Edit first lines that feel generic. Approve subject lines.
3. Load into Apollo sequences (10 min): Add prospects to appropriate vertical/tier sequences. Or for manual sends: open Baserow, filter for next batch, send via mailto links.
4. Send 10-15 new cold emails (10 min): Mix of verticals. Don’t send all to one vertical in one batch.
5. Log in Baserow: Set Outreach Status = “Sent”, Date Sent = today, Follow Up Date = today + 3-4 days.

Midday Block: Respond (15-20 min)

6. Check for replies (5 min): Email inbox + Apollo notifications.
7. Reply to warm leads immediately (5-10 min): Positive reply = respond within 2 hours. Send calendar link or propose specific time.
8. Handle objections (5 min): Use Section 15 response bank. Keep replies short.
9. Log replies in Baserow: Update status to “Replied” / “Meeting Booked” / “Not Interested.”

Afternoon Block: Multi-Channel (15-20 min)

10. Send 5-10 LinkedIn connection requests to today’s email targets (builds multi-channel familiarity).
11. Make 3-5 phone calls to Day 3+ prospects who haven’t replied to email (follow cold calling playbook).
12. Send post-voicemail emails to anyone you left a VM for.
13. Engage on 3-5 prospect LinkedIn posts (like, comment — genuine engagement, not spam).

Friday Afternoon: Weekly Review (30 min)

14. Review email metrics: Open rate, reply rate, bounce rate, unsubscribe rate by vertical.
15. Check A/B test results: Which subject lines/angles are winning?
16. Update Baserow pipeline: Move prospects through stages, archive dead leads.
17. Plan next week’s batch: Which verticals need more volume? Any new trigger events to exploit?
18. Check warmup tool health: TrulyInbox dashboard, Google Postmaster Tools.

Weekly Volume Targets

Activity	Weekly Target
New cold emails sent	50-75
Follow-up emails (automated via Apollo)	30-50
Replies handled	5-15
Meetings booked from email	2-4
LinkedIn connections sent to email targets	25-50
Phone calls to email non-responders	15-25

---

19) Metrics & Benchmarks

Email Performance Targets

Metric	Baseline (Good)	Exceptional	Red Flag
Open rate	25-35%	40%+	Below 20% (check subject lines, deliverability)
Reply rate	3-5%	8-12%	Below 2% (check messaging, targeting)
Positive reply rate	1-3%	5%+	Below 1% (check value proposition)
Bounce rate	< 2%	< 1%	Above 3% (stop sending, re-verify list)
Unsubscribe rate	< 0.5%	< 0.2%	Above 1% (wrong targeting)
Spam complaint rate	< 0.05%	0%	Above 0.1% (STOP, investigate)
Meeting conversion (reply → meeting)	25-40%	50%+	Below 20% (improve reply handling)

Reply Rates by Hook Type (March 2026 Research Update)

Source: Digital Bloom, 10K emails analyzed.

Hook Type	Reply Rate	Positive Reply Rate	Meeting Rate
Timeline Hook	10.01%	65.36%	2.34%
Numbers Hook	8.57%	61.76%	1.86%
Social Proof Hook	6.53%	53.44%	1.25%
Problem Hook	4.39%	48.30%	0.69%

Timeline hooks outperform problem hooks by 2.3x on reply rate and 3.4x on meetings booked. This is why the problem-first templates (Section 1.5) lead with timeline/deadline hooks.

Reply Rates by Campaign Size

Campaign Size	Reply Rate
21-50 recipients	6.2%
51-200 recipients	~4.5%
500+ recipients	2.4%

Micro-segments (20-50 prospects) outperform large campaigns by 2.6x. Target precision over volume.

Pipeline Math (Email → Revenue)

Funnel Stage	Monthly Volume	Conversion
Cold emails sent	200-300	—
Opens	60-100	30-35% open rate
Replies	8-15	3-5% reply rate
Positive replies	4-8	~50% of replies
Meetings booked	3-6	~75% of positive replies
Proposals sent	2-4	~60% of meetings
ORBs closed	1-2	~50% of proposals

Revenue impact: At $5K-$19.5K per ORB, email channel alone can generate $5K-$39K/month. Combined with calls and LinkedIn, the full outbound engine targets $20K-$50K/month per the Master GTM Playbook.

What to Track in Baserow

Add these columns to your prospect tables:

Column	Type	Purpose
Email Sequence	Text	Which Apollo sequence they’re in
Email Step	Number	Which email in the sequence (1-4)
Opens	Number	How many times they opened (from Apollo)
Reply Status	Select	None / Positive / Negative / Objection / Unsubscribe
Reply Date	Date	When they replied
Subject Line Variant	Text	A or B (for A/B testing)
Vertical	Select	Attorney / Foundation / SMB / CPA / MSP / Broker

---

20) A/B Testing Framework

March 2026 update: The structured 6-week experiment plan is now documented separately: B Testing Plan. This section covers the principles; the plan covers the specific tests, variants, and tracking templates.

What to Test (In Priority Order)

Priority	Element	How to Test	Minimum Sample	Why This Order
1	Subject line	3 variants per ICP (timeline, stat, question hooks)	250 per variant	If they don’t open, nothing else matters
2	CTA style	Interest CTA vs. resource CTA	250 per variant	CTA converts readers into responders
3	Opening line	Problem-first vs. observation-first	250 per variant	First line determines if they keep reading
4	Body copy	Length and tone variations	250 per variant	Framing of value proposition
5	Send time	Morning (8-10 AM) vs. afternoon (2-4 PM)	250 per variant	Lower leverage but easy to test

Testing Rules

1. Test one variable at a time. If you change the subject line AND the body, you don’t know what worked.
2. 250 prospects minimum per variant before drawing conclusions. At 50, randomness dominates; 250 detects medium effect sizes at 95% confidence.
3. Use Apollo’s built-in A/B testing — it splits automatically and tracks results.
4. 5-7 days minimum for reply rate tests, 48-72 hours for subject line (open rate) tests.
5. Winner takes all. Once a variant wins at 95% confidence, lock it and test the next variable.
6. If no significance at 250 sends, extend to 500/variant. Do NOT extend the time window — that introduces confounds.

Split-Test Codes (From Foundation Playbook)

Use this coding system across all verticals:

Code	Subject Line Style	Body Tone
A1	Direct question (“Quick question about…“)	Risk-focused
A2	Direct question (“Quick question about…“)	Value-first
B1	Protective framing (“Protecting [Company]‘s…“)	Risk-focused
B2	Protective framing (“Protecting [Company]‘s…“)	Value-first
C1	Personalized ([Name], + hook)	Risk-focused
C2	Personalized ([Name], + hook)	Value-first

---

21) AI-Native Automation Map

What AI Handles vs. What Dmitri Handles

Activity	AI %	Dmitri %	How
Prospect research	85%	15%	Apollo data + Claude generates briefings. Dmitri spot-checks.
Email draft generation	70%	30%	Claude drafts from templates + personalized first lines. Dmitri reviews voice/accuracy.
Subject line generation	80%	20%	Claude generates variants from formula library. Dmitri picks favorites.
Sequence enrollment	100%	0%	Apollo auto-enrolls via Plays or manual batch add.
Send scheduling	100%	0%	Apollo handles timing, rotation, and delivery.
Reply monitoring	50%	50%	Apollo flags replies. Dmitri reads and responds personally.
Objection handling	30%	70%	Claude can draft responses from objection bank. Dmitri personalizes and sends.
A/B analysis	90%	10%	Apollo tracks metrics. Claude analyzes winners. Dmitri decides.
List building/enrichment	80%	20%	Apollo + Claude process and segment. Dmitri approves final list.
CRM updates	50%	50%	Apollo syncs sequence data. Dmitri updates Baserow status notes.

The AI-Human Split That Matters

The emails themselves should feel like they were written by a human — because the human connection is Solanasis’s value proposition. AI handles the scale; Dmitri handles the soul.

AI writes: First draft, personalized first lines, subject line variants, follow-up drafts. Dmitri approves: Final copy, tone check, accuracy verification, reply handling. Nobody automates: Reply conversations. Every reply gets Dmitri’s eyes.

---

22) Compliance & Legal

CAN-SPAM Act (US)

Required for all commercial email sent from solanashq.com:

• Don’t use deceptive headers — “From” must be your real name/business
• Don’t use deceptive subject lines — Subject must relate to email content
• Identify the message as an ad — Not required if it’s a genuine one-to-one outreach, but err on the side of disclosure
• Include physical address — Solanasis mailing address in footer
• Include opt-out mechanism — Apollo adds unsubscribe link. For manual sends: “Reply ‘remove’ to unsubscribe.”
• Honor opt-outs within 10 business days — Do it immediately (same day)
• Monitor compliance if using a third party — You’re responsible even if Apollo sends on your behalf

GDPR (EU/UK Prospects)

If you ever email prospects in the EU or UK:

• Legitimate interest basis (B2B prospecting is generally acceptable under legitimate interest)
• Include data controller info and right to object in first email
• Honor “right to be forgotten” requests immediately
• For now: Solanasis targets Colorado → Mountain West → US. GDPR applies only if you expand internationally.

State Bar Considerations (Attorney Outreach)

• Never claim to be a “specialist” in any state where that term has regulated meaning
• Don’t use terms that imply a legal relationship — You’re a technology risk advisor, not a legal advisor
• Colorado Rules of Professional Conduct govern how attorneys can be solicited — cold email is generally permissible for B2B services, but never make claims about legal compliance outcomes
• See Estate Attorney Kit — Critical: What NOT to Claim for specific guardrails

TCPA (Phone Follow-Ups to Email Recipients)

• B2B cold calls are generally exempt from TCPA “prior express consent” requirements
• Check DNC registry before calling (Apollo screens automatically)
• Cell phone cold calls have additional restrictions — see Cold Calling Playbook §19

Record-Keeping

• Maintain a master unsubscribe list in Baserow — never re-email someone who opted out
• Keep logs of when emails were sent and to whom (Apollo retains this automatically)
• Archive any compliance-related replies (requests to remove, complaints)

---

Quick Reference: What to Have Open While Composing

Keep these open in browser tabs:

1. This playbook — email frameworks (§5), subject line formulas (§6), vertical templates (§8-13)
2. Cold Email Desk Card — quick-scan reference for mid-composition
3. Cold Email Cheat Sheets — thought leader frameworks, copywriting formulas
4. Call Pricing Cheat Sheet — if a reply asks about pricing
5. Apollo.io — prospect data, sequence management
6. Baserow — prospect pipeline, outreach status

---

Appendix: Key Stats for Quick Reference

Keep these loaded for use in emails and reply conversations:

Stat	Use When	Source
66% of law firms lack a formal incident response plan	Attorney emails, “too small” objection	ABA TechReport 2023
$5.08M average law firm breach cost in 2024	Attorney emails — legal-specific stat hits harder than generic $3.31M	IBM/Ponemon Cost of a Data Breach 2024 (legal services)
$3.31M average breach cost for companies under 500 employees	SMB emails, budget objection	IBM/Ponemon 2024 (all industries)
80% of cyber incidents hit companies under 1,000 employees	”Too small to be a target” objection	Verizon DBIR
$137-$427/min cost of downtime for SMBs	Making the math tangible in SMB emails	Industry composite
Blackbaud breach: 13,000 nonprofits, $56M settlements	Foundation emails, “we’re too small”	Public record
294,138 identity theft tax returns in 2023	CPA emails, FTC enforcement angle	GAO-24-105291
$100,000/violation\ast \ast FTCSafeguardsRulepenalty;\ast \ast$50,000/day for ongoing non-compliance	CPA emails, urgency without hype	FTC Act Section 5
Two-thirds of restore tests fail on first attempt	Universal — works for all verticals	Solanasis assessment data
CMMC 2.0 Phase 2 starts November 10, 2026	DoD contractor SMBs, trigger event	Federal Register
HIPAA proposed Security Rule expected mid-2026; eliminates “addressable” distinction	Healthcare SMBs	HHS regulatory calendar
70% of SMBs we assess have untested backups	Broker emails, peer proof	Solanasis assessment data
Reg S-P smaller entity deadline: June 3, 2026	Financial services RIAs	SEC Federal Register
99% of defense industrial base NOT fully prepared for CMMC	Gov contractor emails	CMMC.com 2025
21 OCR enforcement actions in 2025 — all 10 early settlements had same gap (risk analysis)	Healthcare emails	HIPAA Journal 2025
41% of cyber insurance apps denied on first submission	Professional services emails	Marsh McLennan 2024
82% of denied cyber insurance claims involved orgs without MFA	Insurance-pressured verticals	Coalition 2024
$49B in federal grants terminated (15,887 grants)	Nonprofit emails	DOGE tracking 2025-2026
80% of donors would stop/reduce giving after data breach	Nonprofit emails	Johnson Center 2026
6 in 10 nonprofits experienced cyberattack in last 2 years	Nonprofit emails	Industry composite 2025

Reply Rate Benchmarks by Vertical (For Target-Setting)

Vertical	Average Reply Rate	Exceptional	Source
Legal services	10%	15%+	Woodpecker / industry composite 2025
Consulting/professional services	7.88%	12%+	Reply.io 2025 benchmark
SMBs (general)	7.5%	10%+	Woodpecker 2025
Accounting/CPA	5.5%	8%+	Industry composite
Financial services	5%	8%+	HubSpot 2025 benchmark

What this means: Attorney campaigns should target higher reply rates than SMB campaigns. If attorney emails are below 5%, the messaging is wrong — not the channel.

---

Changelog

Version	Date	Changes
1.0	2026-03-24	Initial release. Consolidated 20+ email docs into single canonical reference. 22 sections + Universal Elements + Quick Reference + Appendix. Thought leader frameworks (Alex Berman, Lavender data) integrated. Templates for 6 verticals (attorneys, foundations, SMBs, CPAs, MSPs, brokers).
1.1	2026-03-24	Research integration: Added Gong 85M-email findings (pitching -57%, social proof +41%), Digital Bloom hook type data (timeline hooks 10.01% vs problem hooks 4.39%), tracking-disabled data (+68% reply rate), zero-links-in-Email-1 rule, authentication impact table, 3-7-7 cadence science, vertical reply rate benchmarks, updated law firm breach cost ($5.08M),addedFTCdailyfine($50K/day). Deliverability expanded from 10 to 12 commandments.
1.2	2026-03-25	Problem-first messaging overhaul: Added Section 1.5 (Problem-First Messaging Philosophy) with relevance hierarchy and ICP-specific compliance deadlines. Added 3 new companion docs (Problem-First Templates, A/B Testing Plan, ICP Pain Briefs). Updated Section 5 to recommend problem-first as default framework. Updated Section 16 with relevance > personalization note. Updated Section 19 with reply rates by hook type and campaign size. Updated Section 20 with increased sample sizes (250/variant) and reference to structured experiment plan. Added 8 new stats to Appendix (Reg S-P, CMMC readiness, OCR enforcement, cyber insurance denial rates, nonprofit breach/donor data).