ORB Refinement Questionnaire (Multiple Choice + Notes)

Goal: Answer these so I can tighten the ORB offering + playbook for the next 90–120 days.

How to fill out: Keep the [x] on your choice (A is pre-selected as the recommended default), and add notes where needed.


1) Ideal Customer Profile (ICP) — first 90–120 days

A) 10–150 seats SMBs/nonprofits on M365 or Google Workspace (recommended)
B) 150–500 seats (more budget, more complexity)
C) Under 10 seats (fast close, but low $)
D) Regulated-heavy orgs (HIPAA/PCI/etc.) (harder expectations)

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: fast access, common tooling, urgent risk, short sales cycle.

Notes: Open to A-C, but let's mostly target A. Mainly it's about the client having at least 500K in revenue per year, or startups with VC funding.


2) Buyer + champion (who signs / who runs)

A) Exec Director/CEO signs + Ops/IT lead is day-to-day (recommended)
B) CFO signs (risk + cost framing)
C) IT Manager signs (rare)
D) Board-led procurement

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: clean decision path + someone can actually grant access.

Notes:


3) Your primary positioning hook

A) “Backups don’t matter until you restore + prove recoverability” (recommended)
B) “Cybersecurity assessment” (familiar but commoditized)
C) “Ops overhaul / tool chaos cleanup”
D) “Compliance readiness baseline”

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: high urgency, simple yes, tangible proof.

Notes:


4) ORB name in public

A) Keep Operational Resilience Baseline (ORB) (recommended)
B) Rename to something less technical (e.g., “Resilience Checkup”)
C) Offer both (ORB internal, friendly name external)
D) Unsure

Select one:

  • C
  • A
  • B
  • D

Why C is recommended: executives like plain language; ORB stays consistent internally.

Public-facing name idea (if any):


5) Primary environment you want to specialize in first

A) Microsoft 365 + Entra ID (recommended if most prospects are M365)
B) Google Workspace (recommended if most prospects are Google)
C) Both equally
D) Doesn’t matter

Select one:

  • C
  • A
  • B
  • D

Why C is recommended: early-stage flexibility, but we’ll still build checklists per stack.

Notes (what you’re seeing most often):


6) Restore test — what you will guarantee in ORB Standard

A) One real restore test minimum, chosen at kickoff (recommended)
B) Two restore tests included
C) “Restore planning only” (no actual restore)
D) Restore test only if client has a specific backup product

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: proof-based, time-boxed, predictable delivery.

Notes (what restore types you prefer):


7) Restore test scope (keep it safe + repeatable)

A) Restore a small, defined dataset to a sandbox/safe location (recommended)
B) Restore a production server/VM (riskier)
C) Restore a mailbox (sometimes messy)
D) Client chooses; we just document

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: minimal blast radius, easy to validate, still meaningful.

Notes:


8) Access model (security + trust)

A) Read-only access wherever possible + temporary elevated access only if needed (recommended)
B) Full admin access for speed
C) Client runs screenshares; you don’t access systems
D) MSP provides everything; you only review outputs

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: reduces risk, builds trust, still workable.

Notes: Much easier if we have a temp full admin access account.


9) Evidence policy in deliverables

A) Include evidence but sanitize/blur sensitive info (recommended)
B) No evidence in deliverables; only verbal
C) Evidence only in an internal appendix not shared widely
D) Only include “high-level” screenshots (no details)

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: credibility + reduces “this is just opinions” pushback.

Notes:


10) Deliverable format

A) Markdown + PDF export for exec summary (recommended)
B) Google Docs only
C) PowerPoint deck only
D) Mix: PDF for execs, spreadsheets for risk register/action plan

Select one:

  • D
  • A
  • B
  • C

Why D is recommended: exec-friendly + operationally usable.

Notes (what tools you prefer):


11) Risk register format preference

A) Markdown table (fast)
B) Google Sheets / Excel (recommended for adoption)
C) Notion database (if client uses Notion)
D) Client’s existing ticketing system (Jira/ServiceNow/etc.)

Select one:

  • B
  • A
  • C
  • D

Why B is recommended: universal + easy for clients to update/own.

Notes:


12) Time box and meetings

A) 10 business days + 3 calls (kickoff / mid-check / readout) (recommended)
B) 7 business days (faster, riskier)
C) 15 business days (more thorough, slower close)
D) Depends

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: predictable, premium-feeling, still fast.

Notes:


13) “What we check” depth

A) Baseline checks + practical evidence; no deep forensics (recommended)
B) Add vulnerability scanning for all clients
C) Add phishing simulation for all clients
D) Only what client asks for

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: avoids scope creep and tool complexity early.

Notes (any must-have checks?):


14) Tooling: project tracking (internal)

A) Trello (simple)
B) ClickUp (more powerful)
C) Notion (docs + tasks) (recommended if you’re already using it)
D) Google Sheets (ultra simple)

Select one:

  • C
  • A
  • B
  • D

Why C is recommended: AI-friendly docs + templates + repeatability.

Notes:


15) Client workspace preference

A) Use the client’s system (Drive/SharePoint) (recommended)
B) Always use Solanasis workspace + invite client
C) Hybrid: Solanasis working folder + client final folder
D) Depends

Select one:

  • C
  • A
  • B
  • D

Why C is recommended: keeps your internal process clean but delivers in their environment.

Notes:


16) AI-native stance (how explicit are you?)

A) Mention AI only internally (don’t advertise) (recommended early)
B) “AI-native agency” is part of the pitch
C) Case-by-case
D) Don’t use AI

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: avoids procurement/security objections while you build trust.

Notes:


17) AI usage guardrails you will commit to

A) No secrets/PII in AI; use AI for drafting/summaries only (recommended)
B) We will use AI with sanitized data only
C) We will use an enterprise AI environment only
D) Not sure yet

Select one:

  • A
  • B
  • C
  • D

Notes (any client requirements you expect?):


18) Pricing model (for the next 90–120 days)

A) Fixed fee with clear scope (recommended)
B) Hourly
C) Fixed fee + success bonus
D) “Pay what you can” for nonprofits

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: fastest closes and least negotiation.

Target price bands you feel comfortable with (rough):

  • 10–50 seats: $
  • 50–150 seats: $
  • 150–500 seats: $

Notes: I need help coming up with the pricing packages/tiers based on the client's size/complexity.


19) Payment terms

A) 50% to start, 50% at delivery (recommended)
B) 100% upfront
C) Net-15/Net-30 invoice
D) Monthly split over 2 months

Select one:

  • A
  • B
  • C
  • D

Notes:


20) What you will not do inside ORB (scope protection)

A) No implementation beyond tiny quick fixes; remediation is separate (recommended)
B) Implement “quick wins” up to X hours included
C) Implement whatever is needed to “make it right”
D) TBD

Select one:

  • B
  • A
  • C
  • D

Why B can be good: it makes the offer more attractive if tightly capped and pre-defined.

If B: cap included implementation at:

  • 2 hours
  • 4 hours
  • 8 hours
  • None (no included)

Notes:


21) Remediation handoff (post-ORB)

A) Offer a fixed “Remediation Sprint” (2–4 weeks) (recommended)
B) Go straight to fractional retainer
C) Let their MSP implement; you stay advisory
D) Mix: sprint first, then retainer

Select one:

  • D
  • A
  • B
  • C

Why D is recommended: sprint proves value; retainer prevents drift.

Notes:


22) Fractional packaging emphasis

A) Fractional Resilience Partner (blends CISO/CIO/COO) (recommended)
B) Fractional CISO only
C) Fractional CIO only
D) Fractional COO only

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: matches your brand and keeps you out of title traps.

Notes:


23) Compliance claims (keep you safe)

A) “Baseline + practical alignment to NIST/CIS” (recommended)
B) “SOC 2 readiness” as a headline claim
C) “HIPAA compliant” as a claim
D) Avoid mentioning frameworks

Select one:

  • A
  • B
  • C
  • D

Why A is recommended: credible without creating legal/contract expectations.

Notes:


24) Case studies / proof

A) Anonymized “before/after outcomes” bullets (recommended starter)
B) Formal case studies with logos
C) Testimonials only
D) None yet

Select one:

  • A
  • B
  • C
  • D

Notes (any past work you can safely anonymize?): There really isn’t any past work at this moment to use for this, as the previous work was done when I was with my old company.


25) Delivery team model (next 90–120 days)

A) You deliver most; use contractors for narrow tasks (recommended)
B) Contractors deliver most; you manage
C) Partner/MSP co-delivery
D) Solo only

Select one:

  • A
  • B
  • C
  • D

Notes (what you’d delegate first): Initially it’s just me, but I am looking for contractors ASAP, so I am mainly focused on how to growth hack and on sales.


26) “Fastest to revenue” channel focus

A) Direct outreach + warm referrals (recommended)
B) Marketplaces (Catalant/Upwork/etc.)
C) Partnerships with MSPs
D) Content + inbound only

Select one:

  • A
  • B
  • C
  • D

Notes (what’s most realistic this month): We want to lean heavily on our referral program and my large network.


27) Referral incentive (yes/no)

A) Yes — simple referral fee or donation option (recommended)
B) No — keep it simple
C) Only for partners
D) Unsure

Select one:

  • A
  • B
  • C
  • D

If yes: incentive structure idea (rough): Need help coming up with this based on the typical structures used.


28) Decision timeline promise (your CTA)

A) “We can start within 7–10 days once access is ready” (recommended)
B) “We can start immediately” (dangerous)
C) “We book 2–4 weeks out” (premium but slower)
D) Depends

Select one:

  • A
  • B
  • C
  • D

Notes: We may end up with a waitlist at some point - we want to be able to get the engagement started ASAP, so ideally within 5 biz days, since it shouldn’t take them long to give us the admin access, so we can get clients locked in.


29) Red lines (things you will walk away from)

A) If client can’t provide access within 10 business days, pause/reset (recommended)
B) If they want you to guarantee “no incidents,” decline
C) If they want you to store their secrets in your systems, decline
D) All of the above

Select one:

  • D
  • A
  • B
  • C

Notes:


30) What would make this offer feel “unstoppable” to you?

A) Ultra-simple pitch + fixed fee + clear deliverables (recommended)
B) Include “quick wins implemented” to show impact immediately
C) Add a short deck + live scorecard for readout
D) Other

Select one:

  • B
  • A
  • C
  • D

Notes (what quick wins you’d include safely):


Final notes (anything I didn’t ask that matters?)