APT Security Management is a managed security services provider (MSSP) based in North Charleston, South Carolina. We provide offensive and defensive cybersecurity services to businesses of all sizes across the United States. Our team holds certifications including OSCP, CISSP, CEH, and GPEN.
We use a token-based pricing model. Clients buy prepaid service credits and spend them across any of our services with no long-term contracts required.
We build and maintain a suite of free, source-available CMMC utilities for the Defense Industrial Base. Every tool runs entirely in your browser. No accounts. No server. No data leaves your device unless you choose to submit the optional contact form.
Walk through all 110 CMMC 2.0 Level 2 practices. Mark each as Met, Not Met, or Not Applicable. Your Supplier Performance Risk System (SPRS) score updates in real time using DoD published weighting with a hard floor at -203. Export a branded PDF report, CSV of all controls, or a JSON state file.
Classify every asset in your environment using a structured decision tree based on 32 CFR § 170.19(c)(1) and the CMMC Scoping Guide Level 2 v2.13. Outputs CUI Asset, Security Protection Asset, Contractor Risk Managed Asset, Specialized Asset, or Out-of-Scope. Export to CSV, XLSX, or PDF.
Answer 20 yes/no/partial questions for Level 1 or Level 2. Get a weighted readiness percentage, a domain-level heat map showing where your gaps are, and your top 3 priority actions. Exports a one-page PDF snapshot you can share with leadership.
5-step wizard that generates a complete System Security Plan (SSP) skeleton in under ten minutes. All 110 NIST SP 800-171 Rev 2 controls pre-filled with requirement text, status checkboxes, and narrative prompts. Exports a ready-to-edit Word document and a Markdown backup.
Build and validate Plan of Action and Milestones (POA&M) entries tied to NIST SP 800-171 Rev 2 practice IDs. Validates against 32 CFR 170.21 conditional certification rules: excluded practices, high-point restrictions, and the 180-day closeout window. Import gaps directly from the SPRS Calculator. Export to XLSX, Word, or PDF.
Search all 15 Level 1 and all 110 Level 2 CMMC practices by ID (e.g. |
Determine whether your data qualifies as Controlled Unclassified Information (CUI) under 32 CFR Part 2002. Screens against NARA CUI Registry categories including CTI, ITAR/EAR, PII, PHI, Source Selection, and Critical Infrastructure. Maps your verdict to a CMMC obligation: Level 1, Level 2 self-assessment, or Level 2 C3PAO certification. Exports a two-page PDF determination memorandum.
Generate a DFARS/CMMC flow-down notice letter in under five minutes. Collects your prime and subcontractor details, then auto-selects the correct FAR and DFARS clauses based on whether the sub handles CUI or FCI only. Supports prime-to-first-tier and mid-tier pass-through scenarios. Exports to Word or PDF.
All tools are licensed under FSL-1.1-Apache-2.0. Free to use, fork, and run for any purpose other than competing commercial hosting. Each version converts to Apache 2.0 two years after release. Every tool is security-reviewed by APT after release as part of our ongoing case study series on the security of AI-generated code.

| Service | What You Get |
|---|---|
| Penetration Testing as a Service (PTaaS) | Continuous and point-in-time pentests across web, network, mobile, API, and cloud targets. Delivered by OSCP- and GPEN-certified testers. |
| External Attack Surface Management (EASM) | Ongoing discovery and monitoring of your externally exposed assets. Identifies shadow IT, expired certificates, and exploitable exposures before attackers do. |
| Managed Purple Team Services | Collaborative detection and response exercises that test both your offensive and defensive capabilities at the same time. |
| Managed Red Team Services | Full adversary simulation engagements modeled on real-world threat actors targeting your industry. |

| Service | What You Get |
|---|---|
| Managed Detection and Response (MDR / EDR / NDR / XDR) | 24/7 threat monitoring, detection, and response across endpoints, network, and cloud. Powered by Sophos, Bitdefender, and Trend Micro. |
| Managed Endpoint Security | Endpoint protection, detection, and response for your workstations and servers. |
| Managed Network Security | Firewall management, IDS/IPS, and network traffic analysis. Fortinet and SonicWall deployments supported. |
| Managed Email Security | Phishing defense, email filtering, and domain protection powered by Proofpoint. |
| Managed Cloud Security | Cloud workload protection, posture management, and misconfiguration detection. |

| Service | What You Get |
|---|---|
| Compliance as a Service (CaaS) | Audit-ready documentation, gap assessments, and ongoing compliance management for SOC 2, HIPAA, PCI-DSS, ISO 27001, NIST CSF, CMMC, and GDPR. |
| Vulnerability Management as a Service (VMaaS) | Scheduled scanning, triage, and remediation tracking with SLA-based reporting. |
| Asset Management as a Service (AMaaS) | Full asset inventory with classification, ownership, and lifecycle tracking. |
| Cybersecurity Insurance Services | Risk assessment documentation and support for your insurance application and renewals. |

Every client selects a tier that fits their communication and reporting preferences. Your tier is separate from the services you use.
Email-based communication and support. Scheduled, easy-to-read security reports. Streamlined onboarding with minimal overhead. Best for: Small businesses that want security managed for them without adding operational complexity.
Secure client portal access. Role-specific reporting for both technical and non-technical staff. Scheduled status meetings so you stay informed. Best for: Growing businesses that need active security visibility without building an internal team.
Collaborative strategy and planning sessions. Custom dashboard integrations tied to your internal systems. Proactive coordination with your IT teams. Best for: Enterprises that need a deeply integrated security partnership with executive-level reporting.
APT uses a prepaid token system instead of traditional retainer contracts. Tokens apply to any APT service: pentests, MDR, compliance work, or consulting. Buy what you need, spend as you go. Unused tokens expire 12 months from purchase. No hidden fees. No commission-based upsells.
6650 Rivers Ave Ste 100, North Charleston, SC 29406
+1 844 554 2458 | sales@aptsecuritymanagement.com







