Cyber readiness for the people who get the call.
Boards advise. Executives decide. You actually run it. This site is for the sysadmin, the IT manager, the MSP tech, the IT director — the person whose phone rings when the ticket says "everything is encrypted," and whose name ends up in the post-mortem either way.
The Defender — You are the security team.
You didn't sign up to be the security team. You are the security team anyway. Hardening AD, M365, the VPN, the EDR console nobody watches. The IR runbook nobody wrote. The backup that nobody has ever restored from. We start there.
How HackFirstAid arms the defender →
The Multiplier — Your client roster is your blast radius.
You are a supply-chain target. Your RMM, your PSA, your remote-access stack. The Kaseya/SolarWinds/ConnectWise pattern keeps repeating. When one of your clients gets breached through your access, you need decision support before the lawyers do. We're here for that call.
How HackFirstAid sharpens the MSP →
Three things every IT pro carries. Whether they signed up to or not.
The HackFirstAid family already covers the people who advise on governance (boards) and the people who sign for the organisation (leadership). This site is for the layer they both depend on — the practitioner who actually runs it.
You get the call
3 a.m. The ticket says "everything is encrypted." That's your phone ringing. There is no SOC. There is no incident commander. There is you, the runbook you didn't finish writing, and the on-call number that goes to your cell. We exist to make the runbook real before the call comes.
You get the blame
After the breach, somebody's name is in the post-mortem. The lawyers read it. The cyber-insurance adjuster reads it. The board reads it. Your defensible posture is the written record — the decisions you logged, the framework you followed, the things you flagged before they broke. We help you build that record before you need it.
You can be the one who's actually ready
The difference between an incident and a disaster is the hour you spent on the playbook six weeks ago. Hardening checklists you can ship Monday. IR runbooks written for the person who'll actually run them. Tabletops with your real team, not a vendor's slide deck. Plus a phone number that works at 3 a.m.
You are the security team. Ready or not.
At every audience HackFirstAid serves — the 30-person clinic, the 4-school district, the municipal water utility, the 80-employee SMB — the IT team is the security team. There is no CISO. There is no SOC. There is you. The Defender Track is the curriculum for that reality.
What to ship Monday morning
Windows / Active Directory / Microsoft 365 / Google Workspace / VPN / endpoint hardening checklists. Living documents, refreshed quarterly as platforms drift. Specific guidance for the platforms you actually run, not a generic CIS Benchmark you'll never finish reading.
Written for the person who'll actually run them
Ransomware. BEC. Account compromise. Tenant compromise. Lost laptop. Insider. Each runbook is a 30–60 minute read with a one-page action card on top. Print it. Tape it inside the on-call binder. When the call comes, the binder is what matters.
Defensible posture, on paper
What gets reviewed after an incident. What "defensible" actually looks like on paper. The decision log you should have been keeping. How to make sure the post-mortem doesn't name you alone. Quiet content, but the most-read in the library.
Your client roster is your blast radius.
MSPs are supply-chain targets. The Kaseya VSA breach. The SolarWinds Orion campaign. The ConnectWise ScreenConnect campaign. The pattern is repeated, documented, and ongoing. The Multiplier Track is the MSP-specific curriculum: hardening your own house, scoping multi-tenant incidents, reading the MSA you signed before you priced for the cyber language inside it.
RMM, PSA, and remote-access hardening
ConnectWise. Kaseya. NinjaOne. Datto. SyncroMSP. Each one is an attacker's dream when configured the way the default install ships. Specific hardening guidance for the stacks MSPs actually run — including the conditional access policies most MSPs never get around to writing.
When one client's breach is everyone's breach
Scoping an incident that started in one client's tenant. Deciding when to notify the rest of your client base. The contractual obligations buried in the MSA you signed three years ago. The cyber-insurance posture across your book of business. Decision support before the lawyers.
Read the MSA before you sign it
"Cyber" language in MSAs creates obligations you didn't price for. Indemnity clauses read one way at signing and another at 3 a.m. RFP responses that promise security guarantees no MSP can give. We review your language before you sign — and before you respond to the next RFP.
Same backbone as Boards and Leadership. Plus the hands-on content nobody else writes.
The Personal Protection and Incident Oversight modules share content with the HackFirstAid Boards and Leadership curricula — same playbooks, reframed for the IT-practitioner register. The Defender Track (hardening + IR runbooks) and the Multiplier Track (MSP operations) are new and exclusive to this site.
Personal Protection — IT Edition
The personal-risk curriculum, reframed for IT pros. Admin credential phishing. RMM compromise. Helpdesk impersonation. Technician travel risk. Spear-phishing your spouse to land your domain admin password. Self-paced. Updated quarterly. Includes family enrollment for spouse and dependents.
Incident Oversight — The Practitioner's Call
Decision frameworks for the calls you make before they reach the executive. When to escalate. What to scope. How to brief leadership in 90 seconds. How to write the decision log the lawyers will read later. Reframed from "the question the board asks" to "the call you make at the bridge."
Defender Track — Hardening Library + IR Runbooks
New, IT-only. Hardening checklists for AD, M365, Workspace, VPN, endpoint, backup. Living documents, refreshed quarterly. Plus the full IR runbook library — ransomware, BEC, account compromise, tenant compromise, MSP-RMM compromise, lost laptop, insider threat. Each runbook is a 30–60 min read with a one-page action card on top.
Multiplier Track — MSP Operations Library
New, MSP-only. RMM hardening for the specific platforms MSPs actually run. Multi-tenant IR posture and scoping. Cyber-insurance for MSPs (your policy, your clients' policies, the gap where they meet). MSP contract red flags. Sales conversations with cyber-anxious prospects. Tier 3 (MSP / Multi-Tenant) only.
Personal coverage for every IT pro's household. Included.
Your spouse, your kids, your parents. They are the lateral path to your domain admin password. Personal-tier HackFirstAid is bundled into every IT Teams subscription at no additional cost — for every named technician on the MSP tier too. Same model boards and leadership subscribers have had since day one, and for the same reason.
Three tiers. Same training library. Different incident-advisory access.
Pick the tier that fits your seats and your incident posture. Same content backbone across every tier — what changes is how many advisory hours you get when something is actually on fire, and whether the MSP-specific Multiplier Track is included.
Solo sysadmin or internal IT lead
- Personal Protection + Incident Oversight modules
- Defender Track — Hardening Library + IR Runbooks (quarterly refresh)
- Household coverage (spouse, dependents, parents)
- Practitioner Brief newsletter + cross-brief opt-in
- Data-broker remediation for the named seat
- Annual self-service hardening audit
- Quarterly group office hours with Travis
In-house IT team (3–10 technicians)
- Everything in Solo, for every seat
- 1 IT-team tabletop / year
- Annual decision-framework workshops
- 8 hours of incident advisory / year, bookable 24/7
- Technician-led, Travis-reviewed environment hardening review (annual)
- Quarterly group session with Travis
- Warm intro to vetted vCISO partner if needed
MSP / IT service provider
- Everything in IT Team, for every named technician
- Multiplier Track — MSP Operations Library
- 2 tabletops / year (one internal, one multi-tenant scenario)
- Unlimited incident advisory; 3 named incidents retainered
- Quarterly 1:1 per named technician lead
- MSA / RFP / client cyber-attestation review (2 / year)
- Annual MSP-infra review + 2 client environment reviews / year
Above MSP tier? Custom engagement — travis@hackfirstaid.com.
What's not included at any tier
- Hands-on incident response. HackFirstAid doesn't deploy responders, do forensics, or run remediation in your environment. Advisory hours are decision support and runbook coaching; for IR execution, we warm-intro a vetted DFIR partner.
- Tooling or licenses. We don't sell EDR, RMM, PSA, MDR, or backup. The Defender Track teaches you to use what you have well.
- Legal counsel. Not a law firm. Every tier includes referrals to vetted breach-coach / regulatory-counsel partners.
- Cyber-insurance brokerage. We'll help you read your policy and file the claim, but the policy itself is sold by your broker.
- 24/7 SOC monitoring or managed detection. Not what this is. The vCISO referral path covers it if needed.
- Co-branded marketing assets for MSPs. We help you understand your own posture and review your contract language. We don't produce attestation letters or sales decks for you to hand to your clients.
Prices in USD. Annual billing. Quarterly billing available on IT Team and MSP on request. Renewals at list price unless contracted otherwise. No metered usage, no overage charges, no surprise bills.
Travis runs every IT engagement personally.
No SDR, no sales engineer, no junior associate. You email Travis. Travis answers. If HackFirstAid isn't the right fit for your situation — or if your problem is one a hands-on DFIR firm should be running, not a readiness curriculum — Travis will tell you that and point you to whoever is.
One cyber-readiness stack. Eight audiences.
IT teams and MSPs sit at the intersection of every layer in the family — you manage the systems the SMBs run, the towns depend on, the schools protect, the clinics use, and the boards oversee. HackFirstAid also covers the personal lives of your technicians, the SMBs in your portfolio, the municipalities and K-12 districts you support, the medical practices you manage, and the boards and executives you report to or advise. Leadership (card 7) and IT Teams (card 8) sit together with Boards (card 6) in the governance-to-practitioner cluster.
Plain-language cyber first aid for your household — phones, accounts, identity, and family devices.
SMALL & MID-SIZED BUSINESS
Incident triage and readiness for SMBs without a security team — ransomware, BEC, vendor breaches.
MUNICIPALITIES
First-hour playbooks for towns, cities, and utilities — built around public-service continuity.
K-12 DISTRICTS
Calm K-12 incident response — SIS outages, family communication, FERPA, and trustee hand-off.
SMALL MEDICAL PRACTICES
HIPAA, OCR, and cyber-insurer response for 1–25 provider clinics — at small-business staffing levels.
BOARDS & TRUSTEES
Governance-layer oversight — the questions to ask management before, during, and after an incident.
EXECUTIVE LEADERSHIP
Cyber readiness for the officers who sign for it — accountability, disclosure, and crisis posture.
Defender and Multiplier tracks for internal IT practitioners and managed-service providers.
This site
If you advise a board on security posture, start at boards.hackfirstaid.com for the governance-layer view. If you report to executive leadership, leadership.hackfirstaid.com covers the decision layer above you. The three sites share the same backbone — pick the register that fits your role.