Frameworks · Sturdy 30™ · CIS-Based Baseline
Enterprise-grade hygiene.
Small-business sized.
Most small businesses don't need 153 safeguards and a framework debate — they need the right 30, done well, with proof. Sturdy 30 is Lionfish's baseline built on the CIS Critical Security Controls: the prioritized safeguards that stop common attacks, satisfy what insurance carriers actually verify, and stand up the documented program state safe-harbor laws reward — all run in the Cyber Tackle Box™ without hiring a security team.
Why essential hygiene is the highest-ROI security money
Sources: CIS Community Defense Model v2.0; Coalition cyber claims data; state safe-harbor statutes (Ohio first, 2018; Texas fifth to cite CIS by name). Carriers now verify controls with evidence — a signed questionnaire you can't back up can void a claim.
Who this is for
For businesses that need protected, not certified
No customer is demanding a certificate — but the insurance application, the state law, and the attackers are all asking the same question: do the basics actually work here?
- ✓Small businesses (10–250 people) without security staff — where IT is one person or an outsourced contract, and 'compliance' has meant hoping.
- ✓Businesses facing insurance renewal — MFA, EDR, backups, and training are near-universal carrier prerequisites now, and carriers verify with evidence, not promises.
- ✓MSPs standardizing a client baseline — run Sturdy 30 across your whole book from one multi-tenant console, and sell security as a program instead of a stack of tools.
Sound familiar?
The pain we hear on every first call
- !Frameworks feel like homework. 153 safeguards, six functions, three-letter acronyms — most SMBs stall at the reading stage. Thirty prioritized items with owners is a to-do list.
- !The renewal ambush. The questionnaire lands 30 days before renewal and the scramble begins — or worse, someone signs it optimistically and the claim gets denied later.
- !Tools without a program. You bought the antivirus and the backup. Without documentation and training, it's spending — not a defensible program.
The platform
How the Cyber Tackle Box™ runs your Sturdy 30 program
Thirty safeguards, each with a policy, an owner, evidence, and training behind it — and because it's CIS-based, it upgrades cleanly to IG2, NIST CSF, or CMMC when your contracts demand more.
Right-Sized Policies
The lean policy set a small business needs — written for real operations, not copied from an enterprise binder.
30 Tracked Safeguards
Every safeguard has an owner, a status, and a date. You always know exactly how sturdy you are — and what's next.
Fix-It POA&Ms
Gaps become short, assigned action items — the plumbing of steady improvement without a security hire.
Insurance-Ready Evidence
Screenshots, configs, and training records organized to answer carrier questionnaires — and to survive a post-incident look-back.
Incident Playbooks
What to do in the first hour of a ransomware event, written down before you need it — the difference between a bad day and a closed business.
Training People Finish
52 awareness modules including our music-based series — because the #1 safeguard is still the human who doesn't click.
Why Lionfish
A platform with humans attached
Practitioners, not just software
Checkbox tools leave you alone with the checklist. Our compliance advisors — the same team that trains certified CMMC assessors — work your program by, with, and through your people.
One system of record
Controls, policies, tasks, evidence, POA&Ms, and your workforce training in one platform — mapped across frameworks so one piece of evidence satisfies many requirements at once.
Veteran-owned & battle-tested
SDVOSB founded by a Green Beret, 4 IEEE-published papers, Purdue CERIAS partner, and multi-tenant for MSPs — trusted where security actually matters.
Straight answers
Sturdy 30 questions we answer every week
What exactly is Sturdy 30?
Sturdy 30 is Lionfish's small-business security baseline: 30 prioritized safeguards drawn from the CIS Critical Security Controls — the essential-hygiene tier that community defense analysis shows blocks roughly three-quarters of common attack techniques. It's delivered as a program in the Cyber Tackle Box: policies, tracked safeguards, evidence, and training, sized for a business without security staff.
Will this satisfy my cyber insurance carrier?
It's built to. The controls carriers verify in 2026 — MFA everywhere that matters, endpoint detection, immutable tested backups, awareness training, an incident response plan — are the heart of Sturdy 30, and the platform keeps the evidence carriers and brokers ask for. Nobody can honestly promise your premium, but you'll walk into renewal bindable, documented, and positioned for the good-risk pricing.
What's this about safe-harbor laws?
A growing set of states — Ohio was first in 2018, and at least eight now have similar statutes — give businesses an affirmative legal defense against breach lawsuits if they maintained a documented security program conforming to a recognized framework like the CIS Controls. Sturdy 30's CIS foundation plus the Tackle Box's documentation trail is exactly the artifact that defense is built on. (We're practitioners, not your lawyers — we'll gladly work with counsel.)
What happens when we outgrow it?
That's the design. Because Sturdy 30 is CIS-based, it maps forward cleanly: to CIS IG2 as you grow, to NIST CSF 2.0 when the board asks, to the FTC Safeguards Rule if you're a dealership or financial firm, or to NIST 800-171/CMMC if defense contracts arrive. Nothing you build gets thrown away — the baseline becomes the foundation.
Get in touch
Get sturdy in weeks, not quarters
Tell us about your business and what's driving the timing — a renewal, a close call, a customer demand. You'll get a straight scope within one business day.
- 1We reply within one business day — usually faster.
- 2A 30-minute call with someone who can actually answer your questions.
- 3A straight recommendation — even if it's that you don't need us yet.
Prefer to skip the form? Book a time directly or call 1-877-732-6772.