FAQ - Common questions
Pricing, timelines, what engagements include, and how we work.
Assessment
How much does an identity assessment cost?
Quick Scan $3,000 to $5,000, 1 week. Full Assessment $15,000 to $50,000, 2-4 weeks. Architecture Roadmap $15,000 to $25,000, 2-3 weeks.
What does an identity assessment include?
We look at IDP configuration, entitlement sprawl, stale accounts, MFA coverage, and compliance readiness. You get a written findings report with severity ratings and a prioritized remediation roadmap — not a 100-page document nobody reads.
What is the difference between the Quick Scan and the full assessment?
The Quick Scan is automated: read-only access, one week, you get a 10-15 page findings report. The full assessment is hands-on — we dig into lifecycle automation, compliance gaps, and entitlement sprawl in depth and deliver a prioritized remediation roadmap.
Do I need to give you admin access for the Quick Scan?
No. Read-only API access to your IDP, directories, and connected applications. We look, we do not touch.
How long does an identity assessment take?
Quick Scan 1 week. Full Assessment 2-4 weeks. Architecture Roadmap 2-3 weeks.
What do I get at the end?
Findings report with severity ratings, environment inventory, entitlement sprawl analysis, prioritized remediation roadmap. For Architecture Roadmap, also target-state architecture and phased execution plan.
Automation
How much does provisioning automation cost?
$15,000 to $40,000 scoped per workflow or bundle. Depends on application count, role logic complexity, and HR system.
How long does it take?
2 to 6 weeks. HRIS-to-IDP integration specifically 2 to 4 weeks.
What HR systems and identity providers do you work with?
Workday, BambooHR, Rippling on the HR side. Okta, Entra ID on the identity provider side.
What does joiner/mover/leaver automation cover?
Account creation and entitlement assignment at join, access adjustments at role change, deprovisioning with grace periods at departure. SCIM provisioning, audit logging, exception handling runbook.
Do I need an IDP already?
Yes. Provisioning automation connects HR to an existing IDP. If you are still evaluating platforms, start with the Assessment and Roadmap service — we will help you pick before you build on top of it.
What happens when someone leaves?
Termination events from HR trigger deprovisioning automatically, the same day. Access revoked across connected applications. Every action generates an auditable record.
Governance
How much does access review automation cost?
Access review automation $15,000 to $25,000. Entitlement governance build $25,000 to $35,000. Compliance automation $15,000 to $25,000. Bundles priced at scoping.
How long does governance take?
Access review automation 2-4 weeks. Entitlement governance build 4-8 weeks.
What compliance frameworks do you support?
SOC 2, SOX, ISO 27001, FedRAMP, IL4, IL5. Identity controls mapped to framework requirements with evidence pipeline.
What does entitlement governance produce?
Role and entitlement catalog, role-to-application mapping, access request and approval workflows, entitlement owner assignments, auditor-ready documentation.
How do automated access reviews work?
System pulls current entitlements on schedule, routes reviews to managers via Slack, escalates non-responses, executes approved revocations through the IDP. Evidence exports at cycle close.
Do I need governance before access review automation?
Reviews are more useful with a defined role model. We can scope standalone but will flag if the entitlement model needs work first.
Migrations
How much does an IDP migration cost?
$30,000 to $80,000+. Depends on users, applications, source and target platforms.
How long does it take?
4 to 12 weeks in defined phases: discovery, build, pilot, cutover. Each phase has rollback before the next begins.
What does a migration include?
User and group migration with attribute mapping, application re-integration, MFA re-enrollment planning, cutover runbook, post-migration validation. Rollback procedures at every phase.
Can you migrate in a FedRAMP environment?
Yes. We have run FedRAMP IDP migrations that maintained compliance throughout. Nobody got locked out.
What is M&A identity due diligence?
Before the deal closes (or right after), we assess the target company's identity environment: what IDPs they run, how messy the integration will be, and what needs to happen on Day 1. Scoped to deal timelines, usually 1-3 weeks.
What does pre-IPO identity readiness cover?
Access reviews, provisioning audit trails, entitlement documentation, privileged access controls mapped to SOX requirements. 4-8 weeks, often chains into a retainer.