Explore Our Services

Inquire Now

What We Offer

Cybersecurity controls implementation

To discuss a controls implementation engagement, contact us to book a discovery call.→

What it is

This is hands-on implementation work, not advisory. Axontrack assesses a client's existing security architecture, implements the controls required under applicable frameworks, and delivers the documentation and operational runbooks that support ongoing compliance and audit readiness. All work is carried out directly in the client's environment. Where infrastructure can be templated, we deliver Infrastructure-as-Code modules the client's team can maintain and extend.

Who it is for

This engagement is for engineering and security teams at Canadian defence suppliers and defence-technology firms that need controls implemented, not just recommended. Common triggers include a gap identified during a Canadian Program for Cyber Security Certification (CPCSC) readiness review, a prime contractor audit requirement, or a system being brought into a regulated environment for the first time. It suits organizations that have an internal team but lack the time or specialist knowledge to close the gap themselves.

What you get

Implemented controls delivered directly into the client's environment Infrastructure-as-Code modules where infrastructure can be templated Runbooks for ongoing operations and maintenance Internal documentation prepared for audit review Knowledge-transfer session with the client's technical team at close of engagement How we work Engagements begin with a scoping review of the client's current architecture and existing compliance documentation. From there, controls are prioritized by risk and timeline, then implemented and mapped to National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) and Information Technology Security Guidance ITSP.10.171 as applicable. All implemented controls are documented in a format that supports future self-attestation or third-party audit. Typical engagements run six to ten weeks depending on scope, though this is confirmed at the outset of each project.

CPCSC readiness and implementation

Not sure where to start? A discovery call is the right first step. →

What it is.

Axontrack supports Canadian defence suppliers in achieving Canadian Program for Cyber Security Certification (CPCSC) Level 1 self-attestation and CPCSC Level 2 third-party certification. Engagements cover gap analysis, controls implementation, and the full documentation set required for assessment against Information Technology Security Guidance ITSP.10.171, the technical standard underlying CPCSC Level 2. For suppliers also working in the United States defence market, cross-mapping to Cybersecurity Maturity Model Certification (CMMC) Level 2 is included as an integrated workstream, so clients do not need to run two separate compliance programs.

Who it is for

This engagement is for founders and operations leaders at Canadian small and medium enterprises (SMEs) in the defence supply chain. It applies whether the company is responding to an immediate contract requirement, preparing for the third-party audit cycle opening in Spring 2026, or building toward future Department of National Defence (DND) work that will require CPCSC Level 2 certification. Many clients come to Axontrack having completed a partial internal review and needing structured, audit-ready documentation and implemented controls to close what remains.

What you get

  • Gap analysis report mapped to CPCSC Level 1 and Level 2 requirements

  • System Security Plan (SSP) documented to ITSP.10.171 standards

  • Plans of Action and Milestones (POA&M) for any outstanding remediation items

  • Implemented controls mapped to ITSP.10.171

  • Audit liaison support through the Certified Third-Party Assessor Organization (C3PAO) assessment process

  • CMMC Level 2 cross-mapping where the client operates in both Canadian and United States defence markets

How we work

Engagements begin with a structured gap analysis against the thirteen baseline controls required for CPCSC Level 1 and the full ITSP.10.171 control set required for Level 2. Controls are prioritized by risk and contract timeline. We implement changes directly in the client's environment and produce the documentation required for self-attestation or third-party audit. For Level 2 clients, Axontrack is available as a liaison through the C3PAO audit process. A typical Level 1 engagement runs four to six weeks. Level 2 engagements are scoped individually based on starting posture, and the timeline is confirmed before work begins.

Advisory Engagements

To discuss an advisory engagement, contact us directly.→

What it is

Advisory engagements are for senior leadership at Canadian defence primes and defence-technology firms making strategic decisions about cybersecurity posture, supplier relationships, or compliance requirements. The work is analytical and written rather than hands-on: Axontrack assesses the situation, identifies the relevant risks and considerations, and delivers clear recommendations in formats suited to executive and board audiences.

Who it is for

This engagement is for Chief Executive Officers, Chief Information Officers, and senior operations leaders who need informed outside judgment on a specific cybersecurity question, without committing to a full implementation program. Common situations include evaluating the cybersecurity posture of a prospective supplier or partner, developing a cybersecurity policy for a new line of business or contract, and preparing board-level materials on defence compliance obligations and associated risk. Organizations new to the Canadian defence supply chain who want to understand the certification landscape before committing to a compliance program also make use of this service.

What you get

  • Written advisory report tailored to the specific question or decision

  • Executive briefing materials

  • Board-level presentations where required

  • Vendor security assessment frameworks

How we work

Each advisory engagement is structured around a defined question or decision the client needs to make. Axontrack begins with a scoping conversation to understand the context and the audience for the output, then conducts the analysis and delivers a written recommendation. All engagements are confidential and carried out under standard non-disclosure terms. Where ongoing access is useful across multiple decisions, advisory retainer arrangements are available on a monthly or quarterly basis. Typical project engagements run two to four weeks.

Get In Touch

If you're interested in working with us, complete the form with a few details about your project. We'll review your message and get back to you within 48 hours.