
Frequently Asked Questions

Everything you need to know about arxdura's S3 bucket hardening and compliance services.

How do T0–T3 differ from T0a–T3a?

T0–T3 are bundled engagements that cover a defined number of buckets per tier. They give you a better effective per-bucket rate in exchange for that minimum scope. T0a–T3a are a la carte per-bucket options used when you only need a small number of buckets treated at a given tier.

What happens if we exceed our bundle's bucket limit?

If you are on a bundled tier and later add buckets beyond its limit, those extra buckets are priced at 30% off the corresponding a la carte per-bucket price. This lets you grow incrementally without immediately jumping to the next full bundle.

Can we upgrade from T0 to T1/T2/T3 later?

Yes. Many teams start with T0 to get quick insight and hardened baselines, then move to T1 or T2 once they see the value and have upcoming audits.

T0 credits apply: If you upgrade within 90 days of your T0 assessment, the full T0 price you paid is credited toward your upgrade. You only pay the difference.

Example: T0 ($720) → T1 ($2,160) upgrade within 90 days = You pay $1,440 additional ($2,160 - $720 credit)

🎁 What are the loyalty rewards?

We offer earned discounts for repeat customers:

  • 1st purchase: Full price
  • 2nd purchase: 10% off (Bronze tier)
  • 3rd purchase: 15% off (Silver tier)
  • 4th+ purchase: 20% off all future purchases (Gold tier)

Loyalty discounts are applied automatically via Stripe coupons. We track your purchase history and send coupon codes after each order.

Example: If you purchase T1 ($2,160) twice, your third purchase qualifies for 15% off ($1,836 instead of $2,160).

How does this compare to traditional consulting?

We optimize the hardening process with automation:

  • T0 Assessment: Saves ~20 hours of manual auditing work
  • T1 Hardening: Hardens 15 buckets in 4-6 hours (~2-4 hours saved per bucket)
  • T2 Compliance: Adds compliance profiles in 8-10 hours (~3-5 hours saved per bucket)
  • T3 Enterprise: Multi-account governance in 12-16 hours (~4-6 hours saved per bucket)

arxdura delivers results in hours instead of days with fixed pricing and consistent quality.

What exactly is deployed in our AWS account?

We deploy hardened S3 buckets with security controls directly into your AWS account, which you own and control. This includes:

  • Customer-managed encryption keys (KMS)
  • Server access logging and CloudTrail audit trails
  • Bucket policies blocking unencrypted uploads and public access
  • Object versioning and retention policies (depending on tier)
  • Compliance-tagged configurations (HIPAA, SOC 2, GDPR)

Important: We never store your data. All resources (including your actual buckets) remain in your AWS account under your control. We provide tools and expertise—you own the infrastructure.
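To confirm the two bucket-policy controls listed above on a delivered bucket, a check like the following can be run over the policy JSON. This is an added example, not arxdura's code; the sample policies, bucket name and function names are constructed, and it assumes "encrypted upload" means SSE-KMS.

```python
SSE_KEY = "s3:x-amz-server-side-encryption"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anyone(principal):
    # "*" and {"AWS": "*"} both mean any caller
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def audit_bucket_policy(policy):
    """Check a bucket policy document for the two controls named in the FAQ."""
    result = {"denies_non_kms_uploads": False, "public_allows": []}
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not _is_anyone(stmt.get("Principal")):
            continue
        cond = stmt.get("Condition", {})
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") == "Deny":
            # StringNotEquals also matches requests that omit the header
            wanted = _as_list(cond.get("StringNotEquals", {}).get(SSE_KEY, []))
            covers_put = any(a in ("s3:putobject", "s3:*", "*") for a in actions)
            if covers_put and wanted == ["aws:kms"]:
                result["denies_non_kms_uploads"] = True
        elif stmt.get("Effect") == "Allow" and not cond:
            # Unconditional Allow to everyone is public access
            result["public_allows"].append(stmt.get("Sid", f"statement[{i}]"))
    return result

# Constructed sample policies (bucket name is a placeholder).
HARDENED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}}}]}
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for name, doc in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_bucket_policy(doc))
```

The check only reads the bucket policy; S3 Block Public Access settings and ACLs are separate controls and need their own review.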

How does the deployment process work?

Simple two-step process:

  1. Place your order: Complete the secure payment form with your tier selection
  2. Submit project details: You'll receive an email with a link to submit your AWS account ID, bucket list, region, and compliance requirements

Once we have both pieces, we generate your configuration and queue your deployment. Most deployments complete within 24-48 hours of receiving complete project details.

What compliance frameworks do you support?

Our T2 and T3 tiers include configuration and evidence generation for:

  • SOC 2 Type II – Security, availability, and processing integrity controls
  • HIPAA/HITECH – Healthcare data privacy and security (PHI baseline bucket)
  • GDPR – Data protection and privacy rights
  • PCI-DSS – Payment card industry security standards

We generate compliance evidence (Prowler scans, audit logs, mapping documents) that your auditors can actually use. T0 and T1 focus on foundational security with basic compliance posture assessment.

How does arxdura access our AWS account?

We use AWS IAM cross-account roles (not access keys) for temporary, least-privilege access:

  • You deploy an arxduraDeployRole in your account using a CloudFormation template we provide
  • This role has scoped permissions (S3, KMS, CloudTrail, IAM) required for hardening
  • Access is temporary and logged in your CloudTrail audit logs
  • You can revoke access at any time by deleting the role

Your AWS credentials never leave your account. We assume the cross-account role during deployment and end the session as soon as the deployment finishes.
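Before deploying a vendor role such as the one described above, its trust and permissions policies can be reviewed offline. The sketch below is an added example, not arxdura's template or code: the account ID, principal ARN, external ID and policies are constructed, and the `sts:ExternalId` check reflects AWS's general guidance for third-party roles rather than anything this FAQ states.

```python
ALLOWED_SERVICES = {"s3", "kms", "cloudtrail", "iam"}  # services the FAQ lists

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_deploy_role(trust_policy, permissions_policy, vendor_account_id):
    """Return findings; an empty list means nothing was flagged."""
    findings = []
    prefix = f"arn:aws:iam::{vendor_account_id}:"
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn != vendor_account_id and not arn.startswith(prefix):
                findings.append(f"trust: unexpected principal {arn}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust: no sts:ExternalId condition")
    for stmt in _as_list(permissions_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            service = action.split(":", 1)[0].lower()
            if action == "*" or service not in ALLOWED_SERVICES:
                findings.append(f"permissions: action outside scope: {action}")
            elif action.endswith(":*"):
                findings.append(f"permissions: service-wide wildcard: {action}")
    return findings

# Constructed samples; 111122223333 is a placeholder vendor account ID.
GOOD_TRUST = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/deployer"},
    "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}
GOOD_PERMS = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "s3:PutBucketPolicy", "s3:PutEncryptionConfiguration", "kms:CreateKey",
    "cloudtrail:CreateTrail", "iam:GetRole"]}]}
BAD_TRUST = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}
BAD_PERMS = {"Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": ["s3:*", "ec2:RunInstances"]}]}

if __name__ == "__main__":
    print(audit_deploy_role(GOOD_TRUST, GOOD_PERMS, "111122223333"))
    print(audit_deploy_role(BAD_TRUST, BAD_PERMS, "111122223333"))
```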

What do we receive after deployment?

Every engagement includes a comprehensive delivery package:

  • Compliance Report – HTML Prowler scan results with control status
  • Configuration Summary – Before/after changes applied to your buckets
  • Evidence Bundle – Audit logs, CloudTrail exports, and compliance mappings ready for auditors
  • Implementation Notes – What was changed, why, and how to maintain hardened state
  • S3 Locations – Where evidence is stored and how to access it

All evidence is stored in S3 within your AWS account or a shared evidence bucket (your choice).

How fast is the deployment?

Actual hardening time by tier:

  • T0: 15-30 minutes (posture scan + basic hardening)
  • T1: 30-45 minutes (full hardening essentials)
  • T2: 45-60 minutes (compliance-ready with evidence)
  • T3: 60-90 minutes (enterprise multi-account)

Total engagement timeline (from payment to delivery): 24-48 hours including order processing, configuration generation, and deployment.

This is significantly faster than manual hardening, saving hours of manual configuration and testing work.

Why is this better than manual hardening?

arxdura combines expert-level hardening with automation speed:

  • Speed: 1-16 hours vs. many days for manual hardening
  • Certainty: Fixed price vs. unpredictable manual work
  • Evidence: Audit-ready reports vs. manual documentation
  • Repeatability: Proven Terraform modules vs. ad-hoc solutions
  • Ownership: You own the infrastructure—no vendor lock-in

Think of arxdura as a specialized strike team: we show up with a tested playbook, deploy to your account, and leave you with hardened buckets and auditable evidence.

Do you offer ongoing maintenance or support?

Current model: Finite engagements with lasting infrastructure.

We deploy hardened buckets with built-in controls (logging, encryption, compliance policies) that continue to protect your data after the engagement ends. You own the resources and can maintain them.

Future additions: We are developing ongoing monitoring, scheduled compliance scans, and drift detection as optional add-ons. These will be announced when available.

Do you have partner or referral programs?

Current status: We're establishing direct partnerships with compliance platforms (Drata, Vanta, Secureframe). These will enable partner-referred pricing and bundled compliance workflows.

Coming soon: Referral and reseller programs for MSPs, security consultants, and compliance advisors. These will offer commission-based revenue sharing and co-branding options.

Our loyalty rewards program (10-20% off repeat orders) is available now for all customers.

Can I work with my existing security consultant alongside arxdura?

Absolutely. arxdura is designed to complement, not replace, your existing security relationships.

How consultants work with us:

  • Client recommendation: Consultants recommend arxdura to clients for fast, repeatable hardening
  • Focused delivery: We handle the technical deployment, freeing consultants for strategic guidance
  • Evidence collaboration: Audit-ready reports fit seamlessly into consultant compliance workflows
  • Future partnerships: We're launching a reseller program for consultants to deliver arxdura services to their clients

How this benefits you: You get faster deployment times, consistent hardening quality, and auditable evidence—while consultants focus on strategy, policy, and ongoing governance.

Many of our best engagements involve collaboration with the client's existing security team or advisors.

What makes arxdura different from automated security tools?

We bridge the gap between automated tools and expert implementation:

  • Tools alone don't deploy: Prowler/Config identify issues but don't fix them in your account
  • We deploy the fixes: Using proven Terraform modules with audit trails
  • Tools don't generate evidence: Auditors need documentation, not just pass/fail checks
  • We provide auditable deliverables: Reports, mappings, and compliance narratives
  • Tools don't offer strategy: We advise on tier selection, compliance frameworks, and architecture

Think of it this way: we use Prowler and other tools to assess compliance, but our value is in the deployment, hardening, and evidence generation that tools alone cannot provide.

Still have questions?

Our team is here to help you choose the right tier and understand how arxdura fits your compliance needs.
