CORNERSTONECYBER
Netskope Professional Services
Every Netskope engagement,
one architect-led partner.
From a single-day tune-up to a multi-region rollout, and the run-state that follows. Fixed-price where the outcome is clear, time-and-materials where it isn't, and a senior Netskope Architect on every one.
SWG · CASB · DLP · DSPM · NPA · UEBA · Enterprise Browser · AI Security
Architect-led delivery, every engagement
The engagement lifecycle
Four stages, from project to run. One delivery standard.
Most engagements move left to right: a targeted fixed-price start, a full implementation, retained capacity for the work that flexes, then managed run-state. Start at whichever stage fits today, every one is scoped by a Co-Director and delivered by a senior Netskope Architect.
1
Fixed-Price Catalogue
17 targeted engagements, priced ahead of time. Ship in days.
2
Implementation
Guided or Managed rollout, scoped to a hard price ceiling.
3
Retainer (T&M)
Pre-purchased capacity for work that won't sit in a fixed box.
4
Managed Services
Run-state support once the platform is live.
Project assess, plan, build, hand overcontinuous improvement Run
Fixed-price when
The outcome is well defined
A scorecard, a tuned policy set, a module lit up. Priced at scoping, delivered to a fixed deliverable and a fixed window. No change-request wrapper.
Time & materials when
The work needs to flex
Evolving scope, ongoing uplift, or run-state. Draw on a retainer across Consultant, Architect and PM roles, capacity, not a guess.
Who we are · How we work
A strategic Netskope partner, not another assessment vendor.
Architect-led delivery
Senior practitioners deliver directly. No account layer.
Cornerstone Cyber is a boutique cyber consultancy. Every Netskope engagement is delivered by a senior Cornerstone Netskope Architect with deep platform experience across SWG, CASB, DLP, NPA, UEBA and Enterprise Browser. Scoping is led by a Co-Director; delivery is led by the Architect. The advice you get is grounded in your outcome, ranked by impact, and built to be acted on, not padded.
What every engagement carries The same rules, whether the work is fixed-price or time-and-materials.
Principle 01
Priced ahead of time
Fixed price at scoping, or a transparent day rate for T&M. No surprises, no padded reports.
Principle 02
Shipped in days
Tune-ups finish within a week. Platform projects close within three. Run-state keeps improving.
Principle 03
Always an artefact
Every engagement leaves a document, a configuration change, or a tested artefact. Nothing is purely advisory.
Principle 04
No lock-in
We design, build and hand over a platform your team can run. Stay with us for run-state only if you choose to, never because you have to.
Meet the founders Two decades of enterprise, defence and regulated-industry delivery, at boutique scale.
Co-founder · Director
Shaun Struik
Architecture & Strategy
Twenty-plus years across IT, cyber and enterprise architecture, government, defence and billion-dollar enterprise, including a MedTech through IPO-readiness. Translates complex security requirements into clear, scalable solutions that fit real business constraints.
Co-founder · Director
David Badger
Delivery & Customer
A career in large-scale infrastructure across health, defence, education and government, environments where precision and compliance are non-negotiable. Keeps every engagement on time, on budget, and executed with complete confidence.
Our engagement pillars
Straight-talking partnership · Technical leadership · Outcome-focused delivery · Sustainable relationships. A named lead owns delivery and communication. Issues are escalated early with clear options. All in plain English. Clarity over complexity, outcomes over activity, trust over transactions.
Fixed-price engagement catalogue
Targeted engagements, priced ahead of time.
Seventeen offers across three tiers. Every offer is delivered by a senior Netskope Architect, scoped for outcome, and priced at a fixed $2,500 per architect day. No retainer required, no minimum spend, no change-request wrapper. All prices AUD, ex GST.
Tune-Up
Single engagements that fix one thing, fast.
$1,250 to $2,500
Lightning Audit Half day
Live tenant walk-through with a Netskope Architect; five targeted, prioritised improvement recommendations and a one-page scorecard within 24 hours.
$1,250
Steering Surgery 1 day
Traffic steering tightened, bypasses closed, client version drift resolved, so the traffic you think is inspected actually is.
$2,500
Policy Prune 1 day
SWG, CASB Inline and DLP policies stripped of dead, shadowed and conflicting rules. Redlined set with kept / retired / merged calls, applied to the tenant.
$2,500
Client Fleet Cleanup 1 day
Stale users, broken installs and departed-staff accounts identified; fleet health restored and onboarding made cleaner.
$2,500
Expert Sprint
Multi-day focused engagements that ship a specialist outcome.
$5,000 to $12,500
Value Replay Report 2 days
Thirty days of blocked events categorised, visualised and narrated, what Netskope actually saved you last month, with a reusable template.
$5,000
Shadow AI Hunt 3 days
Every AI tool in active use mapped against your sanctioned list, with named-user exposure for HR, Legal and IT, and a sanctioning template.
$7,500
Architecture Documentation Sprint 3 days
HLD, LLD, traffic-flow diagram and integration map produced against current tenant state. Editable formats supplied.
$7,500
UEBA Tuning Day 1 day
UEBA model tuned to your real user behaviour. Alert noise down; the users who genuinely matter surfaced and prioritised.
$2,500
DLP Precision Tuning 5 days
DLP false-positive rate cut below ten per cent, validated against live traffic, with a reusable tuning playbook.
$12,500
Policy Regression Pack 5 days
50+ automated regression tests proving critical SWG, CASB and DLP policies still work, plus a one-click re-run script.
$12,500
Dynamic Risk Mesh 1 week
Netskope UEBA risk scores drive Entra dynamic groups and Conditional Access in near real time. Risk responds to behaviour, hands-free.
$12,500
Fixed-price engagement catalogue · continued
Platform projects & pre-renewal review.
Platform Project
Multi-week builds that light up modules and transform the tenant.
$20,000 to $37,500
Enterprise Browser Pilot 8 days · 2 wks
Netskope Enterprise Browser piloted with up to 50 users in one business unit. High-risk browsing isolated; recommendation for broader rollout.
$20,000
CASB API Harvest 8 days · 1-2 wks
CASB API activated for your top ten SaaS apps. Shadow-data exposure surfaced, SaaS posture baselined, remediation plan delivered.
$20,000
NPA Lighthouse 10 days · 2 wks
Netskope Private Access proven for one named app and user group. Lights up ZTNA with a clear path to replace legacy VPN.
$25,000
Tenant Restoration 12 days · 2-3 wks
Tenant rebuilt to the Cornerstone reference baseline, cleaned policy, tuned DLP, validated steering. Known-good state, full docs, 30-day review.
$30,000
Copilot Safe Launch 15 days · 3 wks
Microsoft 365 Copilot launched with regulated data fenced by Purview labels, Netskope DLP and Conditional Access. Governance playbook included.
$37,500
Pre-Renewal Review
A standalone engagement, timed before a Netskope renewal.
$7,500
Netskope Value Assurance Review 3 days
Independent review of realised value, config health and unmet opportunity. CIO one-page scorecard, health rating across SWG/CASB/DLP/NPA/UEBA, and a prioritised 12-month roadmap. Walk into renewal with evidence, not a vendor pitch.
$7,500
How pricing works
All pricing is calibrated at $2,500 per architect day, ex GST. Price is fixed at scoping, if an engagement reveals scope beyond the fixed boundary, a small follow-on is offered at the same transparent day rate. Never a surprise.
Plan it as one programme. Engagements combine well, e.g. Lightning Audit → Shadow AI Hunt → Architecture Documentation Sprint. Commit to any three Expert Sprint or Platform Project engagements together and we sequence them as a single coordinated programme, with more delivered capacity per dollar committed.
Implementation
Two delivery models. One scope of work.
Every Netskope rollout delivers the same technical outcome. The work breakdown, the policies, the tenant architecture are identical. What changes is how much of the lift your team carries.
Guided
You lead your environment.
Cornerstone owns the architecture and tuning that decide outcome. Your team runs the commodity work, with our playbook and our eyes on every step.
Best when
- You have a capable IT team that wants to own the platform after handover.
- You want enterprise-grade expertise without outsourcing day-to-day control.
- Budget discipline is a priority and internal capacity is available.
Managed
You sign off the scope. We deliver it.
Cornerstone runs the whole engagement and absorbs the commodity work. Your team signs off at Discovery and Design and stays on BAU.
Best when
- Internal operational bandwidth is limited or already committed.
- You want a white-glove rollout with minimal disruption to BAU.
- Speed of clean delivery matters more than internal knowledge build.
Same scope, different shape
Guided prices lower because the customer absorbs the commodity effort; Managed prices higher because Cornerstone absorbs it, and adds a Transition phase: Learning Mode, pilot, wave-based cutover and hypercare. The scope of work, and the technical outcome, are identical. Either way, every engagement ships under a fixed-price ceiling defined in a Statement of Work before we start. If we run over our estimate, that's our risk, not yours.
Three tiers, three shapes The tier matches your starting point, not a feature list.
Tier 1 · Base
New build
Launch
New to Netskope. Nothing to migrate.
4 to 6 weeks
- Greenfield environment
- No incumbent SSE or legacy proxy
- Single site, IdP and device platform
- Policy set from Cornerstone baseline
- Under 500 seats
Tier 2 · Simple
Single cutover
Switch
Replace a legacy product in one cutover.
6 to 10 weeks
- Existing SSE, proxy or VPN to retire
- One decisive cutover, no parallel run
- Low-moderate policy complexity
- Standard IdP and MDM in place
- 500 to 2,000 seats
Tier 3 · Complex
Phased migration
Shift
Phased migration with parallel running.
10 to 12 weeks
- Multi-wave migration from legacy
- Parallel run expected across waves
- Complex policy or regulatory overlay
- Multi-site or multi-IdP estate
- 2,000+ seats or multi-region
Implementation · where we start from
Fixed-price starting points.
“From” pricing at the 500-seat Launch baseline; rollouts price up as seats, sites, integrations and tier rise. All prices AUD, ex GST.
| Line item & inclusions | Guided (from) | Managed (from) |
| Main Netskope bundles |
| Prime Fundamental Project Baseline, SWG, Premium Threat Protection | $8,300 | $14,550 |
| Prime Advantage Prime Fundamental + CASB Inline, DLP L2, UEBA L2, Advanced Analytics, DEM L1 | $10,400 | $18,550 |
| Max Fundamental Prime Fundamental + CASB Inline, CFW L1, DLP L1, UEBA L2, RBI L1, TP L1, Bandwidth Control, Log Streaming | $11,350 | $20,000 |
| Max Advantage Max Fundamental + DLP L2, CFW L2, Advanced Analytics, DEM L1, Premium TP | $11,900 | $22,850 |
| GenAI App SecurityNew Project Baseline, SWG, CASB Inline, GenAI Inline, DLP L2, DSPM | $11,350 | $20,900 |
| Top add-ons · stack on top of the selected bundle |
| CASB API Out-of-band API scanning of sanctioned SaaS tenants | $950 | $3,150 |
| NPA (ZTNA) Zero Trust access to private apps; replaces or augments VPN | $1,800 | $3,050 |
| Cloud Firewall (CFW L1) Stateful firewall for non-web ports and protocols | $800 | $1,450 |
| DLP Program 12-week program: Workshop, Monitor, Notify, Enforce | $6,900 | $11,450 |
| AI security suite New |
| Agentic Broker Governs AI-agent traffic speaking MCP to internal tools & data | $900 | $1,350 |
| AI Gateway Central control plane for access to public & private LLMs | $1,650 | $2,750 |
| AI Red Teaming Automated red-team testing of customer LLMs and AI apps | $1,450 | $2,700 |
| AI Guardrails Content moderation and guardrails on customer LLMs | $950 | $1,600 |
| Cornerstone extras · documentation | Fixed |
| As-Built Records the deployed config · default | $3,750 |
| HLD High-Level Design, signed off pre-Build · default | $2,500 |
| DLD Detailed Design, per-rule intent · optional | $5,000 |
| Training 4-hour operator handover · optional | $1,250 |
Optional by default, you only pay for what you'll use. Don't need a Detailed Design or As-Built? It comes straight off the quote. No charge for documentation you won't value.
Project Management
Formula: 13.5 setup hours + (4 hrs × engagement weeks) at $1,500/day, covering init, plan, RAID, weekly status, governance and closure.
Runs concurrently with delivery, so it never extends the calendar. The final number is locked in Quick Quote once bundle, tier, seats and add-ons are confirmed.
Time & materials · the retainer
Capacity for the work that won't sit in a fixed box.
Not every need maps to a catalogue card. The Cornerstone retainer is committed senior capacity, drawn down on a time-and-materials basis across any role, pooled and flexible, at transparent day rates. The more you commit, the further each dollar of capacity goes, and the higher your priority on our schedule. Available to Cornerstone customers direct. All prices AUD, ex GST.
Day rates by role
Level Two
Consultant
$2,200 / day
Hands-on configuration, tuning, testing and run-state operational work.
Level Three
Netskope Architect
$2,500 / day
Architecture, policy authoring, integration design and make-or-break decisions.
Engagement
Project Management
$1,500 / day
Planning, RAID, status, governance and closure across multi-stream work.
Retainer blocks
Commit once. Every dollar of capacity goes further.
You commit a block, then draw down its full capacity across any role at the day rates above. The larger the block, the more capacity each dollar buys.
Block 1
Commit$10,000
Draw down$10,000
Entry block
Block 2
Commit$24,375
Draw down$25,000
+$625 capacity
Block 3
Commit$47,500
Draw down$50,000
+$2,500 capacity
Block 4
Commit$69,375
Draw down$75,000
+$5,625 capacity
Block 5
Commit$90,000
Draw down$100,000
+$10,000 capacity
How the drawdown works
Your block value is a single pool. Work is delivered against the day rates above and drawn down as it's done, mix Consultant, Architect and PM time however the work demands, week to week. You see a running balance and a simple statement against each piece of work.
Why customers commit
Ongoing tuning, evolving scope, ad-hoc uplift and run-state support rarely fit a fixed box. A committed block turns that into senior capacity on standby, no per-request quoting, no change-order friction, and priority on our schedule. The larger the commitment, the further each dollar of capacity goes. Unused balance carries for 12 months.
Run-state · managed services
Once it's live, keep it sharp.
A Netskope platform earns its value in run-state, as policies drift, traffic shifts and new modules come online. Cornerstone manages the whole run-state journey for you, orchestrating delivery through our trusted partner network while we own the architecture, the relationship and the assurance. One point of accountability, enterprise-grade operations behind it. Choose how much of the day-to-day your team holds. Priced on application.
Model A
Hybrid, Shared Accountability
Your team runs day-to-day Level 1. Cornerstone manages the heavy lifting, delivered through our partner network.
Your team · Level 1
- User requests & access changes
- First-line triage of alerts
- BAU policy tweaks
- End-user communications
Cornerstone manages · Lvl 2 & 3
- Architecture & policy authoring
- DLP, UEBA & threat tuning
- Escalations & incident response
- Monthly review & value reporting
Price on application
Model B
Full Managed Service
Cornerstone manages the full run-state on your behalf, delivered through our partner network. Your team has view-only access.
Cornerstone manages
- All Level 1, 2 & 3 operations
- Policy, DLP, threat & UEBA management
- Monitoring, change execution & incident response
- Monthly value reporting + executive review
You get
- View-only dashboard access
- Full transparency on every change
- Annual Value Assurance Review
- A single Cornerstone point of contact
Price on application
Cornerstone-owned oversight
Cornerstone Architects own the design and stay across run-state assurance on both models.
Change work on your retainer
Uplift and project work draws on published retainer day rates. Transparent, never a surprise.
Built to hand back
Even full management is structured to exit cleanly. No mystery systems, no permanent dependency.
All products in run-state
Both models cover the full Netskope platform once it's live, SWG, CASB, DLP, NPA, UEBA, Enterprise Browser and the AI security suite. The right model is matched to your estate and how much of the day-to-day your team wants to hold. Run-state delivery is orchestrated by Cornerstone through our trusted partner network, so you get enterprise-grade operations with a single point of accountability. Project and uplift work draws on your retainer at the published day rates, so run-state stays transparent, and even the fully managed option is built to hand back, never to lock you in.
Let's chat
From a single tune-up to run-state, start with a conversation.
Thirty minutes with a Co-Director. No obligation, no pressure.