The Front Door Problem: Why a Cybersecurity Firm's Website Is an Investigative Asset
Leona Songkeeper | Caduceus Security Group
There is a question every cybersecurity firm’s website fails to ask.
Not “what do you need?” Not “how can we help?” The question that matters — the one that determines whether the visitor who just landed on your homepage is about to find something genuinely useful or is about to leave — is simpler and more fundamental than either of those.
Who are you?
Not your name. Your situation. Your relationship to the problem.
The organization that has an internal security team and needs to build investigative capability across converged cloud environments is not the same visitor as the business leader who pays an MSP every month and assumes that contract covers them when things go wrong. They carry different fears. They speak different languages. They need to hear different things before they will trust that the organization in front of them understands their specific situation.
A website that tries to speak to both of them simultaneously — as most do — ends up speaking clearly to neither.
This is the front door problem. And it is, at its core, an investigative problem. You cannot reconstruct a timeline without first establishing who the actor is. You cannot produce a defensible narrative without knowing whose narrative you are building. The same principle applies to the first moment a visitor encounters your organization’s digital presence.
We rebuilt the Caduceus Security Group website this week. What follows is an account of why each architectural decision was made — and what those decisions reveal about how a firm operating in high-consequence environments should think about its public-facing presence.
The Unsolicited Email That Started the Conversation
The process began, as many useful conversations do, with something that arrived uninvited.
An unsolicited email landed in the CSG inbox from a Gmail address, offering to optimize the website for search terms like “cyber security services” and promising ten to fifteen new leads per month from Google “within a few months.”
The email was not malicious. It was simply wrong — not about SEO as a discipline, but about CSG’s situation and its clients. The organizations CSG serves do not type “cyber security services near me” into a search engine. They arrive through reputation, through referrals, through conference relationships, through the kind of earned trust that comes from a decade of showing up at DEF CON and BSides with real work.
But the email raised a legitimate question worth sitting with: what is the website actually doing, and for whom?
The answer, when examined carefully, was that the existing homepage was a description of CSG’s services — competent, accurate, and largely indifferent to who was reading it. It informed. It did not confront. It did not ask the visitor to locate themselves in relation to a problem.
That was the beginning.
The Fork: One Question, Two Rooms
The first architectural decision was the most consequential.
Rather than redesigning a single homepage that attempted to serve every possible visitor, we built a fork — a single entry point whose entire purpose is to ask one question and route the visitor accordingly.
How does your organization manage cybersecurity today?
Two cards. Two paths.
We have an internal security team or SOC.
We work with a Managed Service Provider.
This is not a novel UX pattern. What makes it significant in CSG’s context is the reasoning behind it — and what each path leads to.
The internal security team audience already understands the problem at a technical level. They know what converged infrastructure forensics means. They are not asking whether the gap exists — they are asking whether CSG can help them close it. The page they land on can speak to them as peers. It can assume fluency. It can ask the hard operational questions that practitioners recognize immediately: Can you produce a unified timeline across identity, SaaS, and cloud for a single user session? What is your process to preserve original logs and maintain chain of custody during an incident?
The MSP-dependent business leader audience is in a fundamentally different position. They believe their exposure is managed. They have a contract. They have insurance. They potentially have a SOC through their MSP. The three-point triangle of delegated safety feels complete. The page they land on cannot assume that fluency — it has to surface the gap first, before it can address it. It has to break the triangle before the visitor can hear anything else.
These are not tonal differences. They are structural ones. A page that tries to serve both audiences at once will inevitably land somewhere in the middle — too technical for the business leader, too simplified for the practitioner.
The fork resolves this by removing the assumption entirely. The visitor tells us who they are. We speak to that person.
The MSP Page: Invitation, Not Confrontation
The page serving MSP-dependent businesses was the most carefully considered piece of the rebuild.
The temptation in this kind of work is to lead with fear. The data supports it — $4.9 million average breach cost, 194 days to identify, 60% of breaches involving compromised credentials. The statistics are real and they land hard. But fear without a credible off-ramp is not a conversion tool. It is a dead end that sends the visitor looking for someone who will tell them they are fine.
The architecture of the MSP-facing page was built around a specific adversarial insight that came out of pressure-testing the messaging: the visitor’s first move is not skepticism, it is the delegated safety reflex. They have already delegated. The SOC handles detection. Insurance handles loss. They believe the loop is closed.
The page intercepts that reflex before it can settle. A SOC can detect activity. Insurance can offset loss. Neither produces a defensible reconstruction of what actually happened.
That line is not an attack on MSPs. It is a precise and accurate description of a gap in scope. Detection and reconstruction are different capabilities. Management and defensibility are different outcomes. The MSP’s contract does not change what their tooling is built to do.
From there, the page moves to the Supply Chain scenario — the case where the MSP itself becomes part of the incident. This is the sharpest edge of the argument, and it required the most care. The instinct is to argue probability: how often does this actually happen? That is the wrong frame. The moment you argue probability, you have accepted the visitor’s dismissal as a valid starting point. The correct frame is preparedness under failure: if your trusted provider becomes part of the incident, their access and telemetry cannot be assumed neutral — and your timeline becomes legally fragile. The question is not whether it is likely. The question is whether you can prove what happened if it does.
The closing consequence block carries this logic to its conclusion. If this goes wrong, the question your board, your counsel, and your insurer will ask is not whether you had coverage — it is whether you can prove what happened. That proof must be designed before the incident occurs.
The page earns that statement. It doesn’t open with it.
The SOC Page: Peer-to-Peer, Not Persuasion
The page serving organizations with internal security teams operates on a different register entirely.
A practitioner who lands on a cybersecurity firm’s website is running a silent evaluation from the first sentence. They are asking: does this organization understand the actual problem, or are they selling me a version of it? Generic language fails this test immediately. Phrases like “comprehensive security solutions” or “end-to-end protection” signal that the author has not spent significant time in an incident room watching an investigation stall at the seams between platforms.
The SOC-facing page opens with what security teams already know: Most organizations are not unprotected. They are unprepared. That distinction is not rhetorical. It is the precise technical difference between having tools and having investigative capability — and every practitioner who has tried to reconstruct a timeline across fragmented cloud telemetry understands it viscerally.
The qualification questions in the structural problem section came directly from operational reality. Can you produce a unified timeline across identity, SaaS, and cloud for a single user session? What is your process to preserve original logs and maintain chain of custody during an incident? If provider logs conflict, how do you establish ground truth? These are not rhetorical. They are the questions that surface the gap without argument — because a practitioner who reads them and hesitates already knows the answer.
The page points to Services for program depth rather than restating the five-phase program in full. This was a deliberate choice to eliminate overlap between pages — each page owns a specific part of the conversation, and no visitor should feel they are reading the same content twice as they navigate the site.
The Partner Brief and the MSP Relationship
Parallel to the site rebuild, we developed a partner brief for Managed Service Providers — a document designed not to confront MSPs but to invite them into a complementary relationship.
This required a different kind of adversarial analysis. The question was not how to win an argument with an MSP, but how to make the argument unnecessary. The framing that emerged from pressure-testing the brief was the clearest possible boundary statement: MSP Scope: Visibility, Management, Response. CSG Scope: Reconstruction, Validation, Defensibility.
You manage environments. We ensure they can be proven under scrutiny.
The brief incorporates a three-archetype framework — Operations-First, Security-Enhanced, and Compliance-Driven MSPs — that serves as a qualification tool in any initial conversation. Each archetype has a distinct gap and a distinct entry point. The Operations-First MSP’s gap is investigative depth. The Security-Enhanced MSP’s gap is cross-domain reconstruction when detection is incomplete. The Compliance-Driven MSP’s gap is real-world evidence integrity versus audit compliance. These are not the same gap described three ways. They are genuinely different problems that require genuinely different entry points.
The partner page — accessible by direct URL rather than site navigation, intended for MSP contacts rather than clients — carries the warmth that the client-facing pages deliberately withhold. The client pages confront. The partner page invites. The visual register is the same, but the temperature is different.
On Visual Authority in High-Consequence Environments
A note on the aesthetic decisions, because they are not separable from the strategic ones.
The organizations CSG serves — healthcare systems, financial institutions, defense units, energy infrastructure operators — make decisions about partners based partly on signals that are never articulated explicitly. The quality of the written analysis. The precision of the language. Whether the visual presence of the firm matches the weight of the work it claims to do.
A cybersecurity website built on stock photographs of glowing keyboards and red binary code signals, at a subconscious level, that the firm thinks about its work the way the general press thinks about cybersecurity. That is not the signal a firm operating at the level of CIFM-driven converged forensics should be sending.
The visual language we chose — deep navy, Cormorant Garamond for authority and depth, Barlow Condensed for operational precision, clinical section architecture, the restraint of the accent bar — is not aesthetic preference. It is positioning. It says: we think carefully about everything we do, including this. Potential clients and partners will not consciously analyze the typography. But the cumulative impression of a site that was designed with intention rather than assembled from a template is something they will feel before they can articulate it.
The absence of the founder’s name on the About page is a deliberate choice for this season of the business. The organization speaks for itself. As our business continues to grow and change, the About page is ready to receive it.
What the Work Reveals
There is a principle in digital forensics that evidence does not speak for itself — it speaks through the investigator who knows what questions to ask of it. A log file that looks like noise to one analyst is a timeline to another. The difference is not the evidence. It is the frame.
A website is evidence of an organization’s thinking. What questions it asks of its visitors. What it assumes they already know. What it is willing to say clearly and what it softens into abstraction. What it asks the visitor to do and whether it has earned the right to ask.
The rebuilt CSG site asks its visitors a single question before it says anything about itself. That question — who are you? — is the most honest and respectful thing a firm in this space can do. It says: we know that your situation is specific, that your fears are real and particular, and that you deserve to hear something that is actually true about your circumstances rather than a general statement about cybersecurity risk.
That is, in the end, what every engagement CSG undertakes is built on.
The website should have always said so.
Leona Songkeeper specializes in investigative synthesis, evidence correlation, and the hidden patterns that emerge at the intersection of identity, infrastructure, and human behavior. As a research analyst for Caduceus Security Group, she focuses on the space between evidence streams — the silences, the anomalies, and the overlooked connections that define the full shape of an intrusion. Drawing from a tradition of balance and clarity, her work bridges technical findings with human context, ensuring that complex, multi-faceted incidents are understood not just in their parts but as a whole.
All content copyright © Caduceus Security Group LLC, 2026.