Turning a Free Risk Assessment Into Your Client Security Language (Not Just a Compliance Check)

Most MSPs don’t have a language problem with security; they have a translation problem. The Blacksmith Free Risk Assessment gives you a single, reusable grammar you can use to talk about both compliance and security with non‑technical clients in a way that sticks.

The problem: no shared language with clients

When you walk into a QBR and start talking about EDR, CIS 18, or “identity perimeter,” your client’s eyes glaze over. They care about outages, invoices, and insurance renewals—not frameworks. Meanwhile, compliance conversations live in a separate universe: SOC 2, HIPAA, cyber insurance questionnaires. The result is fragmented stories: security is “tools,” compliance is “paperwork,” and leadership never sees one coherent picture of risk.

What the Blacksmith Free Risk Assessment actually is

The Blacksmith Free Risk Assessment is a short, structured assessment designed specifically for MSPs and vCISOs to surface risk in a way that’s easy to discuss. It uses a concise set of questions that span key domains like identity, email, external exposure, backups, and policy maturity, plus automated external checks (such as domain‑level lookups) to ground the discussion in observable facts. Because it’s open source and licensed permissively, you can use, extend, and brand it in your own practice without legal gymnastics, and you can even point technical clients at the repo to show there’s no black box behind the curtain.

There are two live versions available:

How the assessment becomes your “security language”

The power of the tool is not just the questionnaire; it’s the fact that you can use the same model in every client conversation, so the language becomes familiar over time. Each question and external check maps naturally to three layers:

  • A plain‑English business risk (“anyone can spoof your domain,” “a single ransomware incident could halt operations for days”).

  • A concrete security control (MFA, email authentication, backup testing, endpoint hardening).

  • A compliance hook (NIST CSF category, CIS control, or a line item on insurance and customer security questionnaires).

Because the questions are scored and grouped, you can point to “low‑maturity areas” instead of rattling off tools: “Right now your identity and email controls are at Level 1–2, while backups and asset management are closer to Level 3–4. Let’s focus here first.” Over a couple of cycles, clients start repeating your language back: “What will this change do to our email security score?” instead of “Why should we buy another product?”

Using the same artifact for compliance and security

Most tools force you to have separate conversations: a compliance dashboard over here, an EDR report over there. The Blacksmith assessment lets you fuse those into one storyline. For example:

  • “You’re missing MFA for admins” becomes:

    • Security: higher risk of account takeover.

    • Compliance: gap against NIST/CIS controls and common insurer requirements.

  • “SPF/DKIM/DMARC are misconfigured” becomes:

    • Security: higher phishing and spoofing risk.

    • Compliance: weak protection of customer data and brand integrity.

You can literally walk through a single report and, for each red/yellow item, show how a remediation not only reduces breach likelihood but also reduces friction with auditors, insurers, and security‑sensitive customers. Over time, leadership learns that “improving our assessment score” correlates with “fewer nasty surprises and smoother audits,” so the tool becomes shorthand for overall posture.
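To make the "external check → three layers" mapping above concrete, here is an added example (not code from the Blacksmith project): it grades SPF and DMARC records into the Level 1–4 and red/yellow/green bands the article uses and emits one email finding with its business risk, control, and compliance hook. The rubric, the colour bands, and the DNS TXT answers are all assumptions constructed for the example; a real run would replace `SAMPLE_TXT` with live lookups.

```python
import re

# Constructed sample DNS TXT answers (no live lookup), keyed by record name.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailhost.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

RAG = {1: "red", 2: "red", 3: "yellow", 4: "green"}  # assumed colour bands

def spf_level(records):
    """Maturity Level 1-4 for SPF (assumed rubric, not Blacksmith's own)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:            # missing or duplicate SPF record is invalid
        return 1
    mech = spf[0].split()[-1].lower()
    if mech == "-all":
        return 4                 # hard fail: unauthorised senders rejected
    if mech == "~all":
        return 3                 # soft fail: flagged but often still delivered
    return 2                     # +all, ?all or no "all" term: authorises everyone

def dmarc_level(records):
    """Maturity Level 1-4 for DMARC, based on the published policy."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return 1
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)=([^;]+)", dmarc[0])}
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return 2                 # monitoring only; spoofed mail is still delivered
    if policy == "reject" and int(tags.get("pct", "100")) == 100:
        return 4
    return 3                     # quarantine, or reject applied to only part of mail

def assess_email(domain, txt):
    """Turn the checks into the three-layer finding the article describes."""
    levels = {"spf": spf_level(txt.get(domain, [])),
              "dmarc": dmarc_level(txt.get("_dmarc." + domain, []))}
    level = min(levels.values())  # the domain is only as strong as its weakest control
    risk = ("anyone can spoof your domain" if level < 3 else
            "spoofed mail is flagged but may still land" if level == 3 else
            "spoofed mail is rejected before delivery")
    return {"domain": domain, "levels": levels, "level": level, "status": RAG[level],
            "business_risk": risk,
            "control": "email authentication: SPF hard fail plus DMARC p=reject",
            "compliance_hook": "CIS Control 9 (Email and Web Browser Protections); "
                               "insurer email-security questionnaire item"}

if __name__ == "__main__":
    f = assess_email("example.test", SAMPLE_TXT)
    print(f"{f['domain']}: Level {f['level']} ({f['status']}) -> {f['business_risk']}")
```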

Turning one assessment into an ongoing narrative

The assessment really shines when you make it a rhythm, not a one‑off. Run it at onboarding to establish a baseline, then again before renewals or major board meetings. Use the same question set and scoring model every time so the story is always: “Here’s where we were, here’s where we are, here’s where we’re going next.” The incremental score changes become your talking points:

  • “Last quarter, email security moved from red to yellow. This quarter, we want to get identity into the same range, which will also tick several compliance boxes you’re worried about.”

Because the tool exports into familiar formats (like Word/PDF), you can drop screenshots into decks or leave‑behind documents and build QBR agendas directly from the findings rather than inventing new slides each time. Clients come to expect that every strategic security conversation starts with the same picture — the assessment — and that everything else (stack changes, projects, budgets) is just supporting detail.

Making it your default way of “speaking security”

If you treat the Blacksmith Free Risk Assessment as your default language, rather than a pre‑sales gimmick, several things happen:

  • Your team has a consistent structure for discovery, QBRs, and account planning.

  • Clients build intuition about their own maturity; they can see progress in a way that doesn’t depend on you being in the room.

  • Security and compliance finally share a single map, so you’re not explaining the same risk three different ways to three different audiences.

The practical next step is simple: pick one or two clients where security conversations feel messy, run the assessment with them live, and commit to using that report as the backbone of your security and compliance discussions for the next year. If you do that consistently, the tool stops being just “free” and starts being the dialect your clients use to talk about risk—with you as their interpreter.
