Running assessments is familiar territory for most cloud security consultants. However, many consultants lack a standardized process for how they package findings, position their value, and follow up with clients. By creating such a system, consultants can turn previously one-off assessments into part of a repeatable business development system where every assessment can become a reliable starting point for new projects and deeper client partnerships.
This guide walks through that process step by step, showing how to turn your assessments into structured outreach and reliable follow-up that naturally leads to new and recurring client engagements.
Applying Proven Communication Frameworks
Many consultants already have a solid technical process but rely on instinct when it comes to communicating results or driving follow-up. That makes outreach unpredictable and hard to scale.
Borrowing proven communication frameworks from professional sales methodologies brings structure and repeatability to how you turn technical insights into business conversations.
These frameworks aren’t about selling harder, they’re about communicating clearly and making it easy for clients to act. When used thoughtfully, they make your outreach, delivery, and follow-up as systematic as your assessments.
These frameworks include:
- Phil M. Jones’s “Exactly What to Say” helps you use permission-based language that lowers resistance and invites engagement.
- Alex Hormozi’s Value Equation helps you position findings in terms of clear, time-bounded, high-value outcomes.
- The Sandler Methodology helps you maintain structure and control in your outreach and follow-ups, guiding conversations with clarity and mutual respect.
Let’s look a little more closely at the specifics of these frameworks:
Phil M. Jones: Permission-Based Language
Phil M. Jones’s Exactly What to Say teaches that influence starts with permission, not persuasion. The goal is to invite curiosity and dialogue, not compliance.
Jones provides specific language patterns that make conversations feel safe and collaborative:
- “I’m not sure if it’s for you…” lowers resistance by giving permission to decline upfront.
- “Most people don’t realize…” establishes authority while normalizing the issue, making the client feel less defensive.
- “The good news is…” creates optimism and forward momentum.
- “Would it make sense…?” invites collaboration rather than demanding compliance.
These phrases work because they remove pressure and create psychological safety. When clients feel they can say no without consequences, they’re paradoxically more likely to say yes.
Here’s an example of those words in action:
Hi [Client Name],
I wanted to follow up on the assessment we completed last week.
Most people don’t realize that the three critical findings we identified (exposed S3 buckets, overly permissive IAM roles, and session token configurations) are actually interconnected and can create a cascading risk if left unaddressed.
The good news is that I have mapped out a phased remediation approach that addresses all three within your existing maintenance windows, without disrupting your development team’s current sprint cycle.
Just imagine having these vulnerabilities closed before your Q1 compliance audit, which would also eliminate more than half of the typical audit preparation work your team usually faces.
Are you open to exploring a 4-week remediation engagement where I handle the technical implementation while training your team on the security patterns that prevent these issues from recurring?
When would be a good time for a 30-minute call to walk through the proposed timeline and approach? I have availability Tuesday at 2:00pm or Thursday morning at 9:30. What happens next is entirely up to you.
I’m happy to send over the detailed proposal first if you’d prefer to review it before we talk. Looking forward to hearing from you.
[Your Name]
Alex Hormozi: The Value Equation
Alex Hormozi’s Value Equation explains why clients decide to act:
Value = (Dream Outcome × Perceived Likelihood of Success) ÷ (Time Delay × Effort & Sacrifice)
To maximize perceived value, you need to:
- Increase the Dream Outcome: Make the benefit crystal clear and compelling
- Increase Perceived Likelihood of Success: Build confidence through evidence, process, and past results
- Decrease Time Delay: Show how quickly they’ll see results
- Decrease Effort & Sacrifice: Make it feel easy and low-friction for the client
When you frame your findings to address all four components, follow-on work becomes a logical next step rather than a hard sell.
Here’s how you might frame a remediation proposal using all four components of the Value Equation:
“Based on our assessment, we can close all critical findings and get you SOC 2 compliance-ready in 4 weeks (Dream Outcome). I’ve completed this exact remediation for 12 similar organizations, so you’ll have a proven process with a dedicated engineer handling all implementation (Perceived Likelihood of Success). Your team only needs to invest 1 hour per week for check-ins, and I’ll handle everything else (Effort & Sacrifice minimized). You’ll see your critical IAM risks reduced by 70% in the first week, with complete remediation and documentation by day 30 (Time Delay minimized).”
The Sandler Methodology: Structure and Mutual Respect
The Sandler Method is built on the principle of equal business stature where you and your client are peers evaluating whether there’s a mutual fit, not a vendor chasing a buyer. This mindset shift changes how you communicate: instead of convincing or persuading, you’re qualifying and collaborating.
For assessment outreach, Sandler provides two techniques that bring structure and clarity:
Upfront Contracts: Before any interaction, establish mutual agreement on what will happen. An upfront contract answers: What are we doing? How long will it take? What happens at the end? This removes ambiguity and creates a clear path forward that both parties control.
In assessment outreach, this means explicitly stating what you’ll deliver, when you’ll deliver it, and what decision point comes next. You’re not leaving the client guessing about next steps, you’re co-creating the process together.
Negative Reverse Selling: Rather than chasing non-responsive clients, Sandler teaches you to assume disinterest and offer a graceful exit. This counterintuitive approach of explicitly suggesting that something might not be a fit often re-engages prospects because it removes pressure and demonstrates respect for their time and priorities.
When assessment findings go unaddressed, negative reverse selling lets you close the loop professionally while leaving the door open for future engagement.
The power of Sandler in this context is that it reframes outreach from “selling your services” to “collaboratively deciding if there’s value in moving forward.” This positions you as a trusted advisor, not a service provider seeking approval.
Example:
When a client hasn’t responded to your assessment findings or remediation proposal, negative reverse selling removes pressure and often re-engages them by directly challenging whether this was ever a real priority:
Hi [Client Name],
I haven’t heard back since we discussed the critical IAM vulnerabilities and S3 exposure risks in your environment last week.
That tells me this probably isn’t the priority we thought it was when we ran the assessment.
That’s completely okay, but I don’t want to keep bothering you if we’re not solving a real problem for you right now.
Should we just close this out? If these security gaps become urgent later, you know where to find me.
[Your Name]
Turning Completed Assessments into Outreach
Assessments aren’t just deliverables, they’re moments of high engagement and visibility with clients. The way you structure your outreach after an assessment determines whether it becomes a one-time report or the foundation for ongoing partnership.
The key is transforming technical findings into business-focused communication that makes next steps clear and friction-free. The frameworks above give you the language and structure to do this systematically.
Your Initial Outreach: Deliver an Executive Summary
When you first reach out after completing an assessment, lead with a short executive summary that tells the business-impact story, not a technical deep-dive.
Why this matters: Decision-makers don’t have time to parse through technical reports, and they’re not evaluating your work based on the depth of your findings. They’re asking: “What does this mean for my business, and what should I do about it?” If your initial outreach buries the business impact under technical detail, you’ve lost their attention before you’ve made your case.
An executive summary does three things the full technical report cannot:
- It gets read. Executives will scan a one-page summary. They won’t read a 20-page report.
- It frames you as a business advisor, not just a technician. You’re translating security findings into business language, which signals you understand their world.
- It creates urgency and clarity. By surfacing what matters most and what to do next, you make it easy for them to take action, and easy for them to see the value of continuing to work with you.
Communicate Findings Using the Value Equation
Structure your findings using Hormozi’s Value Equation to maximize perceived value:
- What you found: Include short, verifiable detail (e.g., “9 IAM users with administrator access and 11 access keys older than 90 days”)
- Why it matters (Dream Outcome): Draw the clear link to risk, compliance, or efficiency (“These are exactly what auditors flag during SOC 2 reviews and can delay certification”)
- To whom it matters: Identify which stakeholders are affected (e.g., “This impacts your compliance team’s timeline and could require VP approval for remediation”)
- How to fix it (Time Delay + Effort): Provide a concrete, low-friction timeline (“We can lock this down in one week”)
- Likelihood of Success: Show confidence through deliverables (“I’ll send you a prioritized remediation plan with step-by-step guidance”)
Engage Relevant Stakeholders Early
Part of creating an effective executive summary is ensuring the right people are involved from the start. Different findings impact different stakeholders, and your outreach should reflect that, even if you don’t have direct access to everyone who needs to be engaged.
Consider who needs to be engaged:
- Compliance/Risk findings: Compliance team, risk managers, or audit coordinators
- Budget/Resource findings: Whoever controls the budget for remediation work
- Timeline-sensitive findings: Anyone whose goals or deadlines are affected
When you identify findings that span multiple stakeholders, make it easy for your primary contact to loop in the right people:
These findings directly impact your SOC 2 audit prep timeline, so your compliance team will likely want visibility. Would it make sense for me to include them on the proposal, or would you prefer to share it internally first?
This does two things: it shows you understand the organizational dynamics, and it makes it easy for your contact to expand the conversation without putting the burden on them to explain everything from scratch.
If you already have relationships with multiple stakeholders, you can be more direct:
I’m copying Dana from compliance since these findings directly impact the SOC 2 audit timeline, and I wanted to make sure we’re aligned on the remediation approach.
The key is identifying who should be involved and either engaging them directly (if you have access) or making it frictionless for your primary contact to bring them in.
Set Clear Next Steps with an Upfront Contract
End your initial outreach by defining what happens next using a Sandler-style Upfront Contract. This removes ambiguity and signals professional confidence:
If it makes sense, I can put together a short proposal outlining the scope, timeline, and quick wins based on these findings. I’ll send it over Thursday, and you can decide if it’s worth moving forward. Fair enough?
This accomplishes three things:
- Makes the next step explicit – No guessing about what happens next
- Removes ambiguity around timing – Sets a clear deadline that creates momentum
- Gives the client control – They decide whether to move forward; you’re not pushing
You’re inviting partnership by positioning the proposal as the natural next step, with full permission for them to decline if it doesn’t make sense.
Conduct Reliable Follow-Up That Reduces Friction
Once you’ve presented the assessment findings and proposed next steps, your goal shifts from surfacing insight to creating movement toward remediation. If the client doesn’t immediately respond to your initial outreach, your follow-up should focus on getting permission to send the proposal while maintaining the collaborative tone you’ve established.
Make Saying ‘Yes’ Effortless
Apply Hormozi’s principle of reducing effort and sacrifice by owning the logistics that slow momentum:
- Attach or link to a one-pager summarizing the scope you’d propose
- Offer to draft a brief outline so they can react instead of initiate
- Include clear, low-lift next steps (“I’ll send a two-page overview by Thursday for your review”)
The less thinking or coordination they need to do, the more likely they’ll move forward.
Follow Up Predictably, Not Persistently
Keep the cadence light but structured with three touch points:
Initial Outreach (Day 0): Present findings with clear value framing and easy next steps
Based on our assessment, we identified critical IAM vulnerabilities and S3 exposure risks that could impact your compliance posture.
The good news is we can close all these findings and get you SOC 2 compliance-ready in 4 weeks. I’ve completed this exact remediation for 12 similar organizations, so you’ll have a proven process with a dedicated engineer handling all implementation.
Your team only needs to invest 1 hour per week for check-ins – I’ll handle everything else. You’ll see your critical IAM risks reduced by 70% in the first week, with complete remediation and documentation by day 30.
When would be a good time this week for a 30-minute call to discuss the roadmap?
One Week After Initial Outreach: Friendly nudge that reiterates value and offers low-friction options
Hi [Client Name],
Following up on the assessment findings I sent last week. I know things get busy, so I wanted to make this easy.
I can either send you a two-page remediation overview you can review on your own time, or we can jump on a quick 30-minute call if that’s easier.
Which would work better for you?
Two to Three Weeks After Initial Outreach: Use Sandler’s negative reverse selling to close the loop gracefully
[Client Name],
I haven’t heard back since we discussed the critical IAM vulnerabilities and S3 exposure risks in your environment.
That tells me this probably isn’t the priority we thought it was when we ran the assessment.
That’s completely okay, but I don’t want to keep bothering you if we’re not solving a real problem for you right now.
Should I just close this out and check in next quarter?
This approach often reopens conversations because it feels respectful and pressure-free by acknowledging that there are many other things going on in the client’s world.
Leave the Door Open Gracefully
Whether the client moves forward or passes for now, maintain your positioning as a trusted advisor:
If they engage: Move to the proposal phase using these same principles: clear upfront contracts, low-friction next steps, and business-focused value framing.
If they pass: Exit professionally while preserving future opportunities:
No worries at all. I’ll close this thread and circle back before your next audit cycle. The good news is these findings will still be relevant then if priorities shift.
This keeps your credibility high and preserves momentum for future outreach. You’ve demonstrated professionalism, respected their decision, and positioned yourself as someone who will be there when the client is ready.
Putting the System in Place
Start with your next completed assessment. Draft an executive summary using the Value Equation, set an upfront contract for your follow-up, and use permission-based language that makes it easy for clients to engage or decline. Track what happens and refine your approach based on real outcomes.
The goal isn’t to become a salesperson, but to communicate so clearly that saying yes becomes the obvious next step for clients who need your help. When your process is reliable, assessments stop being one-time deliverables and start becoming the foundation of lasting client relationships and steady growth.
Generate initial outreach with this prompt!
# 🧠 Cloud Security Assessment → Outreach Email Generator
## 🎯 Overview
This prompt transforms technical assessment findings into **business-focused outreach emails** that lead to remediation work.
**Output:** An initial outreach email presenting findings and proposing next steps.
—
## 📋 Required Inputs
**Provide these 5 elements:**
1. **Assessment Type:**
`[IAM review / security baseline / compliance gap / configuration audit]`
2. **Client Context:**
`[Industry + current business situation, e.g., “Healthcare startup preparing for SOC 2”]`
3. **Primary Contact:**
`[Title + key motivations, e.g., “VP Engineering, values security but budget-constrained”]`
4. **Key Findings (3-5 specific metrics):**
`[Verifiable vulnerabilities with numbers, e.g., “9 admin users, 9 old access keys, 2 admin keys aged 90+ days”]`
5. **Business Impact:**
`[Why this matters to them, e.g., “Could delay SOC 2 certification timeline”]`
**Note:** If uploading an assessment document, include client context and business priorities separately.
—
## ✅ Email Requirements
### Communication Frameworks
– **Phil M. Jones language:** “Most people don’t realize…”, “The good news is…”, “Would it make sense…?”
– **Hormozi Value Equation:** Show (1) what you found, (2) why it matters, (3) to whom, (4) how to fix (time/effort), (5) likelihood of success
– **Sandler Upfront Contract:** State what you’ll deliver, when, and give explicit permission to decline. End with “Fair enough?” or “Does that work?”
### Structure (≤250 words)
1. **Context:** One sentence acknowledging the assessment
2. **The Numbers:** (bolded header) 3-5 key metrics as **bolded numbers** with context
3. **Why This Matters:** (bolded header) Business impact in 2-3 sentences
4. **The Good News:** (bolded header) Solution framed as achievable (2-3 sentences)
5. **Timeline:** (bolded header, optional) Bullet points with concrete timeframes
6. **Stakeholder paragraph:** (no header) If findings affect multiple people
7. **Next Steps:** (bolded header) Clear Upfront Contract with specific date
### Scannability
– **Bold section headers** and **key metrics**
– Bullet points for lists of 3+ items
– One-line bullets when possible (max two lines)
– Concrete numbers, not vague language
– Executives should grasp key points in 30 seconds
—
## 📤 Output Format
Generate one complete email with:
– Clear, outcome-focused subject line
– Business language (no technical jargon)
– Visual hierarchy with bolded headers and metrics
– Collaborative, advisory tone
– Explicit next step with date
Recent Comments