Before you spend on guards or cameras, a security consultant tells you what you actually need. Here's what security consulting includes, the standards behind it, when to hire, and what it costs.
Most security spending happens without anyone first asking a simple question: what are we actually defending against, and what's the right response? Security consulting answers that. A consultant independently assesses your risks and vulnerabilities, then recommends a right-sized program — staffing, technology, policies — before you commit to guards or systems. It's advisory work, separate from any company that sells you security, and for the right situation it's the highest-leverage dollar you'll spend on protection. A guard company sells hours of coverage; a camera integrator sells hardware and installation. A consultant sells judgment — an objective read on where you're exposed and what to do about it, product-agnostic and unattached to the sale that follows. This guide covers what a security consultant actually does, the core services they provide, the deliverables you should expect, the credentials that separate a real consultant from a vendor in disguise, when to hire one, and what it costs.
The core of security consulting is a risk, threat, and vulnerability assessment: identify assets, characterize threats, evaluate vulnerabilities, estimate risk, and recommend prioritized, cost-justified countermeasures — often against the ASIS SRA-2024 standard. Consultants bill roughly $150–$400 an hour, $1,000–$3,500 a day, or a fixed project fee (a defined-scope site assessment often runs a few thousand to the low tens of thousands, depending on size and complexity). The value is independence — advice from someone who doesn't sell the guards, cameras, or alarms they might recommend. Hire one before a major investment, after an incident, when a new threat emerges, or when litigation or an insurer demands a documented assessment.
Consultant vs. guard company: advice vs. coverage
The distinction is the whole point, so start here. A security guard company (also called a contract guard provider) sells you labor — officers on posts, patrols, event coverage — and its business grows when you buy more hours. An integrator or alarm vendor sells and installs equipment, and its business grows when you buy more hardware and monitoring. Both are essential, and both have a legitimate financial stake in the answer to "what do you need?" A security consultant sells none of that. They are engaged to study your situation, tell you the truth about where you're exposed, and hand you a plan you can execute with whichever vendors you choose — or with the guards and systems you already have, tuned to work better. Because they don't profit from the implementation, they're free to conclude that you're overspending, that a policy fix beats another post, or that the camera system you were sold isn't earning its keep. That freedom is what you're paying for. A good consultant is product-agnostic and vendor-neutral: they'll specify what a system must do and help you bid it competitively, rather than steering you to a brand they resell.
What a security consultant does: core services
Consulting isn't a single deliverable — it's a discipline that spans strategy, design, testing, and expert testimony. The engagements below are the ones you'll encounter most often. Many overlap, and a larger project may bundle several.
Risk, threat, and vulnerability assessment (the foundation)
The engine of security consulting is the risk, threat, and vulnerability assessment (RTVA) — sometimes called an RTA or TVRA. A consultant will:
- Identify your assets — people, property, operations, reputation, and information worth protecting, ranked by how much a loss would hurt.
- Characterize the threats — who or what could cause harm, and how: theft, burglary, workplace or targeted violence, intrusion, insider risk, civil disturbance, natural hazards.
- Evaluate vulnerabilities — the gaps in your current physical, procedural, and technological defenses that a threat could exploit.
- Estimate risk — combining likelihood and consequence so you can prioritize what matters most instead of treating every exposure equally.
- Recommend countermeasures — a prioritized, cost-justified plan of specific fixes, not a wish list.
The RTVA is what most other engagements are built on: you can't design a system, write a policy, or defend a lawsuit without first knowing what you're actually facing.
Security surveys, audits, and CPTED review
A security survey (or physical-security audit) is a systematic walk-through of a site measured against good practice — perimeter, lighting, doors and locks, access points, camera coverage, signage, key control, and officer posts. Where a full RTVA weighs likelihood and consequence, a survey documents the physical and procedural state of a facility and flags deficiencies. Consultants frequently pair this with CPTED — Crime Prevention Through Environmental Design — which reduces crime through the built environment rather than by adding guards or gadgets (more on that below).
Physical-security master planning
For a campus, a new headquarters, or a multi-site portfolio, a consultant develops a physical-security master plan: a multi-year design basis that sets standards for how every facility should be protected, sequences upgrades by priority and budget, and gives leadership a defensible roadmap instead of a pile of one-off purchases. This is where security is designed into a building — layered access zones, camera placement, lobby and loading-dock design — rather than retrofitted later at several times the cost.
Penetration and physical-security testing
Distinct from cyber penetration testing, physical penetration testing (often called red-teaming) puts your controls and training to the test in the real world through authorized attempts to tailgate through a controlled door, social-engineer a receptionist, defeat a lock, or reach a sensitive area undetected. The output isn't a stunt — it's evidence of exactly how a determined intruder would get in, so controls and training can be fixed before a real adversary finds the same gap.
Workplace-violence and active-threat planning
Consultants help organizations build workplace-violence prevention programs — threat-assessment teams, reporting channels, behavioral warning-sign training, and response protocols — and emergency and active-threat plans covering lockdown, evacuation, run-hide-fight guidance, communication trees, and coordination with law enforcement. Several states, notably California under SB 553, now require most employers to maintain a written workplace-violence prevention plan, which has made this one of the fastest-growing consulting requests.
Policy, procedure, and post-order development
A guard force is only as good as the instructions it follows. Consultants write security policies, standard operating procedures, and post orders — the site-specific playbook that tells each officer what to do at each post, how to handle incidents, when to escalate, and what to document. Clear post orders are also a legal shield: after an incident, "the officer followed a written, reasonable procedure" is a very different position than "the officer improvised."
Security technology design and RFP support
When you do need technology, a consultant designs it vendor-neutrally: access control, video surveillance, intrusion detection, and alarm systems specified by what they must accomplish, not by brand. They'll produce a design basis and specifications you can put out to competitive bid, then help you write the RFP, evaluate integrator proposals on equal footing, and inspect the finished installation against what you paid for. This alone often saves more than the consulting fee, because it turns a sole-source sales pitch into a genuine competition. (Our video surveillance guide covers the buyer side of camera systems.)
Litigation support and expert witness
In premises-liability and negligent-security lawsuits — where a plaintiff alleges a property owner failed to provide reasonable security and someone was harmed — attorneys retain security consultants as expert witnesses. The expert evaluates whether the security in place met the standard of care, whether the incident was foreseeable, and whether reasonable measures would have prevented it, then supports that opinion in reports, depositions, and trial testimony. This is specialized, credential-heavy work; the same rigor that makes a good assessment makes a defensible expert opinion.
Executive-protection program design
For high-profile principals, a consultant designs the executive-protection (EP) program — residential security, travel and advance planning, threat monitoring, and the protocols a protection detail follows — often without providing the detail itself. Designing the program independently of the firm that staffs it keeps the same conflict-of-interest discipline intact. (See our executive protection cost guide for what staffing a detail runs.)
Engagement types at a glance
Here's how the common consulting engagements map to what they deliver and when you'd reach for each:
| Engagement | What it delivers | When you need it |
|---|---|---|
| Risk / threat / vulnerability assessment | Written report: assets, threats, vulnerabilities, risk ratings, prioritized recommendations | Before a major investment, after an incident, or as a baseline for any program |
| Security survey / audit | Documented physical & procedural deficiencies against good practice | Periodic check-up of an existing site; insurer or corporate requirement |
| CPTED review | Environmental-design fixes (lighting, sightlines, access, landscaping) | New construction, renovation, or a crime problem at an existing site |
| Physical-security master plan | Multi-year design basis and prioritized roadmap across facilities | New HQ, campus, or multi-site portfolio needing consistent standards |
| Physical penetration test | Evidence of how an intruder actually breaches; gap findings | To validate controls and training at a high-value or sensitive site |
| Workplace-violence / emergency plan | Written prevention and active-threat response program | Statutory requirement (e.g., CA SB 553), post-threat, or policy gap |
| Policies & post orders | Site-specific SOPs and officer instructions | New guard contract, inconsistent operations, or liability exposure |
| Technology design & RFP support | Vendor-neutral specs, competitive bid package, install inspection | Buying access control, cameras, or alarms without vendor bias |
| Litigation / expert witness | Standard-of-care opinion, reports, deposition & trial testimony | Premises-liability or negligent-security litigation |
The standard behind good assessments
The US benchmark is the ASIS Security Risk Assessment Standard (ASIS SRA-2024), an ANSI-approved American National Standard published in 2024 that replaced the earlier RA.1-2015 standard. It defines how to establish and sustain a risk-assessment program, the competencies an assessor should have, and how to guard against cognitive bias in the analysis. It's a methodology standard, not a price list — but asking whether a consultant works to a recognized standard is one of the fastest ways to gauge rigor. A consultant who follows a repeatable, documented method will give you a report that holds up to scrutiny from leadership, an insurer, or a court; one who "just knows security" from experience alone may not.
What you get: deliverables
A consulting engagement should produce documents you can act on and put out to bid — not a verbal debrief. Expect some combination of:
- A written assessment report — asset inventory, threat and vulnerability findings, and risk ratings, with an executive summary leadership can absorb quickly.
- A risk register — each identified risk logged with its rating, owner, and the countermeasure that addresses it, so nothing falls through the cracks.
- A prioritized recommendations matrix or roadmap tying each measure to the risk it reduces, its rough cost, and its urgency.
- A security master plan or design basis for larger, multi-year programs.
- Physical-security system design specs (access control, cameras, alarms) you can competitively bid.
- Policies, procedures, post orders, and emergency/continuity plans.
The value is a documented, objective basis for your security decisions and budget — one you can defend to leadership, insurers, or a court, and one that outlives the consultant's involvement. A strong report is also readable: an executive summary that a busy board can act on, findings tied to evidence rather than opinion, and recommendations sequenced so you know what to do first with a limited budget. If a draft is a wall of generic best practices with no ranking and no cost context, push back — a report you can't prioritize from isn't finished.
Credentials to look for
Security consulting is largely unregulated as a title — anyone can print "security consultant" on a card — so credentials and independence do the vetting that licensing doesn't. The most respected certifications come from ASIS International, the leading professional body for the field:
- CPP (Certified Protection Professional) — ASIS's flagship, board-certified credential in overall security management. The general mark of a seasoned, broad-based consultant.
- PSP (Physical Security Professional) — focused on physical-security assessment and the design of integrated systems (access control, CCTV, intrusion detection). Ideal for survey, master-planning, and technology-design work.
- PCI (Professional Certified Investigator) — investigations, evidence, and case management; relevant for incident and litigation-support work.
Beyond ASIS marks, look for a CPTED practitioner credential for environmental-design work, relevant sector experience (healthcare, retail, education, industrial — each has its own threat profile and regulations), and, for expert-witness work, a documented testimony history. Credentials aren't everything, but combined with references and a sample report they tell you whether you're hiring a professional or a salesperson.
When the company assessing your risk is also the company that sells guards, cameras, or alarms, the recommendation is rarely "you're overspending" — it's almost always "you need more of what we sell." That isn't necessarily dishonest, but it isn't independent, and independence is the entire value of consulting. A genuine consultant's incentive is to be right, not to close an implementation sale. Before you sign, ask directly: Do you sell, install, or take referral fees from any of the products or services you might recommend? If the answer is yes, you may be buying a sales pitch wearing a report's clothing. Keep the assessment separate from the contract to implement it.
When to hire a security consultant
Consulting pays off in specific moments:
- Before a major investment — designing security into a new facility, renovation, or system purchase is far cheaper than retrofitting, and a design basis lets you bid it competitively.
- After an incident — an objective assessment of what failed and how to close the gap, before it happens again or turns into litigation.
- When a threat emerges — an executive threat, expansion into a higher-risk area, a layoff, or a new high-value site.
- For compliance or insurance — when a regulator, an insurer, or a statute (like California's workplace-violence rule) requires a documented assessment or plan.
- For litigation — when you need an expert to evaluate whether security met the standard of care, on either side of a negligent-security claim.
- For an independent second opinion — when you want an unbiased view separate from a firm that also sells guards or systems, or a sanity check on what a vendor is proposing.
CPTED: designing out crime
One of the most cost-effective things a consultant brings is Crime Prevention Through Environmental Design (CPTED) — reducing crime through the physical environment rather than by adding guards or gadgets. Its core principles are simple but powerful: natural surveillance (arranging sightlines, windows, and lighting so people are naturally visible and offenders feel watched); natural access control (using landscaping, entrances, and pathways to guide movement and mark private space); territorial reinforcement (clear boundaries and signage that signal ownership and legitimate use); and maintenance (well-kept spaces signal that a property is cared for and watched). Applied during design or renovation, CPTED can prevent problems that would otherwise require expensive ongoing staffing — which is exactly why bringing a consultant in early pays off. A good assessment weighs these environmental fixes alongside guards and technology, so you spend on the combination that actually lowers risk rather than defaulting to more of any one thing.
How security consulting is priced
Consultants structure fees three ways, and reputable firms will tell you up front which applies:
- Hourly — roughly $150–$400 an hour for physical-security consultants, with credentials (CPP, PSP), scarcity, and complexity pushing toward the top; senior expert witnesses can bill well above that range. Best for open-ended advisory work.
- Fixed project fee — the most common structure for a defined-scope assessment. A focused single-site risk assessment often runs from a few thousand dollars into the low tens of thousands; a comprehensive threat and vulnerability assessment for a large, multi-site, or high-risk organization can run well into the tens of thousands. A fixed fee gives you a known cost and a defined deliverable.
- Retainer — a recurring monthly fee for ongoing access to a consultant as an outsourced security advisor. Common for organizations that need continuity but don't warrant a full-time in-house security director.
Treat any specific figure as a planning estimate, not a quote — pricing swings widely with scope, site count, industry, travel, and the consultant's credentials. If cyber or IT vulnerability work is in scope, that's usually priced separately. Given that a good assessment shapes a much larger downstream security budget, and that a single avoided incident or a competitively bid system can dwarf the fee, the engagement usually pays for itself.
How to choose a consultant
Weigh candidates on a short, honest list:
- Independence — do they sell, install, or take referral fees from anything they might recommend? This is the first question, not the last.
- Credentials — ASIS CPP/PSP/PCI, a CPTED practitioner mark, relevant licensing, and (for expert work) a testimony record.
- Methodology — do they work to a recognized standard like ASIS SRA-2024, or just to "experience"? Ask them to describe their process.
- Relevant sector experience — a consultant fluent in your industry's threats and regulations (healthcare, retail, campus, industrial) will get to a right-sized plan faster. See our sector guides on corporate security and hospital and healthcare security.
- Clear scope and deliverables — the proposal should spell out exactly what you'll receive. Ask for a sample report structure and references you can call.
Consulting complements the rest of your program — see our guides to security costs and hiring a security company once you know what you need. And when you're ready to compare providers in your market, our directories for Los Angeles and Chicago are a place to start.