A TSA cybersecurity handover is the transfer of security controls, monitoring, identity, and incident response, from the seller's environment to yours. It is the workstream most likely to be underestimated and most dangerous when it is, because a gap here is an open door on Day One. It deserves its own track within the TSA exit strategy.
While a TSA runs, the seller is often quietly providing a large part of the carved-out unit's security, and nobody has written it down. The firewalls, the monitoring, the identity systems, the patching, the incident response team, all may sit inside the seller's environment, covering your business as a byproduct of how things used to be organized. It works, so it goes unnoticed.
That invisibility is the danger. Security provided by default, not by design, is security you do not control and may not even know you depend on. When the TSA ends and the seller withdraws, every control that lived on its side disappears unless you have deliberately rebuilt it. A unit that felt secure throughout the TSA can be exposed the day after exit without anyone having made a decision to expose it.
So the first task is to make the invisible visible. Treat the seller provided security as a service catalog of its own, even where the TSA does not itemize it, and assume that anything not explicitly yours is the seller's and will leave with the seller. The buyers who get hurt are the ones who discover a missing control by being attacked through the gap it left.
A clean handover starts with a complete inventory of the controls in play. What protects the perimeter, what monitors for threats, who responds to an alert at three in the morning, how identities are managed, how devices are patched, and where the logs go. For each, you need to know whether it lives in your environment or the seller's, and what happens to it at exit.
Expect the map to reveal dependencies nobody flagged. The carved-out unit may rely on the seller's security operations center, its threat intelligence, its email filtering, or its endpoint protection licensing, none of which appear in the obvious application inventory. Security tends to be infrastructure, and infrastructure is exactly what gets overlooked when teams focus on business applications during separation.
Prioritize by exposure, not by convenience. Rank the inherited controls by what a gap in each would mean: a missing monitoring feed is a blind spot, a lapsed identity system is an open door, an unpatched estate is a slow leak. The controls whose absence creates the sharpest risk are the ones to rebuild first, regardless of which are easiest. The map turns a vague unease into a sequenced plan.
Identity is the spine of the security handover. While the TSA runs, the seller may control how your people authenticate, what they can access, and how privileged accounts are governed. Standing up your own identity platform, migrating users, and reissuing access cleanly is often the largest single piece of the security workstream and the one with the least room for error.
Access has to be rebuilt, not copied blindly. Lifting the seller's permission structure wholesale carries over years of accumulated, excessive access that should have been pruned long ago. The handover is the moment to grant access on the basis of what each role actually needs, which is both better security and a cleaner audit position than inheriting the seller's sprawl.
Monitoring cannot lapse for a single day. The seller's tools that watch for intrusion, collect logs, and trigger response will stop covering you at exit, and an attacker does not wait for your replacement to be ready. Your monitoring must be live and proven before the seller's is withdrawn, with logs flowing to your own systems and a team watching them. A monitoring gap is an invitation, and the cutover is exactly when it tends to open.
The riskiest point in the whole handover is the transition itself, when controls are moving from the seller to you. For a window, responsibility is ambiguous: the seller is stepping back, you are stepping in, and a control can fall between them. Attackers and accidents both find those seams, and a carve-out is a noisy, distracted moment that invites trouble.
Manage the window by overlapping, not by switching. Wherever possible, your control should be live and verified before the seller's equivalent is turned off, so coverage is continuous rather than handed over in a single risky moment. Paying for an overlap period, even at an extension fee, is cheap next to the cost of an incident that walks through a gap you created to save a few weeks.
Name an owner for security through the window. Ambiguity about who is responsible is the root cause of cutover gaps, so the plan must state, for every control and every day of the transition, whether the seller or you are accountable. Run it like an incident bridge if needed: clear ownership, clear handover points, and no control left assuming the other party has it covered.
Exit is not done when your controls are live. It is done when the seller's access to your environment is fully revoked and proven gone. Through the TSA the seller held deep access to your systems, and any of it left active after exit is a standing risk: a credential, a connection, or an account that no longer has any business existing but still works.
Close the loop with evidence. Confirm that seller accounts are disabled, shared credentials are rotated, network connections between the environments are severed, and any seller held keys or certificates are revoked. Each of these should be verified and recorded, not assumed, because the dangerous leftover access is precisely the kind that no one remembers until it is exploited.
Finish with a security baseline you own end to end. A clean close means your controls cover the business, the seller retains no access, and you hold the evidence to prove both. That posture is what lets a buyer treat Day One as a fresh start rather than an inherited liability, and building it is a defined part of how our TSA Exit Acceleration work protects the exit.
It is the transfer of security controls from the seller's environment to yours as the TSA ends: identity and access management, monitoring and logging, incident response, patching, and perimeter protection. Much of this is provided by default while the TSA runs and disappears at exit unless you have deliberately rebuilt it, so it needs to be treated as its own workstream.
Because much of it is infrastructure provided by the seller as a byproduct of how the business used to be organized, not an itemized service. Teams focus on business applications and miss the security operations center, the email filtering, the endpoint protection, and the identity systems that quietly cover the unit. Anything not explicitly yours is the seller's and leaves at exit.
During the cutover window, when controls are moving from the seller to you and responsibility is ambiguous. A control can fall between the two parties. Manage it by overlapping rather than switching, so your control is live and verified before the seller's is withdrawn, and by naming a clear owner for every control on every day of the transition.
Proving the seller no longer has access. Confirm that seller accounts are disabled, shared credentials rotated, network connections between the environments severed, and any seller held keys or certificates revoked, with each step verified and recorded rather than assumed. A clean close means your controls cover the business and the seller retains no path back in.
Removing every seller identity and access path at exit.
Read the article →Proving a migration is correct before you cut the service.
Read the article →Scripting the repetitive mechanics of a TSA exit.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Senior operators on day one. Fixed-fee engagements. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Exit the seller's security stack first. Every week of shared security is a week of shared blast radius on a business they no longer own.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →