What is a virtual CISO (vCISO)?

A virtual CISO is a senior security leader engaged on a fractional basis instead of full-time. The role covers what a full-time Chief Information Security Officer would: security strategy, compliance program ownership, policy authoring, vendor risk, board reporting, and incident response leadership. The difference is the contract: a vCISO is a retainer or fractional engagement, typically month-to-month, sized to the company that hires them.

How is a vCISO different from a full-time CISO?

A full-time CISO costs $250K to $400K loaded in base salary, equity, and benefits, takes 3 to 6 months to recruit, and is overqualified for most companies under 250 employees. A vCISO covers the same scope at a fraction of the cost, starts in 2 to 4 weeks, and scales up or down as the company grows.

What are the engagement options?

Three productized entry points plus a custom retainer. The 2-week SOC 2 Sprint at $2,500 flat is for teams with an audit on the calendar. The 90-Day vCISO Foundation at $24,000 builds a real working security program with a pentest in days 31 to 60. The Strategic vCISO retainer at $5,000 per month is the default ongoing engagement. The Embedded vCISO retainer is custom-scoped for higher-touch work and quoted on application.

Why is everything month-to-month?

If a vCISO retainer is not worth the price in any given month, you should not pay for it. We compete with consulting firms that lock buyers into 12 to 24-month contracts and then under-staff them. Month-to-month is the hardest thing for incumbents to match. Cancellation requires 30 days notice, no fees, no termination penalties.

Which frameworks do you support?

SOC 2 (Type I and Type II), ISO 27001, HIPAA, HITRUST, PCI DSS, CMMC, NIST CSF, NIST SP 800-171, FedRAMP-adjacent work. The four most common engagements are SOC 2 (B2B SaaS), HIPAA + HITRUST (healthtech), PCI DSS (fintech), and CMMC (defense contractors).

Who actually does the work on my engagement?

Our founder personally leads every Sprint and every retainer. There is no partners-bait-and-switch pattern where the senior closes the deal and a junior runs the engagement. For specialized work (e.g. CMMC enclave architecture, deep AWS forensics), we engage vetted advisors from a bench of practitioners we have worked with before, with their participation called out in the SOW.

Virtual CISO (vCISO) Services

Virtual CISO services that ship.

Virtual CISO services from a practitioner-led firm. Compliance readiness, penetration testing, and embedded security leadership for SMBs, growth-stage startups, and established teams that need senior firepower without the long hiring cycle.

Book a discovery call Start with a $2,500 Sprint

SOC 2 readiness in 2 weeks
Embedded retainer, month-to-month
Pentest included at no extra cost

Practitioner-led.
CISSP · OSCP · CREST

Pittsburgh-based.
Clients nationwide.

Framework-agnostic.
SOC 2 · ISO 27001

Month-to-month.
Cancel anytime.

+ Free SkillsOpen-source security tools for Claude, Cursor, and any AI agent.

Platform →Skills →

How we engage

How a vCISO partnership runs.

Engagements vary in scope and duration. The working rhythm stays consistent: threat-informed discovery in parallel with offensive testing, remediation and policy work shipped alongside your team, and recurring briefings for leadership.

Kickoff

At the start of any engagement we confirm scope, get access, and agree on the two or three priorities that need to land first. Scope evolves as we go.

Discovery and offensive testing

Threat-informed assessment runs in parallel with real offensive testing. We rerun this work as scope expands or new systems land in production.

Hands-on execution

Recurring sessions where remediation gets shipped, policies get authored, and customer security questionnaires get answered. Not advice. Implementation.

Leadership briefings

Board-grade briefings on cadence. You keep the materials for your board pack. Updates evolve with the program as priorities shift.

What we deliver

Audit-ready, attacker-tested.

Compliance work and offensive testing are usually two firms with two contracts. We run both inside one engagement, so the controls we implement reflect what an attacker would actually try.

Framework-native compliance

SOC 2, ISO 27001, HIPAA, PCI DSS, CMMC, NIST CSF. We run all of them. Most engagements start with SOC 2; frameworks stack cleanly when customer contracts require more.

Attacker-eyed security

Real pentests in every Sprint and Foundation. Continuous attack surface monitoring on retainer. Findings get prioritized by exploitability, not by CVSS severity rating.

What a retainer actually covers.

Sprints and Foundations are bounded. Retainers are not. Once we are embedded, the working areas below are continuous, not one-off. Scope shifts as your program matures, but it always covers these.

See all services

Policy authoring + access reviews

Real policies that match how your team actually operates. Quarterly access reviews with signed attestations from each system owner.

Vendor risk + customer questionnaires + trust center

Vendor inventory, tiering, and ongoing risk monitoring. Customer security questionnaires answered. Trust center kept current.

Audit support + evidence management

Auditor walkthroughs, control design defense, evidence curated across the audit window. We sit the meetings with you, not hand off a binder.

Vulnerability scanning + attack surface management

Continuous scanning that catches net-new exposures between pentests. Recurring authenticated scans on internal infra.

Endpoint and identity advisory

MDM and endpoint hardening. Identity provider audit, SSO and MFA enforcement, privileged access reviews.

Incident response + tabletops

Runbooks for the most likely scenarios. Annual tabletop with engineering and leadership.

Strategic roadmap + board briefings

Threat-informed 12-month roadmap. Board-grade briefings on cadence. Updates evolve with the program.

Free resource·4 min·Scored PDF

How far is your team from a SOC 2 audit?

20 questions, practitioner-graded, realistic timeline to audit.

Get the scorecard

Pricing

Sprint, Foundation, retainer.

A full-time CISO runs $250K to $400K a year, plus equity and benefits. We deliver senior leadership at a fraction of that. Productized or month-to-month. No long contracts.

Save 15% on annual billing

SOC 2 Sprint

Two-week productized engagement. The fastest way to see how vCISO works before committing.

$2,500

One-time

Start a Sprint

Kickoff call, gap analysis, policy inventory
Light pentest on your app
Prioritized remediation roadmap
Exec readout deck and presentation
Credited in full toward month one of retainer

Recommended

Strategic vCISO

Monthly retainer with strategic guidance, customer questionnaires, policy reviews, and IR readiness.

$5,000

Per month

Book a discovery call

Monthly security reviews
Policy review and recommendations
Customer security questionnaire response
Annual IR + DR tabletop exercise
Slack and email access
48-hour response SLA

Embedded vCISO

Hands-on security leadership for audit prep, M&A, and complex programs. Custom-scoped engagement.

Inquire

Custom scope

Inquire about availability

Everything in Strategic vCISO, plus:
Weekly syncs and embedded availability
Hands-on policy authoring and remediation
Audit preparation and fieldwork support
Board and investor briefings
Compliance platform admin (Vanta, Drata, Secureframe)
Incident response leadership
Same-day response SLA

Productized program

90-Day vCISO Foundation

Productized 90-day program build for teams without a SOC 2 deadline. Threat-informed baseline, real pentest, board briefing at day 90.

$24,000

One-time, 90 days

Threat-informed baseline (NIST CSF + MITRE ATT&CK)
12-month prioritized roadmap with owners
Full pentest in days 31 to 60
Closed first wave of high-priority gaps
Board briefing and pentest summary at day 90
First month of retainer credited if you continue

Start the Foundation

Annual billing means a single invoice for 12 months and a 15% discount on the Strategic vCISO retainer. Retainers remain cancellable with 30 days notice; unused balance prorated on termination. Sprint and Foundation pricing are flat-fee, not affected by billing cadence.

See full pricing and FAQ

Frequently asked

What buyers ask first.

The short answers to the questions that come up on every discovery call. The full set is on the FAQ page.

See all 37 questions

Ready when you are

Your next move starts with a 30 minute call.

If vCISO is not a fit, we will say so on the call and point you toward someone who is. If we are, we will scope a Sprint, the 90-Day Foundation, or a retainer right then.

Book a discovery call See engagement options

Virtual CISO services that ship.

How can we help?

How a vCISO partnership runs.

Kickoff

Discovery and offensive testing

Hands-on execution

Leadership briefings

Audit-ready, attacker-tested.

Framework-native compliance

Attacker-eyed security

What a retainer actually covers.

Policy authoring + access reviews

Vendor risk + customer questionnaires + trust center

Audit support + evidence management

Vulnerability scanning + attack surface management

Endpoint and identity advisory

Okta

Jamf

CrowdStrike

Incident response + tabletops

Strategic roadmap + board briefings

Sprint, Foundation, retainer.

What buyers ask first.

Your next move starts with a 30 minute call.

Virtual CISO services that ship.Your auditor will pass you. Your attacker won't.Senior security. No $300K hire.Virtual CISO services that ship. @keyframes caret-blink { 0%, 50% { opacity: 1; } 50.01%, 100% { opacity: 0; } }

How can we help?

How a vCISO partnership runs.

Engagement phases

Kickoff

Discovery and offensive testing

More engagement phases

Hands-on execution

Leadership briefings

Audit-ready, attacker-tested.

Framework-native compliance

Attacker-eyed security

What a retainer actually covers.

Policy authoring + access reviews

Vendor risk + customer questionnaires + trust center

Audit support + evidence management

Vulnerability scanning + attack surface management

Endpoint and identity advisory

Incident response + tabletops

Strategic roadmap + board briefings

Sprint, Foundation, retainer.

What buyers ask first.

What is a virtual CISO (vCISO)?

How is a vCISO different from a full-time CISO?

What are the engagement options?

Why is everything month-to-month?

Which frameworks do you support?

Who actually does the work on my engagement?

Your next move starts with a 30 minute call.

Virtual CISO services that ship.