Engagements Are Built. Not Sold.

Three weeks from first call to program kickoff. A 90-day fixed-price scope. Quarterly cadence after that. Pricing is published below — not behind a “request a quote” button.

From Risk Discussion to Quarterly Cadence.

1

Risk Discussion

What’s prompting the call? Where are the auditors, insurers, or customers pressing? No deck. No sales pitch.

30 minutes
2

Scoped Proposal

One-page scope. Fixed price. Named deliverables. 90-day commitment.

5 business days
3

Program Kickoff

Current-state assessment. Framework selected. Risk register stood up.

Within 2 weeks
4

Quarterly Cadence

Board-ready quarterly report. Risk register review. Forward-looking roadmap.

From day 90
5

Annual Program Review

Top-to-bottom posture assessment. Framework re-scoping if needed. Renewal decision.

Year 1+

Pricing Is a Trust Signal. We Publish It.

Engagements start at $2,500/month. Most clients run $2,500–$7,500/month depending on framework scope, headcount, and cadence. There is no published rate card below $2,500 — at that scale, you don’t need a vCSO yet.

Foundation

$2,500 /month

For organizations standing up a security program for the first time.

  • 8 hours/month vCSO bandwidth
  • Quarterly board-ready report
  • Framework selection and risk register
  • Email and 24-hour response on policy questions
Most clients

Risk-Managed

$5,000 /month

For organizations with active compliance pressure (SOC 2, HIPAA, CMMC, SB 2610).

  • 16 hours/month vCSO bandwidth
  • Quarterly board reporting + monthly working session
  • Compass-backed evidence trail included
  • Vendor and third-party risk program

Operational Risk Program

$7,500 /month

For organizations running the full ESRM program with named framework ownership.

  • 20+ hours/month vCSO bandwidth
  • Monthly working session + quarterly board report
  • Full Compass platform integration
  • Incident response retainer and tabletop exercises

No multi-year lock-ins. Quarterly review. Cancel with 30 days’ notice. Hardware and software pass-through at cost when applicable.

Who We Don't Work With.

  • If you are looking for the lowest-cost vCISO on the market, we are not the right fit.
  • If you want a deck delivered and nobody to call when the auditor follows up, we are not the right fit.
  • If your security strategy is “buy more tools,” we are not the right fit.

We work with organizations that have decided security and compliance are operating disciplines — not procurement line items. If that’s the conversation you want to have, the Risk Discussion is 30 minutes.

Ready to Start the Risk Discussion?

30 minutes with us. No deck. No sales pitch. If a vCSO, vCISO, or ESRM program isn’t right for you, we’ll say so on the call.

Schedule a Risk Discussion →

Or call directly: 817-677-0515