Complete service catalog
All 12 service lines. Every price. Total transparency.
Three tiers each. Platform licenses, audit firm fees, and pen test costs disclosed separately at every scoping call. No surprises.
Pricing overview
All 12 service lines at a glance
| Service Line | Launch | Growth ✦ Most popular | Scale |
|---|---|---|---|
| vCISO services | $2,500–$4,500/mo | $5,000–$8,500/mo | $10,000–$18,000+/mo |
| SOC 2 / ISO 27001 / 42001 | $9,000–$14,000 | $18,000–$32,000 | $35,000–$60,000+ |
| Policy & procedure development | $3,500–$6,000 | $7,000–$12,000 | $13,000–$22,000 |
| Security awareness training | $900–$1,800/mo | $1,800–$3,200/mo | $3,200–$6,000+/mo |
| Incident response & tabletop | $5,500–$9,000 | $10,000–$18,000 | $20,000–$38,000 |
| Pen testing coordination | $2,000–$3,500 | $4,000–$7,500 | $8,000–$16,000/yr |
| Vanta & Drata configuration | $2,800–$5,500 | $5,500–$10,500 | $11,000–$20,000+ |
| HIPAA & BAA support | $4,500–$8,000 | $9,500–$18,000 | $20,000–$42,000+ |
| Customer security reviews | $950–$2,000 ea | $1,600–$3,200/mo | $3,200–$6,500+/mo |
| GDPR & DPA support | $4,500–$7,000 | $8,500–$16,000 | $16,000–$36,000+ |
| Vendor risk management | $2,200–$4,500 proj | $1,800–$3,500/mo | $3,500–$7,500+/mo |
| Compliance maintenance plan | $1,500–$2,200/mo | $2,200–$4,000/mo | $4,000–$8,000+/mo |
✦ Growth is the most popular tier — designed for Series A/B companies with active compliance programs. Launch for foundations, Growth for running programs, Scale for complexity. Pen test vendor fees, audit firm fees, GRC platform licenses (est. $5K–$10K/yr), and legal counsel are client-paid and disclosed at every scoping call.
Detailed pricing
Select a service to see all three tiers
Launch
$2,500–$4,500
per month · ~6 hrs/month · Onboarding: 1–2 weeks
Overage: $185/hr
- Security roadmap (6–12 month horizon)
- Monthly risk register review
- Core policy review (up to 5 policies)
- Monthly advisory summary + action items
- Security questionnaire support (up to 2/month)
- GRC platform setup — basic configuration (Drata or Vanta, license client-paid)
- Email + 1 monthly advisory call (60 min)
Most popular
Growth
$5,000–$8,500
per month · ~10–12 hrs/month · Onboarding: 1 week
Questionnaires: up to 10/mo · Overage: $195/hr
- Everything in Launch, plus:
- Compliance program management (SOC 2 or ISO maintenance)
- Vendor risk reviews (up to 5 vendors/month)
- Security awareness program oversight
- 1 tabletop exercise per year (standard 3-hr scenario)
- Quarterly executive security report
- GRC platform optimization + evidence automation
- Customer security review support (up to 10 questionnaires/month)
- Email + Slack + bi-weekly advisory calls
Scale
$10,000–$18,000+
per month · ~18–25+ hrs/month · Onboarding: 3–5 days
Overage: $225/hr · $18K baseline for 300+ employees
- Everything in Growth, plus:
- Named senior CISO-level advisor (20+ hrs/month guaranteed)
- Board-level security presentation (quarterly)
- Advanced vendor risk management (up to 20 vendors/month)
- 2 tabletop exercises per year (standard 3-hr scenarios)
- Annual policy library review and refresh
- IR plan maintenance and annual update
- Unlimited customer questionnaire support
- Regulatory change monitoring (implementation = change order $225/hr)
- Cyber insurance alignment review (annual, included)
- M&A or fundraising security support (within monthly hours)
- Multi-framework compliance management (SOC 2 + ISO 27001 or HIPAA)
- Dedicated Slack + weekly executive sync
Launch
$9,000–$14,000
one-time · 45–70 hrs · 4–6 weeks
Overage: $185/hr
- Gap assessment against target framework (SOC 2 or ISO 27001)
- Framework selection recommendation with rationale
- Prioritized 90-day remediation roadmap
- 10 foundational policies (customized, not templated)
- Initial risk register
- GRC platform basic setup (Drata or Vanta, license client-paid)
- Audit readiness checklist and evidence tracker
- Security questionnaire starter kit
Most popular
Growth
$18,000–$32,000
one-time · 100–160 hrs · Type I: 10–14 wks · Type II track: 14–18 wks
Overage: $195/hr · Audit firm fee: est. $15K–$40K (client-paid)
- Everything in Launch, plus:
- SOC 2 Type I readiness — all Trust Services Criteria
- Complete policy and procedure library (20+ policies, fully customized)
- GRC platform full configuration + evidence workflow automation
- Control implementation — hands-on execution, not advisory-only
- Vendor inventory and initial risk tiering
- Security awareness training baseline
- 1 tabletop exercise included (ransomware or data breach scenario)
- Audit support: auditor coordination, RFI response, evidence review
Scale
$35,000–$60,000+
one-time · 180–300 hrs · 14–26 weeks
Overage: $225/hr · Audit firm + certification body fees separate
- Everything in Growth, plus:
- SOC 2 Type II or ISO 27001 full readiness and certification body coordination
- ISMS design and implementation (ISO 27001)
- Statement of Applicability (SoA) — ISO 27001
- Advanced GRC configuration with custom control mapping
- Penetration test coordination (scoping + vendor management — test cost separate)
- Post-audit remediation planning and management letter drafting
- Multi-framework compliance: SOC 2 + ISO 27001, or + ISO 42001, or + HIPAA
- Cross-framework control harmonization — reduces duplication
- ISO 42001 AI governance program (AI/ML companies)
- 2 tabletop exercises included
- Trust center setup (Vanta or Drata trust page, post-audit)
Launch
$3,500–$6,000
one-time · 18–32 hrs · 2–3 weeks
Overage: $185/hr · 1 review call + 2 revision cycles
- 10 foundational security policies (customized to your environment — not templates)
- Core policies: Acceptable Use, Access Control, Incident Response, Data Classification, Business Continuity, Vendor Management, Password, Encryption, Remote Work, Asset Management
- Policy acknowledgment tracking template
- GRC platform upload (Drata or Vanta)
Most popular
Growth
$7,000–$12,000
one-time · 38–65 hrs · 3–5 weeks
Overage: $195/hr · 1 editorial refresh at 6 months
- Everything in Launch, plus:
- 25+ policies covering full SOC 2 or ISO 27001 requirements
- Procedures for each policy (operational runbooks — how, not just what)
- Role-based policy matrix (owner assignments by department)
- Policy exception and waiver process + templates
- Annual policy review schedule
- Staff-ready policy summaries (plain language for non-technical staff)
Scale
$13,000–$22,000
one-time + optional annual retainer · 70–130 hrs · 4–8 weeks initial
Overage: $225/hr · Legal firm fees client-paid · ~6 hrs/quarter retainer optional
- Everything in Growth, plus:
- Multi-framework policy alignment (SOC 2 + ISO 27001, or + HIPAA, or + GDPR)
- Policy gap analysis against current controls
- Board and executive policy approval workflow
- Full governance framework (policy → procedure → standard → guideline)
- Regulatory-specific addenda (HIPAA, GDPR, SOC 2, ISO 27001, ISO 42001)
- Legal and compliance review coordination
- Custom policy branding and formatting
- Optional annual retainer: ~6 hrs/quarter for editorial maintenance
Launch
$900–$1,800
per month · ~4–6 hrs/month · Launch: 1–2 weeks
Overage: $185/hr · Platform license (KnowBe4, Proofpoint, etc.) client-paid
- Monthly security awareness module (pre-built, industry-relevant)
- Monthly phishing simulation (standard template)
- Completion tracking and compliance reporting
- Annual policy acknowledgment workflow
- GRC platform evidence sync (Drata or Vanta)
Most popular
Growth
$1,800–$3,200
per month · ~7–10 hrs/month · Launch: 1 week
Overage: $195/hr
- Everything in Launch, plus:
- Department-specific training tracks (engineering, finance, HR, operations)
- Bi-monthly phishing simulations (intermediate campaigns)
- Monthly security newsletter (pre-templated, customizable)
- Training effectiveness metrics (click rates, completion rates, trends)
- New hire onboarding security training
- Quarterly awareness program report
- Role-based training paths (admin, developer, executive, operations)
Scale
$3,200–$6,000+
per month · ~14–25 hrs/month · Launch: 3–5 days
Overage: $225/hr
- Everything in Growth, plus:
- Fully branded, white-labeled training program
- Advanced phishing simulations (spear phishing, vishing, pretexting)
- 1 custom training module per quarter
- Insider threat awareness module
- Executive and board security briefing (annual)
- Security champions program design and management
- Framework-mapped training records (SOC 2, HIPAA, ISO 27001)
- Annual program benchmark against industry standards
Launch
$5,500–$9,000
one-time · 22–34 hrs · 3–4 weeks
Overage: $185/hr · 1 revision round included
- Foundational incident response plan (1 scenario: ransomware or data breach)
- Basic IR playbook (step-by-step response procedures)
- Tabletop exercise — 1 scenario, 3–4 hours facilitation
- Leadership and technical participant walkthrough
- Post-exercise findings report (top 10 gaps + remediation priorities)
- GRC platform IR evidence upload
- Cyber insurance alignment note (findings suitable for underwriters)
Most popular
Growth
$10,000–$18,000
one-time · 50–80 hrs · 4–6 weeks
Overage: $195/hr · 30-day remediation check-in included
- Everything in Launch, plus:
- Custom scenario design (SaaS breach, ransomware, insider threat, or HIPAA incident)
- Full IR program development (all core playbooks: ransomware, data breach, insider threat, DDoS)
- Business continuity and DR alignment
- Full-day tabletop facilitation (6–8 hours)
- Formal post-exercise report with gap analysis and remediation roadmap
- Communications playbook (internal, external, and customer notification templates)
Scale
$20,000–$38,000
one-time or annual program · 90–180 hrs
Overage: $225/hr · On-site available at day rate + travel
- Everything in Growth, plus:
- Multi-team exercise (technical, legal, communications, executive — concurrent)
- Crisis communications scenario integration
- Regulatory notification workflow (HIPAA 60-day, GDPR 72-hour clocks)
- Custom adversarial injects designed to stress-test specific weaknesses
- Cyber insurance alignment review (findings structured for underwriters)
- Annual program: 4 quarterly tabletop exercises (unique scenarios)
- Board-level crisis simulation (executive decision-making, media, legal)
- Annual IR program maturity assessment
- Retainer IR advisory — first 4 hours of a real incident per quarter (annual program)
Launch
$2,000–$3,500
coordination fee · 10–18 hrs · 1–2 weeks pre-test
Overage: $185/hr · Pen test vendor cost est. $8K–$30K+ (client-paid)
- Pen test vendor selection and vetting
- Scope definition and rules of engagement documentation
- Vendor contracting support
- Test day coordination (scheduling, access, technical contacts)
- Results review: plain-language remediation priorities
- GRC platform evidence upload (findings summary, remediation tracking)
Most popular
Growth
$4,000–$7,500
coordination fee · 20–40 hrs · 2–3 weeks pre-test
Overage: $195/hr · 30-day remediation check-in · Vendor cost est. $10K–$25K
- Everything in Launch, plus:
- Multi-scope coordination (web app, internal network, API)
- Detailed remediation roadmap with owner assignments and timelines
- Remediation validation support (retesting guidance)
- Annual pen test program calendar and vendor management
- SOC 2 and ISO 27001 evidence packaging for auditors
Scale
$8,000–$16,000
annual program · 40–80 hrs/year
Overage: $225/hr · Total annual vendor costs est. $20K–$60K+
- Everything in Growth, plus:
- Purple team coordination (pen test findings fed into tabletop scenarios)
- Social engineering campaign coordination (scoped separately)
- Executive summary and board presentation of findings
- Remediation validation testing coordination
- Annual pen test maturity assessment
Launch
$2,800–$5,500
one-time · 15–28 hrs · 1–2 weeks
Overage: $185/hr · Platform license: Drata est. $15K–$40K/yr, Vanta est. $10K–$25K/yr (client-paid)
- Platform audit and reset (clean slate if misconfigured)
- Core integrations: AWS/GCP/Azure, GitHub/GitLab, Okta/Google Workspace, HRIS
- Control mapping to target framework (SOC 2 or ISO 27001)
- Evidence collection automation setup
- 10 foundational policies uploaded and mapped
- Team onboarding (how to use the platform day-to-day)
Most popular
Growth
$5,500–$10,500
one-time · 30–55 hrs · 1–2 weeks
Overage: $195/hr · 90-day optimization check-in included
- Everything in Launch, plus:
- Full integration suite (all connected tools, custom connectors where needed)
- SOC 2 Type I and Type II evidence automation configuration
- Vendor risk module setup and initial vendor loading
- Policy library upload (20+ policies, all mapped to controls)
- Custom test scheduling and reminder workflows
- Audit readiness dashboard configuration
Scale
$11,000–$20,000+
one-time + optional maintenance · 60–110 hrs · 2–4 weeks
Overage: $225/hr · Quarterly health review add-on: $1,200–$2,500/quarter
- Everything in Growth, plus:
- Multi-framework control harmonization in GRC platform
- Custom control library build (controls not natively in Drata/Vanta)
- API integrations (custom endpoints, internal tooling)
- Advanced reporting dashboards (board-ready exports)
- HIPAA BAA chain or GDPR sub-processor registry setup
- Quarterly GRC health review (optional: $1,200–$2,500/quarter)
Launch
$4,500–$8,000
one-time · 24–42 hrs · 3–5 weeks
Overage: $185/hr · Legal counsel separate
- HIPAA Security Rule gap assessment
- Initial risk assessment (required under 45 CFR 164.308)
- Core HIPAA policies (Security, Privacy, Breach Notification)
- Business Associate Agreement template (standard)
- Workforce training module baseline
- GRC platform HIPAA control setup
Most popular
Growth
$9,500–$18,000
one-time · 50–90 hrs · 6–10 weeks
Overage: $195/hr · 90-day remediation check-in · Legal counsel separate
- Everything in Launch, plus:
- Complete HIPAA Security Rule program (all required and addressable safeguards)
- Full HIPAA Privacy Rule policies and procedures
- BAA template library (standard + custom addenda for high-risk engagements)
- Downstream BAA chain management
- SOC 2 + HIPAA control harmonization (reduce duplicated work)
- Staff HIPAA training program (role-based)
- Breach risk assessment process and notification templates
Scale
$20,000–$42,000+
one-time + retainer · 100–200 hrs initial · ~6 hrs/month ongoing
Overage: $225/hr · Legal counsel separate · On-site available at day rate
- Everything in Growth, plus:
- Annual HIPAA risk analysis refresh
- OCR audit simulation and inquiry response preparation (legal counsel separate)
- Multi-entity HIPAA governance (parent/subsidiary structure)
- Cyber insurance HIPAA alignment documentation
- Executive and board HIPAA risk reporting
- HIPAA + GDPR dual compliance program (for companies with EU customers)
Launch (per questionnaire)
$950–$2,000
per questionnaire · 3–5 business day turnaround · Converts to Growth above 3/month
$185/hr for complex questionnaires (200+ questions)
- Questionnaire completion (1 at a time)
- Security response knowledge base (grows with each engagement)
- Red flag identification (compliance gaps affecting the deal)
- GRC platform response library upload
- Standard: $950–$1,200 │ Complex (100–200 questions): $1,400–$2,000
- Converts to Growth retainer above 3 questionnaires per month
Most popular
Growth
$1,600–$3,200
per month · Up to 15 questionnaires/month · 3–5 business day SLA
Overage: $150/questionnaire beyond 15/month · 1 week onboarding
- Managed questionnaire response service (up to 15/month)
- Security response knowledge base (maintained and expanded monthly)
- Standard security one-pager (customer-facing)
- Security posture summary (updated quarterly)
- Common objection guide for sales team
Scale
$3,200–$6,500+
per month · Unlimited questionnaires · 48-hr standard SLA · 24-hr priority SLA
Overage: $225/hr for government/FedRAMP scope · 3–5 days onboarding
- Everything in Growth, plus:
- Unlimited questionnaire responses per month
- Trust Center setup and ongoing maintenance (Vanta or Drata trust page)
- Custom security one-pager per product line
- Enterprise RFP security section support
- Sales team security objection training (quarterly)
- Government and FedRAMP-adjacent questionnaire support
- Customer-facing security white paper (annual)
- CAIQ (CSA STAR) completion and maintenance
Launch
$4,500–$7,000
one-time · 22–38 hrs · 3–5 weeks
Overage: $185/hr · Legal counsel for DPA review separate
- GDPR applicability assessment and gap analysis
- Record of Processing Activities (RoPA) — initial build
- Standard Data Processing Agreement (DPA) template
- Core GDPR policies (Privacy Notice, Data Retention, DSR Procedure)
- Data breach notification process and templates
- GRC platform GDPR control mapping
Most popular
Growth
$8,500–$16,000
one-time · 45–85 hrs · 5–8 weeks
Overage: $195/hr · 60-day post-delivery support · Legal counsel separate
- Everything in Launch, plus:
- Full GDPR privacy program (all required policies and procedures)
- Sub-processor registry build and notification process
- Data Protection Impact Assessment (DPIA) template and process
- DPA negotiation support (legal counsel separate)
- SCCs and transfer mechanism documentation (EU-US data transfers)
- Data subject request (DSR) workflow and response templates
- GDPR + SOC 2 control harmonization
Scale
$16,000–$36,000+
one-time + retainer option · 90–170 hrs · 6–10 weeks initial
Overage: $225/hr · Legal counsel for supervisory authority inquiries separate
- Everything in Growth, plus:
- Multi-jurisdiction privacy program (GDPR + UK GDPR + CCPA/CPRA alignment)
- Binding Corporate Rules (BCR) readiness assessment
- Supervisory authority inquiry response preparation (legal counsel separate)
- Annual RoPA refresh and gap assessment
- Executive and board privacy risk reporting
- GDPR + HIPAA dual compliance (for health data across jurisdictions)
Launch (one-time project)
$2,200–$4,500
one-time project · 12–24 hrs · 2–3 weeks
Overage: $185/hr · 1 results briefing + 30-day email Q&A
- Vendor inventory build (all third-party tools and services across the organization)
- Vendor risk tiering (Critical / High / Medium / Low)
- Initial vendor risk questionnaire (standard template)
- Top 10 high-risk vendor findings report
- GRC platform vendor module setup
- Note: this project feeds directly into the Growth retainer with no duplicated work
Most popular
Growth
$1,800–$3,500
per month · Up to 10 vendor reviews/month · 1–2 week onboarding
Overage: $195/hr · Monthly call + Slack + quarterly summary report
- Ongoing vendor reviews (up to 10/month)
- Vendor questionnaire management (send, track, and follow up)
- Contractual risk review (DPAs, MSAs, security addenda)
- Vendor risk register maintenance (updated monthly)
- New vendor onboarding checklist
- Monthly vendor risk summary report
Scale
$3,500–$7,500+
per month · Up to 25+ vendor reviews/month · 1 week onboarding
Overage: $225/hr · M&A vendor risk: $5K–$15K per target (scoped separately)
- Everything in Growth, plus:
- Up to 25 vendor reviews per month (unlimited at top of range)
- Fourth-party risk identification (your vendors’ vendors)
- Critical vendor deep-dives (annual, Tier 1 vendors)
- Contract language guidance (SLAs, breach notification, indemnification)
- HIPAA BAA chain + GDPR sub-processor registry maintenance
- Annual vendor risk maturity assessment
- M&A vendor risk review ($5K–$15K per target — scoped separately)
Launch
$1,500–$2,200
per month · ~4–6 hrs/month · 1 week onboarding
Overage: $185/hr · Regulatory change implementation = change order
- Monthly GRC platform health check (Drata or Vanta)
- Evidence collection monitoring — catch gaps before auditors do
- Policy acknowledgment tracking (annual cycle management)
- Regulatory change monitoring (implementation is a change order)
- Monthly compliance status summary
Most popular
Growth
$2,200–$4,000
per month · ~6–10 hrs/month · 1 week onboarding
Overage: $195/hr · Regulatory change implementation = change order
- Everything in Launch, plus:
- Monthly evidence automation review and gap remediation
- Quarterly vendor risk review (up to 5 vendors/month)
- Quarterly compliance health report (executive-ready)
- Annual audit preparation package
- Framework change monitoring (SOC 2 COSO/TSC updates, ISO revision cycles)
Scale
$4,000–$8,000+
per month · ~12–20 hrs/month · 1 week onboarding
Overage: $225/hr · Regulatory change implementation = change order at $225/hr
- Everything in Growth, plus:
- Multi-framework evidence management (SOC 2 + ISO 27001 + HIPAA or GDPR)
- Annual audit preparation and auditor coordination
- Annual security program maturity assessment
- Board-level compliance dashboard (monthly)
- Regulatory change impact analysis (annual)
Platform licenses (Drata/Vanta: approx. $5K–$10K/yr), audit firm fees, and pen test costs are client-paid and disclosed in full at every scoping call.
Not sure which tier fits your situation?
Tell us what is driving the urgency and we will tell you exactly what you need — and what you do not.