Transparent pricing. Senior execution.
Six service offerings, designed to match where your company is and what is driving urgency. Every engagement is scoped precisely, with no retainer for its own sake.
Fractional CISO Retainer
Ongoing security program leadership for technology companies that need a senior security executive — without the $300K full-time commitment.
What's Included
- Monthly security program status review and roadmap update
- Risk register review and prioritization
- Quarterly board or executive security reporting
- Security policy and procedure development
- Vendor security assessment and third-party risk management
- Incident response advisory and on-call guidance
- Compliance framework monitoring (SOC 2, ISO 27001, HIPAA, PCI DSS)
- Up to 2 hours of ad-hoc advisory included in the retainer; additional hours at $350/hr
Deliverables
- Written monthly security program status report
- Updated risk register with prioritized action items
- Executive security summary (board-ready on request)
SOC 2 / ISO 27001 Readiness Sprint
Structured readiness program built around a hard audit deadline. Track record: four consecutive SOC 2 Type II audits with zero exceptions, across two different organizations.
What's Included
- Gap assessment against the SOC 2 Trust Services Criteria (TSC) or ISO/IEC 27001:2022 requirements and Annex A controls
- Risk assessment and remediation roadmap
- Policy and procedure development (all required domains)
- Control design and documentation
- Audit evidence collection setup
- Auditor selection support
- Pre-audit internal readiness walkthrough
- Post-audit findings remediation support
Deliverables
- Gap Analysis Report with prioritized remediation roadmap
- Control Documentation Package
- Audit Readiness Report + Evidence Package
AI Security Governance Framework
Most EU AI Act obligations, including those for high-risk systems, apply from August 2026; some provisions, such as the prohibited-practice rules, are already in force. Only 6% of organizations report having an advanced AI security strategy. This engagement builds the framework before regulators or customers force it.
What's Included
- AI tool and use case inventory across the organization
- Risk assessment against NIST AI RMF and EU AI Act requirements
- AI Acceptable Use Policy development
- Data governance controls for AI training and inference data
- Vendor AI risk assessment framework and questionnaire
- Executive and board briefing on AI risk posture
- Alignment mapping to applicable regulatory frameworks
Deliverables
- AI Use Case Registry
- AI Acceptable Use Policy (draft, ready for legal review)
- AI Risk Assessment Methodology
- Vendor AI Security Assessment Questionnaire
- Board-ready AI Risk Summary
Incident Response Planning & Tabletop Exercise
Cyber insurers increasingly require a documented incident response plan as a condition of coverage. This engagement builds the plan, assigns the roles, and validates it with a live tabletop exercise.
What's Included
- Review or development of Incident Response Plan (NIST SP 800-61 aligned)
- Role and responsibility matrix development
- Communication templates (internal, customer, regulatory, media)
- Tabletop exercise design (2–3 hours with key stakeholders)
- Tabletop exercise facilitation
- Post-exercise gap analysis
Deliverables
- Complete Incident Response Plan
- Role assignment matrix and contact directory
- Communication templates package
- Post-exercise findings report with prioritized action items
Hourly Advisory
Senior security guidance when you need a specific question answered or a decision reviewed. Often the starting point for retainer relationships.
What's Included
- Any security topic within scope of expertise
- Written summary of recommendations upon request
- Follow-up questions via email for 5 business days after session
Deliverables
- Varies by engagement — discussed at booking
Board / Fractional Advisor
Security credibility and governance for early-stage startups that need to answer investor and customer security questions but do not yet need a full security program.
What's Included
- Monthly advisory session (2 hours)
- Investor and customer security questionnaire support
- Security roadmap for future compliance programs
- Ad-hoc email advisory (reasonable scope)
Deliverables
- Security posture summary for investor/board use