Who we help
Startups, scaleups, and Web3 teams
VIRTUAL CISO
Security leadership on demand —
strategy → guardrails → evidence.
Strategy, governance, and hands-on execution without a full-time hire.
ISO 27001/SOC 2 enablement, DevSecOps guardrails, incident readiness, and Web3 add-ons.
Typical goals
CISO-level expertise, real risk reduction, compliance
Engagement
vCISO lead and security engineer(s), hands-on and scalable
Outcomes you can expect
ROADMAP
12-month Security Program
Risk-aligned roadmap with budget, owners, and milestones. Updated monthly.
EVIDENCE
Audit-ready at any time
ISO 27001/SOC 2 mappings, evidence index, and customer security FAQ.
GUARDRAILS
Controls that actually block drift
CI/CD checks, secrets hygiene, SSO/MFA, access reviews, and monitoring.
What we actually do
Strategy & Governance
Risk register, policies/standards, SoA, RACI, KPIs
Identity & Access
MFA/SSO baseline, least privilege, JML, access reviews
Cloud & DevSecOps
CI/CD & IaC guardrails, secrets hygiene, change control
Asset & Data Protection
Classification, backups, encryption & key mgmt, DLP-lite
Vendor Risk
Intake workflow, assessments, contract language, review SLAs
Monitoring & IR
Playbooks, alert routing, drills, post-incident reviews
Compliance Enablement
ISO 27001/SOC 2 mapping, gap-to-audit plan
Training & Culture
Role-based training, phishing drills, exec tabletop
Web3 (optional)
Multisig/treasury controls, deploy gates, timelocks, on-chain monitors
30/60/90-day plan
DAYS 1-30
Discover & Stabilize
Interviews, asset inventory, risk-register v1, ‘Top 10’ quick wins, IR plan draft.
DAYS 31-60
Build Guardrails
CI/CD checks, MFA+SSO cleanup, access review, policy pack, vendor intake, training v1.
DAYS 61-90
Prove & Report
Tabletop drill, close high-impact risks, metrics dashboard, Board report.
Deliverables you’ll receive
- Security Roadmap & Risk Register (living docs)
- Access review & Joiner/Mover/Leaver workflow
- Incident Response plan + tabletop (per quarter on Growth/Enterprise)
- Exec Reporting: monthly KPIs, risk deltas, spend vs value
- Policy Pack: InfoSec, Access, Change, Vendor, Incident, BCP/DR
- CI/CD guardrails & Secrets hygiene checklist
- Audit-Ready Folder: evidence index, ISO/SOC2 mappings, customer FAQ
- Optional: Customer security questionnaires & TPRM at scale
Packages & pricing
Transparent monthly retainers. Unused hours roll 1 month. Custom SLAs on request.
Essential
From USD4500/mo
- 1× vCISO (part-time), 8–10h/mo
- Policy pack basics, risk-register v1
- Monthly progress report
- Email/Slack: next-business-day
Growth
Most popularCustom
- vCISO + security engineer, 24–28h/mo
- ISO/SOC2 enablement; CI/CD & cloud guardrails (light)
- Quarterly tabletop exercise
- Slack same-day, business hours
Enterprise
Custom
- vCISO + engineer + analyst, 48–60h/mo
- Audit-ready pack; customer security questionnaires
- Vendor risk program; KPI dashboards
- Optional 24/7 incident hotline (+SLA)
Web3 Add-On
Popular- Multisig & key ceremonies
- Deploy gates & timelocks
- On-chain monitors with SOC/SOAR integrations
- Change-management around protocol upgrades
FAQ
How is a vCISO different from a consultant?
We own the program end-to-end: strategy, roadmap, execution, and reporting—not just advice.
Can you help with ISO 27001 / SOC 2?
Yes. We map controls, build the evidence factory, and guide you through audits with minimal disruption.
Do you cover incident response?
Every tier includes an IR plan; Growth and Enterprise include drills. 24/7 hotline is an add-on.
What about Web3 risks?
We add operational guardrails for keys, upgrades, deploys, and on-chain monitoring, integrated with your SOC/SOAR.