About vCISO

Practitioner-led, senior-staffed, month-to-month.

vCISO.com is a practitioner-led virtual CISO firm headquartered in Pittsburgh. SOC 2 readiness Sprints and embedded vCISO retainers for SaaS, healthtech, fintech, and regulated SMB. Senior practitioners do the day-to-day work. Month-to-month, with 30 days notice.

How we operate

Firm-structured, practitioner-led.

Every buyer who has been through enterprise procurement knows the questions: Who carries the insurance? What happens to our data? Who signs the contract? Here are the answers, in writing.

Professional liability insurance

E&O coverage sized for Series A to C engagements. Coverage certificate available on request during procurement review.

Documented data handling

Client data is classified, encrypted at rest and in transit, and scoped to least-privilege access by default. NDAs and DPAs on request.

Written engagement contracts

Every engagement runs under a signed statement of work with clear scope, deliverables, and termination terms. No handshake agreements.

Advisor network for specialized work

Core engagements led by our founder. For specialized work, we engage vetted advisors from a bench of practitioners we have worked with across our careers.

What we believe

Four principles, in writing.

01

Paper compliance is not security.

A company can pass SOC 2 with an exploitable app. We do not take engagements where we cannot say that out loud.

02

Named principals on every engagement.

Every retainer has a named senior practitioner doing the day-to-day work. The person on your kickoff call is the same person reviewing your policies, signing your management representation letter, and answering your incident escalation.

03

Month-to-month, with 30 days notice.

If vCISO.com is not worth the retainer in a given month, clients should not pay it. Every engagement is month-to-month with 30 days notice.

04

Write the policy clients will actually follow.

We write policies that match how your team actually operates, then help enforce them. Custom-authored from interviews with your engineering and ops leads, not pulled from a template library.

Leadership

Founded and led by Chase Miller.

vCISO.com's founder and principal consultant is Chase Miller, a Carnegie Mellon-trained security practitioner with over a decade of hands-on experience across offensive security, vulnerability research, and security program leadership. Chase personally leads every retainer and Sprint.

CISSP, OSCP, MS · Carnegie Mellon
Chase Miller, Founder and Principal Consultant, vCISO

Founder and Principal

Chase Miller · Pittsburgh, PA

My path to vCISO.com

A decade of doing the work before founding vCISO.

After earning my MS in Information Security from Carnegie Mellon, I spent the next decade-plus in offensive security and security program leadership. I have conducted full-scope penetration tests against SaaS, fintech, and healthcare apps; led risk and vulnerability assessment teams; and built security programs from the ground up for organizations ranging from seed-stage startups to Fortune 500 enterprises.

I founded vCISO.com because most companies that need security help cannot actually get it. Startups and small businesses cannot afford a full-time CISO, and traditional consulting firms come with long contracts and enterprise overhead. vCISO.com delivers expert security leadership without the complexity.

Credentials & Certifications

Elite training meets real-world practice.

CISSP

(ISC)²

Certified Information Systems Security Professional. The gold standard for security leadership and technical expertise.

OSCP

Offensive Security

Offensive Security Certified Professional. Hands-on penetration testing certification that proves you can actually break things.

MS Information Security

Carnegie Mellon University

Master's degree in Information Security from the top-ranked cybersecurity program in the nation.

Track record

Organizations I have helped secure.

Google, Netflix, Uber, Spotify, Dropbox, Pinterest, Instacart, Indeed, Udemy, GrubHub, Yahoo, Zomato, AT&T, T-Mobile, eBay, Kohl's, General Motors, U.S. Government

Where we work

Based in Pittsburgh, serving the world.

Pittsburgh has transformed from its steel mill roots into a thriving tech hub. The city's hardworking, blue-collar history built a culture that values substance over flash. Today, it is home to a vibrant startup scene, especially around robotics and AI, alongside established healthcare and financial institutions. Carnegie Mellon keeps the technical standards high, while the local culture keeps expectations grounded. Remote-first from day one means I can work with great companies anywhere. Many of my clients are in SF, NYC, Austin, London, and around the world.

Ready when you are

Your next move starts with a 30-minute call.

If vCISO.com is not a fit, we will say so on the call and point you toward someone who is. If we are, we will scope a Sprint, the 90-Day Foundation, or a retainer right then.