Fractional CISO services from a practitioner-led firm.
Fractional CISO and virtual CISO (vCISO) are the same engagement. Senior security leadership on a retainer, faster than hiring, cheaper than full-time, deeper than a compliance platform.
Same scope as a full-time Chief Information Security Officer: SOC 2, ISO 27001, HIPAA, PCI DSS, and CMMC readiness, vendor risk, board reporting, incident response leadership. Different contract: month-to-month, sized to the company that hires us.
- Starts in 2 to 4 weeks, not 4 to 6 months
- Month-to-month retainer, no annual contract
- Pentest included on every Sprint
- Senior practitioner on every engagement, not associates
Fractional CISO, virtual CISO, full-time CISO. Which one do you need?
The terms get conflated. The differences are real. Here is the side-by-side most buyers wish someone had written for them.
Fractional / Virtual CISO
Senior leadership, fractional time
- Cost: $3K – $15K / mo
- Time to start: 2 to 4 weeks
- Scope: Strategy, compliance, policy, vendor risk, board reporting, IR. Same scope as full-time.
- Best for: Most companies between 10 and 250 employees. The default answer for growth-stage teams with active customer-driven security demand.
Full-time CISO
Headcount and equity
- Cost: $250K – $400K / yr loaded
- Time to start: 3 to 6 months to recruit
- Scope: Full operational ownership. Sits on exec staff. Headcount under them.
- Best for: Companies above ~250 employees with a material risk profile, multiple frameworks in production, and budget for a security org.
Compliance platform
Tool, not a leader
- Cost: $300 – $2K / mo
- Time to start: Same day, mostly self-serve
- Scope: Evidence automation, policy templates, audit prep tooling. Does not write policies, lead IR, or take board calls.
- Best for: Pairing with a fractional CISO. The platform tracks evidence; the CISO does the work that produces the evidence.
What a fractional CISO actually does for your company.
The role is the same as any senior CISO. The contract and time commitment are different. Six work areas, owned end to end.
Strategic security roadmap
A 12-month roadmap ranked by risk reduced per dollar spent and tied to actual business drivers: audit dates, customer contracts, board asks, M&A diligence.
Compliance readiness
SOC 2 Type I and II, ISO 27001:2022, HIPAA, PCI DSS 4.0, CMMC Level 2, NIST CSF 2.0. Gap assessments tied to production evidence, not policy PDFs.
Policy authoring
Information security, access management, secure SDLC, incident response, vendor management, BCP and DR. Written to match how your team operates.
Vendor and third-party risk
Vendor inventory, tiering by data access, contractual review, ongoing monitoring. We handle inbound security questionnaires end to end.
Board and investor briefings
Quarterly board presentations and investor diligence support in language your CFO and CRO both understand. Decks are yours to reuse.
Incident response leadership
Pre-written runbooks, semi-annual tabletop exercises, on-call leadership. On day zero, you call us. You do not read someone else's runbook template.
What does a fractional CISO cost?
Industry-wide, fractional CISO services run $3,000 to $15,000 per month depending on engagement depth. Standalone projects (like a SOC 2 readiness Sprint) are typically $2,500 to $10,000 fixed-fee. Our published rates:
SOC 2 Sprint
Two-week productized engagement, $2,500 fixed-fee. Pentest included. Credited toward retainer.
Strategic vCISO
$5,000/mo list. Monthly security reviews, policy authoring, customer questionnaire response, annual IR + DR tabletop.
Embedded vCISO
Custom-scoped. Hands-on leadership for audit prep, M&A, and complex programs. Weekly syncs, board briefings, on-call IR, compliance platform admin.
50% off fractional CISO retainer for 12 months.
Our first 5 retainer clients lock in Strategic vCISO at $2,500/mo for a full 12 months (50% off the $5,000 list rate), plus the SOC 2 Sprint at $500. Embedded vCISO is custom-scoped and negotiated case-by-case for cohort members. In exchange: a testimonial, case study rights, and willingness to take a reference call. Year two reverts to list pricing.
Not ready to talk? Score your SOC 2 readiness.
Twenty questions, a scored PDF in your inbox, a realistic timeline to audit. Free.
Common questions about fractional CISO services.
Is "fractional CISO" the same as "virtual CISO" (vCISO)?
In practice, yes. The two terms are used interchangeably across the industry. "Fractional CISO" emphasizes the time commitment (a fraction of a full-time role); "virtual CISO" emphasizes the delivery model (remote, on retainer). Both refer to the same engagement: a senior security leader who owns your security program on a recurring basis without being a full-time employee. We use both terms because buyers search for both. The work is identical.
How is fractional CISO different from a full-time CISO?
A full-time CISO is a 40+ hour per week employee with full headcount, equity, and benefits. Total cost runs $250,000 to $400,000 loaded for a senior hire and 3 to 6 months to recruit. A fractional CISO works on a retainer (typically 4 to 20 hours per week depending on tier), starts within 2 to 4 weeks, and is paid as a vendor invoice. For most companies between Series A and Series C, a fractional CISO is the right answer until headcount or risk profile justifies a full-time hire.
What does a fractional CISO actually do?
Same scope as any senior CISO: security strategy, compliance program ownership, policy authoring, vendor risk reviews, board reporting, and incident response leadership. The day-to-day shifts with the phase: early in an engagement, most hours go to gap analysis and policy work; mid-engagement shifts to vendor reviews and customer questionnaires; steady state is quarterly board cadence, audit liaison, and IR readiness. Retainer clients get weekly status notes so the work is visible.
How much does a fractional CISO cost?
Industry-wide, fractional CISO services run $3,000 to $15,000 per month depending on engagement depth. Our published rate is $5,000/mo Strategic vCISO. Embedded vCISO is custom-scoped for higher-touch engagements and quoted on application. Founding cohort pricing puts Strategic vCISO at $2,500/mo for 12 months; Embedded is negotiated case-by-case for cohort members. Anyone quoting under $3,000/mo for senior advisory work is pricing for hours, not for outcomes.
When does a company need a fractional CISO?
Five common triggers: (1) a SOC 2, ISO 27001, HIPAA, or PCI audit is on the calendar, (2) an enterprise deal is blocked on a security questionnaire, (3) a board or investor asked for a documented security program, (4) a near-miss or incident exposed how thin the program really is, or (5) you are bridging the gap to a future full-time CISO hire. Underneath every trigger is the same problem: the company has outgrown ad-hoc security and needs a senior owner.
Can I cancel a fractional CISO retainer any time?
Yes. Every retainer is month-to-month with 30 days notice. No annual contracts, no minimums, no auto-renewal traps. If a fractional CISO is not earning their retainer in a given month, the client should not pay it. The Founding Cohort 12-month founder rate is a discount commitment from us, not a contract obligation from you: cancellation rules remain the same.
How does fractional CISO compare to compliance platforms like Vanta or Drata?
Compliance platforms automate evidence collection. They do not write your policies, run your incident response, sign your management representation letter, take your board call, or close the gaps the platform surfaces. A fractional CISO and a compliance platform work together: the platform tracks the evidence, the CISO does the work that produces the evidence in the first place. Most of our retainer clients use Vanta, Drata, or Secureframe; we are the human program around the tool.
How fast can a fractional CISO start?
A SOC 2 Sprint kicks off within 2 weeks of signing. Embedded retainer engagements typically start within 2 to 4 weeks. Compare to a full-time CISO hire (3 to 6 months) or a Big 4 consultancy engagement (6 to 8 weeks of contract negotiation alone). The speed is the point: most companies hire a fractional CISO because something is on fire or about to be.
Do fractional CISO services include penetration testing?
Yes. Every SOC 2 Sprint includes a focused, light pentest of your application. Embedded vCISO retainer clients get an annual full-scope pentest as part of the engagement. This is unusual: most fractional CISO firms either subcontract pentests at extra cost or skip them entirely because the principal is a paper-only consultant. Our team has hands-on offensive security experience, so we run pentests in-house and tie findings directly into the security roadmap. One scoping note: PCI DSS requires the tester to be organizationally independent of the systems under test, not that a separate firm perform the test; if a customer or auditor specifically asks for a third-party report, raise that during scoping so it can be arranged.
Ready to talk to a fractional CISO?
Three doors: start with a $2,500 Sprint, apply for a founding retainer slot at 50% off, or take the free 4-minute SOC 2 Readiness Scorecard if you want a snapshot before talking to anyone.