A 90-day vCISO engagement that builds a working program.
For founders who know they need to mature their security program but do not have a specific compliance deadline yet. Threat-informed baseline, prioritized roadmap, real pentest, and a board briefing.
$24,000 fixed-fee for 90 days. The first month of any retainer is credited if you continue. We run two of these per quarter. Most kickoffs happen within 10 business days of the contract.
Have a SOC 2 audit booked? Start with the 2-week SOC 2 Sprint instead. Not sure which fits? See the decision tree.
Most 90-day vCISO engagements end with a slide deck. This one ends with a working program.
The standard pattern is assess, recommend, hand off. Three months of meetings and a binder. We use the same 90 days to actually close the first wave of gaps, run a real pentest, and walk into the board meeting with a program that is moving, not a plan to start moving.
Threat-informed baseline
NIST CSF assessment with a MITRE ATT&CK overlay against your actual stack. Not a self-assessment spreadsheet. We pull configuration data, not opinions.
12-month prioritized roadmap
Gaps ranked by likelihood and impact, not by ease of remediation. Owners assigned. Timelines committed. Quarterly milestones the board can read.
Full penetration test
Real engagement, not the 8-hour Sprint scan. Authentication, API, web application, and exposed infrastructure. The findings inform the roadmap. The summary becomes a customer-ready deliverable.
Board briefing and pentest summary
Day-90 deliverable is two artifacts. A board-ready deck on baseline, trajectory, and the next 12 months. A sanitized pentest summary you can hand to enterprise prospects asking for proof.
Three phases, one outcome.
Each phase has a single deliverable that has to land before the next phase begins. No drip-fed reports. No mystery.
Days 1 – 30
Baseline
We run a threat-informed assessment grounded in evidence, not interviews. NIST CSF for breadth, MITRE ATT&CK for depth on the threats that actually target your stack. We pull data from your cloud accounts, identity provider, and source repos. By day 30 you have a real picture, not a self-rated questionnaire.
Days 31 – 60
Roadmap and pentest
Two things happen in parallel. We turn the baseline into a 12-month roadmap, prioritized by risk and stacked by quarter. We also run a full penetration test. The pentest findings feed back into the roadmap so you ship fixes for things that actually matter, not things that sound bad in a spreadsheet.
Days 61 – 90
Execution
Closing the highest-priority gaps. Policy updates that reflect what is actually deployed. Control implementations the engineering team will sustain. A tabletop exercise on the most likely incident scenario. By day 90, the first wave of work has shipped, not been queued for next quarter.
Day 90
Board briefing and handoff
30-minute presentation to leadership and the board. Where you started, what is fixed, what is staged for the next 12 months. You keep the deck. You keep the sanitized pentest summary. If we continue as your retainer vCISO, the first month is on us.
The Foundation is the right entry point if…
Good fit
- You do not have a specific SOC 2 audit deadline yet, but you know you need to mature your security program.
- Your engineering team is shipping product full-time and security work has been deferred for 12+ months.
- Your board or your lead investor has asked what your security strategy is and you do not have a satisfying answer.
- You have customer questionnaires landing in your inbox and the answers are getting more complicated each quarter.
- You want a real working program with shipped controls, written policies, and a tested response plan, not a slide deck of recommendations.
One month of retainer, on us.
If you continue as a retainer client at day 90, the first month is credited in full. The Foundation becomes the discovery work for the retainer rather than a separate engagement. You start month four with momentum, not a fresh kickoff.
Ready when you are
Your next move starts with a 30-minute call.
If vCISO is not a fit, we will say so on the call and point you toward someone who is. If we are, we will scope a Sprint, the 90-Day Foundation, or a retainer right then.