
Virtual CISO Services

Companies between 50 and 500 people need a CISO function but rarely need a full-time hire. Our vCISO retainer gives you strategic security leadership, compliance roadmap ownership, and board-ready reporting — without the €200k+ salary line.

The CISO role, served as a retainer

Senior security leadership without the full-time cost. We act as your CISO — in board meetings, in vendor reviews, in incident escalations, in compliance audits.

Security Roadmap

Annual security strategy aligned with your business objectives. Quarterly reviews, monthly adjustments. A roadmap that survives auditor scrutiny.

Risk Register Ownership

Living risk register maintained on your behalf. Severity-ranked, mitigation-tracked, treatment-justified. Ready for any ISO 27001 or SOC 2 audit.

Incident Response Leadership

When something happens, you call us. Tabletop exercises quarterly. Real incident playbooks. Coordinated response when it matters.

Policy & Compliance

Information security policy suite, acceptable use, vendor management, data classification — authored and maintained on a documented review cadence.

Board-Ready Reporting

Monthly security report for the leadership team and quarterly briefing for the board, written as plain-language summaries that a non-technical board can act on.

Vendor & Procurement Review

Security review of new vendor contracts, DPAs, data-sharing arrangements. We sign off on the security questionnaires your sales prospects send you, too.

How the vCISO retainer works

Security Posture Assessment

We start with a structured assessment of your current security posture: policies, controls, vendor landscape, compliance obligations, and prior incidents. Output is a prioritized gap list and a draft security roadmap.

Ongoing Retainer

Monthly: risk register review, policy maintenance, vendor security reviews, and a written report for your leadership team. Quarterly: board briefing and roadmap checkpoint. On-call: incident response leadership when needed.

Audit & Compliance Support

When your ISO 27001 or SOC 2 audit comes around, we represent your business in front of the auditor, coordinate evidence collection, and manage finding remediation. Most vCISO clients pair this retainer with our penetration testing and ISO/SOC 2 compliance services.

Pen testing without a strategy is just findings on a PDF

The vCISO retainer pairs naturally with our penetration testing service: pen testing identifies the technical vulnerabilities, and the vCISO retainer turns them into a prioritized remediation program, governance decisions, and audit evidence. Most clients run both as one engagement.

Bundled pricing: vCISO + monthly pen testing scans from one combined retainer — significantly cheaper than the €15k+/month all-in-one MDR services that bundle the same capabilities with a 24-month lock-in.

Frequently asked questions

What does a virtual CISO do?

A virtual CISO (vCISO) performs the same function as a full-time Chief Information Security Officer but on a retainer basis rather than as an employee. This includes: owning the information security strategy and roadmap; maintaining the risk register and security policies; leading incident response when breaches or security events occur; representing security in board meetings; overseeing compliance programs (ISO 27001, SOC 2, GDPR, NIS2); and reviewing vendor and supplier security arrangements.

How much do vCISO services cost?

Our vCISO retainer starts from €5,000 / month for companies up to ~150 people. Larger organizations with more complex compliance obligations or multi-jurisdiction operations are scoped individually. For context: a full-time CISO in Western Europe commands €180,000–€350,000 in total compensation. A vCISO delivers the strategic function at 10–20% of that cost.

What’s the difference between a vCISO and a managed security service (MSSP)?

A vCISO is a strategic leadership function: they own the security program, make decisions, and represent security at the executive level. An MSSP is an operational service: they monitor your environment and respond to alerts. The two are complementary. Most mature security programs need both — a vCISO to set direction and own governance, and operational tooling (SIEM, EDR, SOC) to execute on it.

Do startups need a vCISO?

Yes, if any of the following apply: you’re selling to enterprise buyers who send security questionnaires; you handle personal data subject to GDPR; you’re pursuing ISO 27001 or SOC 2 certification; you operate in a regulated industry (fintech, healthtech, legaltech); or you’ve raised institutional funding and investors expect a security posture. Startups are disproportionately targeted in phishing and supply-chain attacks because they typically have weak controls.

What’s included in the vCISO retainer?

Our standard retainer includes: initial security posture assessment; annual security strategy and roadmap; monthly risk register maintenance; monthly leadership security report; quarterly board briefing; ongoing policy authoring and review; vendor security reviews; security questionnaire completion for your sales team; and incident response leadership on-call. Penetration testing and ISO/SOC 2 preparation are available as bundled add-ons.

How quickly can you start?

We can begin a security posture assessment within two weeks of a signed engagement letter. The initial assessment takes 2–3 weeks; the full retainer begins immediately after. If you have an urgent compliance deadline or an active incident, contact us directly and we’ll expedite.

CISO-level guidance, retainer-priced

Tell us about your business and your compliance goals — we’ll come back with a tailored scope.
