11 min read · CisoDeck Team

How to Price Your vCISO Services (Models + Calculator)

Retainer, project-based, and value-based pricing for vCISO consultants — with formulas, tier templates, and real numbers you can use today.

The three main vCISO pricing models are retainer-based, project-based, and value-based — and most successful consultants use a hybrid of all three. This guide covers the mechanics of each model, how to calculate your rates, and how to package your services into tiers that clients understand and value.

If you are looking for the strategic thinking behind pricing decisions (when to raise rates, how to position against competitors), read our companion piece on vCISO pricing strategy. This article is the tactical playbook: formulas, examples, and templates you can use today.

Key takeaways

  • Start by calculating your minimum viable rate: target annual income / (available hours x utilization rate).
  • Retainer pricing ($5,000–$15,000/month) creates predictable revenue and is the most common model.
  • Value-based pricing anchors to client outcomes, not your time — highest margins but requires confidence.
  • Package services into 3 tiers (Foundation, Growth, Comprehensive) to simplify buyer decisions.
  • Review and adjust pricing every 6–12 months based on utilization, market rates, and delivery efficiency.

How to calculate your base rate

Before you can price any engagement, you need to know your floor. Here is the formula:

Minimum hourly rate formula

Target income / (Available hours x Utilization rate) = Minimum hourly rate

Let's work through an example:

  • Target annual income: $250,000
  • Available working hours: 2,080 (40 hours/week x 52 weeks)
  • Utilization rate: 65% (realistic for a solo consultant — the rest is sales, admin, and professional development)
  • Billable hours: 2,080 x 0.65 = 1,352
  • Minimum hourly rate: $250,000 / 1,352 = $185/hour

That is your floor. Now add overhead (insurance, tools, professional development, taxes as a self-employed individual) — typically 25–35% on top. That brings the example to roughly $240–$250/hour. This is why the market rate for experienced vCISOs starts at $200/hour — the math demands it.

The retainer model: predictable revenue

Monthly retainers are the backbone of most vCISO practices. You agree on a fixed monthly fee for a defined scope of services. Here is how to structure one:

Define the scope

A retainer should include a clear list of deliverables and a time allocation. Example scope for a $7,500/month retainer:

  • Up to 20 advisory hours per month
  • Quarterly security assessment (NIST CSF 2.0)
  • Ongoing risk register management
  • Quarterly board-ready cybersecurity report
  • Annual policy review and updates
  • Incident escalation support (best-effort response within 4 hours during business days)

Set the price

Convert your hourly rate into a monthly retainer using this approach:

Retainer pricing formula

(Hours/month x Hourly rate) x Retainer premium (1.1–1.2) = Monthly retainer

The 1.1–1.2x premium compensates for the availability and commitment you are providing. A client on retainer gets priority access and guaranteed capacity — that is worth more than ad-hoc hourly work.

Example: 20 hours x $300/hour x 1.15 = $6,900/month, which you would round to $7,000 or $7,500.

Project-based pricing: defined scope, fixed fee

Project-based pricing works for engagements with a clear start, end, and deliverable. You estimate the hours, apply your rate, and quote a fixed price.

Common project pricing examples

Project | Typical hours | Price range | Margin tip
--- | --- | --- | ---
Baseline security assessment | 30–50 hrs | $8,000–$15,000 | Templatize the report to reduce hours over time
SOC 2 readiness | 60–120 hrs | $15,000–$30,000 | Scope tightly — readiness, not the audit itself
Policy suite development | 20–40 hrs | $5,000–$12,000 | Use policy templates and customize per client
Incident response plan | 15–25 hrs | $4,000–$8,000 | Include a tabletop exercise to increase value
Vendor risk program setup | 25–40 hrs | $6,000–$12,000 | Reusable framework across clients

The key to project profitability: as you deliver the same type of project repeatedly, your hours drop but your price stays the same. Your effective hourly rate climbs. This is why efficient tooling matters — a platform that generates assessment reports and risk registers automatically turns a 40-hour project into a 20-hour project at the same price.

Value-based pricing: anchoring to outcomes

Value-based pricing sets the fee based on the value the client receives, not the time you spend. This is the highest-margin model but requires confidence and positioning.

The principle: if your security assessment prevents a breach that would cost the client $500,000, charging $15,000 for the assessment is a bargain. If your compliance program enables the client to close a $2M enterprise deal that required SOC 2, your $25,000 program paid for itself 80x over.

To use value-based pricing effectively:

  1. Quantify the risk or opportunity. What is the cost of the problem you are solving? Regulatory fines, breach costs, lost revenue from failed security reviews.
  2. Frame your fee as a fraction of the value. If the value to the client is $500K, charging $20K is 4% of the risk mitigated. That is an easy yes.
  3. Deliver with confidence. Value pricing requires professional deliverables. If your output looks like a spreadsheet, the perceived value drops. If it looks like a polished executive report, it reinforces the premium.

The hybrid model: how to package tiers

The most effective pricing structure combines all three models into tiered packages. This simplifies the buying decision and creates natural upsell paths. Here is a proven three-tier structure:

Tier 1: Foundation ($3,000–$5,000/month)

  • Annual baseline security assessment
  • Risk register setup and quarterly review
  • Core policy templates (information security, acceptable use, incident response)
  • Monthly 1-hour advisory call
  • Annual board-ready summary report

Tier 2: Growth ($6,000–$10,000/month)

  • Everything in Foundation, plus:
  • Quarterly assessments
  • Ongoing risk register management (monthly updates)
  • Quarterly board reports
  • Bi-weekly advisory calls
  • Vendor risk program management
  • Incident escalation support

Tier 3: Comprehensive ($10,000–$15,000/month)

  • Everything in Growth, plus:
  • Full compliance program management (SOC 2 / ISO 27001 / HIPAA)
  • Weekly advisory availability
  • Security awareness program oversight
  • Board meeting attendance (quarterly)
  • Dedicated incident response coordination
  • Monthly executive security briefing

Most clients will choose the middle tier, which is by design. The bottom tier anchors as “too basic,” the top tier anchors as “premium,” and the middle tier feels like the rational choice. Price the middle tier at your target rate.

When to add project-based add-ons

Retainer clients will occasionally need project work that falls outside the retainer scope. Price these as add-ons:

  • Compliance readiness sprints (SOC 2, ISO 27001): $10,000–$25,000 on top of retainer
  • Incident response surge: $300–$500/hour (premium over normal rate — urgency has value)
  • Tabletop exercises: $3,000–$6,000 per exercise
  • Security architecture review: $5,000–$10,000

Define these add-ons in your engagement letter so clients know the rates before they need the work. Surprises erode trust.

Reviewing and adjusting your pricing

Review your pricing every 6–12 months. The signals that it is time to adjust:

  • Utilization above 80%: You are turning away work. Raise rates on new clients.
  • Scope creep on retainers: If you are consistently exceeding the hours included, the retainer is mispriced. Restructure or raise the fee.
  • Improved tooling or efficiency: If a new platform cuts your delivery time by 30%, your effective rate just increased. You can either take the margin improvement or reinvest it by adding more deliverables at the same price.
  • Market movement: vCISO rates have trended up 5–8% annually as demand outpaces supply. Stay current.

For existing clients, give 60–90 days notice and frame rate adjustments as an investment in improved capabilities. Read our pricing strategy guide for more on the psychology of rate increases.

Frequently asked questions

What is the most common vCISO pricing model?

The monthly retainer is the most common model, typically ranging from $5,000 to $15,000/month. It provides predictable revenue for the consultant and predictable costs for the client.

How do I calculate my vCISO hourly rate?

Divide your target annual income by your available billable hours (total hours x utilization rate, typically 60–70%). Then add 25–35% for overhead (insurance, tools, taxes). Most experienced vCISOs land between $200 and $500/hour.

Should I use hourly or retainer pricing?

Use hourly for one-off projects or ad-hoc advisory. Use retainers for ongoing relationships. Retainers are better for building a sustainable practice because they create recurring revenue and deepen client relationships.

How many tiers should I offer?

Three tiers is the standard: a lightweight option, a core option (where you want most clients), and a comprehensive option. This creates anchoring effects that make the middle tier feel like the best value.

When should I raise my vCISO rates?

When your utilization exceeds 80%, when you have not raised rates in 12+ months, when you add credentials or specializations, or when your tooling significantly improves your delivery efficiency. Apply new rates to new clients immediately; give existing clients 60–90 days notice.

Soufiane Taoufik

Founder, CisoDeck

Former SOC analyst turned cybersecurity consultant. Built CisoDeck to give solo and boutique vCISOs the tooling they deserve — without enterprise complexity or pricing.
