vCISO Pricing Models: How to Price Your Services in 2026

There are three primary ways to price vCISO services: hourly billing ($200-$500/hr), monthly retainers ($5,000-$15,000/mo), and value-based pricing (flat fee tied to outcomes). The right model depends on your experience level, client type, and how you want to scale your practice. Most successful vCISO consultants use a combination, with retainers as the foundation and hourly or value-based pricing for project work.

Key takeaways

  • Retainers ($5K-$15K/mo) are the gold standard for ongoing vCISO engagements
  • Hourly ($200-$500/hr) works best for project-based and assessment work
  • Value-based pricing maximizes margins for experienced consultants
  • Better tooling directly increases your effective hourly rate
  • Raise rates 10-15% annually tied to expanded scope and demonstrated value
  • Package services into 2-3 tiers to simplify sales conversations

How do the three vCISO pricing models compare?

Each pricing model has trade-offs around revenue predictability, margin potential, and client fit. The table below summarizes the key differences to help you decide which models to use in your practice.

Model            | Typical Range            | When to Use                                              | Margin Potential
Hourly billing   | $200-$500/hr             | One-time assessments, gap analyses, advisory calls       | Moderate (capped by hours)
Monthly retainer | $5K-$15K/mo              | Ongoing vCISO engagements, security program management   | High (scales with efficiency)
Value-based      | $15K-$50K+ per project   | SOC 2 readiness, compliance programs, security builds    | Highest (rewards expertise)

How does hourly vCISO billing work?

Hourly billing is the simplest model: you track your time and invoice the client per hour. It works well for defined projects with clear start and end points. The main advantage is transparency. Clients know exactly what they are paying for, and you get compensated for every hour of work.

Pros

  • Simple to explain and implement
  • Low barrier to entry for new clients
  • Fair compensation for scope changes
  • No risk of underpricing a project

Cons

  • Income capped by available hours
  • Unpredictable revenue month to month
  • Penalizes efficiency (faster = less revenue)
  • Time-tracking overhead adds friction

Rate-setting guidance: Start by calculating your target annual income, dividing by billable hours (typically 1,200-1,500/yr for a solo consultant), and adding a 20-30% buffer for non-billable time. A consultant targeting $300,000/yr at 1,200 billable hours needs an effective rate of $250/hr.

How does the monthly retainer model work?

Monthly retainers are the foundation of most successful vCISO practices. The client pays a fixed monthly fee for a defined scope of work, typically including a set number of advisory hours, regular deliverables (assessments, reports, risk reviews), and availability for ad-hoc questions.

Pros

  • Predictable, recurring revenue
  • Rewards efficiency (same fee, less time)
  • Clients prefer budget predictability
  • Builds long-term client relationships

Cons

  • Risk of scope creep without clear boundaries
  • Harder to sell initially (bigger commitment)
  • Requires disciplined scope documentation
  • Some months you over-deliver, others under

Structuring a retainer: Define the scope in writing. A $10,000/mo retainer might include 20 advisory hours, monthly risk register updates, a quarterly board report, and an annual assessment refresh. Anything outside that scope is billed separately or triggers a retainer increase. Always include a 60-day termination clause to protect both parties.

What is value-based pricing for vCISO services?

Value-based pricing ties your fee to the outcome delivered, not the time invested. Instead of billing $300/hr for SOC 2 readiness, you charge a flat $25,000-$40,000 for the entire project. If your efficiency and tooling let you deliver in half the expected hours, your effective rate doubles.

Pros

  • Highest margin potential
  • Directly rewards expertise and efficiency
  • Clients focus on outcomes, not hours
  • No time tracking required

Cons

  • Requires experience to scope accurately
  • Risk of loss on underestimated projects
  • Harder to adjust if scope changes
  • Some clients are skeptical of flat fees

Example: A SOC 2 readiness project that would take 80 hours at $300/hr ($24,000 hourly) can be priced at $30,000 flat. If your tooling and templates reduce delivery to 50 hours, your effective rate is $600/hr. This is where platforms like CisoDeck pay for themselves many times over.

How do you raise vCISO rates without losing clients?

Raising rates is essential for long-term practice sustainability, but it requires strategy. Consultants who never raise rates eventually find themselves underpriced and overworked. Here is how to do it effectively.

Raise rates on new clients first

Every new client should be quoted at your current market rate. If you have been charging $8,000/mo and your market rate is now $10,000/mo, new clients get the new rate immediately. This is the easiest way to increase average revenue without any difficult conversations.

Tie increases to expanded scope

Instead of a pure rate increase, add new deliverables and raise the price accordingly. If the client wants vendor risk management or incident response planning, propose an expanded retainer at a higher rate. This frames the increase as more value, not just more cost.

Give advance notice

Provide 60-90 days notice before any rate change. Frame it professionally: reference market rates, the value you have delivered, and any expanded capabilities. A 10-15% annual increase is standard in consulting and rarely triggers client departures when communicated properly.

Document your impact

Before raising rates, prepare a summary of what you have delivered: risks mitigated, compliance milestones achieved, board reports delivered, incidents handled. Concrete evidence of value makes rate discussions much easier. Clients who see clear ROI rarely push back on reasonable increases.

How does tooling affect your vCISO margins?

Your effective hourly rate is determined by two things: what you charge and how long delivery takes. You can raise rates (limited by market tolerance) or reduce delivery time (limited only by your tools and processes). Tooling is the highest-leverage way to improve margins.

Consider a consultant on a $10,000/mo retainer who spends 40 hours per month on that client. The effective rate is $250/hr. If a platform like CisoDeck reduces assessment, risk management, and reporting time by 15 hours per month, the same retainer now yields an effective rate of $400/hr. That is a 60% margin improvement for $49-$299/mo in platform costs.

Where time savings compound

Assessment delivery

Pre-built NIST CSF 2.0, SOC 2, ISO 27001, and Cyber Essentials assessments eliminate 4-8 hours of template creation per client.

Risk register management

Auto-generated risks from assessment results save 3-5 hours of manual risk identification and documentation per assessment cycle.

Board reporting

One-click PDF report generation replaces 2-4 hours of manual report formatting per client per quarter.

Multi-client operations

Centralized workspaces eliminate context-switching and file management overhead across your entire practice.

CisoDeck starts at $49/mo for up to 5 clients, $129/mo for 15 clients, and $299/mo for unlimited clients. At those price points, the platform pays for itself if it saves even 1-2 hours per month.

How should you package vCISO services into tiers?

Tiered pricing simplifies the sales conversation and gives clients a natural upgrade path. Instead of negotiating custom scope for every engagement, you present 2-3 predefined packages and let the client choose.

Tier       | Example Price  | Includes                                                                        | Best For
Advisory   | $5K-$7K/mo     | Monthly advisory calls, quarterly risk review, annual assessment                | Small orgs with basic needs
Program    | $8K-$12K/mo    | Everything in Advisory + board reports, policy management, vendor oversight     | Mid-market, compliance-driven
Enterprise | $12K-$18K/mo   | Everything in Program + incident response, security training, audit support    | Regulated industries, complex orgs

Most clients gravitate to the middle tier, which is exactly what you want. The advisory tier serves as a foot-in-the-door offer, and the enterprise tier anchors the mid-tier price as reasonable. This is the classic three-tier pricing psychology applied to consulting.

What pricing mistakes should vCISOs avoid?

Pricing mistakes are the fastest way to build an unsustainable practice. These are the most common errors consultants make when pricing vCISO services.

Pricing based on time instead of value

If you become more efficient, hourly billing punishes you with lower revenue. Always consider what the outcome is worth to the client, not just how long it takes you. A SOC 2 certification that unlocks $500,000 in enterprise deals is worth more than 80 hours at your hourly rate.

Not defining scope clearly

Vague scope leads to scope creep, which leads to resentment and burnout. Every retainer should have a written scope of work that lists specific deliverables, meeting cadence, and response time expectations. Anything outside the scope requires a change order.

Competing on price

Undercutting competitors to win deals attracts price-sensitive clients who will leave for a cheaper option. Compete on expertise, specialization, and quality of deliverables. If a prospect chooses a cheaper vCISO, they were not your ideal client.

Not investing in tooling

Spending $49-$299/mo on a platform that saves 10-20 hours per month is the highest-ROI investment in your practice. Every hour of manual work you automate is an hour you can spend on additional billable work or reclaim as personal time.

Frequently asked questions

What is the most common vCISO pricing model?

Monthly retainers are the most common pricing model for ongoing vCISO engagements. They provide predictable revenue for the consultant and predictable costs for the client. Most retainers range from $5,000 to $15,000 per month depending on scope and complexity.

How much should I charge as a new vCISO?

New vCISOs with 8-10 years of experience and a CISSP typically start at $175-$250 per hour or $5,000-$7,000 per month retainers. Avoid underpricing your services. Instead, start with a narrower scope and expand as you demonstrate value. Even at the lower end, your rates should reflect the strategic nature of the work.

When should I use value-based pricing?

Use value-based pricing when the deliverable has a clear, quantifiable outcome, such as achieving SOC 2 certification, passing a specific audit, or completing a security program build. You need enough experience to scope accurately, as underestimating effort erodes your margin. Value-based pricing rewards efficiency and expertise.

How do I raise my vCISO rates without losing clients?

Raise rates incrementally (10-15% per year) tied to expanded scope or demonstrated outcomes. Give 60-90 days notice and frame the increase around the value you have delivered. New clients should always be quoted at your current rate. Most clients expect annual increases and will not leave over a reasonable adjustment.

Should I charge per client or per hour?

Per-client retainers are generally better than hourly billing for both parties. They create predictable revenue, eliminate time-tracking overhead, and incentivize efficiency. Hourly billing works for project work (assessments, gap analyses) but creates an income ceiling for ongoing engagements.

How does tooling affect vCISO margins?

Purpose-built platforms like CisoDeck reduce delivery time by 30-50% by automating assessments, risk registers, and report generation. If your retainer is $10,000/mo and you reduce delivery from 40 hours to 25 hours, your effective hourly rate jumps from $250 to $400. Better tooling directly translates to higher margins.

What should a vCISO retainer include?

A typical retainer includes monthly security advisory hours, quarterly assessments or risk reviews, board-ready reports, policy updates, and incident response guidance. Define deliverables clearly in the scope of work to avoid scope creep. Some consultants also include a set number of ad-hoc advisory calls per month.

How do I package vCISO services into tiers?

Create 2-3 service tiers based on scope depth. A basic tier might include monthly advisory and quarterly reviews. A mid tier adds assessments, risk management, and board reports. A premium tier adds vendor risk management, policy development, and incident response planning. Tiered pricing lets clients self-select and makes upselling natural.
