What are the pricing options for vCISO service tiers?
Cynomi outlines three main vCISO service tiers, each with distinct pricing models:
Basic (Governance, Risk & Advisory): $1,500 to $8,000 per month. Suitable for companies with fewer than 1,000 employees in non-regulated industries.
Intermediate (Governance, Risk, Advisory & Compliance): $4,000 to $10,000 per month. Designed for regulated companies with 500-3,000 employees.
Advanced (Fractional CISO): Project-based or retainer, varies widely. Example: 6-month contract = $100,000. Typically for regulated companies with 3,000+ employees.
Yes, Cynomi provides API-level access for extended functionality and custom integrations. For documentation, contact Cynomi or refer to their support team. Source: manual
What technical documentation is available for Cynomi?
Cynomi is purpose-built to enable MSPs, MSSPs, and vCISOs to deliver scalable, consistent, and high-impact cybersecurity services without increasing headcount. It automates time-consuming tasks and embeds expert-level processes to simplify complex cybersecurity operations. Source: manual
How does Cynomi support product security and compliance?
Cynomi automates up to 80% of manual processes, supports compliance readiness across 30+ frameworks, and prioritizes security over mere compliance. It provides branded, exportable reports and embeds CISO-level expertise for robust protection and transparency. Source: Unknown
What feedback have customers given about Cynomi's ease of use?
Customers consistently praise Cynomi's intuitive and well-organized interface. For example, James Oliverio (ideaBOX) said: "Assessing a customer’s cyber risk posture is effortless with Cynomi. The platform’s intuitive Canvas and ‘paint-by-numbers’ process make it easy to uncover vulnerabilities and build a clear, actionable plan." Steve Bowman (Model Technology Solutions) noted that ramp-up time for new team members dropped from four or five months to just one month. Cynomi is highlighted as more user-friendly than competitors like Apptega and Secureframe. Source: Customer Feedback
Competition & Comparison
How does Cynomi compare to competitors like Apptega, ControlMap, Vanta, Secureframe, Drata, and RealCISO?
Cynomi is purpose-built for MSPs, MSSPs, and vCISOs, while competitors often target in-house teams or require more user expertise. Key differences:
Apptega: Cynomi embeds CISO-level expertise and supports 30+ frameworks; Apptega requires more manual setup and has limited framework support.
ControlMap: Cynomi automates up to 80% of manual processes; ControlMap requires moderate to high expertise and more manual setup.
Vanta: Cynomi offers multitenant management and broader framework support; Vanta is direct-to-business focused and less flexible.
Secureframe: Cynomi prioritizes security and provides step-by-step recommendations; Secureframe is compliance-first and requires significant expertise.
Drata: Cynomi offers rapid setup and embedded expertise; Drata is premium-priced and onboarding can take up to two months.
RealCISO: Cynomi provides actionable reports, automation, and multitenant management; RealCISO has limited scope and lacks scanning capabilities.
Source: Cynomi_vs_Competitors_v5.docx, manual
What features make Cynomi stand out from competitors?
Cynomi differentiates itself with:
AI-driven automation (up to 80% of manual processes)
Scalability for MSPs/MSSPs/vCISOs
Compliance readiness across 30+ frameworks
Embedded CISO-level expertise
Enhanced, branded reporting
Security-first design
Centralized multitenant management
Competitors often require more manual setup, have limited framework support, or target in-house teams. Source: Cynomi_Platform_Documentation_QA.txt
Support & Implementation
What customer service and support does Cynomi offer after purchase?
Cynomi provides:
Guided onboarding for initial setup and integration.
Dedicated account management for ongoing support and upgrades.
Comprehensive training resources for platform familiarity and troubleshooting.
Prompt customer support during business hours (Monday-Friday, 9am-5pm EST, excluding U.S. National Holidays).
Source: manual
How does Cynomi handle maintenance, upgrades, and troubleshooting?
Cynomi offers structured onboarding, dedicated account management, training resources, and prompt customer support to ensure smooth maintenance, upgrades, and troubleshooting. Support is available during business hours. Source: manual
“MSPs are leaving money on the table. MSPs are missing out on revenue by assuming they need to offer comprehensive security and compliance services right away. Instead, they can start with a simpler, basic offering as a first step.”
– William Birchett, Founder of The vCISO Network & President of Logo Systems
Recap from Introduction to vCISO Services: Why Service Providers want to Offer vCISO Services
vCISO services are especially attractive to MSPs and MSSPs as they address a growing need from their clients for proactive cyber resilience and compliance management while offering the potential to grow recurring revenues.
The primary benefits for clients include:
Enhanced security: Continuous improvement and effective mitigation of cyber risks.
Cost efficiency: Accessing high-level expertise without the cost of a full-time executive.
Flexibility: Tailoring services to meet the organization’s specific needs and scaling up or down as required.
Access to expertise: Leveraging the experience of seasoned professionals who have worked across multiple industries.
Quick implementation: Rapidly deploying security strategies and responses to emerging threats.
The primary benefits of offering vCISO services include:
Additional revenue streams
Opportunity to upsell more products and services to existing clients
Increased profit margins (one person managing multiple clients)
Improved client security
Greater differentiation from competition
Enhanced client engagement and loyalty: Many providers of vCISO services report that these services deepen client intimacy, giving them direct contact with clients’ top management.
Where to Begin: What to Offer and to Whom
You’ve decided to offer vCISO services—great! The next step is structuring them. This chapter explores the tiers of vCISO offerings (more details below). By using the following assessment, you’ll be able to identify which services to provide and to whom, and then the three tiers will take you through the specifics of what to offer in each service level. Let’s dive in.
There are two main pathways to offering vCISO Services:
Upsell to your existing clients
Expand to new clients
It may be effective to focus on existing clients first, since an established relationship already exists along with a clear understanding of their business needs. Follow these six steps to prioritize which clients to approach first.
Considerations to help structure your vCISO Offerings
1. Assess current offerings
Determine if you are already providing any form of vCISO services. Many MSPs and MSSPs offer partial vCISO solutions that can be expanded into comprehensive vCISO services.
2. Group clients by industry vertical
Group your clients based on their industry or vertical. This helps to understand common needs, compliance requirements, and potential security gaps within specific sectors.
3. Understand compliance requirements
Identify the compliance requirements for each industry. Clients in highly regulated industries like healthcare, finance, or government contractors will likely need more advanced security and compliance services.
4. Evaluate client size and security needs
Assess the size of your clients (e.g., number of employees) and their in-house capabilities. Smaller clients without dedicated security teams are prime candidates for basic vCISO services, while larger clients may need more comprehensive or fractional CISO services.
5. Prioritize high-potential clients
Focus on clients who have the most to gain from enhanced security services.
6. Develop a strategic upsell plan
Create tailored proposals that highlight the benefits of vCISO services, addressing specific client pain points and objectives.
You can take the below assessment to see where you are:
Do you currently manage your clients’ security?
Do you offer risk assessment or manage risk over time?
Do you support clients with compliance readiness?
Do you set a security strategy or write internal security policies?
Do you generate remediation plans?
Do you generate incident response plans?
Do you offer security awareness and training?
Do you communicate the security status to your clients’ management?
If you answered “yes” to four or more of these questions, you can most likely bundle your existing offering as a vCISO package. You may be closer to a vCISO offering than you think.
By leveraging your existing relationships, vCISO services can efficiently meet previously unmet needs, allowing you to grow your revenue through targeted upselling. This approach enables you to maximize the potential of your current clients before focusing on attracting new clients.
3 Levels of vCISO offerings
After identifying which of your existing clients are well-suited for vCISO services, you can review which vCISO offering is a good fit for them.
There are three main types of vCISO offerings:
Basic: Governance, Risk & Advisory
Intermediate: Governance, Risk, Advisory & Compliance
Advanced: Fractional CISO
Approximately 90% of MSPs fall into the first two categories of vCISO services. The third category, however, is built on relationships and trust: the client must have strong confidence in the MSP or MSSP, so demand for it depends largely on the service provider’s reputation.
Many MSPs are unaware that there is a basic tier for vCISO services. They often invest in Governance, Risk and Compliance (GRC) tools and manage compliance but overlook security management. By not highlighting this capability, they miss out on potential opportunities. It’s important to understand that service providers can offer vCISO services without needing a compliance tracking tool.
Here’s a brief summary of the three service tiers and the types of clients they’re best suited for:
Level of effort, cost, expertise
Basic: Governance, Risk & Advisory
Intermediate: Governance, Risk, Advisory & Compliance
Advanced: Fractional CISO

Knowledge level
Basic: Strategic only (clients are usually not very strategic)
Intermediate: Strategic and tactical
Advanced: Higher level of strategic and tactical

Demand
Basic and Intermediate: 90% of SMBs will fall into these two buckets
Advanced: 5% of SMBs

Who is it for?
Basic: Companies with fewer than 1,000 employees in non-regulated industries
Intermediate: Regulated companies with 500-3,000 employees
Advanced: Regulated companies with 3,000+ employees

Industries
Basic: All industries except government contractors, healthcare, finance, and critical infrastructure
Intermediate: All industries, except organizations with complex compliance requirements
Advanced: All industries, including government contractors, healthcare, finance, and critical infrastructure

Pricing
Basic: $1,500 to $8,000 per month
Intermediate: $4,000 to $10,000 per month
Advanced: Project based or retainer, varies widely (example: 6-month contract = $100k). More lucrative because you are dealing with larger companies; you will be working with the board and/or the company CISO.

Liability
Basic: Low risk
Intermediate: Medium risk, requires professional insurance
Advanced: Medium risk, requires professional insurance

Ratio of vCISO to clients
Basic: 1:30 (one vCISO for up to 30 clients)
Intermediate: 1:10 (one vCISO for up to 10 clients)
Advanced: 1:2 (one vCISO for up to 2 clients)

vCISO engagement team size
Basic: 1 person (one vCISO)
Intermediate: 2 people (one vCISO plus an additional team member such as an analyst or project manager)
Advanced: Ranges from one person to an entire team, varies by scope

Client security/IT makeup
Basic: IT handled by the MSP/MSSP; security handled by the vCISO
Intermediate: IT in-house or handled by the MSP/MSSP; security handled by the vCISO
Advanced: IT in-house; security in-house

Benefits to the vCISO
Basic: Timeline: more immediate ROI, can start working quickly. Differentiation: low, more of a commodity. Profitability: high rate of return. Efficiency: one person can manage multiple clients efficiently. Client retention: increased client loyalty. Upselling opportunities: initial IT assessments can uncover sensitive data and highlight the potential financial impact of data breaches, which can be used to sell higher-tier services.
Intermediate: Timeline: long term, strategic advantage to specialization. Differentiation: high if you specialize. Profitability: higher rate of return if you specialize in an industry vertical. Efficient operations: more efficient the more you specialize. Client retention: higher client loyalty. Upselling opportunities: initial IT assessments can uncover sensitive data and highlight the potential financial impact of data breaches, which can be used to sell higher-tier services.
Advanced: Timeline: long term, relationship-based engagements. Differentiation: very high, less competition when you work with bigger companies. Profitability: higher-value contracts. Type of work: more challenging, interesting work. Efficient operations: low efficiency.

Challenges for the vCISO
Basic: Scope creep (limit the scope unless the client moves to a higher-value contract). Differentiation (this service is more of a commodity, so it is difficult to stand out from the competition).
Intermediate: Scope creep (ensure you are only advising, not performing the security work or making the decisions yourself, which could also create liability issues). Potential knowledge gaps with new regulations. Balancing customization with efficiency.
Advanced: Must be delivered by a CISO or senior security professional (an experienced vCISO). Not efficient.
Suggested reading:
To learn more about how to scale your vCISO revenue, check out Jesse Miller’s PowerGRYD vCISO System and build a vCISO program capable of growing to 7 figures and beyond. Cynomi partners get $250/month off for the first 12 months.
MSPs can start with basic vCISO services rather than comprehensive offerings. Begin with simple, strategic security services and gradually upsell to existing clients, identifying those already receiving partial vCISO solutions that can be expanded.
Assess and segment clients:
Group clients by industry verticals to understand common needs and compliance requirements. Evaluate client size and security needs to prioritize high-potential clients for upselling strategic security services.
Build your offering in tiers:
Understand the three main service buckets for vCISO offerings: Basic (Governance, Risk & Advisory), Intermediate (Governance, Risk, Advisory & Compliance), and Advanced (Fractional CISO). 90% of MSPs will fall into the first two categories.
Weigh immediate and long-term benefits:
Understand the immediate and long-term benefits of each tier. For example, basic services offer a high rate of return and efficient client management, while intermediate services can provide higher rates of return over time, but are less efficient in the short term.
Address challenges and optimize operations:
Be aware of potential challenges such as scope creep and knowledge gaps with new regulations. Ensure a clear distinction between advisory roles and actual security implementation to avoid liability issues. Specializing in industry verticals can lead to higher returns and more efficient operations over time.