
How MSPs price vCISO services in 2026. Common pricing models, typical rate ranges, tiered packaging, and how to justify advisory-level fees to clients who have never paid for security leadership before.
The market has moved fast. 67% of MSPs and MSSPs now offer vCISO services, up from 21% in 2024, and the competitive dynamics around pricing are shifting with it. A full-time CISO costs $250,000–$350,000+ fully loaded, which is the number that frames every vCISO pricing conversation. Your clients can’t afford that hire. What they can afford is a fraction of it, delivered through your practice.
How MSPs Price vCISO Services Today
There are three pricing models in common use, and most mature practices use a hybrid. The model you choose depends on how standardized your delivery is and where your clients sit in terms of maturity.
Per-client monthly retainer
The most common model for MSPs delivering vCISO as a managed service. A flat monthly fee per client covers the agreed scope of work: assessments, remediation planning, policy management, and executive reporting on a defined cadence.
Typical ranges for SMB clients (50–500 employees):
| Service Tier | What It Includes | Monthly Range |
|---|---|---|
| Core security advisory | Annual assessment, quarterly reviews, basic policy set, executive summary | $1,000–$1,500/month |
| Full vCISO program | Continuous posture tracking, multi-framework compliance, risk register, remediation roadmaps, QBR-ready reporting | $2,000–$3,500/month |
| Strategic advisory | Everything above plus board-level reporting, BIA/BCP, vendor risk management, incident response planning | $3,500–$5,000/month |
These ranges come from what partners report in the market. vCISO costs vary significantly by region, client size, and the depth of your engagement, but the per-client retainer model is where most MSPs land because it creates predictable MRR on both sides.
Hourly or project-based
Some practices charge hourly for specific advisory work: incident response consulting, board presentations, compliance gap assessments, or vendor risk evaluations. Rates range from $150 to $300/hour, depending on the complexity of the work and the seniority of the person delivering it.
The challenge with hourly billing is that it doesn’t scale well and anchors the client’s perception of value to time spent rather than to outcomes delivered. Partners who start hourly often transition to retainers once they have enough clients to standardize delivery. The hourly model works best as a complement to a retainer, covering out-of-scope requests that come up between regular engagements.
Tiered packaging
Tiered pricing structures the decision for the client. Instead of negotiating scope and price from scratch for every engagement, you present three packages and let the client choose based on their needs and budget.
The tiering principle is simple: each tier adds capability that justifies a higher price. Core clients get security visibility and a baseline program. Growth clients get compliance coverage and ongoing remediation. Premium clients get strategic advisory, vendor risk, and executive reporting that supports board conversations.
Among partners, 40% report increased margins from vCISO services and 36% report increased revenue. The margin improvement comes from standardizing delivery so the labor cost per client decreases as you add accounts, while the revenue improvement comes from tiered pricing that expands scope within existing relationships.
Justifying the Price to Clients Who Have Never Paid for Security Advisory
The pricing conversation is easier when the client already understands the value of security leadership. For the 64% of SMBs operating without any CISO, this is often their first time paying for security advisory as a distinct service. The conversation requires different framing than selling managed IT.
Frame against the alternative, not the cost
A client hearing “$2,500/month for vCISO services” processes that as a new line item. The same client hearing “a fractional CISO as a Service at 10% of what a full-time hire costs” processes it as a bargain. The full-time CISO comparison ($250K–$350K+) is the anchor that makes your pricing look rational.
Lead with what they already spend on consequences
Many SMB clients don’t track what security gaps cost them. But they can estimate: the compliance audit they failed ($50K+ in remediation), the cyber insurance premium that jumped 25% at renewal, the client they lost because they couldn’t demonstrate a security program. These costs are real and recurring. Your vCISO service is the alternative to continuing to absorb them.
Show the service tier, not the price list
Don’t present pricing as a menu of line items. Present it as three tiers with clear outcomes at each level. The client chooses the outcome they need, and the price follows. “You need compliance readiness and quarterly executive reporting. That’s our Growth tier, and it runs $2,500/month.” The price is attached to a result, not a list of activities.
Use the assessment as the entry point
The assessment is the lowest-commitment way to demonstrate value. Run a security posture assessment, present findings to leadership, and let the data make the case for ongoing services. Over 50% of assessment clients convert to vCISO engagements, and the conversion rate is higher when the assessment surfaces specific, actionable risks the client didn’t know about.
What Drives Price Variation
Several factors push pricing up or down. Being explicit about these with clients builds trust and helps them understand why their neighbor’s MSP might quote differently.
Client size. A 50-person company with straightforward IT has a simpler risk surface than a 400-person company with multiple locations, cloud environments, and regulatory exposure. Assessment scope scales with complexity.
Regulatory requirements. A client who needs HIPAA, SOC 2, or CMMC compliance adds framework-specific assessment, policy alignment, and evidence management to the engagement. Multi-framework clients command higher fees because the deliverable surface is larger.
Engagement depth. Basic security advisory (assessment, remediation plan, quarterly reviews) costs less than strategic vCISO services that include board reporting, business continuity planning, vendor risk management, and incident response planning.
Your delivery efficiency. This is the variable you control. Partners who standardize methodology report a 70% reduction in assessment workload. At that efficiency level, a $2,500/month client generates significantly better margins than the same engagement delivered manually. The platform investment pays for itself through delivery economics, not pricing increases.
The MRR Math
What vCISO pricing looks like across a growing practice:
| Clients | Avg Tier | Monthly MRR | Annual Revenue |
|---|---|---|---|
| 5 | Core ($1,250) | $6,250 | $75,000 |
| 10 | Mixed ($2,000) | $20,000 | $240,000 |
| 20 | Mixed ($2,250) | $45,000 | $540,000 |
| 30 | Mixed ($2,500) | $75,000 | $900,000 |
These numbers are incremental to existing managed IT revenue. The vCISO practice generates its own MRR stream, and because the delivery economics improve with standardized methodology, margins improve as client count grows rather than staying flat.
Common Pricing Mistakes
Starting too low. $500/month positions security advisory as a commodity. Clients who pay commodity prices expect commodity service and churn when something cheaper appears. Start at $1,500 minimum and let the assessment results justify the investment.
Billing hourly when you should bill monthly. Hourly billing caps your revenue at the hours you can deliver. Monthly billing creates predictable MRR and incentivizes efficiency. The faster you deliver, the better your margins. Hourly billing penalizes efficiency.
Not tiering. A single pricing option forces every client into the same conversation. Three tiers give clients a choice and naturally anchor the middle option as the default. Most clients choose the middle tier when presented with three options.
Discounting to win. Discounting sets a precedent that’s difficult to reverse. If the client can’t afford the service at your standard rate, they may not be ready for it. Better to start with a smaller scope at a lower tier than to discount a full engagement.
Ignoring platform economics. 81% of vCISO providers already use AI and automation, with a 68% average workload reduction. If you’re pricing based on manual delivery costs but delivering with automation, you’re either undercharging or not capturing the margin improvement your tools create.
Reviewing and Adjusting Pricing
vCISO pricing isn’t set once. Review annually, or whenever your delivery model changes significantly.
Triggers for a pricing review: you’ve added a new capability (vendor risk, BIA/BCP), you’ve automated a previously manual process, your client base has shifted in size or complexity, or your competitors have changed their pricing. The goal is alignment between the value you deliver, the cost to deliver it, and what the market will bear.
For MSPs building or scaling a vCISO practice, platforms like Cynomi provide the delivery efficiency that makes advisory-level pricing sustainable. When assessments, policies, risk registers, and executive reports are generated from a single platform, the margin per client improves with every new engagement.