Services
The right engagement for where your company is right now.
Whether you need to pass your first vendor questionnaire, get SOC 2 certified, or build a long-term security program — there is a fixed-scope engagement designed for that exact situation.
Not sure where to start? Book a free call
SOC 2 Gap Assessment
Find out exactly where you stand against SOC 2 Trust Service Criteria before you commit to a full audit — and get a prioritized roadmap to close every gap.
What you get
- Full TSC controls inventory review
- Gap analysis report (executive and technical)
- Prioritized remediation roadmap
- Auditor-readiness score
- 60-min debrief call with Giovanni
Best for
B2B SaaS companies with 50 to 200 employees that have received their first enterprise security questionnaire or are preparing to pursue SOC 2 Type I certification within 6 to 12 months.
Engagement details
- Duration: 2 to 3 weeks
- Fully remote delivery
- Fixed fee — no hourly billing
- Includes policy review
SOC 2 Readiness Program
End-to-end preparation for your SOC 2 Type I or Type II audit — from policy creation to evidence collection to auditor coordination.
What you get
- Full security policy library
- Control implementation guidance
- Evidence collection framework
- Vendor and risk management support
- Auditor selection guidance
- Pre-audit readiness review
Best for
SaaS companies that have completed a gap assessment and are ready to pursue SOC 2 certification. Ideal for teams without internal security staff to manage the process.
Engagement details
- Duration: 3 to 6 months
- Fully remote delivery
- Weekly check-ins included
- GRC platform setup optional
vCISO Retainer
Fractional Chief Information Security Officer services — ongoing security program leadership without the cost of a full-time hire.
What you get
- Ongoing security program oversight
- Vendor assessment responses
- Board and executive reporting
- Incident response planning
- Audit cycle management
- Monthly strategy sessions
Best for
Post-SOC 2 companies that need ongoing security leadership to maintain certification, respond to enterprise questionnaires, and build a mature security program over time.
Tier breakdown
- Essentials: $3,500 per month
- Growth: $5,500 per month
- Enterprise: $10,500 per month
FedRAMP Gap Assessment
Understand your readiness for federal cloud authorization before engaging a Third Party Assessment Organization (3PAO).
What you get
- NIST SP 800-53 control gap analysis
- FedRAMP boundary documentation review
- SSP readiness evaluation
- 3PAO engagement preparation guide
- Executive gap summary report
Best for
SaaS companies pursuing federal contracts that need to understand the gap between their current security posture and FedRAMP Low, Moderate, or High authorization requirements.
Engagement details
- Duration: 4 to 6 weeks
- Scoped by impact level
- Optional add-on: vCISO support through the FedRAMP process, $5,500–$7,500/month (billed separately)
HIPAA Gap Assessment
Identify gaps in your HIPAA Security Rule compliance before a covered entity partnership or regulatory audit puts them on the table.
What you get
- Security Rule controls review
- PHI data flow mapping
- BAA readiness evaluation
- Administrative, physical and technical safeguards gap report
- Remediation priority matrix
Best for
Health tech SaaS companies handling PHI that are preparing for a covered entity partnership, responding to a vendor questionnaire, or building toward a HIPAA-compliant infrastructure.
Engagement details
- Duration: 2 to 4 weeks
- Fully remote delivery
- Optional add-on: Fractional Privacy Officer for ongoing support, $3,500–$5,500/month (billed separately)
PCI DSS and GDPR
Gap assessments for payment card security and EU data protection compliance requirements.
PCI DSS includes
- Cardholder data environment scoping
- 12 requirements gap analysis
- SAQ readiness evaluation
- QSA engagement preparation
GDPR includes
- Data processing activities review
- DPIA readiness assessment
- Controller and processor obligations gap
- SOC 2 and GDPR bundle available
Pricing
- PCI DSS Gap — $8,000–$18,000. Scoped by cardholder data environment.
- GDPR Gap — $9,000–$18,000. Scoped by processing activities and data volume.
- SOC 2 + GDPR Bundle — from $16,500. One engagement, shared evidence, no duplicate work.
Not sure where to start?
Match your situation to the right service.
Most engagements start with a gap assessment. Here is a quick guide based on what is actually happening at your company right now.
“An enterprise prospect is asking for SOC 2.”
Start with the SOC 2 Gap Assessment. You will know within 3 weeks exactly what needs to happen before you can answer that questionnaire with confidence.
“We already have a gap report. Now what?”
Move directly to the SOC 2 Readiness Program. You have the map — now you need someone to run the process and get you to the audit finish line.
“We are SOC 2 certified but need ongoing support.”
The vCISO Retainer is built for this. Maintain your certification, respond to enterprise assessments, and build the program your clients expect to see.
“We are selling to the federal government.”
FedRAMP is a multi-year process. Start with a gap assessment to understand your current posture before engaging a 3PAO or a federal agency directly.
Let’s talk
Still not sure which service fits?
That is exactly what the free call is for.
Thirty minutes. No sales pitch. Giovanni reviews your situation and tells you exactly what you need to do next — even if it’s not one of these services, and even if it’s nothing at all right now. You’ll walk away knowing where you stand, what it will take, and what it’s worth. That’s true whether or not we ever work together.