Pricing Built for How You Actually Work
Three engagement models — from a fixed-scope assessment to an embedded fractional CISO. Pick the one that fits the stage your organization is in.
Security Assessment
A focused, time-boxed engagement to surface where your organization actually stands against HIPAA, HITECH, and modern threat actors.
- HIPAA Security Rule gap analysis
- External network vulnerability scan
- Risk register with prioritized findings
- Executive readout & technical report
- 2 weeks of follow-up Q&A
Fractional CISO
A senior security leader embedded in your organization — owning the program, driving compliance, and standing in for a full-time CISO at a fraction of the cost.
- Dedicated CISO contact, weekly cadence
- HIPAA, SOC 2, or HITRUST roadmap
- Policy authoring & evidence collection
- Vendor & BAA risk review
- Board & audit support
- One annual pentest included
Enterprise Retainer
For hospital systems, payers, and health-tech companies running multiple workstreams that need a partner across compliance, offensive testing, and incident readiness.
- Multi-team coverage (CISO + pentest)
- Quarterly red-team simulations
- 24/7 incident response on retainer
- Multi-framework compliance (HIPAA + SOC 2 + ISO)
- Tailored SLAs & on-site support
What's Included
| Capability | Assessment | Fractional CISO | Enterprise |
|---|---|---|---|
| HIPAA gap analysis | ✓ | ✓ | ✓ |
| External vulnerability scan | ✓ | ✓ | ✓ |
| Internal pentest | — | Annual | Quarterly |
| Web application testing | Add-on | Annual | Continuous |
| Policy authoring | — | ✓ | ✓ |
| BAA & vendor review | — | ✓ | ✓ |
| Audit & board support | — | ✓ | ✓ |
| Incident response retainer | — | Add-on | 24/7 included |
| Multi-framework (SOC 2 / ISO) | — | One framework | Multiple |
| Dedicated point of contact | Project lead | Named CISO | Named CISO + team |
Common Questions
How is the final price determined?
Final pricing depends on environment size, scope of testing, frameworks in scope, and the cadence you need. After a free 30-minute scoping call we send a fixed-fee statement of work — no hourly billing surprises.
Do you require a long-term contract?
Fractional CISO retainers are typically quarterly with a 30-day exit clause. Assessment engagements are one-time projects. Enterprise retainers are scoped per relationship.
Can you bill against a security budget that's already allocated?
Yes. We frequently work inside an existing security or compliance budget line. Many clients fund our work from their HIPAA risk-analysis budget or insurance-required pentest line item.
Do you serve organizations outside healthcare?
Our specialty is healthcare and health-adjacent companies (payers, device makers, health tech SaaS), but we also serve professional services firms with strict compliance obligations.
Do you offer a free initial assessment?
Yes. The first scoping call and a high-level external posture review are free. No obligation, no sales pressure.