IOmergent / A Buyer's Guide to vCISO Models / 2026

The vCISO market, mapped as business models.

There are dozens of virtual and fractional CISO providers, but only five business models underneath them. This guide maps each one on the Business Model Canvas, then groups them by economics and plots them on a single map. The goal is simple: help you see how the models actually differ, what each is good at, and the trade-offs that come with it, so you can choose the fit for your stage.

01. The five vCISO business models

Each model below is shown on the Business Model Canvas: the nine building blocks of how that type of provider operates. The rail underneath shows the economics that shape what you pay for, what you can expect, and what to watch for. The value proposition block is highlighted, because that is where these models differ most.

Solo / Independent Practitioner

The core idea: One named senior expert, working directly with you. The trust is hard to beat; the limit is that one person only has so many hours.
Value Propositions
  • Direct access to one named senior leader
  • High trust, founder-to-founder
  • Far cheaper than a full-time hire
  • You get the expert, not a junior
Key Partners
  • A handful of auditors and pentest contacts
  • Compliance platforms (referral)
  • Tool vendors for hand-offs
Key Activities
  • Doing the work personally
  • Advisory, policy writing
  • Audit and SOC 2 prep
  • Board reporting
Key Resources
  • The individual's reputation
  • Decades of experience
  • Personal network
  • CISSP / CISM credentials
Customer Relationships
  • Deeply personal, high touch
  • An advisor, not a vendor
Channels
  • Personal network and referrals
  • LinkedIn and conference relationships
Customer Segments
  • SMB and early-stage startups (under 100)
  • First-time security buyers
  • One or two clients at a time
Cost Structure
  • Very low. The provider's own time, a few tool subscriptions, and insurance. Most of the cost is simply their available hours.
Revenue Streams
  • Monthly retainer $3K-$10K (10-40 hrs)
  • Project fees (readiness, assessments)
How it scales
None. Capped by hours.
Defensibility
Personal trust
Typical annual cost
$36K-$120K / yr
What to watch for
One person is a single point of failure, with no built-in backup
Examples: Independent ex-CISOs, one-person firms, specialist consultants
02. How the vCISO models compare

The five models sort along one line: how far the service is decoupled from human hours. The further right, the more it behaves like software, which usually means lower cost per unit but a lighter personal relationship. The further left, the more you are buying a specific person's time and judgment. Neither end is better. They fit different stages.

Comparison of the five vCISO and fractional CISO business models by scalability, defensibility, typical annual cost, what you pay for, and main trade-off.

| Model | How it scales | Defensibility | Typical annual cost | What you pay for | Main trade-off |
|---|---|---|---|---|---|
| Solo practitioner | None | Personal trust | $36K-$120K / yr | One senior person's time, on retainer | One person is a single point of failure, with no built-in backup |
| vCISO-first boutique | Linear | Method, brand, and bench | $60K-$250K / yr | A tiered retainer for a team and a method | Quality depends on which senior you get and their availability |
| Scaled productized firm | Mixed | Brand plus owned product | $80K-$400K+ / yr | A retainer plus an optional software subscription | Running a service and a product at once can split focus |
| MSSP-integrated | High | Data, telemetry, switching cost | $150K-$1M+ / yr | A managed-operations contract with advisory included | Advisory can be lighter than the operations beneath it; check seniority |
| Enterprise / GSI | High | Brand, clearances, relationships | $250K-multi-$M | Project and day-rate engagements | Built for large engagements; smaller firms can be overpriced or underserved |
03. Where each vCISO model fits

Two axes matter when you are choosing: how the work is delivered (senior humans vs. product and automation) and who it is built for (volume SMB vs. bespoke enterprise). Where a provider sits tells you a lot about what working with them will feel like.

[Figure: vCISO business model positioning map. Horizontal axis (delivery model): people-led delivery on the left, product / automation-led on the right. Vertical axis (market focus): SMB / volume to enterprise / bespoke. Solo practitioners (independent ex-CISOs) and vCISO-first boutiques (fractional CISOs) are people-led and serve SMB to mid-market. Enterprise consulting / GSI firms (Optiv, Coalfire, Deloitte, IBM) are people-led and serve large enterprise. MSSP-integrated providers (Rapid7, SecureWorks, Arctic Wolf) are product-led. The scaled productized firm example is SideChannel. IOmergent sits in the middle: senior strategy plus managed cloud execution for the mid-market.]

Most providers make you choose: a boutique that advises but does not run anything, or an operations shop priced for the enterprise. IOmergent is built for the middle: senior security leadership combined with managed cloud security (CSPM, SSPM, and MDR) and AI governance. You get the judgment of a boutique and the execution of an operations provider from one team, at a mid-market price.