Security that is measurable.
Pricing that is transparent.
End-to-end governance, risk, compliance, and managed security services engineered for modern enterprises — delivered by senior practitioners, priced openly, and measured by outcomes.
Managed GRC Programs
Annual subscription programs delivering continuous governance, risk, compliance, and incident response management — for organizations seeking an expert-managed program without the cost of full-time headcount.
Managed Information Security & Privacy Management
Comprehensive ongoing management of your information security and privacy program including ISMS governance, SoA and scope maintenance, System Security Plan maintenance, and continuous alignment to ISO 27001, ISO 27701, and applicable frameworks.
- ISMS governance & SoA maintenance
- System Security Plan maintenance
- Continuous ISO 27001/27701 alignment
- 40 consulting hours per quarter (160 hrs/year)
- Additional hours at standard advisory rates
Managed Risk Management Program
Ongoing implementation and operationalization of risk management systems and processes in accordance with your ISMS. Includes risk identification, treatment tracking, Risk Register maintenance, and periodic executive reporting.
- Risk identification & treatment tracking
- Risk Register maintenance
- Periodic executive reporting
- 4 consulting hours per period
- Supports ISO 31000, NIST RMF, NIST CSF, COSO ERM
Managed Cyber-Incident Response Program
Ongoing IR operations management ensuring your incident response program, procedures, plans, playbooks, and remediation activities remain current with technological, business, and regulatory changes throughout the year.
- IR program & playbook maintenance
- Regulatory change integration
- Remediation activity tracking
- 60 consulting hours annually
- Ideal as add-on following IR Program Development
Managed Vendor Compliance Management
Per-vendor annual subscription for ongoing security and privacy compliance management, tiered by vendor criticality. Includes vendor risk monitoring, assessment coordination, compliance status tracking, and governance reporting.
Volume pricing available for portfolios of 10+ managed vendors.
| Vendor Tier | Criticality | Annual Price |
|---|---|---|
| Tier-1 | Critical | $5,775 /vendor/yr |
| Tier-2 | High | $3,080 /vendor/yr |
| Tier-3 | Standard | $1,155 /vendor/yr |
Managed Detection & Response
24/7 continuous monitoring, advanced threat detection, and continuous incident response across endpoints and cloud workloads — a consolidated XDR platform combining MDR, vulnerability assessment, dark web monitoring, identity security, and external posture management.
MDR — Complete
24×7 continuous monitoring of endpoints and cloud workloads with advanced threat detection and continuous incident response — consolidating multiple technologies into one solution.
- 24/7 Managed Detection & Response
- Endpoint & Network Detection and Response
- Security Controls Validation
- Vulnerability Assessment
- External & Cloud Posture Management
MXDR Starter
Full-platform XDR subscription with 24/7 MDR, AI-powered detection, continuous penetration testing, dark web monitoring, and identity security posture management.
- AI-Based Detection & Prevention
- Continuous Incident Response (CIR)
- Continuous Penetration Testing
- Dark Web, BAS & External Surface
- Device Control & Remote Shell
- 3rd-Party & OS Vulnerability Scanning
- NTA & Rogue Device Detection
- Identity Security Posture Management
- Web Filtering & C2 Blocking
- Shadow IT Discovery
MXDR — SIEM Add-on
XDR SIEM subscription add-on expanding detection and investigation with extended data retention and raw event storage. Add to any MXDR subscription.
- 30-Day Hot Storage — Raw Event Data
- 1-Year Hot Storage — Alerts & Incident Data
- 1-Year Hot Storage — Sensor & Agent Data
- Up to 60 MB processed data / node / day
Managed Security Controls Validation for Endpoints
Annual managed validation program providing continuous assurance that endpoint security controls are operating effectively, configurations are maintained, and posture aligns with organizational and compliance standards.
- Continuous Controls Effectiveness Validation
- Configuration Baseline Monitoring
- Compliance Posture Reporting
- Annual Endpoint Security Assurance
Risk Assessment & Risk Management
Structured, framework-aligned risk assessments and continuous risk management programs designed to identify, quantify, and prioritize organizational risk exposure.
Aligned to: ISO 27001 · ISO 27005 · NIST RMF · NIST CSF · COSO ERM · FAIR · SOC 2 · HIPAA · PCI DSS · CMMC
Annual Risk Assessments Fixed-Fee
| Deliverable | Low Baseline (up to 50 hours) | Moderate Baseline (up to 120 hours) | High Baseline (up to 240 hours) |
|---|---|---|---|
| Initial Risk Assessment | $19,250 | $46,200 | $92,400 |
| Annual Update | $15,400 (40 hrs) | $30,800 (80 hrs) | $61,600 (160 hrs) |
| Risk Register & Remediation Roadmap | ✓ | ✓ | ✓ |
| Executive Reporting | ✓ | ✓ | ✓ |
| Compliance Readiness Evaluation | Basic | Detailed | Comprehensive |
| Control Effectiveness Reviews | — | ✓ | ✓ |
| Multi-Framework Mapping | — | — | ✓ |
Periodic Controls Gap Assessments
| Assessment | Low Baseline (up to 20 hours) | Moderate Baseline (up to 30 hours) | High Baseline (up to 60 hours) |
|---|---|---|---|
| Periodic Controls Gap Assessment | $7,700 | $11,550 | $19,250 |
| Risk-Informed Sampling Methodology | ✓ | ✓ | ✓ |
| Control Testing & Gap Analysis | Core controls | Extended scope | Enterprise-wide |
| Remediation Recommendations | ✓ | ✓ | ✓ |
Risk Committee & Executive Posture Reporting
| Report | Low Baseline | Moderate Baseline | High Baseline |
|---|---|---|---|
| Periodic Risk Committee Posture Update | $2,695 | $3,750 | $9,625 |
| BOD / Investor Periodic Performance Reporting | $7,700 fixed-fee per reporting cycle (all baselines) | | |
Risk Management Program Documentation
| Service | SKU | Billing | Price |
|---|---|---|---|
| Risk Management Program (CONOPS) Development: governance structure, operating model, methodologies, roles, risk treatment. Up to 40 hrs. | ISG-GRC-RMP-CNPS-26-S01 | One-Time | $15,400 |
| Risk Management Program (CONOPS) Review & Update: periodic alignment review. Up to 12 hrs. | ISG-GRC-RMP-CNPU-26-S01 | One-Time | $4,620 |
| Manage Risk Register & Plan of Actions & Milestones: ongoing risk register administration, prioritization, remediation tracking, POA&M, executive reporting. | ISG-GRC-M-RMP-RRM-26-H01 | Hourly | $385/hr |
| Cyber-Risk Advisory: on-demand strategic guidance across cybersecurity, risk, compliance, privacy, and resilience. | ISG-GRC-RMP-RSKA-26-H01 | Hourly | $385/hr |
| Operational Risk Analysis & Update: independent GRC and operational risk assessments identifying control gaps and remediation priorities. | ISG-GRC-RMP-RSKU-26-H01 | Hourly | $385/hr |
| Business Impact Assessment & Analysis: structured BIA identifying critical processes, operational dependencies, and recovery requirements. | ISG-GRC-RMP-BIAA-26-H01 | Hourly | $385/hr |
Cyber Incident Response Program
Comprehensive incident response program design, planning, playbook development, tabletop exercises, and real-time incident command services.
Aligned to: NIST SP 800-61 · ISO 27035 · SEC cyber disclosure rules · CMMC · cyber insurance requirements
Program Development
| Service | SKU | Billing | Price |
|---|---|---|---|
| Cyber-IR Program (CONOPS) Development: governance model, command structure, stakeholder responsibilities, and communications framework. Foundation for all IR plans and playbooks. | ISG-GRC-CIRP-CNPS-26-S01 | One-Time | $11,550 |
| Cyber-IR Program (CONOPS) Review & Update: annual alignment review against current business operations, technology, and threat landscape. | ISG-GRC-CIRP-CNPU-26-S01 | One-Time | $4,620 |
| Cyber-Incident Response Plan Development: comprehensive CIRP establishing incident governance, escalation, communication protocols, containment, and recovery. Satisfies regulatory and audit requirements. | R-ISG-M-CIRP-PLAN | One-Time | $15,400 |
| Cyber-IR Plan Review & Update: periodic review ensuring the IR Plan reflects current operations, technology stack, and lessons learned. | ISG-GRC-CIRP-PBKU-26-S01 | One-Time | $3,850 |
| Cyber-IR Playbook Development: detailed step-by-step playbooks for ransomware, data breach, BEC, DDoS, insider threat. | ISG-GRC-CIRP-PLBK-26-S01 | One-Time | $7,700 |
Testing & Exercises
Cyber-IR Tabletop Exercise (TTX)
Facilitated scenario-based exercises evaluating organizational readiness, decision-making, and communications. Includes custom scenario development, facilitation, after-action reporting, and corrective action recommendations.
Cyber-Incident Response Operations Command
vCISO-led real-time incident command for ransomware, data breaches, and cyber disruptions. Includes stakeholder coordination, crisis communications, recovery oversight, and post-incident improvement planning.
Information Security Program & Governance
Policies, standards, program governance, awareness, and executive reporting services that establish and maintain a mature, compliant information security program.
Aligned to: ISO 27001 · NIST CSF · SOC 2 · HIPAA · CMMC · Secure Controls Framework
Written IS Policies & Standards Fixed-Fee
| Deliverable | Low Baseline (~400 controls) | Moderate Baseline (~750 controls) | High Baseline (~1,350 controls) |
|---|---|---|---|
| Written IS Policies & Standards | $5,130 | $9,120 | $18,420 |
| Policy Customization | Core library | Extended library | Enterprise-wide |
| Framework Mapping (ISO, NIST, SCF) | Single | Multi-framework | Comprehensive |
| Executive Governance Alignment | — | ✓ | ✓ |
IS Program Governance & Advisory
| Service | SKU | Billing | Price |
|---|---|---|---|
| IS Program (CONOPS) Development Governance structure, operating model, organizational responsibilities, security services, and performance framework. | ISG-GRC-ISP-CNPS-26-S01 | One-Time | $11,550 |
| IS Program (CONOPS) Review & Update Annual alignment review against current business objectives, technologies, and regulatory requirements. | ISG-GRC-ISP-CNPU-26-S01 | One-Time | $7,300 |
| CISO Support Executive-level cybersecurity leadership augmenting internal CIO, CISO, and security teams. | R-ISG-M-CISO-SUPPORT | Hourly | $385/hr |
| BOD / BOI Periodic Performance Reporting Executive governance reporting for boards, investors, and leadership — risk posture, compliance, KPIs/KRIs. | ISG-GRC-ISP-BODU-26-S01 | One-Time | $7,700 per cycle |
| Management Review Facilitation Formal ISO 27001/27701 Management Reviews including governance reporting, KPI/KRI review, audit status. 8–20 hrs scope. | ISG-GRC-ISP-SMRF-26-S01 | One-Time | $4,620 |
| Security Data Analytics & Reporting Development Security analytics dashboards, KPI/KRI frameworks, board reporting, and executive metrics. | ISG-GRC-SEA-DTAR-26-H01 | Hourly | $385/hr |
| Annual Policy Acknowledgements Campaign management, completion tracking, compliance reporting, and audit evidence collection. | ISG-GRC-ISP-PACK-26-H01 | Hourly | $185/hr |
| Security Awareness Training Management SAT programs across KnowBe4, Microsoft Attack Simulation, Proofpoint, Cofense, Hoxhunt. | ISG-GRC-ISP-SATF-26-H01 | Hourly | $285/hr |
| Phishing Simulation Campaign Implementation & Maintenance Platform-agnostic. Performance analytics, executive reporting, and continuous optimization. | ISG-GRC-ISP-SATP-26-H01 | Hourly | $285/hr |
| Security & Privacy Control Tailoring Control baseline tailoring aligned to organizational risk, regulatory requirements, and technology environment. | ISG-GRC-ISP-CTLT-26-H01 | Hourly | $385/hr |
| Security Exceptions Management Ongoing governance of security, privacy, and compliance exceptions including risk assessment and renewal tracking. | ISG-GRC-ISP-EXCP-26-H01 | Hourly | $385/hr |
| RFP Response Services Professional authoring for RFPs, RFIs, DDQs, and security questionnaires. Includes evidence mapping and QA. | ISG-GRC-RMP-RFPR-26-H01 | Hourly | $385/hr |
Privacy & Data Protection Services
End-to-end privacy program services covering data mapping, DPIAs, Data Subject Rights operations, and ISO 27701 PIMS implementation.
Designed for: GDPR · CCPA / CPRA · HIPAA · the growing landscape of US state privacy laws
Data Mapping & Data Inventory
| Deliverable | Small-Scope (single app · 26–40 hrs) | Moderate-Scope (multi-system · 110–160 hrs) | Large-Scope (enterprise · 320–400 hrs) |
|---|---|---|---|
| Data Mapping & Data Inventory | $13,475 | $50,050 | $134,750 |
| Data Flow Maps | ✓ | ✓ | ✓ |
| PII Inventory | ✓ | ✓ | ✓ |
| Data Lineage Documentation | — | ✓ | ✓ |
| Multi-Entity Coverage | — | — | ✓ |
Data Protection Impact Assessments (DPIA)
| Assessment | Small-Scope (12–24 hrs) | Moderate-Scope (24–40 hrs) | Large-Scope (40–80 hrs) |
|---|---|---|---|
| Data Protection Impact Assessment | $6,160 | $12,320 | $25,025 |
| Privacy Risk Analysis | ✓ | ✓ | ✓ |
| Regulatory Compliance Assessment | Core | Extended | Comprehensive |
| Privacy-by-Design Recommendations | — | ✓ | ✓ |
Data Subject Rights Operations
| Program | Small-Scope (26–32 hrs) | Moderate-Scope (42–60 hrs) | Large-Scope (90–120 hrs) |
|---|---|---|---|
| Data Subject Rights Operations | $10,780 | $20,790 | $40,425 |
| DSR Workflow Design | ✓ | ✓ | ✓ |
| Fulfillment Procedures | ✓ | ✓ | ✓ |
| Governance & Compliance Reporting | Basic | Full | Full + Board |
ISMS, SSPP & Statement of Applicability
Certification-ready documentation services for ISO 27001/27701 ISMS scope, Statements of Applicability, and System Security & Privacy Plans across low, moderate, and high control baselines.
ISMS Scope & Statement of Applicability
| Service | SKU | Price |
|---|---|---|
| ISMS Scope & SoA Development: ISO 27001/27701 scope statements and SoA including scope definition, control applicability analysis, and audit-ready documentation. | ISG-GRC-SEA-SOAD-2026-S01 | $12,320 |
| Statement of Applicability (SoA) Review & Update: periodic review ensuring SoA control applicability reflects current risk assessments and certification objectives. | ISG-GRC-SEA-SOAU-26-S01 | $4,620 |
System Security & Privacy Plan (SSPP)
| Deliverable | Low (12–20 hrs) | Moderate (24–32 hrs) | High (40–60 hrs) |
|---|---|---|---|
| SSPP Development | $6,930 | $11,550 | $19,250 |
| SSPP Review & Update | $4,620 (8–16 hrs) | $7,700 (16–24 hrs) | $12,320 (24–40 hrs) |
| System Boundary Documentation | ✓ | ✓ | ✓ |
| Control Baseline Documentation | Foundational | Moderate tailoring | Extensive tailoring |
| Compliance Mapping | Single | Multi-framework | Comprehensive |
Business Continuity & Operational Resilience
BCP development, review, and operational resilience program design integrating continuity, disaster recovery, cybersecurity, third-party risk, and crisis management into a unified framework.
Aligned to: ISO 22301 · ISO 27001 · NIST SP 800-34 · NIST CSF · SOC 2 (Availability) · HIPAA · PCI DSS
| Service | SKU | Billing | Price |
|---|---|---|---|
| BCP Development — Moderate-Scope: defined business unit or moderate-scope organization. Recovery strategies, crisis communications, and governance processes. 28–40 hrs. | ISG-GRC-SEA-BCDS-26-S01 | One-Time | $10,780 |
| BCP Development — High-Scope: full enterprise BCP for large or multi-department organizations. Multi-department recovery strategies, dependency mapping, and regulatory compliance documentation. 60–80 hrs. | ISG-GRC-SEA-BCDM-26-S01 | One-Time | $17,100 |
| BCP Review & Updates — Small-Scope: review and update of existing BCPs reflecting organizational, operational, and technology changes. 8–16 hrs. | ISG-GRC-SEA-BCDU-26-S01 | One-Time | $3,080 |
| Operational Resilience Program Development: integrates business continuity, disaster recovery, cybersecurity, third-party risk, and crisis management into a unified resilience framework. Scalable from single business units to multi-entity enterprises. | ISG-GRC-SEA-ITOR-26-H01 | Hourly | $385/hr |
Vendor & Third-Party Risk Management
Vendor compliance management and contract review services for organizations managing third-party security, privacy, and regulatory obligations across supply chains, cloud services, and critical vendor relationships.
| Service | SKU | Billing | Price |
|---|---|---|---|
| Security Terms & Conditions Contract Reviews: professional review identifying obligations, contractual risk exposure, and negotiation recommendations for vendor contracts, DPAs, cloud services, and customer agreements. | ISG-GRC-ISP-3PRM-26-H01 | Hourly | $385/hr |
| Audit Support & Liaison Services: professional audit coordination for internal audits, certification audits, compliance assessments, and regulatory examinations. Includes evidence management, auditor coordination, PBC tracking, and findings management. | ISG-GRC-SEA-AUDS-26-H01 | Hourly | $385/hr |
| Asset Governance Program Development: development of Asset Governance Programs establishing policies, ownership models, lifecycle management processes, and inventory requirements. Supports vulnerability management, compliance, and operational resilience. | ISG-GRC-SEA-ASTG-26-H01 | Hourly | $385/hr |
Security Engineering & Architecture
Hands-on technical security expertise for architecture design, cloud security, identity management, vulnerability management, DevSecOps, infrastructure hardening, and security tooling.
Across: Azure · AWS · GCP · Microsoft 365 · Kubernetes · hybrid environments
| Service | SKU | Billing | Price |
|---|---|---|---|
| Security Engineering Services: security architecture, cloud security, identity management, vulnerability remediation, security tooling, and compliance control implementation across Azure, AWS, GCP, M365, Kubernetes, and DevSecOps. | ISG-PRO-SEA-26-H01 | Hourly | $385/hr |
| Security Architecture Reviews: independent architecture assessments across cloud environments, applications, networks, identity systems, and technology platforms identifying security risks and design weaknesses. | ISG-GRC-SEA-SPAR-26-H01 | Hourly | $385/hr |
| Secure SDLC Program Development: Secure Software Development Lifecycle program design covering DevSecOps, OWASP SAMM, OWASP ASVS, and NIST SSDF. | ISG-GRC-SEA-SDLC-26-H01 | Hourly | $385/hr |
| Vulnerability Scanning Config & Tuning: configuration, tuning, and optimization of vulnerability management platforms including Tenable, Qualys, Rapid7, Microsoft DEVA, Wiz, Orca, Prisma Cloud, Snyk, and AiVRIC CloudSignals. | ISG-PRO-VPM-26-H01 | Hourly | $285/hr |
| IT / IS Process Engineering: IT and information security process design, SOP creation, workflow development, and governance design aligned to ITIL, COBIT, ISO 27001, NIST CSF, and CMMC. | ISG-PRO-ITS-0626-H01 | Hourly | $385/hr |
| Vulnerability Management Program Development: comprehensive program defining governance, assessment methodologies, risk prioritization, remediation workflows, and exception management. Scalable from SMB to enterprise. | ISG-GRC-SEA-VPMD-26-H01 | Hourly | $385/hr |
| Senior Information Security Consulting Retainer: senior-level information security consulting and advisory via flexible retainer. Strategic guidance, security architecture expertise, governance support, and executive decision support. | SR-CONSULT-RETAINER-2021 | Hourly | $385/hr |
Technology Platform Deployment & Integration
Professional implementation and deployment services for enterprise GRC and cloud security platforms — accelerating adoption and establishing continuous cloud risk management and compliance capabilities.
AiVRIC CloudSignals GRCOps & CSPM Onboarding & Support
Premier AiVRIC CloudSignals implementation by 3HUE. Includes cloud onboarding, CSPM deployment, GRC baseline configuration, compliance framework mapping, risk management enablement, dashboard setup, training, and operational support.
- 1 AWS Org · 1 M365 Tenant
- 1 Azure Tenant · 1 GCP Org
- Up to 20,000 cloud assets
- Additional environments scoped separately
M365 Modern GRC System Deployment & Maintenance
Professional deployment and ongoing maintenance of a Microsoft 365-based modern GRC system leveraging Microsoft Purview, Compliance Manager, Defender for Cloud, and integrated M365 governance.
- System configuration & framework mapping
- Policy integration & dashboard setup
- Microsoft Purview & Compliance Manager
- Defender for Cloud integration
- Maintenance support included
Standard Rate Card
2026 standard list rates for hourly professional services. All rates are applied to time-and-materials engagements, hourly services above fixed-fee thresholds, and on-demand advisory retainers.
| Service Area | Description | Rate |
|---|---|---|
| GRC Advisory · Risk · Compliance · Privacy · IR Planning | Standard senior advisory rate | $385/hr |
| Security Engineering · Architecture · Process Engineering | Technical professional services | $385/hr |
| Incident Command & Emergency Response Leadership | Real-time crisis command premium | $485/hr |
| Security Awareness · Phishing Simulation · Policy Writing | Program operations & administration | $285/hr |
| Vulnerability Scanning Configuration & Platform Tuning | Platform operations | $285/hr |
| Annual Policy Acknowledgements Administration | Compliance program administration | $185/hr |
Ready to strengthen your security posture?
Our team of senior security professionals is ready to help you build, manage, and continuously improve your information security program. Reach out for a complimentary consultation and custom scope discussion.