
How much does a vCISO cost? Pricing models compared

Aegis AI™ · Updated July 2026

vCISO pricing is confusing because the label covers four different delivery models, and each prices a different thing: hours, access, headcount, or output. Most published numbers are quotes for a model, not for the job. Here is how to compare them on the thing that matters: what actually happens to your security program between meetings.

Model 1: hourly consulting

You buy expert time by the hour. The strength is flexibility; the weakness is that the meter shapes behavior on both sides. Teams under-ask to control spend, and the recurring work (control validation, evidence collection, gap tracking) happens only inside billed hours. Between engagements, posture decays silently. Hourly works best for bounded questions, not for owning a program.

Model 2: the monthly retainer

A fixed fee buys a defined slice of a practitioner: some hours, some deliverables, quarterly reviews. This is the most common "vCISO service" shape, and quotes vary widely with seniority, scope, and how much doing (versus advising) is included. The question that exposes the difference between retainers: what runs on a schedule when your named practitioner is busy with another client? If the answer is nothing, you are buying advice with a subscription invoice.

Model 3: the full-time hire

An executive salary, benefits, equity, and months of ramp, for security leadership as a daily function. At scale this is the right answer. Before scale, most of what you need is the recurring work plus occasional judgment, and a full-time executive spends much of the week on work that does not require one.

Model 4: Agent-as-a-Service (how Aegis AI™ prices)

The AaaS model prices the output: the recurring program work runs continuously in software, with a human approving every material decision. Because agents do the repetition, the price does not scale with billed hours, and it is published rather than quoted:

How to compare quotes across models. Ask each vendor the same three questions. What runs on a schedule without anyone remembering to ask? What artifact exists after each cycle, and would an auditor accept it? Who approves material decisions? The first two questions price the work; the third one is where any serious answer must include a human. It does at Aegis AI™: agents do the work, your designated leader reviews and approves every material decision.

The cost that does not appear on any quote

Decay. Point-in-time engagements end, evidence goes stale, and the next audit or security questionnaire restarts the spend. The cheapest program over two years is usually the one that never stops running, which is a cadence question, not a headcount question.


Aegis AI™ is a vCISO platform delivered as Agent-as-a-Service by ElasticD3M, LLC. Aegis AI is not a 3rd-party auditor and does not conduct audits or attestations. Aegis AI pricing referenced is current as of publication; see ai4ciso.ai/pricing for current terms. Descriptions of other delivery models are general characterizations, not quotes. This article is general information, not legal or financial advice. ElasticD3M, LLC is a Texas limited liability company. Patent Pending.