Key Takeaways
Most MSPs already sell security. What they can't yet sell is the deliverable their clients are actually asking for — a written risk posture, a remediation roadmap, and an executive who owns the security program month to month. This guide walks through how to launch a vCISO service line in 30 days, using a fixed-scope $5,000 security assessment as the wedge into $1,500–$3,500/month recurring revenue.
Most MSPs Are Already One Email Away From a vCISO Client
Your clients are asking you questions you don’t have a product for yet.
Not questions about EDR coverage or patch windows. Questions like: “My cyber-insurance renewal questionnaire wants a written ISMS — can your team do that?” Or: “My biggest customer says I need CMMC-ready documentation by Q3. What do I tell them?” Or, the clearest one: “The board asked for a security risk report. Can you produce one?”
These are not edge cases. They show up in MSP ticket queues across the country, multiple times a month, and the honest answer from most MSPs is “sort of.” You have the EDR. You have the MFA enforcement. You have the patching SLAs. What you don’t have is a deliverable that says we are your security executive — and that’s what your clients are now paying for, at $1,500–$5,000/month, to someone other than you.
This guide gives you the structure to change that. Not in six months with a new hire. In 30 days with one client.
Why the $5K Assessment Is the Right Entry Point
The instinct most MSPs have when building a new service line is to productize first: build the tiers, write the service description, update the website, then go find buyers. That process takes three to six months and often produces a service catalogue no one has yet validated against a real client need.
The assessment wedge flips the sequence. You sell one fixed-scope, fixed-price engagement, deliver it, and let the client’s reaction tell you what to productize. The $5,000 price point is deliberate:
- It sits below the discretionary-spend threshold for most SMB decision-makers. No procurement process, no lengthy approval chain.
- It creates a proper commercial engagement rather than a scoped consultation. The deposit (50% on signature) makes both parties accountable.
- It produces exactly the artefact that justifies the ongoing retainer. A client who has a written risk register, a 12-month roadmap, and a gap analysis needs someone to own the programme month to month. That’s you.
The assessment is the wedge. The $1,500–$3,500/month retainer is the product. Every $5,000 engagement you run is both revenue and pipeline.
Week 1: Pick the Client and Make the Offer
The single most common mistake MSPs make at this stage is trying to launch vCISO services at their most resistant client. Don’t. Your beachhead client has all four of these characteristics:
- 25–250 employees. Big enough to have budget, small enough to decide fast.
- A live compliance trigger. They’ve mentioned cyber-insurance pressure, CMMC, HIPAA, SOC 2, or a board-level request in the last 90 days. Not in theory — in an actual ticket or meeting.
- An owner-operator or CFO decision-maker. Not a procurement-heavy enterprise. Someone who can say yes in a single conversation.
- A strong existing relationship. You already have a standing meeting, a known technical footprint, and a track record with them.
Pick one name. Write it down. That’s your Week 1 target.
The outreach email:
Send one short email. No brochure, no price list, no deck attachment.
“We’re formalising a security advisory service this quarter. Given what you mentioned about [insurance renewal / your CMMC timeline / the board request], I’d like to walk you through what it includes — should only take 30 minutes. Worth a call next week?”
Three things this email does correctly: it makes the offer feel finite (“this quarter”), it ties it to their specific trigger rather than a generic sales pitch, and it asks for a single low-commitment step. You are not asking them to buy anything.
The Discovery Call: Three Questions That Close
When you get on the call, ask three questions in order. Do not pitch the service until you’ve heard all three answers.
- “What’s driving the security conversation right now — insurance, a client requirement, the board, or something else?”
- “If you had a clean, written answer to that in 30 days, what would it unlock for you?”
- “Who else needs to see that answer — your broker, your biggest client, your board?”
The third question is the most important. Whoever they name is the real audience for the deliverable — and naming that audience usually makes the $5,000 spend trivially justifiable. A business owner who says “my insurer needs to see it” or “my largest client’s procurement team wants documentation” has just told you exactly why they need this engagement, and why they’ll close it quickly.
End the call with: “I’ll send you a one-page scope tomorrow.”
Week 2: Scope, Sign, and Kick Off
The one-pager. Send a single-page scope document within 24 hours of the discovery call. Not a 12-page MSA appendix. One page, containing:
- Four meetings (described briefly)
- The final deliverable (PDF, 25–40 pages, listed as contents)
- Fixed price: $5,000
- Payment: 50% on signature, 50% on delivery
- Timeline: kickoff within 5 business days of signature
If they want to negotiate scope, your answer is always the same: you can do fewer deliverables for the same price. You never reduce the price. A scope negotiation that ends in a discount signals to the client that your advisory time has no firm value — which creates a poor foundation for the retainer conversation six weeks later.
Signature on day 7–9. Sign via your standard MSA addendum. For a $5,000 SOW, the client’s own counsel rarely engages — and if they do, treat it as a strong buying signal rather than a friction point. Help them move it through quickly.
Kick-off on day 10. Two outputs from the kick-off meeting:
- A documented list of business risks in the client’s own words
- A named executive sponsor on their side — the person who will sign the retainer in week 4
Week 3: Assess, Interview, and Draft
You already have most of the data. Your RMM knows the patch posture. Your PSA knows the incident history. Your EDR knows the threat exposure. The work this week is organising it, not discovering it.
Technical data to pull:
- Patch posture and MFA coverage from your RMM
- Identity and access — who holds admin rights, where MFA gaps exist
- Backup configuration and last verified restore
- EDR deployment and unmanaged device count
- Policy library — what exists, what’s dated, what’s missing entirely
Stakeholder interviews. Two 30-minute sessions — the owner and one operations or finance lead. You’re after one thing: the gap between what they think is risky and what would actually hurt the business if it broke. That gap is the most valuable content in your report, because it tells the client something they didn’t already know.
Drafting. The first assessment takes 12–16 hours to assemble. By your third engagement, with a locked template, it takes 4–6 hours. The deliverable structure:
- Executive summary (1 page — the only page most boards read)
- Risk register (10–20 prioritised items, scored by likelihood and impact)
- Control gap analysis against NIST CSF, CIS v8, or the client’s specific framework (CMMC, HIPAA, SOC 2 where relevant)
- 12-month remediation roadmap in quarterly buckets
- Policy inventory — what exists, what needs updating, what needs creating
- Cyber-insurance attestation alignment — maps your findings to their renewal questionnaire
- Recommended ongoing programme (this is your retainer pitch in document form)
The GRC platform you use to manage client compliance controls can generate most of the framework mapping automatically. If you are building the template from scratch, reserve a full day for the first one.
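As an added illustration (not the article's template and not GetCybr tooling), the Python below takes constructed findings shaped like the data pulled above, scores each one likelihood × impact on a 5×5 scale, ranks them into a register, buckets them into the four quarterly roadmap slots, and rolls the gaps up by NIST CSF v1.1 function. The sample values, the quarter thresholds and the effort delay rule are assumptions.

```python
from collections import defaultdict

# Constructed sample findings (illustrative, not a real client), shaped like
# what an MSP pulls from RMM, backup, identity, EDR and policy reviews.
# "csf" is a NIST CSF v1.1 category ID; likelihood/impact use a 1-5 scale.
FINDINGS = [
    {"id": "R1", "title": "MFA not enforced for 18 of 120 users", "csf": "PR.AC",
     "likelihood": 4, "impact": 5, "effort": "low"},
    {"id": "R2", "title": "No verified backup restore in 11 months", "csf": "RC.RP",
     "likelihood": 3, "impact": 5, "effort": "medium"},
    {"id": "R3", "title": "23 workstations >45 days behind on OS patches", "csf": "PR.IP",
     "likelihood": 4, "impact": 3, "effort": "low"},
    {"id": "R4", "title": "7 staff hold domain admin rights", "csf": "PR.AC",
     "likelihood": 3, "impact": 4, "effort": "medium"},
    {"id": "R5", "title": "14 unmanaged devices without EDR", "csf": "DE.CM",
     "likelihood": 3, "impact": 3, "effort": "medium"},
    {"id": "R6", "title": "Incident response plan last revised 2019", "csf": "RS.RP",
     "likelihood": 2, "impact": 3, "effort": "high"},
]

# Assumed rule: quarter thresholds on the 1-25 score; high-effort items slip one quarter.
EFFORT_DELAY = {"low": 0, "medium": 0, "high": 1}

def build_risk_register(findings):
    """Score each finding (likelihood x impact) and rank highest first; inputs are not mutated."""
    scored = [dict(f, score=f["likelihood"] * f["impact"]) for f in findings]
    scored.sort(key=lambda f: (-f["score"], f["id"]))
    return scored

def quarter_for(item):
    """Map a scored item to a quarter of the 12-month roadmap."""
    s = item["score"]
    q = 1 if s >= 15 else 2 if s >= 12 else 3 if s >= 8 else 4
    return min(4, q + EFFORT_DELAY[item["effort"]])

def bucket_roadmap(register):
    """Group register items into Q1..Q4 buckets, preserving rank order."""
    roadmap = {q: [] for q in (1, 2, 3, 4)}
    for item in register:
        roadmap[quarter_for(item)].append(item["id"])
    return roadmap

def gap_analysis(register):
    """Summarise open items and worst score per CSF function (ID, PR, DE, RS, RC)."""
    gaps = defaultdict(lambda: {"open_items": 0, "max_score": 0})
    for item in register:
        func = gaps[item["csf"].split(".")[0]]
        func["open_items"] += 1
        func["max_score"] = max(func["max_score"], item["score"])
    return dict(gaps)
```

Feeding it the sample set yields MFA enforcement and backup restore verification in Q1, patching and admin-rights reduction in Q2, which is the "prioritised, quarterly, achievable without heroics" shape the roadmap slide needs.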
Week 4: Present, and Close the Retainer
Send the draft report to the executive sponsor 48 hours before the presentation. You want them to have processed the findings before entering the room. Zero surprises during a board-level presentation is a professional signal that earns trust.
The presentation structure (60 minutes):
- “Here is what your business actually looks like, security-wise.” — Use the risk register and gap analysis, not raw technical data. Frame everything in business impact, not control IDs.
- “Here is what your insurer / client / regulator sees when they look at it.” — Map the top three risks to whatever compliance driver originally brought them to the table.
- “Here is the 12-month plan to close the gap.” — The roadmap. Prioritised, quarterly, achievable without heroics.
- “Here is what staying on this plan costs — and what it returns.” — This slide presents the retainer tiers. Do not skip it.
The three retainer tiers:
| Tier | Price | What’s included |
|---|---|---|
| Foundation | $1,500/mo | Monthly security check-in, quarterly board update, policy maintenance, insurance attestation support |
| Growth | $2,500/mo | Foundation + monthly stakeholder report, semi-annual mini-assessment, incident-response readiness, vendor risk reviews |
| Executive | $3,500/mo | Growth + named vCISO, board attendance (up to 2×/yr), regulatory liaison, full IR retainer |
Present all three tiers. Let the client choose. Most pick Growth. Most didn’t know Executive existed until you offered it. The tier they pick is rarely about the price — it’s about what they want to be able to say to their board, their insurer, or their biggest client.
Day 27–30: First retainer invoice goes out. You’ve booked $5,000 once and $1,500–$3,500/month recurring. The templates, meeting agendas, and report structure you used are now reusable across your next 20 clients.
Three Ways MSPs Lose This Engagement
Free-consulting drift. You start scoping, have three good conversations, produce a preliminary gap analysis, and six weeks later the client has the work product but no signed order form. Fix: the 50% deposit is non-negotiable before any deliverable crosses your network boundary. No deposit, no draft.
Over-engineering the report. The first engagement, most MSPs build a 60-page document. The client reads page 1 and the roadmap table. Fix: hard limit the template at 25–40 pages. The executive summary is the product; everything else is the appendix that justifies it.
Skipping the retainer slide. You deliver the report, the client says “this is exactly what we needed,” everyone shakes hands, and you leave without presenting the ongoing programme. Fix: the retainer slide is built into every presentation deck and rehearsed before every delivery meeting. You do not end the engagement meeting without naming the tiers.
The Pricing Table
| Engagement | Price | Cadence | Target margin |
|---|---|---|---|
| Security Posture Assessment & 12-Month Roadmap | $5,000 | One-time | 65–75% |
| Foundation vCISO retainer | $1,500/mo | Monthly | 75%+ |
| Growth vCISO retainer | $2,500/mo | Monthly | 75%+ |
| Executive vCISO retainer | $3,500/mo | Monthly | 70%+ |
| Framework readiness add-on (CMMC, HIPAA, SOC 2) | $7,500–$15,000 | Per framework | 60–70% |
An MSP that runs this sequence across ten existing clients over 12 months adds $180K–$420K in recurring margin without a new hire. The limiting factor is never the market demand. It is template quality and delivery discipline.
What You Do Tomorrow Morning
Three actions, in order:
- Pick the wedge client. One name, from your existing book, who has a live compliance trigger. Write it down.
- Send the email this week. One paragraph, their specific trigger, one ask: a 30-minute call.
- Block the four meeting slots. Kick-off, technical review, stakeholder interviews, roadmap presentation. Before you’ve been paid for a single hour of advisory work, the calendar structure creates accountability on both sides.
If you want the templates that make this repeatable — the SOW one-pager, the assessment framework, the report skeleton, and the retainer deck — GetCybr builds and maintains them as part of a platform designed specifically for MSPs delivering vCISO services. The first engagement takes 30 days. With the right tooling, the second takes five.