vCISO Math for AI Founders: Why 5 Hours a Month Beats a Full-Time Hire
A full-time CISO costs $200–400K plus equity. A vCISO costs $2–4K a month and gives you 80% of the value at 5% of the burn — until you outgrow them. The math, the deliverables to expect, and the red flags that mean you've hired the wrong one.
Don't hire a CISO. Rent one.
This is the single most actionable security advice I give to pre-Series-A founders, and the one most consistently ignored. The pattern is predictable: an enterprise prospect asks for a SOC 2 report, the founder panics, posts a security-leadership job opening with a $250K base, sources for two months, and either hires the wrong person or gives up and ships the report without leadership in place. Both outcomes are bad. Both are avoidable.
The right answer at this stage is a fractional vCISO. Five hours a month, $2–4K, retained on a recurring contract. Below, the math, what to expect, and when to graduate to a full-time hire.
The math
Let's compare the two paths concretely.
Full-time CISO at a 15-person AI startup, pre-Series-A:
- Base salary: $220–320K (Bay Area / NYC / remote-but-competitive)
- Equity: 0.5–1.5% (roughly $50–200K paper value at this stage)
- Benefits and overhead: ~25% of base = $55–80K
- Recruiter fee (if external): 20–25% of first-year comp = $50–80K one-time
- First-year cash cost: $325–480K. Year-two onward: $275–400K.
Fractional vCISO, 5 hours a month:
- Hourly: $400–800 depending on market and experience level
- Monthly: $2–4K
- Annual: $24–48K
- No equity, no benefits, no recruiter fee
- First-year cash cost: $24–48K. Same in year two.
The vCISO is roughly 5–10% of the cash cost of a full-time CISO and zero equity. For a pre-Series-A company where every dollar is runway, this is the difference between two months and twenty months of additional runway tied up in the security function.
You might object: "But a full-time CISO does much more than 5 hours a month." That's true. They do roughly 160 hours a month. The question is whether your 15-person AI startup, which has zero customers in regulated industries, has not yet had a security incident, and is six months from its first SOC 2 audit, actually has 160 hours a month of CISO-level work to do.
It does not. It has roughly 5–20 hours a month of CISO-level work, plus a much larger volume of engineering-led security execution that the engineering team is already doing or should be doing. A vCISO sized to the actual volume of CISO-shaped work is the right tool.
What a vCISO actually does (and what they don't)
The biggest source of disappointment with vCISOs is mismatched expectations. Here's what to expect for $2–4K a month.
What they do:
- Strategic guidance. Quarterly review of your security roadmap, threat landscape, and gaps relative to your customer base. They tell you what to worry about and in what order.
- Audit and certification readiness. They read your evidence, tell you what's missing, and prep you for the auditor's conversation. Most vCISOs have shepherded ten to fifty SOC 2 audits and know exactly which controls auditors actually scrutinize.
- Customer security questionnaires. Enterprise prospects send 80–200 question security questionnaires. Your vCISO either fills them out or directs your team on the answers. This alone usually pays for the engagement.
- Incident-response support. When something goes sideways, they're on the phone in two hours. They've handled incidents before. Your engineering team has not.
- Policy authorship and review. Information security policy, acceptable use policy, vendor risk policy, incident response plan. They have templates. They customize them. They sign them. Done in days, not weeks.
- Auditor relationship. A reputable vCISO has working relationships with multiple audit firms. Their warm intro to a CPA firm gets you a faster engagement and a better rate.
What they don't do:
- Hands-on engineering. They don't write code, configure SSO, or set up MDM. Your engineering team does that under their guidance.
- 24/7 monitoring. They are not your SOC. If you need real-time monitoring, you're hiring an MSSP, not a vCISO.
- Hire and manage a security team. They might help you scope the first hire when you're ready, but they're not running people.
- Live in your Slack. Five hours a month is five hours a month. They will not be available for ad-hoc questions multiple times a day.
Match your expectations to the contract and the relationship is wildly productive. Mismatch and you'll fire each other within four months.
When to graduate to a full-time hire
The vCISO model has a ceiling. The signals that you've hit it:
- You're spending 20+ hours a month on the engagement. If you've stretched a 5-hour retainer into 20 hours of effective work, you're paying overage rates and the vCISO is bottlenecked. Time to bring it in-house.
- Your security team is more than 2 people. A vCISO can guide one or two security ICs. Beyond that, you need a security leader with capacity to actually manage.
- You're regulated. If you take on PCI Level 1, HIPAA covered-entity status, FedRAMP, or financial services charters, the regulator's expectation of a named, in-house CISO becomes binding. Hire.
- You're past Series B and selling to F500 enterprises. At that revenue scale your customers' expectations include a real CISO they can put on the phone. The vCISO can no longer carry that representational load.
- You've had a security incident that drew a board-level response. Boards want a named accountable person. Don't argue with that.
Pre-Series A: vCISO. Series A through B: vCISO with the option to upgrade. Series B+: full-time, almost always.
The bad-vCISO red flags
Not all vCISOs are equal. Five flags I've learned to watch for:
- They've never been an in-house security leader. Career consultants who've never had to actually live with their decisions tend to over-prescribe. Look for someone who's been a Director or VP of Security at one or more real companies and decided to go fractional.
- They don't ask about your customers. If the vCISO doesn't immediately want to know who buys from you and what their security expectations are, they're going to give you generic advice. Your security program should be shaped by the people writing the checks, not by a checklist.
- They sell products. Some "vCISO" engagements are thinly disguised channel partnerships for compliance platforms or security tooling. They'll push you toward whatever they get paid to push. Ask up front: do you have any reseller, referral, or affiliate relationships with the platforms you'll recommend?
- They quote you "all-in flat-rate" pricing. The honest pricing is hourly with a monthly retainer minimum. Flat-rate vCISO pricing for $1,500 a month usually means you'll get attention only when you complain.
- They can't name three audit firms they'd recommend. A real vCISO has done a lot of audits and has opinions about who's good and who's bad. If they shrug at this question, they haven't done the volume.
How to interview a vCISO in 30 minutes
A short list of questions that surface signal fast:
- "What's the right SOC 2 audit firm for a 15-person AI startup?" — They should name two or three with rate ranges and tradeoffs.
- "What are the three controls auditors most often flag at a company our size?" — They should answer in 30 seconds without thinking. Common answers: access reviews, vendor management, change management documentation.
- "Walk me through the last incident you led." — Listen for structure. Did they have a runbook? Who was in the room? What was the post-mortem? Vague answers are a flag.
- "What would you tell my engineering team to start doing on Monday?" — They should have a concrete short list. If it's "depends on a deeper assessment," they're billing for the assessment.
- "What gets you fired?" — Good answer: "I get fired when the auditor finds things I should have flagged in advance, or when I told you something was fine and it wasn't." Bad answer: long pause.
The deliverables to write into the contract
Don't sign a vCISO contract without specifying outcomes. Generic monthly retainers float into nothing. Concrete examples:
- SOC 2 Type I readiness in 90 days
- Information security policy + 4 supporting policies signed and ratified within 30 days
- Quarterly risk register reviewed and updated
- Customer security questionnaires turned around in 5 business days
- Incident-response participation within 4 hours of declared incident, any time
- Quarterly readout to founders / board with current posture and gap list
If they push back on writing these into the contract, they're not committing. Find a different vCISO.
The honest tradeoffs
To be fair to the full-time CISO model: there are real things you give up by going fractional.
You don't get a leader who's in your Slack every day, building relationships with engineers, customers, and the board over a sustained period. The institutional knowledge of an in-house leader compounds — they know which engineer cuts corners, which customer is going to ask which question, which board member wants which level of detail. A vCISO will never have that depth.
You also lose the recruiting halo. A named, in-house CISO with a strong reputation can be a meaningful asset when you're hiring senior security engineers or selling to security-sensitive customers. The vCISO does not show up on your team page.
And you lose the optionality of having someone in seat when things go sideways. If you have an incident on a Saturday, your full-time CISO is on it. Your vCISO is on it within a few hours, but those hours can matter.
The honest framing: the vCISO model trades depth-of-context for cost efficiency. At fifteen people pre-Series-A, the cost efficiency wins by a wide margin. The depth-of-context cost is small because there's not yet much context to be deep about. As the company grows, that math flips, and you should flip with it.
The takeaway
Your security program at 15 people, pre-Series-A, looks like:
- Engineering does the engineering security work (auth, secrets, IAM, deployment hygiene). They were doing this anyway and are better at it than any external person.
- A vCISO does the leadership, audit, and customer-facing security work. Five hours a month, $2–4K, deliverables in the contract.
- You, the founder, own the customer-facing risk story until the company outgrows that arrangement.
This setup costs you $24–48K a year and 5% of the leadership burn of a full-time CISO. It unlocks SOC 2, vendor risk assessments, and enterprise customer questionnaires — the unlocks that actually move revenue. And when you outgrow it, around Series B, you graduate to a full-time hire with a much clearer view of what good looks like, because you've been working with one for two years.
The mistake is treating the security leadership question as a binary "no one" or "full-time hire" problem. There's a perfectly engineered middle option, and it's the right one for the first three years of an AI-native company's life. Use it.