What Does a Fractional vCISO Do for a SaaS Startup?

What a fractional vCISO delivers month by month for a SaaS startup. Deliverables, what they skip, cost vs full-time CISO, and when to upgrade.

Ashok Kamat
Cyber Secify
5 min read

You have 35 employees, a Series A in the bank, and two enterprise prospects asking about your security posture. Your CTO has been handling security between feature sprints. It has worked until now.

Someone on your board mentions you need a vCISO. You Google it. You find a lot of marketing and very little about what they actually do on a Tuesday morning.

Here is what a fractional vCISO engagement looks like in practice, month by month, for a SaaS startup with 30 to 50 people.

Month 1: Understand Where You Stand

The first month is about assessment and planning. No one can fix what they have not mapped.

What gets delivered:

  • Security assessment. A review of your current security posture across application, infrastructure, and processes. Not a pentest. A structured evaluation of what exists, what is missing, and what is broken.
  • Risk register. A prioritized list of security risks specific to your business. Not a generic checklist. Risks tied to your tech stack, your customer contracts, your data flows.
  • Policy gap analysis. Which policies exist, which are missing, which exist but nobody follows. Access control, incident response, data handling, acceptable use, vendor management.
  • Compliance roadmap. If you need SOC 2 or ISO 27001, here is what it takes, how long, and in what order. If you do not need it yet, here is what triggers the need.

By the end of month 1, you have a clear picture and a prioritized plan. Your CTO stops guessing about where the gaps are.

Months 2 to 3: Build the Foundation

With the assessment done, months 2 and 3 focus on closing the most critical gaps.

What gets delivered:

  • Vendor security reviews. Every SaaS tool your team uses gets evaluated. Who has access to your data? What are their security certifications? Are their terms acceptable? This matters because your security posture includes your vendors.
  • Security architecture guidance. Review of your cloud setup, IAM policies, network segmentation, data encryption. Not rebuilding your infrastructure. Identifying where the config is wrong and advising your engineering team on fixes.
  • Employee security training. Practical, role-specific training. Developers learn about secure coding. Everyone learns about phishing and credential hygiene. Not a generic 45-minute video they click through.
  • Incident response plan. A documented plan for what happens when something goes wrong. Who gets notified, what gets contained, how you communicate with customers, and how you comply with CERT-In’s 6-hour reporting requirement.
  • Policy creation. The missing policies from month 1 get written. Not 40-page documents nobody reads. Practical, enforceable policies your team can actually follow.

Ongoing: Keep the Machine Running

After the first quarter, the vCISO shifts to maintenance and support. This is where the real value compounds.

  • Security questionnaire responses. Enterprise prospects send 50- to 100-question security questionnaires. Your vCISO fills them out because they have done hundreds before. Deals move faster.
  • Board and investor updates. Quarterly security status reports for your board. During fundraising, security due diligence answers are ready before the investor asks.
  • Compliance maintenance. SOC 2 and ISO 27001 are not one-time certifications. Evidence needs collecting, controls need monitoring, and someone needs to liaise with auditors. Your vCISO owns this.
  • Vulnerability management oversight. Reviewing scan results, prioritizing what needs fixing, tracking remediation with your engineering team. Not running the scanners. Making sure the findings get acted on.
  • Security decisions. New feature launches, new integrations, new vendors, new markets. Your vCISO weighs in on the security implications before you commit, not after.

What a Fractional vCISO Does Not Do

Setting expectations matters. Here is what falls outside the role:

  • Hands-on-keyboard pentesting. A vCISO is a strategist and advisor. Penetration testing is a separate engagement with a dedicated team. See our pentest plans.
  • Full-time availability. A fractional vCISO works 4 to 8 hours per week with your startup. They are not attending every standup or Slack thread in real time.
  • Building your security tools. They will recommend what tools to buy and how to configure them. They will not build custom SIEM integrations or write detection rules. That is an engineer’s job.
  • Replacing your CTO on security. The vCISO works with your CTO, not instead of them. Your CTO stays in the loop and retains ownership. The vCISO provides the expertise and bandwidth your CTO does not have.

Cost Comparison: Fractional vs Full-Time

                     Fractional vCISO             Full-Time CISO
Annual cost          INR 7 to 31 lakh             INR 40 to 80 lakh + benefits
Monthly cost         INR 60,000 to 2,60,000       INR 3.3 to 6.7 lakh
Time to start        1 week                       2 to 4 months hiring
Commitment           3-month minimum              12 months practically
Coverage             Multiple specialists         1 person, 1 skill set
Risk if wrong fit    Walk away after 3 months     6 to 12 months wasted + severance

For a startup spending INR 15 to 30 lakh per month in burn, a full-time CISO at INR 5 lakh per month is a significant allocation. A fractional vCISO at INR 60,000 to 2,60,000 per month gives you the same strategic output at a fraction of the commitment.

For a deeper comparison across AppSec, InfraSec, and GRC roles, read Fractional Security Team vs Hiring a Full-Time CISO.

When to Upgrade From Fractional to Full-Time

The fractional model works for most startups between Seed and Series B. You outgrow it when:

  • 200 plus employees. The volume of security decisions, access reviews, and incident response needs daily attention.
  • Dedicated security budget. You have headcount and tools budget specifically for security, not shared with engineering.
  • Multiple compliance frameworks. Managing SOC 2, ISO 27001, and DPDP Act simultaneously requires someone embedded full-time.
  • Frequent security incidents. If your incident response plan activates monthly instead of quarterly, you need someone on-call every day.

Until then, fractional gives you senior expertise without the overhead. Most of the startups we work with stay fractional through Series B.

How to Start

If your CTO is still handling security and you are not sure what you need, start small.

Security on Demand (INR 9,999) gives you 4 hours with both founders. We assess where you stand, identify the critical gaps, and recommend whether you need a pentest, fractional security, or both. Fully refundable if you do not continue.

Already know you need ongoing security leadership? View fractional security details or talk to us directly.

Frequently Asked Questions

What is a fractional vCISO?

A fractional vCISO is a senior security leader who works with your startup part-time, typically 4 to 8 hours per week. They handle security strategy, compliance, risk management, and vendor security reviews without the cost of a full-time executive hire.

How much does a fractional vCISO cost?

At Cyber Secify, fractional security engagements range from INR 60,000 to 2,60,000 per month depending on the hours and roles needed. A full-time CISO in India costs INR 40 to 80 lakh per year. For a Series A startup, the fractional model is typically 70 to 80 percent cheaper.

When should a startup switch from fractional to full-time CISO?

When you have 200 plus employees, a dedicated security budget, multiple active compliance frameworks (SOC 2 plus ISO 27001 plus DPDP), and security incidents frequent enough to need someone full-time. Most startups between Seed and Series B do not need this.
