How many days a week?

1, 2 or 4 days/week are standard. 1-day plans suit early-stage startups (governance + policy + board reporting). 4-day plans suit mid-market firms in active regulatory cycles or M&A. We don't sell hourly — the engagement is for outcomes, with time committed up-front.

Will the vCISO sit in our office?

Hybrid by default — typically 1 day/week on-site (Mumbai · Bengaluru · Delhi NCR · Dubai · Abu Dhabi) plus remote attendance at all leadership and risk-committee meetings. Fully on-site engagements are available for sensitive sectors.

Does the vCISO own incident response?

Yes — they are your Incident Commander during High / Critical events, work alongside your IT lead, manage breach communications and regulator notifications, and bring in Macksofy DFIR forensics as needed under the same contract.

What happens when we're ready to hire a full-time CISO?

The vCISO supports the search — writes the JD, interviews shortlist, advises on package, then runs a structured 4–8 week handover. Several Macksofy vCISO engagements end in a recruited full-time CISO; that's a success metric, not a churn risk.

₹4–18 L per month depending on day-count and seniority. Quote within 48 hours of a discovery call. 12-month minimum.

Fractional CISO · India + GCC · Board-Ready

Virtual CISO (vCISO)

An experienced CISO embedded in your leadership team on a fractional basis — 1, 2 or 4 days a week. Sets policy, owns risk register, presents to the board, manages regulators, mentors your in-house team and stays accountable to outcomes, not hours billed.

Request a quote See methodology

Download sample pentest report

CERT-In format · anonymised

Engagement at a glance

Quote SLA48 hours
Typical engagement5–15 working days
RetestFree within 30 days
Reporting formatCERT-In + ISO + SOC 2 ready
Team100% in-house · OSCP / OSWE / OSEP

What this actually looks like

A vCISO engagement, in plain language.

A vCISO is not an advisor who emails recommendations. Macksofy vCISOs (15–22 years experience, prior in-house CISO roles at BFSI / fintech / SaaS) join your leadership calendar, attend your board / risk committee meetings, own the security strategy, sign off on the risk register, sit across the table from RBI / SEBI / CERT-In inspectors, and mentor your 2–6 person security team. They report to your CEO or COO, not to us. The model fits start-ups and mid-market firms who need real CISO leadership without the ₹2–4 Cr/yr fully-loaded cost.

Business impact

C-level security leadership at 25–40% of the fully-loaded in-house cost
Board + risk-committee reporting handled by someone who has done it before
Regulator-facing interlocutor (CERT-In · RBI · SEBI · DPDP Authority · DESC / NCA in GCC)
Mentorship pipeline for your in-house engineers (career-ladder, training plan)
Continuity through founder departures, fundraises and M&A diligence

Methodology

Phased delivery — every step documented.

Interactive walkthrough of how we run a vCISO engagement — tap a phase to expand its activities.

Phase 01 of 4

1 · Onboarding (Month 1)

Stakeholder interviews (board, CEO, CTO, CFO, audit, legal, ops)
Asset, vendor and regulator inventory
Current-state risk register + maturity baseline (NIST CSF · ISO 27001)
12-month security strategy + budget draft

Tooling

Industry-standard + custom.

We use the same tooling top BFSI red teams operate — combined with Macksofy in-house extensions and proprietary scripts where commercial tools fall short.

Tools we operate

Macksofy risk-register platformVanta · Drata · Sprinto (compliance automation, if client-licensed)JIRA / Linear (risk-treatment tracking)Confluence / Notion (policy stack)

Industries served

Sectors we operate in

Fintech & PaymentsSaaS & Product CompaniesBanking & Financial ServicesInsurance & InsurTechHealthcare & HealthTechE-commerce & D2CGovernment & PSUSeries-A to Series-D startups

Deliverables

What you get

12-month security strategy + budget signed off by board
Policy stack (10–14 core policies) — drafted or refreshed
Monthly risk-committee meetings chaired
Quarterly board pack (trend chart, top risks, regulator status, hiring plan)
Regulator interlocutor for CERT-In · RBI · SEBI · DPDP · DESC · NCA
Incident command during High / Critical events
Mentorship + interview support for in-house security hires
Annual maturity reassessment (NIST CSF + ISO 27001)

Case studies

Anonymized engagement snapshots.

Series-C Fintech (Bengaluru)

Scope · vCISO 2 days/week for 14 months

Finding: Built security from 1-person to 4-person team; passed SOC 2 Type 2 and SEBI CSCRF; supported successful Series-D due diligence

Strategic — avoided estimated ₹2.5 Cr/yr full-time CISO cost during pre-IPO scaling phase

Risk severity · Low

LMHC

Listed Insurance MNC (Mumbai BKC)

Scope · vCISO 4 days/week — interim coverage during in-house CISO transition

Finding: Continuity through 7-month CISO transition; chaired IRDAI inspection response; closed 14 of 17 audit observations before handover

Material — zero regulatory observation carried into the new CISO tenure

Risk severity · Medium

LMHC

GCC SaaS (Dubai)

Scope · vCISO 1 day/week + 24×7 IR on-call

Finding: Built UAE PDPL + ISO 27001 program from scratch; passed ISO certification within 9 months of engagement

Strategic — unlocked GCC enterprise sales channel previously blocked on certification gap

Risk severity · Low

LMHC

Retainer-based engagement

Senior CISO leadership, priced for your stage.

vCISO retainers run ₹4–18 L per month depending on day-count, seniority and regulatory footprint. 12-month minimum. Tell us where you are in your security journey and we'll send a scoped proposal within 48 hours.

Book a discovery call Review the methodology

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things people ask before signing.

A senior practitioner. Macksofy vCISOs are 15–22 years experienced, every one of them has held an in-house CISO or Deputy CISO role at a regulated firm. We do not staff this with junior consultants. You meet the named vCISO before contract sign-off.

Related services

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled

Information Security Auditor · India

CERT-In Empanelled
EC-Council ATC · CompTIA Authorized
20,000+ professionals trained
India + UAE engagements

Virtual CISO (vCISO)

A vCISO engagement, in plain language.

Phased delivery — every step documented.

1 · Onboarding (Month 1)

Industry-standard + custom.

Sectors we operate in

What you get

Anonymized engagement snapshots.

Scope · vCISO 2 days/week for 14 months

Scope · vCISO 4 days/week — interim coverage during in-house CISO transition

Scope · vCISO 1 day/week + 24×7 IR on-call

Senior CISO leadership, priced for your stage.

Rated 4.9 ★ from 612 client reviews.

Things people ask before signing.

Often paired with this engagement.

SOC Setup & SIEM Engineering (Wazuh + ELK)

Cyber Threat Intelligence

Managed Security Services (MSSP)

Get a fixed-price proposal in 48 hours.