You deserve to know what this costs before you pick up the phone.

Most cybersecurity firms treat their pricing like a secret. The logic is the same it's always been: if you have to call to find out what things cost, they control the conversation. Assessment work has real, definable costs based on the size of your environment. Here they are.

Why we publish our pricing (and almost nobody else does)

Search for a cybersecurity firm in any market. Find their website. On nine out of ten of them, the pricing page is a contact form. "Every business is different." "We build custom engagements." "A member of our team will reach out."

You know what that translates to? We'd rather size you up before we give you a number.

You're a business owner with a real budget, comparing real options. You deserve actual numbers before you pick up the phone. So here they are: our rate, our methodology, our prices by environment size, and exactly what you get.

One thing to understand up front: assessment pricing varies by the size of your environment, which is why most firms won't publish it. We will, because the methodology is transparent. Our work is billed at $250 per hour. Every engagement is scoped, priced as a fixed project, and confirmed in writing before any work begins.

Fixed project pricing based on your environment.

Your price is determined by two things: the number of users and the number of sites. We publish the estimated hours and the fixed project price for every configuration. No surprises, no hidden fees, no negotiation.

Environment | Estimated Hours | Project Price
1–10 users, 1 site | 14 hours | $3,500
1–10 users, 2 sites | 18 hours | $4,500
10–20 users, 1 site | 20 hours | $5,000
10–20 users, 2 sites | 24 hours | $6,000
20–50 users, 1 site | 28 hours | $7,000
20–50 users, 2 sites | 34 hours | $8,500
20–50 users, 3+ sites | 40 hours | $10,000
50–100 users, 1 site | 36 hours | $9,000
50–100 users, 2 sites | 44 hours | $11,000
50–100 users, 3+ sites | 52 hours | $13,000

All engagements are scoped and confirmed before work begins. Payment is due at signing. On-site visits are available; travel outside the Greater Pittsburgh Region is billed separately at cost.

This is not a scan with a PDF attached.

A Baseline assessment is a full engagement. Every tier, regardless of size, delivers the same complete set of deliverables.

  • Kickoff and scoping call (1 hour)
  • Automated CIS benchmark scan of all in-scope endpoints
  • Overall security posture score with per-control pass/fail breakdown
  • Executive summary in plain business language (1 to 2 pages)
  • Technical findings report categorized by severity
  • Prioritized remediation roadmap with effort estimates
  • Findings presentation to leadership and IT (1 hour)
  • Insurance-ready evidence package

Remediation add-on

Need the gaps closed, not just identified? We offer remediation as a separate project engagement scoped directly from your assessment findings. Pricing is based on what the findings actually require. Ask us about this during your initial conversation.

Some firms offer free assessments. Understand what you're getting.

Many MSPs offer free security assessments. Those are sales tools. Their goal is to document your environment well enough to build a managed services proposal. The question they're answering is: what can we sell this client?

That is a different product than what we deliver.

A free MSP assessment is not scored against a recognized standard. It has no documented, repeatable methodology. It will not satisfy a cyber insurance carrier, an auditor, or a compliance framework, because it was not designed to. It was designed to close a managed services sale. There is also a structural conflict of interest: the firm assessing your environment profits from finding problems they can sell you a solution to.

Our assessment is independent. We are not selling you a managed services contract on the back of it. The score we produce is built on CIS benchmarks, the same standards your insurance carriers, auditors, and regulators already reference. It answers a different question: how secure are you actually?

That independence is part of what you are paying for.

Advisory work is scoped by engagement, not subscription.

Compliance mapping and advisory services are project-based or retainer engagements. No ongoing subscription is required. You engage us for the work you need, scoped and quoted before we start.

Compliance Mapping

We take your assessment results and map your controls to the framework that applies to your business, producing the evidence package your auditors, insurers, or clients need.

Bundled with assessment: $1,500 to $2,500 per framework
Standalone engagement: $2,500 to $4,500 per framework

Bundled rate applies when compliance mapping follows a Baseline assessment. Standalone rate covers the additional scoping work required without a prior assessment on file.

Frameworks: HIPAA Security Rule, NIST CSF, CMMC Level 1 and 2, PCI-DSS, SOC 2 readiness.

vCISO Advisory

Strategic security leadership without a full-time hire. Security strategy, board reporting, vendor evaluation, policy oversight, and compliance program management.

Hourly advisory: $250/hr, minimum 4 hours
Advisory retainer: $1,000/month (4 hrs/month)
Active retainer: $2,000/month (8 hrs/month)

Retainer hours do not roll over. Additional hours beyond the retainer are billed at $250/hr.

What's not included.

We promised you honest pricing. That means telling you what's extra too.

Penetration testing

A security assessment and a penetration test are different engagements. Our assessment is a non-invasive CIS benchmark scan: it measures how your systems are configured against security standards. A pen test actively attempts to exploit discovered vulnerabilities. If your situation requires a pen test, we will tell you clearly and quote it as a separate engagement.

On-site travel outside the service area

Remote delivery is the default for all assessments and advisory work. On-site visits within the Greater Pittsburgh Region are included when the scope requires them. Travel outside that area is billed at cost plus a day rate, quoted before any travel is confirmed.

Hardware and equipment

We do not procure or mark up hardware. If your remediation roadmap calls for new equipment, you source it directly. We will spec it and guide the decision, but the purchase is yours.

Work outside the defined scope

Assessment deliverables are defined clearly in writing before work begins. Material changes to scope after signing are treated as change orders and quoted separately before any additional work starts.

Pricing questions we hear all the time.

How exactly is the project price determined?

Our work is billed at $250 per hour. The project price is the estimated hours for your environment size multiplied by that rate. Before any work begins, we confirm the scope in a short discovery call, provide a written quote at the fixed project price, and do not start until you have signed. If something about your environment changes the estimate, we tell you before we commit to a number.

What if our environment does not fit neatly into one of the tiers?

The tiers cover the most common configurations. If yours is different, we scope it in a discovery call and quote it based on actual estimated hours. The methodology is the same. The price is tailored to what the work actually requires.

We were offered a free assessment by another firm. Why would we pay for yours?

Free assessments from MSPs are sales tools. They document your environment to build a managed services proposal. They are not scored against a recognized standard, they have no documented methodology, and they will not satisfy a cyber insurance carrier, an auditor, or a compliance framework. They answer the question "what can we sell you?" Our assessment answers the question "how secure are you actually?" and produces evidence that holds up outside of the relationship with us.

Can we add compliance mapping to our assessment?

Yes, and that is the most efficient way to do it. When compliance mapping follows a Baseline assessment, the foundational work is already complete. We map your results to your required framework without starting over. The bundled rate reflects that efficiency.

Do you require a retainer to get started?

No. An assessment is a standalone project. You pay at signing, we do the work, we deliver the report. No ongoing commitment required. Advisory and compliance mapping can also be scoped as one-time projects. The retainer option is available if you want ongoing access, not because it is required.

Why publish your hourly rate when most firms don't?

Because it is the number that determines everything else. If you know the rate and understand the scope, you can verify the math and know whether the price is reasonable. We would rather you come to us informed than discover the rate later and wonder if you were managed.

The numbers are on the table. Let's talk about your environment.

You know what we charge and how we determine it. The next step is a 15-minute conversation about your specific situation: how many users, how many locations, and what you are trying to solve for. We will confirm the scope, give you a fixed quote, and you can decide if it makes sense.
