vCISO Retainer  •  Board-Level Cyber Leadership • Policy Governance • Audit Representation

Most Texas mid-market companies can't justify a full-time CISO. They still need one.

A full-time CISO costs $250K–$400K all-in. That's before benefits, equity, and the 90-day ramp before they've read a single policy. CoreRecon's vCISO retainer gives you board-level cyber leadership, audit-grade policy work, and executive risk translation — at a fraction of the cost, available in two weeks.

Book a 30-min vCISO scoping call → See retainer pricing →
Full-time CISO: $250K–$400K/yr all-in. 90-day onboard. One person. CoreRecon vCISO: $48K–$144K/yr. Live in 2 weeks. The entire CoreRecon SOC and analyst bench behind them.
Who It's For

Three buyer types. All need a CISO. None need a $300K hire.

The vCISO retainer is purpose-built for organizations where cyber risk has become a board-level issue — but headcount isn't the right answer.

Defense Contractors Pursuing CMMC
CMMC Level 2 requires a documented security program, a System Security Plan, and someone with accountability for its implementation. A C3PAO assessor will ask who owns the program. CoreRecon's vCISO serves as your CISO of record for CMMC — signing the SSP, managing the POA&M, and representing your organization in the assessment. John Martinez holds the CMMC Registered Practitioner (RP) credential.
Law Firms & Healthcare with Privileged Data
Texas Bar Ethics Opinion 712 requires competent data governance. HIPAA requires a designated Security Officer. OCR audits and ransomware exfil-and-leak events have made documented information security programs mandatory — not optional. Our vCISO can be designated as your HIPAA Security Officer, drafting and owning the written WISP and policy library that regulators expect to see.
Mid-Market Post-Acquisition or Pre-IPO
M&A diligence teams and IPO counsel now run cyber risk assessments as standard procedure. PE-backed companies, platform acquisitions, and Series B+ companies facing SEC Reg S-K Item 106 disclosures need a CISO who can translate security posture into board language, manage cyber insurance renewal, and sit in the data room. Our vCISO has done all three — and we've represented clients through acquisition close.
What's Included

Eight deliverables. All vCISO tiers. None optional.

Every CoreRecon vCISO engagement — Advisor through Command — includes these eight deliverables as the baseline. Tier determines depth and cadence.

01. Board Cyber Risk Briefings
Quarterly executive briefings translating technical risk into board language — threat landscape, current posture score, open risks, and regulatory exposure. Written and presented by your vCISO, not a slide deck from a vendor portal.
02. WISP Authorship & Maintenance
A Written Information Security Program (WISP) is required by IRS Publication 1075, FTC Safeguards, HIPAA, CMMC, and Texas §521. We author the initial WISP and maintain it as a living document — updated when regulations change, controls change, or an incident reveals a gap.
03. Policy Library Maintenance
Access control policy, acceptable use, vendor management, incident response, data classification, change management — all maintained as versioned, date-controlled documents. Auditors ask for these on day one. They exist, they're current, and they reflect your actual operations.
04. Vendor Risk Reviews
Third-party vendors are the leading breach vector for mid-market organizations. We conduct security reviews of new and critical existing vendors — SOC 2 review, questionnaire assessment, contract security clause review — so your supply chain risk doesn't become your headline.
05. M&A Cyber Diligence
Buyers need to know what they're inheriting. Sellers need to know what's in the data room. CoreRecon conducts pre-LOI and post-LOI cyber diligence assessments — evaluating the target's security program, control posture, and pending regulatory exposure. Available as a Command tier deliverable or standalone engagement.
06. Cyber Insurance Renewal Support
Carrier underwriting has gotten harder. Coalition, At-Bay, Travelers, and Beazley all require documented control evidence. Your vCISO prepares the application, responds to carrier questionnaires, and coordinates the evidence package — the same evidence we maintain year-round in your policy library.
07. Incident Communications Lead
When a breach happens, the first 12 hours determine your liability exposure. Your vCISO leads incident communications — executive brief, customer holding statement, regulator notification — and coordinates with outside counsel. Included in all tiers. No additional retainer. Available after hours.
08. Regulator & Auditor Liaison
OCR investigation. CJIS audit. NCUA examiner. C3PAO assessment. SEC inquiry. Your vCISO represents your security program directly to regulators and auditors — answering questions, producing documentation, and managing the process so your legal and executive teams aren't blindsided by technical questions.
Retainer Pricing

Three tiers. One vCISO. All include after-hours incident lead.

No annual contract required. Engagements run month-to-month. Most clients start at Advisor and scale to Embedded within 90 days once they see what's possible. Command is for organizations with active audit, regulatory, or M&A timelines.

vCISO Advisor
$4,000 / month
8 hours / month
  • Quarterly board cyber risk briefing (written + presented)
  • Policy library access — review existing policies, flag gaps
  • Annual WISP review & update
  • Vendor risk review — up to 2 per quarter
  • Cyber insurance renewal support
  • After-hours incident communications lead
  • Email & async support between sessions
After-hours incident communications lead is included in all tiers. This is not a phone tree — it's your vCISO personally leading the first 12-hour breach response. When the call comes in at 2am, John Martinez picks up. That's not a guarantee most $300K FTE CISOs can make either.
vCISO vs. Full-Time CISO

The math most boards don't run until it's too late.

A full-time CISO sounds like the responsible choice. Here's what the comparison actually looks like on the five dimensions that matter.

Loaded Annual Cost
  CoreRecon vCISO: $48K–$144K/yr (Advisor to Command retainer). No benefits, equity, PTO, recruiting, or severance.
  Full-Time CISO (FTE): $250K–$400K/yr all-in. Base salary ($175K–$280K) + benefits (30%) + equity + recruiting ($30K–$60K) + ramp cost. Texas CISO market is tight — good luck in 90 days.

Time to Onboard
  CoreRecon vCISO: 2 weeks. First board briefing within 30 days. WISP draft within 60 days.
  Full-Time CISO (FTE): 90+ days to hire. 30–60 days to onboard. First deliverable typically at 6 months. CMMC or audit deadlines don't pause for that timeline.

Bench Depth
  CoreRecon vCISO: Your vCISO is backed by the entire CoreRecon SOC — analysts, threat hunters, incident responders, compliance specialists. One person in your org, a full team behind them.
  Full-Time CISO (FTE): One person. When they're on PTO, sick, or exit, your security program stops. No bench. No redundancy. High bus factor.

Bus Factor
  CoreRecon vCISO: Zero. CoreRecon is institutionally accountable. Your security program doesn't depend on one employee's decision to stay.
  Full-Time CISO (FTE): One. FTE CISOs have the highest turnover in tech leadership — average tenure under 3 years. Your program leaves with them.

Regulatory Breadth
  CoreRecon vCISO: CMMC RP-credentialed. HIPAA Security Officer designation available. Working knowledge of NCUA, FTC Safeguards, TX HB 300, CJIS, SEC Reg S-K, ITAR. Multi-framework coverage in one retainer.
  Full-Time CISO (FTE): Depends entirely on the individual's background. CMMC expertise costs more. Healthcare + defense dual expertise is rare. You hire one person's knowledge.
USMC Veteran  •  CMMC RP  •  23+ Yrs Ops  •  Texas-Based
Who Delivers It
John Martinez
Founder & Virtual CISO — CoreRecon

John Martinez is a United States Marine Corps veteran with 23+ years in MSP and MSSP operations. He built and ran security programs for defense contractors, Texas municipalities, healthcare organizations, and oil & gas operators before founding CoreRecon.

He holds the CMMC Registered Practitioner (RP) credential and has served as CISO of record for organizations preparing for C3PAO assessment. He has represented clients in OCR investigations, NCUA examinations, and post-breach legal proceedings. He has conducted cyber diligence for both buy-side and sell-side M&A transactions.

When you engage CoreRecon's vCISO retainer, you work with John directly — not a junior consultant assigned after the sales call. He attends your board meetings. He fields your regulator's questions. He picks up the phone at 2am when the breach call comes in.

"Every MSSP can sell you a dashboard. Very few can sit in a C3PAO assessment and defend your SSP line by line. That's what the vCISO retainer is for — being the person in the room who actually owns it." — John Martinez, Founder, CoreRecon
Run the Numbers First

See the 3-year math before you schedule the call.

Full-time CISO loaded cost (base + benefits + recruiter + tools) vs. CoreRecon retainer. IBM CODB breach model. Compliance penalty exposure. 3-year TCO chart. Tier recommendation. Free, instant, no demo required.


Frequently Asked Questions

What executives and GCs actually ask before signing.

Yes. CoreRecon's vCISO can serve as your designated CISO of record for CMMC Level 2 purposes — signing the System Security Plan (SSP), managing your POA&M, and representing your security program to a C3PAO assessor.

John Martinez holds the CMMC Registered Practitioner (RP) credential required to support CMMC assessment preparation. Our vCISO Embedded and Command tiers include full SSP ownership, POA&M management, and the C3PAO readiness documentation package.

Yes. CoreRecon's vCISO can be formally designated as your HIPAA Security Officer, responsible for implementing and maintaining the Security Rule safeguard program. This includes conducting annual risk analyses, managing the sanction policy, and representing your organization in OCR communications.

We draft and maintain the required written policies and procedures under our Embedded and Command tiers. OCR expects to see a named Security Officer with documented program ownership — we provide exactly that, and we maintain the artifact trail that survives a Phase 2 audit.

No. The vCISO is a strategic and governance function — not a replacement for your IT team or managed IT provider. We operate at the executive level: setting policy, managing risk, reporting to your board, and interfacing with auditors and regulators.

Your IT team handles day-to-day infrastructure. The vCISO ensures their work is governed by a documented security program that satisfies regulators, insurers, and auditors. Most engagements run alongside an existing IT MSP without conflict — we often improve the working relationship by clarifying what security requires vs. what IT owns.

This is more common than you'd think. We frequently serve as a senior advisor to an existing security lead who needs board communication support, policy expertise, or fractional capacity for an M&A diligence engagement or audit cycle.

In these cases, we structure the engagement as a named advisory retainer rather than a vCISO of record arrangement. The vCISO Advisor tier ($4K/mo, 8 hrs/mo) is purpose-built for this — your CISO gets CoreRecon bench depth and CMMC RP-credentialed backup without an org chart conflict.

Multi-state operations are standard for our vCISO practice. We maintain working knowledge of Texas-specific frameworks (TX HB 300, TX §521, TCEQ) alongside federal and cross-state obligations (HIPAA, GLBA, CMMC, NIST CSF, FTC Safeguards).

For multi-entity structures — holding companies, PE portfolio firms, affiliated practices — we scope the engagement to cover the security program at the parent level with documented entity-level extensions. We've run security programs across up to six affiliated entities under a single Command retainer without requiring separate engagements for each entity.

Yes. John Martinez is available for testimony, expert witness preparation, and legal support in breach-related proceedings — available under the Command tier or as a separate retained engagement in coordination with outside counsel.

Our vCISO retainer includes incident communications lead for all tiers — meaning we draft the executive brief, customer holding statement, and regulator notification at the time of the incident, not after your outside counsel instructs you to.

Having documented pre-incident security program artifacts (WISP, risk assessments, training records, policy versions) from an active vCISO retainer is the single most important factor in limiting liability exposure in breach litigation. We maintain those artifacts as a core deliverable of every engagement. When your attorney asks "what did you have in place before the breach?" the answer is a binder, not a shrug.
