One Platform for Every Client’s Security Program
Phishing simulation, continuous attack-surface monitoring, and board-ready compliance reports — across every client on your retainer, under your brand, on billing you can price into a fixed fee.
Built for the way vCISOs actually work
A virtual CISO carries the security program for ten, twenty, or more client organizations at once — on retainer, as an embedded ongoing advisor rather than a one-time assessor. That is a different shape of work than either an internal security team or a point-in-time pen-test firm. You need consolidated visibility across every client for your own quarterly reviews, you bill per deliverable so cost predictability is non-negotiable, and you have to present tooling ROI to each client’s board separately, through each client’s procurement.
HailBytes covers exactly this: multi-tenant isolation so each client’s data stays separate, white-label reports you present as your own deliverables, and per-vCPU/hour Marketplace billing that lets you fold SAT and ASM into a fixed retainer without usage surprises. Two products, one operating model, the whole client book.
Why vCISOs run HailBytes SAT and ASM
Multi-client management
One ASM instance carries unlimited Projects with per-client RBAC and isolated scan results, so each client’s findings, assets, and history stay walled off from the rest of your book. SAT runs a clean tenant boundary per client the same way. You manage the whole portfolio from one place without ever mixing one client’s data into another’s report.
Board-ready outputs
White-label compliance PDF reports per framework — SOC 2, NIST CSF, PCI DSS, HIPAA, and more — that you can hand a client’s board or auditor directly. The evidence is generated per client, ready for each client’s quarterly review, so your reporting cycle scales with the retainer instead of becoming a manual document-assembly job.
Predictable billing
Per-vCPU/hour Marketplace billing means you can price SAT and ASM deliverables into your retainer without usage spikes. Cost tracks the instance you size, not seats or assets, so the number you quote a client at signing is the number you carry all year — the cost predictability a fixed-fee retainer depends on.
Phishing + recon as a package
Combined SAT and ASM give you a complete “security program in a box” you can deploy per client: awareness training and phishing simulation on one side, continuous external attack-surface monitoring on the other. The two deliverables most retainers are built around, from a single vendor relationship.
White-label branding
SAT supports white-label branding and ASM generates branded PDF reports — so every artifact a client sees can carry your firm’s identity, not a third-party vendor’s. You present these as your own deliverables, which is exactly what an embedded advisory relationship is supposed to look like.
Whose cloud account does each instance run in?
Both models work, and the choice is usually driven by the client’s data-sovereignty and billing preferences:
- Your account. You deploy every client instance in your own AWS or Azure account, manage the Marketplace bill centrally, and recover the cost through retainer pricing. Each client’s data stays isolated by the per-client tenant boundary (SAT) or Project (ASM). Simplest to operate — one billing relationship, central upgrades.
- The client’s account. Each client subscribes through their own Marketplace account, so billing lands on their invoice and counts toward their AWS EDP / Azure MACC commit, and data residency is unambiguous. You manage the instance through access the client delegates to you.
The MSSP resources page covers the single-instance, HA, and auto-scaling topology options in more detail if you’re standing up a larger book.
What this costs across your client book
Each client runs on its own 2 vCPU instance at ~$350/month (~$4,200/year) for SAT, regardless of that client’s headcount — the per-vCPU Marketplace meter doesn’t scale with seats. That makes the book-wide math a straight multiplication you can fold into a fixed retainer:
| Client book (2 vCPU each) | Platform cost / year | Per client / month |
|---|---|---|
| 5 clients | ~$21,000 | ~$350 |
| 10 clients | ~$42,000 | ~$350 |
| 20 clients | ~$84,000 | ~$350 |
This is the platform cost — the retainer fee you set on top is yours to price. Adding ASM (a shared instance carrying one Project per client) layers on roughly ~$700–$1,400/month across the whole book, not per client. Full sizing guidance, including a vCISO-specific table, is on the pricing page.
Going deeper
vCISO practices use HailBytes in two distinct ways, and the right next step depends on yours:
- Running it as your own tooling for the clients you advise — the pricing page covers the per-client platform cost you fold into your retainer, and the PoC process page documents how to scope a combined SAT + ASM evaluation.
- Reselling the platform to clients under your own brand — the MSSP resources and partner resell pages cover the white-label resale mechanics, multi-year discount tiers, and per-client cost attribution.
vCISO FAQ
Can a vCISO run both phishing simulation and attack surface management from one platform?
Yes. HailBytes SAT delivers phishing simulation and security awareness training; HailBytes ASM delivers continuous external attack-surface monitoring. Together they cover the two recurring deliverables most vCISO retainers are built around — awareness training and exposure management — and both run per client with isolated data and white-label reporting under your firm’s brand.
How do vCISOs price HailBytes into a fixed retainer?
Both products bill on AWS or Azure Marketplace per vCPU-hour rather than per seat, so cost tracks infrastructure, not headcount. A vCISO sizes one instance per client (or one ASM instance carrying multiple client Projects), knows the monthly cost in advance, and prices SAT and ASM deliverables into the retainer without usage spikes blowing up the margin.
Can vCISOs present HailBytes reports as their own deliverables?
Yes. SAT supports white-label branding and ASM generates branded PDF and compliance reports (SOC 2, NIST CSF, PCI DSS, HIPAA, and more). A vCISO can hand each client board-ready evidence under the vCISO firm’s own brand, separately per client, for each client’s quarterly review and procurement process. HailBytes’ own platform compliance posture is documented in the Trust Center.
Free Worksheet: vCISO Tooling & Retainer Pricing
Model per-client platform cost, choose a retainer structure, and protect your margin when tooling is part of the deal. Instant access.
Talk Through Your Client Book
Every vCISO practice is shaped differently — client count, frameworks in play, and how you package deliverables. A solutions engineer can map SAT and ASM to your retainer model before you stand up the first client instance.