Varcoe.ai

Pricing

Real numbers, on the public site.

Most cybersecurity firms hide pricing behind “request a quote.” That wastes both sides’ time. The numbers below are what we actually charge, with the math behind them. The $500K floor is the filter — it lets cost-shoppers self-select out before the first call so the conversations we have are with serious buyers.

Engagement floor: $500K
Typical: $1M-$3M
Cap: 4-6 new partners / quarter

Partnership envelope

One contract. Stated openly.

Floor

$500K

per year

Typical

$1M-$3M

per year, multi-year

Quarterly cap

4-6

max new partnerships, to keep bench senior

What scales the number from $500K toward $3M: environment size (50 vs. 500 vs. 2,000 endpoints), regulated-industry compliance load (one framework vs. five running in parallel), AI footprint (zero vs. 20 production AI features needing red-team + governance), federal/world-government certifications, and IR retainer hour-bank size.

What does NOT scale the number: vendor licensing markup, helpdesk per-ticket fees, “urgent” surcharges. The partnership is a flat annual envelope. Carriers, broker fees, and pass-through licensing are billed at cost with the invoice attached.

Stand-alone service pricing

Before the partnership. After the partnership.

Inside the partnership envelope, every service below is bundled. Outside the envelope, each is priced individually. Numbers reflect Varcoe rates against the boutique-luxury upper-quartile band, not commodity SMB MSP rates.

Modernization Partnership (full)

$500K - $3M

per year, multi-year typical

MSP + MSSP + AI + Compliance + Offensive under one envelope. One contract, one accountable principal. Six-month minimum, multi-year typical. Engagements scale up from the floor based on environment size, complexity, and practice mix.

Modernization Diagnostic

$50K - $150K

fixed-fee, 4-8 weeks

Audit of IT, security, and AI posture. Roadmap, gap report, prioritized investments. Often the entry point that becomes a partnership.

Partial Transformation (custom scope)

$25K - $500K

diagnostic-first, fixed-fee on scoped intervention

For partners already mid-modernization. Pick up only the layers you need, coexist with incumbents, fixed-fee on the targeted intervention. Diagnostic-first ($25K-$60K, 3-6 weeks) before SOW.

Managed IT (stand-alone)

$30K - $120K

per month, depending on environment size

Mid-market reference math: 100 seats × $310/seat × 12 = $370K/yr. 200 seats = $744K/yr. 500 seats = $1.95M/yr. Premium boutique tier ($300-$400/seat) reflects senior-only staffing, in-house SOC, on-call CISO time — not margin.

Managed Security (MSSP) — stand-alone

$25K - $100K

per month, programmatic with per-endpoint volume add-ons at $15-$25/endpoint/mo for high counts

24/7 SOC, MDR, detection engineering, threat hunting, IR retainer, vCISO. Senior practitioners on every alert. Containment authority pre-negotiated.

AI Modernization Sprint

$250K

fixed-fee, 90 days

AI strategy + threat model + governance framework + one red team + eval suite + runtime guardrails + executive training.

AI Consulting (stand-alone)

$30K - $1M+

scoped per engagement; full transformation programs $250K-$1M+

AI product development, ISO 42001 implementation, NIST AI RMF, AI red team, AI risk assessment. Senior fractional retainers $5K-$15K/mo; comprehensive partnerships $15K-$50K/mo.

vCISO + Governance

$3K - $25K

per month retainer

$3K-$12K/mo for mid-market (100-500 employees); $10K-$25K/mo for compliance-heavy or board-reporting clients. Senior leaders, $200-$300+/hr equivalent. Bundled inside the partnership.

Cyber Insurance Services

$3K - $10K

per month stand-alone (bundled inside partnership)

Carrier-coordinated underwriting, continuous evidence package, policy-aligned MDR, renewal support, breach-counsel network. Coalition / Beazley / Chubb / Resilience / AT-Bay / AIG / Travelers / Munich Re / AXA XL / CFC. Underwriting-call participation also available ad-hoc at $5K fixed-fee per call.

Incident Response Retainer

$500 - $700

per hour, declared incidents; pre-paid hour bank with annual replenishment

48-hour engagement start. Insurance-carrier-accepted (AIG, Beazley, Coalition, Resilience, Travelers, Chubb, Munich Re, Hartford). Ransomware-, BEC-, insider-, cloud-IR ready. Counsel-coordinated.

Compliance — Stand-alone Framework Programs

$75K - $300K

fixed-fee depending on environment size + framework count

HIPAA, SOC 2, CMMC 2.0 (L1-L3), NIST 800-171, ITAR, ISO 27001, ISO 42001, FedRAMP. SOC 2 + ISO 27001 share 80% of evidence — run them in parallel. ISO 42001 + NIST AI RMF + EU AI Act share 70%.

Penetration Testing (stand-alone)

$15K - $80K

per engagement, scope-dependent

OSCP-led manual. Web, network, cloud, API, mobile. Free retest. Court-admissible reporting. Quarterly external + annual full-scope cadence inside the partnership.

Red Team Engagement

$60K - $250K

per engagement, MITRE ATT&CK-aligned

Adversary simulation, purple-team coordination available, assumed-breach assessments. Findings convert to permanent detections in the MSSP layer.

Per-vertical spend benchmarks

What does mid-market actually spend? By industry.

Calibration data, sourced from IBM Cost of a Data Breach 2025, IANS Research, Deloitte FinServ Cyber, Altss family-office registry, ABA TechReport, and equivalent industry surveys.

Healthcare + Life Sciences

Avg. healthcare firm: 7% of IT budget on security yet $7.42M average breach cost (IBM 2025). The largest spend-to-loss gap in any regulated industry.

Financial Services + Fintech

Mid-market FinServ: $2,700-$3,500 per employee per year on cybersecurity — twice the cross-industry baseline. 55-60% goes to managed services (Deloitte 2025).

Family Office + UHNW

Serious single-family offices: $200K-$500K/year on cybersecurity. 245 verified Florida SFOs (Altss Q1 2025). Naples leads FL in millionaire density.

Defense Industrial Base (CMMC L2)

$138K-$500K Year 1 for CMMC L2 readiness + $50K-$100K/year sustainment. Only 0.5% of 80,000 contractors certified; Phase 2 deadline 10 Nov 2026.

Professional Services (law + accounting + consulting)

Mid-law: $1,500-$3,000 per attorney per year on cybersecurity. 29% of law firms breached in last 12 months. Only 40% carry cyber insurance.

Government modernization pricing

Five-Eyes & EU. Quoted in local currency.

90-day gap + 6-month remediation package per geo. Direct-sell to UK / Canada / Australia governments + their defence contractors. EU is positioned as readiness for US firms with EU subsidiaries (NIS2, DORA, EU AI Act) — we don’t sell direct to EU governments without a local partner.

United Kingdom

£135-165K (~$170-210K)

CSM v4 / G-Cloud 15 / Cyber Essentials Plus readiness, 90-day gap + 6-month remediation. Priced ~10% above UK boutique midpoint to reflect senior-only delivery.

Canada

CAD 175-220K (~$130-160K)

CPCSC Level 1 readiness / ITSG-33 SSP. At parity with local boutiques. Five Eyes reciprocity — CMMC playbook converts with light translation.

Australia

AUD 220-280K (~$145-185K)

Essential 8 ML2 / PSPF readiness. Priced near US senior rates (not undercut). IRAP assessment itself is residency-gated and partnered out.

European Union (US firms with EU subs)

$140-180K NIS2 / $220-320K DORA

Billed and delivered US-side. EU AI Act high-risk Annex III conformity Aug 2 2026 deadline (€35M / 7%-of-turnover penalties).

FAQ

What buyers ask. Answered straight.

Why publish pricing when most competitors hide it?

Buyers complain about pricing opacity far more than pricing magnitude. Hiding numbers wastes both sides' time. The $500K floor is a filter — it lets cost-shoppers self-select out before the first call so we have substantive conversations with serious buyers.

What does $500K-$3M actually buy?

One contract covering MSP + MSSP + AI + Compliance + Offensive. Senior practitioners on every layer, named accountable principal, 24/7 SOC, IR retainer, vCISO time, compliance evidence collection across SOC 2 / HIPAA / CMMC / ISO 27001 / ISO 42001 / FedRAMP, AI red-team, quarterly pentests. Stated openly because the work is the point.

Why is the floor $500K instead of per-seat pricing?

Below ~$500K we can't fund senior-only staffing across all five practice areas. Per-seat MSP at $310/user/mo lands a 200-seat company at ~$744K/yr — the floor lines up with the math, not aspiration. Smaller engagements are scoped (Diagnostic, AI Sprint, Cyber Sprint, Partial Transformation) without the partnership envelope.

What about partial transformations?

If you're already mid-modernization — MSP fine but security thin, cloud done but identity isn't — we pick up where you are. Diagnostic-first ($25K-$60K, 3-6 weeks), then fixed-fee on the scoped intervention. No annual minimum on partials. Convert to full partnership only if both sides want it.

How is this different from McKinsey QuantumBlack or BCG X?

QuantumBlack starts at ~$500K and BCG X runs $300K-$5M, but both cap at strategy + pilots. We ship production code, run the IT, monitor the SOC, run the red team, and operate the compliance program — under one contract, with the senior name on the proposal also doing the work.

How does this compare to Big-4 (Deloitte/PwC/EY/KPMG/Accenture)?

Big-4 is junior-pyramid delivery despite the senior name on the proposal, audit conflicts where the same firm audits you, and 12-month sales cycles. Our delivery is 2-12 weeks first value vs. 6-18 months. No audit conflict. No cross-sell pressure. Two-call scope.

Are the prices fixed or T&M?

Mostly hourly with optional fixed-fee on specific tracks (Diagnostics, Sprints, Compliance programs). The partnership envelope itself is an annual retainer, not per-hour. We do not claim a default 'fixed-price' posture because most modernization work has variable scope by nature.

What's actually included in the IR retainer?

Pre-paid hour bank, replenished annually. Declared-incident hourly $500-$700/hr for senior IR — within market band, paid by carriers as readily as Mandiant or Kroll. 48-hour engagement start. Counsel-coordinated. Insurance-accepted with AIG, Beazley, Coalition, Resilience, Travelers, Chubb, Munich Re, Hartford.

Why don't you publish per-seat / per-endpoint MSSP pricing?

Per-endpoint pricing optimizes for endpoint-count, not security outcome. Boutique MSSPs with senior-only analyst staffing and lower client-per-analyst ratios price programmatically — typically $25K-$100K/month with per-endpoint add-ons at the $15-$25 band on high counts. The reference math is on the page; ask for the proposal-specific number on the call.

How does cyber insurance pricing fit in?

We aren't a licensed insurance producer — we're the technical/operational layer alongside your broker. Stand-alone Cyber-Insurance Liaison program $3K-$10K/month. Underwriting-call participation $5K fixed-fee per call. Bundled inside the MSSP partnership at no separate line item. Sub-limits matter more than premium — most disappointing claims aren't denied, they're sub-limited.

See if the math works on your environment.

Thirty minutes with Quinn. Walk through your seat count, regulated workload, AI footprint, and IR posture — we’ll quote the partnership envelope back to you on the call.

Schedule a call

Trusted by partners across the practice

DAS Health
Exhibit A Cyber
Ally
KIRO Group
Black Mirage
Kalles Group
Gridware
CQR
Archstone Security
Cyvergence
Sentinel Cyber
Cloud Underground
Seron Security
Hexen
Koru Risk Management

Reviews

From the senior people who’ve worked alongside Quinn.

The named companies beside each reviewer are their employers — not Varcoe partnerships. Each quote is a professional reference from someone who’s shipped work alongside Quinn directly.

The partnership model isn't marketing language with Quinn — it's how she actually works. Senior judgment, single accountable contact, and the rigor to integrate across IT, security, and AI under one roof.

Aaron Birnbaum

Managing Partner

Seron Security
Quinnlan brings more than expertise — she brings strategic alignment. The ability to scale operations without sacrificing depth is exactly what serious organizations need from a modernization partner.

Caroline Lombard

Threat Specialist

AWS
I've worked with Quinnlan on incidents most teams couldn't navigate — Log4j among them. The technical depth and the calm under fire are real, and they're rare.

Justin Cox

Senior AWS Security Analyst

PayPal
One of the most seamless collaborations I've had in this industry. Composure under pressure, technical precision, and the kind of credibility that compounds — exactly the senior bench a modernization partnership needs.

Soufiane Jihadi

Senior Incident Response Consultant

Deloitte

Original references collected on the legacy Varcoe site · LinkedIn endorsements available on request