CISO Blueprint by Threatly

Enterprise Security.
SMB Price.

A structured governance framework — guardrails, geo-residency, privacy controls, and security posture — designed for growing companies without a full security team. Powered by Threatly's Fractional CISO expertise.

Tier 1

Foundations

For early-stage SMBs establishing their first security baseline. Policies, controls, and basic compliance posture.

$149 / month · billed monthly
*Limited time offer
Includes up to 25 users. Additional seats at $4/user/mo.

What's included
  • ✓ Security policy library (15+ templates)
  • ✓ Risk register — starter framework
  • ✓ Data classification tagging (Public / Internal / Confidential)
  • ✓ Acceptable use & BYOD policies
  • ✓ Basic incident response playbook
  • ✓ Vendor risk questionnaire (standard)
  • ✓ Annual review reminders & policy versioning
  • ✗ Geo-residency controls
  • ✗ Regulatory mapping (GDPR, CCPA, etc.)
  • ✗ vCISO advisory hours
Tier 3

Enterprise Shield

For regulated industries or companies with complex supply chains, board-level reporting, and advanced compliance mandates.

Custom
Contact us for pricing
Unlimited users. Custom SLA and onboarding.

Everything in Governance Core, plus:
  • ✓ Custom regulatory mapping (HIPAA, PCI-DSS, ISO 27001)
  • ✓ Dedicated vCISO — 8 hours/month
  • ✓ Board-ready security reporting (quarterly)
  • ✓ Advanced geo-residency — multi-jurisdiction overlays
  • ✓ Penetration test coordination & remediation tracking
  • ✓ Zero-trust architecture blueprint
  • ✓ M&A security due diligence framework
  • ✓ Supplier / third-party audit workflows
  • ✓ Custom policy authoring service
  • ✓ Priority incident response retainer

Modular Add-ons

Extend your plan with targeted capabilities as your risk profile grows.

Geo-Residency Expansion
Add jurisdiction-specific data residency controls for EU, APAC, LATAM or additional regulatory zones beyond your base plan.
$79 / region / month
AI Guardrails Module
Purpose-built policy framework for AI/LLM tool governance — acceptable use, model risk, data leakage controls, and auditability.
$99 / month
Privacy Impact Assessments
On-demand DPIA and PIA assessments for new products, features, or third-party integrations requiring privacy analysis.
$249 / assessment
Compliance Certification Prep
Structured readiness program for SOC 2 Type II, ISO 27001, or HIPAA — gap analysis, evidence collection, and auditor liaison.
$499 / month (3-mo min)
Phishing Simulation +
Continuous monthly phishing and social engineering simulations with per-employee scoring and manager dashboards.
$49 / month
vCISO Hours Block
Purchase additional advisory hours for board prep, investor DD, regulatory engagement, or incident support.
$250 / hour (block of 4)

Built for real regulatory environments. Threatly's CISO Blueprint maps to leading frameworks and regional privacy laws — so your governance posture is defensible, not decorative.

GDPR · CCPA · SOC 2 · ISO 27001 · HIPAA · PCI-DSS · NIST CSF · PDPA

Frequently Asked Questions

Everything you need to know before getting started.

Can I upgrade or downgrade my plan at any time?
Yes. You can move between tiers at any time without losing your policy library, risk register, or audit evidence. Upgrades take effect immediately; downgrades apply at the next billing cycle.
What does "geo-residency controls" actually include?
Geo-residency controls include data flow mapping by jurisdiction, policy templates for cross-border data transfers, SCCs and adequacy decision tracking, and recommendations for storage architecture aligned to regional laws (e.g., EU data staying in EU-based infrastructure).
What are "AI Guardrails" — do I need them?
If your team uses any AI tools (ChatGPT, Claude, Copilot, etc.), you have data leakage and acceptable-use risk. AI Guardrails gives you a formal policy framework, employee guidelines, and auditability controls so you can use AI tools confidently without exposing sensitive business or customer data.
Is there a free trial?
Yes — both Foundations and Governance Core offer a 14-day free trial with full access to the plan's feature set. No credit card required. Enterprise Shield trials are structured as a scoped onboarding engagement — contact us to arrange.
What payment methods are accepted?
We accept all major credit cards, ACH transfers, and wire transfers for annual enterprise agreements. Invoicing is available for plans over $500/month. All payments are processed securely through Stripe.
How does the vCISO advisory work?
vCISO hours are scheduled sessions with a senior Threatly security advisor — not a ticketing queue. Sessions can be used for board prep, investor due diligence, regulatory engagement, policy reviews, or incident response. Hours do not roll over but can be topped up via the vCISO Hours Block add-on.
Can I cancel my subscription at any time?
Yes. Cancel anytime and your account remains active through the end of the billing period. Your policy library and audit evidence packs are exportable in full — you own your data.
How does the risk-free assessment work?
Our complimentary security posture assessment includes a 30-minute discovery call, an evaluation of your current posture across key domains, and a prioritized findings report with recommendations. No commitment to purchase — it helps you understand where you stand.