
For MSPs — vCISO as a managed service

Sell vCISO to Every Client.
Let the AI Deliver It.

Resell GRC & vCISO compliance automation for ISO 27001, SOC 2, NIS2 & GDPR — one analyst, many clients.

Selling a virtual CISO service used to mean expensive expert hours per client. When MerlinAI, the scanners, and AI mapping do the writing, mapping, and evidence work, one analyst can cover a whole book of clients — a high-value retainer you can deliver without adding headcount.

Built by operators who ran a Security Operations Center for banks and governments — not a template vendor.

Author: Menachem Tauman — Co-Founder & CEO, former CISO, 28 years in IT & cybersecurity. Written to our editorial policy.

See the Margin Math
One analyst covers many clients · Multi-tenant, isolated per client · Recurring retainer, not one-off projects
Are you an SMB? Do your own compliance with Fortress GRC — no expert needed →

Protecting 200,000+ assets in production.

Runs on the same stack we protect customers with
SentinelOne · Hornetsecurity · DefensX · Acronis · Cloudflare

Why vCISO becomes profitable

One analyst. Many clients. Because the AI carries the load.

The same platform SMBs run themselves is a revenue line for you. MerlinAI and the scanners absorb the delivery work, so a high-value retainer costs you almost nothing extra to deliver — and your analyst spends their time advising, not assembling.

1. The AI absorbs the delivery hours
The busywork that made vCISO expensive — scanning, mapping, drafting, evidence — is automated by MerlinAI and the scanners. Your analyst reviews and advises instead of assembling, so each client takes a fraction of the time and you can serve more of them with the team you already have.

2. A retainer, not a project
Sell an ongoing vCISO subscription — quarterly reviews, live risk posture, board reporting — instead of one-off assessments that end. Multi-tenant means one platform serves every client.

3. Stickier accounts
A client whose compliance evidence, risk register, and audit history live in your platform doesn’t churn. GRC deepens the relationship you already own.

What you resell

A full GRC program, ready to resell

The scanners and AI feed a complete GRC platform — the register, the frameworks, the plan, the report — everything a virtual CISO delivers, in one multi-tenant place. No new hires, no stitched-together tools.

Multi-tenant by design

Every client is an isolated tenant with its own scans, register, frameworks, evidence, and dashboards — managed from one console.

  • One console, a whole book of clients
  • Per-tenant data isolation
  • Onboard a new client in minutes

CISO Dashboard, per client

The board-ready view you present on the quarterly review: posture, top exposures, and readiness — ready to hand to the client’s board.

  • Portfolio inherent vs. residual risk
  • Ranked top exposures with owners
  • Export board & auditor reports

Framework mapping, automated

One control set mapped across every major standard for each client. Satisfy one control, advance several frameworks at once.

  • NIS2, ISO 27001, SOC 2, GDPR, NIST CSF 2.0, PCI-DSS
  • Cross-framework crosswalk — "1 fix = 3 frameworks"
  • Readiness % per certification, live

Treatment Plans to bill against

Turn every client’s open risks into a prioritized work plan — the deliverable a vCISO retainer sells, sequenced by risk reduced per dollar.

  • Auto-drafted from open findings
  • Effort, cost, and expected risk drop per task
  • Assign, deadline, and track to close

Risk Register per tenant

Scanner findings land here automatically for each client — scored, owned, and tracked, inherent vs. residual, with a clear treatment status.

  • Auto-populated from ASM & cloud scans
  • FAIR-based scoring, quantified in dollars
  • Owners, due dates, accept / mitigate / transfer

Evidence & Audit Prep

Continuous control monitoring collects each client’s proof as it goes, so their audits become an export instead of a fire drill — and a reason they stay.

  • Automated evidence collection
  • Assessment questionnaires per framework
  • Audit-ready packet, on demand

Get to revenue in three steps

How you deliver it

1. Scan the client

Spin up a tenant, then let Fortress scan their attack surface, cloud, and vendors. Assets, findings, and controls populate on their own — no questionnaire required.

2. Let the AI map & draft

MerlinAI ties every finding to the right controls across NIS2, ISO 27001, SOC 2 and more, drafts the treatment plans, and collects evidence. Your team reviews and confirms.

3. Deliver & bill vCISO

Present the CISO Dashboard, run treatment plans, and export board reports — on a monthly retainer you invoice like any managed service.

Frameworks supported

Map once. Satisfy many. For every client.

NIS2 · ISO 27001 · SOC 2 · GDPR · NIST CSF 2.0 · PCI-DSS

Also mapped: HIPAA · DORA · CIS Controls · CMMC — one control satisfied advances every framework it touches.

Primary sources: NIS2 · ISO 27001 · SOC 2 · GDPR · NIST CSF 2.0 · PCI-DSS

Vendor risk is in the same register — explore TPRM →

Questions MSPs ask

Frequently asked

Do I need a CISO on staff to offer this?
No. That's the point. Because the scanners and AI do the heavy lifting, your existing team can run the risk register, framework mapping, treatment planning, and board reporting a CISO would produce. One analyst can cover many clients — you deliver the outcomes of a virtual CISO without carrying the salary.
Can I manage multiple clients separately?
Yes. Fortress is multi-tenant by design. Each client gets an isolated tenant with its own scans, risk register, frameworks, evidence, and dashboards — while you manage the whole portfolio from one place.
How does this become a recurring revenue line?
Sell an ongoing vCISO subscription — quarterly reviews, live risk posture, board reporting — instead of one-off assessments that end. MerlinAI and the scanners handle scanning, mapping, drafting, and evidence, so your analyst reviews and advises rather than assembling. Each client takes a fraction of the time, so the retainer costs you almost nothing extra to deliver.
Which frameworks are covered, and does it include vendor risk?
The core six are NIS2, ISO 27001, SOC 2, GDPR, NIST CSF 2.0, and PCI-DSS, with HIPAA, DORA, CIS Controls, and CMMC also mapped — one control satisfied advances every framework it belongs to. Third-party (vendor) risk is part of the same picture: Fortress scans and assesses your client's vendors and lands that risk in the same register, so their own posture and their supply chain sit side by side.
Why do clients stay on the service?
A client whose compliance evidence, risk register, and audit history live in your platform doesn't churn. GRC deepens the relationship you already own, and continuous scanning means there's always fresh posture to review — so the retainer keeps earning.

A new high-margin service line

Add vCISO to your stack. Let the AI deliver it.

Turn compliance into a recurring retainer your existing team can deliver. See how one analyst runs GRC and vCISO for a whole book of clients on one multi-tenant platform.

I run my own compliance →
MerlinAI Compliance Assistant · Multi-tenant vCISO · 6+ Frameworks · Recurring Retainer