Multi-tenant by design
Every client is an isolated tenant with its own scans, register, frameworks, evidence, and dashboards — managed from one console.
- One console, a whole book of clients
- Per-tenant data isolation
- Onboard a new client in minutes
For MSPs — vCISO as a managed service
Selling a virtual CISO service used to mean expensive expert hours per client. When MerlinAI, the scanners, and AI mapping do the writing, mapping, and evidence work, one analyst can cover a whole book of clients — a high-value retainer you can deliver without adding headcount.
Built by operators who ran a Security Operations Center for banks and governments — not a template vendor.
Author: Menachem Tauman — Co-Founder & CEO, former CISO, 28 years in IT & cybersecurity. Written to our editorial policy.
Illustrative only — figures are placeholders to show the model, not a Fortress quote or guarantee. Owner to set real pricing and margin numbers.
Protecting 200,000+ assets in production.
Why vCISO becomes profitable
The same platform SMBs run themselves is a revenue line for you. MerlinAI and the scanners absorb the delivery work, so a high-value retainer costs you almost nothing extra to deliver — and your analyst spends their time advising, not assembling.
What you resell
The scanners and AI feed a complete GRC platform — the register, the frameworks, the plan, the report — everything a virtual CISO delivers, in one multi-tenant place. No new hires, no stitched-together tools.
The board-ready view you present on the quarterly review: posture, top exposures, and readiness — ready to hand to the client’s board.
One control set mapped across every major standard for each client. Satisfy one control, advance several frameworks at once.
Turn every client’s open risks into a prioritized work plan — the deliverable a vCISO retainer sells, sequenced by risk reduced per dollar.
Scanner findings land here automatically for each client — scored, owned, and tracked, inherent vs. residual, with a clear treatment status.
Continuous control monitoring collects each client’s proof as it goes, so their audits become an export instead of a fire drill — and a reason they stay.
Get to revenue in three steps
Spin up a tenant, then let Fortress scan their attack surface, cloud, and vendors. Assets, findings, and controls populate on their own — no questionnaire required.
MerlinAI ties every finding to the right controls across NIS2, ISO 27001, SOC 2 and more, drafts the treatment plans, and collects evidence. Your team reviews and confirms.
Present the CISO Dashboard, run treatment plans, and export board reports — on a monthly retainer you invoice like any managed service.
Questions MSPs ask
A new high-margin service line
Turn compliance into a recurring retainer your existing team can deliver. See how one analyst runs GRC and vCISO for a whole book of clients on one multi-tenant platform.