In 2021, if you were offering vCISO services as an MSP, you were early. You were charging $8,000 to $15,000 a month for fractional security leadership that your SMB clients couldn’t afford to hire full-time. Your margins were healthy, your differentiation was real, and you were winning deals based on a service category most of your competitors couldn’t even explain.
That window is closing. And most of the MSPs still inside it don’t realize the door is moving.
Here’s the math. Gartner data cited by Cynomi shows vCISO adoption went from 1% in 2021 to 20% by 2022 among SMBs and non-regulated enterprises. That curve has continued. Cynomi’s own 2025 State of the vCISO report found that 27% of MSPs and MSSPs who hadn’t yet launched vCISO services were targeting 2026 as the year they’d enter the market. That cohort didn’t vanish. They’ve been building practices, hiring fractional security talent, and getting their pricing in place. Most of them are going live this quarter.
You’re about to have a lot of competition in a market you thought you had cornered.
The Pattern Plays Out the Same Way Every Time
I’ve watched this happen in managed backup, endpoint protection, and network monitoring. The sequence is predictable.
First, a handful of MSPs figure out a new service category. They charge real money for it because demand outpaces supply and buyers don’t have reference prices. Margins are 60%, 70%, sometimes higher. The early movers make good money and look smart.
Then the tooling catches up. Vendors — in this case, Cynomi, Defendify, Sepio Systems, and a growing list of others — build platforms that make delivering the service 40% faster and 30% cheaper. The barrier to entry drops. Every MSP who was watching from the sideline now has a reason to jump in.
Then comes the pricing pressure. New entrants undercut on price to win their first clients. Buyers, who now have 10 options instead of 2, start shopping. Commoditization doesn’t mean the service disappears — it means the margin does.
What was a 70% margin service becomes a 35% margin service inside 24 months. You’re still doing the same work. You’re getting paid half as much for it.
The Platform Problem
The vCISO commoditization cycle is happening faster than the managed backup version for one reason: the platforms doing the heavy lifting are better than they’ve ever been.
Cynomi’s platform automates the core deliverables of a vCISO engagement — risk assessments, security roadmap generation, compliance gap analysis, client reporting. What used to take a senior security consultant 15 hours now takes 3. That’s a legitimate efficiency gain, and it’s why so many MSPs who couldn’t previously afford to staff a vCISO practice can now enter the market.
But it’s also why the differentiation isn’t in the software anymore. Every shop running Cynomi gets the same automated risk assessment. Every shop using Defendify gets the same compliance framework. When the platform is table stakes, the competitive variable shifts to something else: quality of the security advisor, depth of client relationship, responsiveness, and the ability to translate a risk report into a decision the client actually acts on.
That last one — translation into action — is where most new entrants will fail. You can generate a 40-page security roadmap in 3 hours with the right platform. Getting a 25-person manufacturer to actually implement it is a different skill set. If your vCISO practice is built around producing deliverables, you’re going to run into serious pricing pressure. If it’s built around outcomes, you have some runway.
What the Margin Slide Looks Like in Practice
Here’s what I’d expect to see in the vCISO market over the next 12 months, based on how similar service category commoditizations have played out.
Entry-level pricing — the “just an annual security assessment and a compliance roadmap” package — will compress first. These are the offerings that platforms make easy to deliver. New entrants will price them at $1,500 to $2,500 a month to win clients, compared to the $4,000 to $6,000 that established shops are currently charging. That gap closes fast.
Mid-market engagements — $6,000 to $12,000 a month, ongoing advisory, vendor management, board reporting — will hold longer because they require actual security expertise and client relationship depth. But “hold longer” means 18 to 24 months, not indefinitely.
The high-end engagements — regulated industries, complex environments, vCISO as a genuine risk management partner — won’t commoditize on the same timeline. The tooling doesn’t automate what a HIPAA-covered health system or a DoD contractor actually needs. Those clients can tell the difference between a platform-generated report and real security leadership. They’ll pay for the latter. But there aren’t enough of them to sustain every MSP who jumped into the vCISO market in 2025 and 2026.
What You Should Do About It
Stop building your vCISO practice around deliverables. Build it around the conversation that follows the deliverable.
The security risk assessment is not the service. The risk assessment is the credibility artifact that gives you the right to tell your client’s CEO that their unpatched manufacturing systems are their biggest liability, and that you have a specific plan to fix it before their cyber insurer finds out. That conversation — direct, uncomfortable, specific — is the service. The platform helps you get there faster. It doesn’t have the conversation for you.
Specialize. The MSPs who avoid the commodity trap are the ones who go narrow. Healthcare practices, legal firms, financial advisors, government contractors — these are verticals with compliance requirements that don’t compress well into a generic platform workflow. If you understand the HIPAA Security Rule in detail, or the FTC Safeguards Rule, or CMMC Level 2, you’re worth more than the platform-delivered generalist. Know one compliance framework better than anyone else in your market and charge accordingly.
Raise your rates now, while your margins support it. This is counterintuitive, and it’s the advice nobody takes until it’s too late. Your current clients don’t know the market is about to get more competitive. They see the value they’re getting and they’re paying for it. Use this window to move them onto annual agreements at your current rate structure. Lock in the revenue. When the new entrants start undercutting in Q3, your renewals are already signed.
The Uncomfortable Truth
Here’s the part of this that channel professionals don’t like to hear: the commoditization of vCISO services is not a bad thing for the industry. It means more SMBs get access to security leadership they couldn’t afford before. It means the threat landscape gets better coverage. It means the service is doing what it’s supposed to do.
What it’s bad for is the MSP who treated “vCISO services” as a business model rather than a single capability in a broader practice. If your entire differentiation is “we offer vCISO and most MSPs don’t,” that advantage has an expiration date with your name on it.
The vCISO is not the product. The trust is the product. The vCISO is how you build it.
Figure out what you’re building toward and build that instead.