The situation
A Bengaluru-based digital lending startup (we'll call them "FinCo"; the actual name is redacted under the engagement NDA) had finished negotiating the term sheet for a ₹120 Cr Series B led by a top-tier global VC. The diligence cover sheet had a clear line item:
"Closing condition: SOC 2 Type II report or equivalent independent security audit, dated within 90 days of close."
FinCo had:
- 65 employees (35 engineering, 8 ops, 12 sales, 10 support)
- AWS-only infrastructure, single account
- No CISO, no security engineer, no formal policies
- A two-person DevOps team that "did security on the side"
- A 14-week runway to closing
How the engagement was scoped
FinCo's CEO contacted Bachao.AI on a Friday. By the following Wednesday we had:
- A 2-page Engagement Charter signed by both sides
- A named vCISO (former CISO at a listed payments company) assigned 30 hours/week
- A backup engineer for evidence collection and tooling
- A weekly cadence: Tuesday vCISO call with FinCo CTO + CEO, Thursday async update to the board
The 12-week sprint
Weeks 1–2: Current-state assessment
The vCISO ran two workshops. Output:
- Asset inventory: 47 production systems, 12 third-party SaaS, 8 contractor accounts
- Risk register: 38 risks identified. Top 5 (by residual risk after planned controls): privileged access, secrets management, audit logging gaps, missing vendor DPAs, untested backup recovery
- Initial gap analysis against the SOC 2 Common Criteria and trust services criteria: 24 of 64 controls operational, 18 partial, 22 missing
Weeks 3–4: Policy drafting
Output: 11 policies drafted and approved by FinCo's CEO: Acceptable Use, Access Control, Data Classification, Incident Response, Vendor Risk Management, Encryption, Secure SDLC, Background Verification, Change Management, BCP/DR, and AI Use.
Each policy went through one round of review with the CTO before formal approval. Total review time on FinCo's side: about 12 hours.
Weeks 5–7: Control implementation
This was the heaviest phase. The vCISO worked alongside FinCo DevOps to:
- Roll out role-based access (RBAC) in AWS IAM, replacing shared admin credentials
- Migrate 47 secrets stored in .env files to AWS Secrets Manager, with rotation enabled
- Enable CloudTrail organization-wide with 90-day log retention
- Deploy automated MFA enforcement on all human IAM users
- Run the first incident response tabletop (the team had never done one)
- Implement a vendor DPA collection workflow for the top 20 sub-processors
- Run the first backup restore test (it took 4 hours and surfaced 1 critical bug in the recovery script, which was fixed)
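As an added example (not FinCo's setup or Bachao.AI's tooling), the Python script below shows the check behind two of the controls above. It parses an IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded) to find console users without MFA, a root user without MFA, and active access keys older than the rotation window, and it emits the AWS-documented deny-unless-MFA policy used to enforce MFA on human users. The account ID, user names and dates are constructed, and the sample CSV carries only a subset of the real report's columns.

```python
"""Added example, not code from the engagement: audit an IAM credential
report for MFA and key-rotation gaps, and build the deny-unless-MFA policy.

Assumptions: the account ID, user names and dates are constructed; the CSV
uses a subset of the columns in a real `aws iam get-credential-report`."""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the credential report (the real
# report is base64-encoded CSV with more columns than shown here).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-01-15T09:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2023-06-01T09:00:00+00:00
"""

# Constructed "today" so the age check is deterministic.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def parse_report(report_csv: str) -> list[dict]:
    """Parse the credential report CSV into one dict per IAM principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def humans_without_mfa(rows: list[dict]) -> list[str]:
    """Human users have a console password; flag any with no MFA device.
    Service users (no password, access keys only) are checked separately."""
    return sorted(r["user"] for r in rows
                  if r["password_enabled"] == "true" and r["mfa_active"] != "true")


def root_without_mfa(rows: list[dict]) -> bool:
    """Root is reported with password_enabled=not_supported, so match by name."""
    return any(r["user"] == "<root_account>" and r["mfa_active"] != "true"
               for r in rows)


def stale_access_keys(rows: list[dict], now: datetime,
                      max_age_days: int = 90) -> list[str]:
    """Active access keys not rotated within max_age_days, service users included."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for r in rows:
        rotated = r["access_key_1_last_rotated"]
        if r["access_key_1_active"] == "true" and rotated not in ("N/A", ""):
            if datetime.fromisoformat(rotated) < cutoff:
                stale.append(r["user"])
    return sorted(stale)


def mfa_enforcement_policy() -> dict:
    """AWS-documented deny-unless-MFA pattern: when the session carries no
    MFA, deny everything except the calls needed to enrol a device.
    BoolIfExists also matches requests where the key is absent (long-term
    access-key calls), so attach this to a group of human console users only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptMfaSetupIfNoMfa",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("root without MFA:", root_without_mfa(rows))
    print("humans without MFA:", humans_without_mfa(rows))
    print("access keys older than 90 days:", stale_access_keys(rows, SAMPLE_NOW))
    print(json.dumps(mfa_enforcement_policy(), indent=2))
```

Against the constructed report, the script flags root and `bob` for missing MFA and `ci-deploy` for a key that has not been rotated in 90 days; `alice` passes both checks. Running the same parser over the real report on a schedule, and feeding its output into the evidence repository, is the kind of artefact an auditor can sample directly.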
Weeks 8–11: Audit
Bachao.AI's vCISO recommended a mid-tier SOC 2 audit firm with India operations (₹14L all-in for the Type I report and the Type II observation period plus reporting). FinCo's prior Big-4 quote was ₹80L.
The audit firm engagement started in week 8. The vCISO sat in on every call.
Pre-audit checklist:
- Evidence repository organized by control
- Sample of 30 random employee access events pulled for the auditor
- Mock auditor interview run with the CTO and DevOps Lead
The auditor observed control operation. The vCISO defended evidence in real time and resolved 4 minor findings during the audit itself rather than waiting for the report.
Week 12: Final report + Series B close
The Type I report was delivered on Day 80. FinCo's investor accepted it as satisfying the diligence condition, with FinCo committing to deliver the Type II report within 6 months (the observation period was already running). The Series B closed on Day 86.
What it cost
| Line item | Cost |
|---|---|
| Bachao.AI vCISO (weeks 1–8) | ₹8L |
| Bachao.AI ongoing retainer (weeks 9–12) | ₹4L |
| SOC 2 audit firm (Type I) | ₹6L |
| SOC 2 audit firm (Type II, observation period) | ₹8L |
| Tools (AWS Secrets Manager, MDM, SIEM upgrade) | ₹3L |
| Total | ₹29L |
Savings: ₹75L. Time to compliance: 86 days vs 240 days.
What FinCo's CTO said after the engagement
"We thought a fast SOC 2 path would mean cutting corners. Bachao's vCISO didn't cut corners — they cut waste. We never built slide decks for slide deck's sake. Every artefact we produced has a job: an auditor reading it, a board member reading it, or an engineer following it. The vCISO is still on retainer because it's worth more than the cost."
Pattern this engagement followed
This is the most common shape of vCISO engagement that Bachao.AI runs:
- Compliance deadline tied to a business event (funding, customer, regulator)
- 8–12 weeks of focused work, not 6 months of advisory
- Real evidence collection, not slides
- Direct relationship with the audit firm or regulator
- Ongoing retainer after the deadline to keep posture current
Related: vCISO 90-Day Methodology · Sample vCISO Deliverables · Virtual CISO Services India 2026 Guide
