The 90-day vCISO engagement, plainly
Most Indian startups hire a vCISO because they have a deadline. A SOC 2 audit, a Series A diligence, a SEBI CSCRF cutoff, a customer questionnaire blocking a deal. They don't have time for a six-month "discovery phase."
Bachao.AI's vCISO engagement compresses the six months a large consultancy would take into a structured 90-day sprint, with measurable outputs every two weeks.
This page walks through exactly what you get, when you get it, and who at Bachao.AI is on the call.
Pre-engagement: 1 week before kickoff
Before the vCISO clock starts, we hold a 60-minute scoping call with the founder and the technical lead. We need to understand:
- The deadline (audit date, customer ask, deal close)
- The current security state (anything documented? incident history? team size?)
- The regulatory and compliance surface (DPDP, RBI, SEBI, SOC 2, ISO 27001, fintech-specific requirements)
- The decision-maker (founder, CTO, board, customer)
Weeks 1–2: Current-state assessment
The named vCISO leads two structured workshops:
Workshop 1 (Day 2): Asset, data, and people inventory. We walk through every system that handles customer data, every cloud account, and every third-party integration. By the end of the day you have a CSV of every asset with its classification.
Workshop 2 (Day 5): Threat modeling and risk register. We map the top 25 risks your business is exposed to right now, ranked by business impact. Each risk gets an owner and a status (open, mitigated, or accepted).
Day 10 deliverable: A 25-page Current-State Assessment Report. Goes to the founder and the board.
Weeks 3–6: Policy, control, and roadmap sprint
This is the phase where most consultants overdeliver on slides and underdeliver on policies. We do it the other way around.
Each week ships three of the following twelve policies (aligned to Indian statutes, customizable to your business):
- Acceptable Use Policy
- Access Control Policy (with RBAC mapping)
- Data Classification & Handling Policy
- Incident Response Policy + playbook
- Vendor / Third-Party Risk Management Policy
- Business Continuity & Disaster Recovery Policy
- DPDP Act 2023 Compliance Procedures
- Encryption & Key Management Policy
- Secure SDLC Policy
- Background Verification Policy
- Change Management Policy
- Acceptable Use of AI / LLM Policy
Week 6 deliverable: Complete Policy Set (12 documents) + Risk Register v2 + 12-month Security Roadmap.
Weeks 7–10: Compliance closure sprint
The vCISO works with your engineering team to actually close the gaps, not just recommend closure.
Typical closures:
- MFA enforcement on production access
- Centralised secrets management (replacing .env files)
- Audit log enrichment for SOC 2 CC7.2 / CC7.3
- Backup verification with documented restore test
- Vendor DPA collection (for top 20 sub-processors)
- Incident response tabletop exercise (one full simulation)
Weeks 11–12: Audit dress rehearsal + handoff
If your engagement is SOC 2 / ISO 27001 / SEBI CSCRF readiness:
- Week 11: full evidence collection sprint. We pull every audit log, every policy acknowledgement, every meeting note, and every approval into a single auditor-ready package.
- Week 12: dress rehearsal with the auditor (we sit in on the call, defend the evidence, and capture residual gaps).
If your engagement is driven by a customer security review:
- Week 11: customer questionnaire response (we draft, you review)
- Week 12: customer call sit-in (the vCISO joins as your security executive)
What it costs
| Engagement tier | Time commitment | Fee | Use case |
|---|---|---|---|
| Standard | 20–25 hours / month | ₹2L / month | Series A SaaS, 30-person team, first audit |
| Embedded | 30–40 hours / month | ₹4L / month | Series B+ fintech, regulated entity, ongoing |
| Pre-audit sprint | 40 hours / week × 8 weeks | ₹8L flat | SOC 2 Type II readiness, SEBI CSCRF |
The retention model
The vCISO engagement does not end at day 90. After the sprint, clients move to one of three models:
- Monthly retainer — 10–20 hours/month for ongoing oversight, customer security questionnaire support, quarterly board reporting
- Annual audit support — fixed 8-week engagement once a year before audit
- On-demand — pay-as-you-need for specific events (incident, due diligence, customer ask)
How to start
The first step is a 60-minute scoping call. We review your current state, your deadline, and the right tier for your situation. No hard sell. If your situation is better served by a one-time VAPT or a do-it-yourself approach, we'll say so.
Schedule a vCISO scoping call →
Related: What a vCISO Delivers in the First 30 Days · Sample vCISO Deliverables · vCISO Case Study: Bengaluru Fintech Series B
