Every firm we work with shares the same problem: their cybersecurity documentation does not match their cybersecurity reality. The engagements below close that gap on an annual cadence and keep it closed for as long as the relationship runs.
A full cybersecurity compliance program operated on an annual cadence, built for firms that have a Chief Compliance Officer and an outsourced IT provider but no internal cybersecurity function. We provide the function. Your CCO retains authority; your IT provider continues to operate the environment.
SEC-registered investment advisers and private fund managers with a Chief Compliance Officer, an outsourced IT provider, and no internal cybersecurity function. Annual examinations expected.
Everything in the Cyber Compliance Consultant program, plus a named Chief Information Security Officer designation for your firm. The Remote CISO is the right engagement when an insurance carrier, prime broker, custodian, or institutional investor has asked who the firm's CISO is — and the firm needs the answer to be a name, not a role.
| Engagement | Annual Cost | What It Adds |
|---|---|---|
| Cyber Compliance Consultant | $36,000 | Full compliance program operation. No named CISO. No pen testing or tabletop. |
| Remote CISO | $72,000 | Everything above, plus named CISO, AI compliance governance, annual pen test, annual tabletop, and 24-hour response. |
Not every firm is ready for an annual engagement. The work below is sold as discrete, scoped engagements with a written statement of work and a defined deliverable. Each is examination-ready and produced to the same evidentiary standard as the subscription tiers above.
| Engagement | What you receive | Fee |
|---|---|---|
| Cyber Risk & Vulnerability Threat Assessment (CRVT) | The flagship one-time assessment. External attack surface mapping, internal vulnerability scanning, M365 / Azure configuration audit, OSINT and breach exposure analysis, and policy review — combined into a single examination-ready report with executive summary, regulatory mapping, evidence archive, and remediation roadmap. | Starting at $10,000 |
| External Penetration Test | Adversarial testing against internet-facing systems — active exploitation of identified vulnerabilities to demonstrate real-world impact. Scope agreed in writing before engagement. Report includes exploitation evidence, proof-of-concept documentation, risk-rated findings, and remediation guidance. Suitable for board reporting and SEC examination. | Starting at $8,000 |
| Tabletop Exercise | Executive tabletop built against the firm's actual environment — incident scenario design, facilitated walkthrough with named participants, and written after-action report. Documented for the evidence file and the firm's cybersecurity training record. | Starting at $5,000 |
| AI Compliance Framework Build | One-time AI governance build for firms deploying AI tools without an existing framework. Includes AI use policy drafted to firm specifics, vendor AI risk assessment for up to three AI tools touching client data or firm operations, Form ADV AI disclosure review, and a written mapping of AI tool use to the firm's obligations under Rule 204-2 books and records and Rule 206(4)-7 supervision. Delivered as a complete policy document and evidence file. Additional vendor assessments beyond three available at additional cost. | Starting at $35,000 |
| M365 / Azure Configuration Audit | Benchmark scan of the firm's Microsoft 365 and Azure environment with pass / fail results mapped to SEC-relevant controls — Regulation S-P, Rule 206(4)-7, Rule 204-2. Written report with screenshots for every finding, regulatory mapping for every failure, and a prioritized remediation roadmap. | Starting at $5,000 |
| Internal Network Vulnerability Scan | Credentialed Nessus scan of the firm's internal network — patch status, exposed services, misconfigurations, and policy violations across workstations, servers, and network devices. Findings report with severity-ranked vulnerabilities, patch gap analysis, and remediation guidance mapped to SEC examination expectations. | Starting at $4,000 per location |
| External Attack Surface Assessment | OSINT, DNS and certificate transparency analysis, and breach exposure check across all internet-facing systems and services associated with the firm. Identifies exposed services, credential leaks, subdomain enumeration, and OSINT-visible risk. Written report with attack surface inventory, prioritized findings, and remediation roadmap. | Starting at $4,000 |
| Policy & Documentation Review | Review of the firm's cybersecurity policy, incident response plan, vendor risk procedures, and employee technology usage agreement against current SEC examination priorities. Written gap analysis with finding-by-finding regulatory mapping and example corrective language ready for insertion into existing documents. | Starting at $3,000 |
| Vendor Due Diligence Questionnaire | Complete due diligence on a specific third-party vendor — OSINT research, review of the vendor's security documentation and certifications, and a written assessment of the vendor's posture against the firm's obligations under Regulation S-P and Rule 206(4)-7. Completed DDQ with supporting evidence and vendor risk summary. | Starting at $2,500 per vendor |
| Incident Response Coordination Non-subscribers |
For firms not on a Cyber Compliance Consultant or Remote CISO engagement who are managing a confirmed or suspected security incident. MTradecraft provides coordination and regulatory management — initial triage, insurance carrier activation, Regulation S-P 30-day clock management, legal coordination, and post-incident documentation. Technical forensics and remediation handled by the firm's insurance-panel IR provider. | $300 / hour 4-hour minimum |
Final fee reflects scope — number of domains, locations, vendors, or systems involved. All engagements are scoped in writing before work begins. À la carte pricing reflects the full value of the deliverable; discounting is not available on one-time engagements.
A firm purchasing three à la carte engagements — M365 audit, external attack surface assessment, and policy review — starts at $12,000 and scales up from there. The Cyber Compliance Consultant engagement is $36,000 and includes all three in Q1, plus twelve months of continuous monitoring, quarterly advisory calls, breach monitoring, an annual Rule 206(4)-7 review, and a maintained evidence file. At the point a firm is buying multiple one-time engagements in the same year, the subscription is the economically rational choice.
The AI Compliance Framework Build is sold as a one-time policy and vendor assessment engagement. Firms that want ongoing AI governance — continued vendor reviews as new tools are adopted, annual policy refresh against evolving SEC guidance, and AI risk integration into the broader compliance program — should engage the Remote CISO tier, which maintains AI compliance year-round as part of the standard scope.
Some firms are not ready for a full engagement, but still need the documentation. The BrainTrust is MTradecraft's resource library — policy templates, frameworks, the AI compliance framework, incident response materials, and FieldCraft Security Awareness Training — sold as an annual membership for firms doing the work themselves.
Examination notice, insurance renewal, DDQ, custodian attestation, post-incident — every engagement starts with a real trigger. The first call is twenty minutes and there is no obligation on either side.
Click here to start a conversation →