Varcoe.ai

Pricing

Real numbers,
on the public site.

Most cybersecurity firms hide pricing behind “request a quote.” That wastes both sides’ time. The numbers below are what we actually charge, with the math behind them. The $500K floor is the filter: it lets cost-shoppers self-select out before the first call, so the conversations we have are with serious buyers.

Engagement floor: $500K · Typical: $1M-$3M · Cap: 4-6 new partners / quarter

Partnership envelope

One contract. Stated openly.

Floor

$500K

per year

Typical

$1M-$3M

per year, multi-year

Quarterly cap

4-6

max new partnerships, to keep bench senior

What scales the number from $500K toward $3M: environment size (50 vs. 500 vs. 2,000 endpoints), regulated-industry compliance load (one framework vs. five running in parallel), AI footprint (zero vs. 20 production AI features needing red-team + governance), federal/world-government certifications, and IR retainer hour-bank size.

What does NOT scale the number: vendor licensing markup, helpdesk per-ticket fees, “urgent” surcharges. The partnership is a flat annual envelope. Carriers, broker fees, and pass-through licensing are billed at cost with the invoice attached.

Stand-alone service pricing

Before the partnership. After the partnership.

Inside the partnership envelope, every service below is bundled. Outside the envelope, each is priced individually. Numbers reflect Varcoe rates against the boutique-luxury upper-quartile band, not commodity SMB MSP rates.

Modernization Partnership (full)

$500K - $3M

per year, multi-year typical

MSP + MSSP + AI + Compliance + Offensive under one envelope. One contract, one accountable principal. Six-month minimum, multi-year typical. Engagements scale up from the floor based on environment size, complexity, and practice mix.

Modernization Diagnostic

$50K - $150K

fixed-fee, 4-8 weeks

Audit of IT, security, and AI posture. Roadmap, gap report, prioritized investments. Often the entry point that becomes a partnership.

Partial Transformation (custom scope)

$25K - $500K

diagnostic-first, fixed-fee on scoped intervention

For partners already mid-modernization. Pick up only the layers you need, coexist with incumbents, fixed-fee on the targeted intervention. Diagnostic-first ($25K-$60K, 3-6 weeks) before SOW.

Managed IT (stand-alone)

$30K - $120K

per month, depending on environment size

Mid-market reference math at $310/seat: 100 seats × $310/seat × 12 = $372K/yr (≈$370K). 200 seats = $744K/yr. 500 seats = $1.86M/yr. The premium boutique tier ($300-$400/seat) reflects senior-only staffing, an in-house SOC, and on-call CISO time, not margin.

Managed Security (MSSP) — stand-alone

$25K - $100K

per month program fee, plus per-endpoint volume add-ons at $15-$25/endpoint/mo for high endpoint counts

24/7 SOC, MDR, detection engineering, threat hunting, IR retainer, vCISO. Senior practitioners on every alert. Containment authority pre-negotiated.

AI Modernization Sprint

$250K

fixed-fee, 90 days

AI strategy + threat model + governance framework + one red team + eval suite + runtime guardrails + executive training.

AI Consulting (stand-alone)

$30K - $1M+

scoped per engagement; full transformation programs $250K-$1M+

AI product development, ISO 42001 implementation, NIST AI RMF, AI red team, AI risk assessment. Senior fractional retainers $5K-$15K/mo; comprehensive partnerships $15K-$50K/mo.

vCISO + Governance

$3K - $25K

per month retainer

$3K-$12K/mo for mid-market (100-500 employees); $10K-$25K/mo for compliance-heavy or board-reporting clients. Senior leaders, $200-$300+/hr equivalent. Bundled inside the partnership.

Cyber Insurance Services

$3K - $10K

per month stand-alone (bundled inside partnership)

Carrier-coordinated underwriting, continuous evidence package, policy-aligned MDR, renewal support, breach-counsel network. Coalition / Beazley / Chubb / Resilience / AT-Bay / AIG / Travelers / Munich Re / AXA XL / CFC. Underwriting-call participation also available ad-hoc at $5K fixed-fee per call.

Incident Response Retainer

$500 - $700

per hour, declared incidents; pre-paid hour bank with annual replenishment

48-hour engagement start. Insurance-carrier-accepted (AIG, Beazley, Coalition, Resilience, Travelers, Chubb, Munich Re, Hartford). Ransomware-, BEC-, insider-, cloud-IR ready. Counsel-coordinated.

Compliance — Stand-alone Framework Programs

$75K - $300K

fixed-fee depending on environment size + framework count

HIPAA, SOC 2, CMMC 2.0 (L1-L3), NIST 800-171, ITAR, ISO 27001, ISO 42001, FedRAMP. SOC 2 + ISO 27001 share 80% of evidence — run them in parallel. ISO 42001 + NIST AI RMF + EU AI Act share 70%.

Penetration Testing (stand-alone)

$15K - $80K

per engagement, scope-dependent

GIAC-certified testers, manual methodology. Web, network, cloud, API, and mobile scope. Free retest. Court-admissible reporting. Quarterly external + annual full-scope cadence inside the partnership.

Red Team Engagement

$60K - $250K

per engagement, MITRE ATT&CK-aligned

Adversary simulation, purple-team coordination available, assumed-breach assessments. Findings convert to permanent detections in the MSSP layer.

Per-vertical spend benchmarks

What does mid-market actually spend? By industry.

Calibration data, sourced from IBM Cost of a Data Breach 2025, IANS Research, Deloitte FinServ Cyber, Altss family-office registry, ABA TechReport, and equivalent industry surveys.

Healthcare + Life Sciences

Avg. healthcare firm: 7% of IT budget on security yet $7.42M average breach cost (IBM 2025). The largest spend-to-loss gap in any regulated industry.

Financial Services + Fintech

Mid-market FinServ: $2,700-$3,500 per employee per year on cybersecurity — twice the cross-industry baseline. 55-60% goes to managed services (Deloitte 2025).

Family Office + UHNW

Serious single-family offices: $200K-$500K/year on cybersecurity. 245 verified Florida SFOs (Altss Q1 2025). Naples leads FL in millionaire density.

Defense Industrial Base (CMMC L2)

$138K-$500K Year 1 for CMMC L2 readiness + $50K-$100K/year sustainment. Only 0.5% of 80,000 contractors certified; Phase 2 deadline 10 Nov 2026.

Professional Services (law + accounting + consulting)

Mid-law: $1,500-$3,000 per attorney per year on cybersecurity. 29% of law firms breached in last 12 months. Only 40% carry cyber insurance.

Government modernization pricing

Five-Eyes & EU. Quoted in local currency.

90-day gap + 6-month remediation package per geo. Direct-sell to UK / Canada / Australia governments + their defence contractors. EU is positioned as readiness for US firms with EU subsidiaries (NIS2, DORA, EU AI Act) — we don’t sell direct to EU governments without a local partner.

United Kingdom

£135-165K (~$170-210K)

CSM v4 / G-Cloud 15 / Cyber Essentials Plus readiness, 90-day gap + 6-month remediation. Priced ~10% above UK boutique midpoint to reflect senior-only delivery.

Canada

CAD 175-220K (~$130-160K)

CPCSC Level 1 readiness / ITSG-33 SSP. At parity with local boutiques. Five Eyes reciprocity — CMMC playbook converts with light translation.

Australia

AUD 220-280K (~$145-185K)

Essential 8 ML2 / PSPF readiness. Priced near US senior rates (not undercut). IRAP assessment itself is residency-gated and partnered out.

European Union (US firms with EU subs)

$140-180K NIS2 / $220-320K DORA

Billed and delivered US-side. EU AI Act high-risk Annex III conformity deadline 2 Aug 2026. Penalties run up to €35M / 7% of global turnover for prohibited practices, and up to €15M / 3% for breaches of the high-risk obligations, whichever is higher.

Frequently asked about pricing

See if the math works on your environment.

Thirty minutes with Quinn. Walk through your seat count, regulated workload, AI footprint, and IR posture — we’ll quote the partnership envelope back to you on the call.


Trusted by partners across the practice

DAS Health
Exhibit A Cyber
Ally
KIRO Group
Black Mirage
Kalles Group
Gridware
CQR
Archstone Security
Cyvergence
Sentinel Cyber
Cloud Underground
Seron Security
Hexen
Koru Risk Management

Reviews

From the senior people
who’ve worked alongside Quinn.

The named companies beside each reviewer are their employers — not Varcoe partnerships. Each quote is a professional reference from someone who’s shipped work alongside Quinn directly.

The partnership model isn't marketing language with Quinn — it's how she actually works. Senior judgment, single accountable contact, and the rigor to integrate across IT, security, and AI under one roof.

Aaron Birnbaum

Managing Partner

Seron Security

Quinnlan brings more than expertise — she brings strategic alignment. The ability to scale operations without sacrificing depth is exactly what serious organizations need from a modernization partner.

Caroline Lombard

Threat Specialist

AWS

I've worked with Quinnlan on incidents most teams couldn't navigate — Log4j among them. The technical depth and the calm under fire are real, and they're rare.

Justin Cox

Senior AWS Security Analyst

PayPal

One of the most seamless collaborations I've had in this industry. Composure under pressure, technical precision, and the kind of credibility that compounds — exactly the senior bench a modernization partnership needs.

Soufiane Jihadi

Senior Incident Response Consultant

Deloitte

Original references collected on the legacy Varcoe site · LinkedIn endorsements available on request
