A senior hand on the wheel until your framework signs.
STACK Pilot is a fixed-scope vCISO engagement that runs your compliance program end-to-end — scoping, roadmap, evidence collection, audit prep, and assessor liaison — inside STACK Compli + Compass. You get a named senior security leader plus the platform underneath, priced to your company size, target framework, and how fast you need to be done.
New to virtual CISO services?
Learn what a vCISO does and how stand-alone vCISO services differ from traditional consulting approaches.
A vCISO that ships an attested program, not a binder
Most vCISO engagements deliver advice. STACK Pilot delivers a working program: roadmap loaded in Compass, controls and evidence tracked in Compli, a named senior leader driving the weekly cadence, and the assessor sitting at signing time. When the engagement ends, the program runs itself.
Framework Scoping
First-call gap analysis against your target framework(s). What's in scope, what's not, where the real work is — written down before the SOW.
Roadmap in Compass
Gap-to-target maturity mapped across 13 capability domains, sequenced by audit dependency and effort. The board view is live, not a quarterly slide.
Controls in Compli
Controls catalog pre-populated for the framework, evidence wired to the source systems, tasks assigned to the right humans. Day one of the engagement.
Named Senior Driver
One senior security leader runs the program — your single point of accountability. Weekly cadence with your team, monthly with leadership, quarterly with the board.
Audit Prep & Sit
Evidence-by-control walkthroughs ahead of fieldwork. Your Pilot sits the audit alongside you, handles assessor questions, and owns finding remediation.
Handoff That Holds
At wrap, your team operates the program on Compli + Compass. An optional fractional retainer keeps a Pilot on call for continuous compliance, the next framework, or board reporting.
Single framework, stacked frameworks, or AI-era additions
Pilots are scoped to one primary framework or a stacked program. We routinely run SOC 2 + ISO 27001 + ISO 42001 in parallel to share controls and evidence — one program, three attestations.
Trust & Security
SOC 2 Type I & II, ISO 27001:2022, HITRUST i1 / r2, PCI DSS v4. The first attestations most enterprises ask for.
Regulated Industries
HIPAA Security & Privacy, GLBA Safeguards, NYDFS Part 500, NIST 800-171 / CMMC L2, FedRAMP Moderate & High.
AI & Resilience
NIST AI RMF, ISO/IEC 42001, EU AI Act (High-Risk, GPAI), DORA. The frameworks where most consultants still don't have a playbook.
Three situations Pilot is built for
If you recognize your situation in one of these, the scoping call is short.
Series A–C, no security team yet
You just lost a deal because you don't have SOC 2 — or your customer's procurement just asked for ISO 27001 and there's nobody on staff to lead it. Pilot stands up the program and gets you certified before the next renewal cycle.
Shipping AI features, EU customers
You're a High-Risk AI deployer under the EU AI Act, August 2026 enforcement is real, and your ML team has no idea what Annex IV looks like. Pilot scopes ISO 42001 + EU AI Act + NIST AI RMF as one stacked program.
Failed an audit, six months to fix it
Your assessor came back with qualified findings or material weaknesses. The board wants a remediation plan and a name on it by Friday. Pilot takes the findings, prioritizes by audit risk, and sits the re-audit with you.
Fixed scope, scoped on three things
No hourly meters. Pilots are fixed-fee against a defined SOW. The fee scales on company size, framework(s) in scope, and timeline pressure.
Company size
Employee count, revenue band, and whether the industry is regulated set the baseline. A 60-person SaaS and a 4,000-person bank are different engagements — same playbook, different intensity.
Framework(s) in scope
One framework vs. a stack of three changes the control mapping and evidence model. We share controls across overlapping frameworks so the second attestation costs less than the first.
Timeline pressure
90 days to audit costs more than 12 months. Aggressive timelines need more senior hours, parallel workstreams, and faster evidence collection — priced accordingly, never hidden.
Compli + Compass platform fees are included in every Pilot SOW for the duration of the engagement, with locked subscription pricing if you continue after wrap.
Questions teams ask before scoping
Straight answers about scope, staffing, and how Pilot fits with what you already have.
How is Pilot different from a Big-4 vCISO engagement?
Big-4 sells a six-figure strategy deck and exits before execution. Pilot is a fixed-scope program that stays in the platform driving controls, evidence, and audit prep until the attestation signs. You pay for the outcome, not the deck.
How is this different from buying Vanta or Drata?
Vanta and Drata sell tooling. Implementation falls on you or a third-party partner. Pilot is a named senior driver who runs the program inside Compli + Compass — tooling plus the human accountable for the outcome.
Can we keep our existing GRC tool?
Yes. Compli + Compass run alongside Vanta, Drata, Secureframe, AuditBoard, or Hyperproof. The Pilot drives whichever surface your auditor wants the evidence in.
What credentials does the Pilot hold?
Every Pilot is a senior IC or former CISO who holds one or more of CISSP, CISA, ISO 27001 LA/LI, ISO 42001 LA, or FedRAMP 3PAO, or has AICPA SOC reporting experience. Match is by industry and target framework.
Do you sit our audit, or do we?
The Pilot sits the audit with you and handles assessor questions. Your team owns the answers about your systems and people; the Pilot owns the framework framing, evidence narratives, and finding remediation.
What happens after attestation?
An optional fractional retainer keeps a Pilot on call for continuous compliance, the next framework, board reporting, or M&A diligence. Or you operate Compli + Compass yourselves at the subscription price locked at SOW signing.
Tell us what you're trying to attest, and by when
The six questions below are how we scope a Pilot. We'll come back within one business day with a 30-minute scoping call and a rough fee band — no slides, no NDA required to talk.
Understanding virtual CISO services
Explore what a vCISO does and how modern virtual leadership transforms compliance from a burden into a driver of business value.
What is a Virtual CISO?
Understand the role of a vCISO, how they differ from traditional C-suite hires, and why they're the fastest path to compliance for growing companies. Learn about credentials, responsibilities, and the value of experienced leadership on-demand.
Stand-Alone vCISO Services
Explore how stand-alone vCISO engagements work, what they include, and how they complement your existing team. Learn about service models, engagement structures, and how vCISOs drive outcomes in compliance programs across industries.