Engagement model

Priced for the work, not the optics.

Pistos engagements are predictable monthly fees, scaled to the size of the environment we are accountable for. No per-control surcharges. No per-framework upsell. No surprise renewals. The CISO enablement, the platform, and the practitioner delivery are included in a single, transparent number.

Aegis — CISO Enablement

One engagement. One platform. One outcome.

Aegis is the full Pistos engagement — a named, credentialed CISO, the full PCS platform, and the practitioner delivery that turns compliance obligations into a defensible program. Pistos supplies the CISO, or your internal CISO runs the program backed by PCS. Pricing scales with the size of your environment.

  • Named, credentialed CISO — Pistos-supplied or your own
  • PCS — the full Pistos Compliance Suite (Skopein, Sentinel, Mathisi)
  • Policy and procedure templates mapped to your obligations
  • Continuous regulatory currency monitoring
  • Examiner, auditor, and carrier response support
  • Executive and board reporting

30 – 100 endpoints: starting at $8,000 / month
101 – 200 endpoints: starting at $10,000 / month
More than 200 endpoints: Call

Endpoint counts include workstations, laptops, and servers under the organization's control.

PCS — Pistos Compliance Suite

Standalone access for organizations with internal security staff.

PCS gives organizations direct access to the Pistos scanning platform — without the Aegis CISO engagement. Every finding is mapped to the regulatory frameworks that govern your industry, and every report is paired with a remediation plan an auditor will recognize. Three tiers, scaled by the scanning surface you need covered.

Tier I

$25 / endpoint / month

$750 monthly minimum

  • Local configuration scanning — Windows workstations
  • Local configuration scanning — Linux systems
  • Microsoft 365 security configuration scanning
  • Google Workspace security configuration scanning
  • Findings mapped to NY DFS, HIPAA, CMMC, NIST, and other applicable frameworks
  • Framework-aligned remediation plan with every finding
  • Continuous re-scanning and currency

Tier II

$50 / endpoint / month

$1,500 monthly minimum

  • Everything in Tier I
  • External internet-facing vulnerability scanner
  • Continuous external posture monitoring
  • Exposure findings mapped to applicable frameworks
  • Prioritized remediation guidance for external exposures

Tier III

$90 / endpoint / month

$2,500 monthly minimum

  • Everything in Tier II
  • Web application scanner — passive and active modes, 61 checks
  • Coverage of all customer-owned web application domains
  • OWASP Top 10 findings mapped to applicable frameworks
  • Remediation guidance written for the development team, not the auditor

PCS clients can transition to Aegis at any time. Most do, once the value of having a designated CISO becomes evident in front of an examiner.

Get in touch

The right starting point is a conversation.

Tell us about your environment and your obligations. We will tell you which engagement fits, and we will say so plainly if neither does.

Request a briefing