How to Price Managed Compliance Services to Protect Your Margins

You can protect your managed compliance margins by pricing based on automated evidence collection rather than manual hours. This guide explains how to structure your vCISO rates, price SOC 2 services, and stop losing money on manual screenshots.

May 4, 2026 · 6 min read
Tags: MSP, vCISO, Compliance as a Service, SOC 2, Pricing Strategy

Pricing managed compliance services is notoriously difficult because the scope of work almost always expands during the audit window. You might quote a flat fee for a SOC 2 readiness project, assuming the client's existing tools will handle the heavy lifting. But when the auditor asks for application-level evidence, you end up spending dozens of unbillable hours chasing engineers for screenshots.

To protect your margins, you have to build automation into your pricing model from day one. If you sell compliance as a service, your profitability depends entirely on how much of the manual evidence collection process you can eliminate.

Here is how to structure your pricing, avoid common scoping traps, and ensure your compliance practice actually makes money.

Why Do Managed Compliance Margins Shrink During Audits?

Most vCISOs and MSPs price their engagements based on the advisory work. You calculate the hours required to run a gap assessment, write the policies, and conduct a risk assessment. You add a healthy margin, present the proposal, and the client signs.

Then the observation period hits.

The client assumes "managed compliance" means you are handling everything. But you don't have access to their AWS production environment, their GitHub repositories, or their custom admin panels. When the auditor requests proof of a deployment approval for SOC 2 control CC8.1, you have to ask the client's engineering team to get it.

They ignore your Slack messages. You follow up. They send a cropped image that lacks a timestamp. You push back. They send another one, but it's for the wrong repository.

This cycle is the "screenshot tax." It is the primary reason a project that looked like a 60% margin on paper ends up barely breaking even. You are absorbing the cost of operational friction.

What Are the Standard Pricing Models for Compliance as a Service?

There are three primary ways to price compliance services. Choosing the right one dictates how you handle the manual work.

| Pricing Model | How It Works | Margin Risk | Best Used For |
|---|---|---|---|
| Hourly (Time & Materials) | Billing exactly what you work. Usually $200-$350/hour. | Low risk of losing money, but caps your earning potential. | Remediation work, highly custom enterprise environments, or post-audit cleanup. |
| Project-Based (Flat Fee) | Fixed price for a specific outcome (e.g., $45,000 for SOC 2 Type 1 prep). | High risk if evidence collection drags on or the client is unresponsive. | Initial readiness assessments and first-time audits for startups. |
| Subscription (CaaS) | Recurring monthly revenue (e.g., $10,000/month) for continuous compliance. | Medium risk. Highly profitable if automated, disastrous if manual. | Ongoing Type 2 maintenance, multi-framework management (SOC 2 + ISO 27001). |

Honestly, hourly billing for compliance is a trap. It punishes you for getting faster and makes clients hesitant to ask questions. The industry is moving heavily toward Subscription (CaaS) models, but to make that work, your underlying delivery costs must be predictable.

How Do You Price SOC 2 Prep Without Losing Money on Manual Work?

To quote a flat fee safely, you have to separate the advisory work from the operational work in your contract.

Define the boundary of responsibility. Your statement of work should explicitly state who is responsible for capturing evidence. If the client is responsible for capturing UI evidence from their internal tools, state that clearly. If you are responsible, you need to price that operational drag into the contract.

Baseline the tool stack. A client with no infrastructure automation is going to cost you three times as many hours as a client using modern deployment pipelines. Before quoting a price, ask what systems hold their access controls and change management data. If they manage user access via manual spreadsheets instead of an identity provider like Okta, increase your fee.

Limit the revision cycles. Auditors will reject evidence that fails the completeness and accuracy checks for information produced by the entity (IPE). If you have to manually validate every artifact a client uploads to ensure it has a timestamp, your hours will skyrocket. Cap the number of evidence review cycles in your agreement, or use tools that validate IPE at the point of capture.

Where Traditional Managed Service Pricing Falls Short

Many MSPs and vCISOs base their pricing on the assumption that a GRC platform will automate the entire audit. They look at a vendor's marketing, see "automated evidence collection," and assume their internal labor costs will be near zero.

This is a dangerous pricing assumption.

Traditional GRC platforms rely on APIs to check infrastructure configurations. They can verify that MFA is enabled in Google Workspace or that a database is encrypted in AWS. But APIs cannot capture application-level workflows. They cannot show an auditor what an access denied screen looks like, how a custom admin panel restricts user permissions, or the specific UI steps an engineer takes to approve a pull request.

This leaves a gap: roughly 20% of controls still require manual evidence. For a standard SOC 2 audit, that means manually collecting and formatting 50 to 80 pieces of evidence every quarter.

If you priced your monthly retainer assuming the GRC tool would do 100% of the work, you are now paying your analysts to manually take, crop, and organize screenshots. The software didn't lower your cost of delivery; it just shifted the bottleneck to the UI controls.

How Does Evidence Automation Protect vCISO Margins?

The math of a vCISO practice is simple: revenue minus the cost of analyst hours equals margin. If you want to scale the practice, you either have to charge clients more (which hurts win rates) or reduce the hours required to deliver the service.

This is where automated evidence capture changes the economics of the business.

When you deploy tools that can automatically record workflows and capture validated screenshots, you fundamentally alter your cost structure. Instead of paying an analyst to spend four hours tracking down an engineering manager for CC6.1 access review evidence, a system captures it automatically, attaches the cryptographic proof, and drops it into the audit folder.
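As an added illustration of what "validate IPE at the point of capture" and "attaches the cryptographic proof" can mean in practice (example code written for this article, not any vendor's product), the capture routine below seals a screenshot together with its metadata using a keyed hash, and the validator flags exactly the failures described in the screenshot-tax cycle above: a missing timestamp, evidence for the wrong repository, or an artifact that was modified after capture. The control IDs, repository names and signing key are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed signing key for the capture agent; a real deployment would use a managed secret.
CAPTURE_KEY = b"example-capture-agent-key"
REQUIRED_FIELDS = ("control_id", "source_system", "scope", "captured_at", "sha256")


def capture_evidence(control_id, source_system, scope, artifact, captured_at=None):
    """Wrap an artifact (e.g. screenshot bytes) with the metadata an auditor needs
    and seal it so later edits (cropping, re-saving) are detectable."""
    ts = captured_at or datetime.now(timezone.utc)
    record = {
        "control_id": control_id,        # e.g. "CC8.1" (change management)
        "source_system": source_system,  # e.g. "github"
        "scope": scope,                  # e.g. the repository the evidence covers
        "captured_at": ts.isoformat(),   # timezone-aware ISO-8601 timestamp
        "sha256": hashlib.sha256(artifact).hexdigest(),
    }
    canonical = json.dumps(record, sort_keys=True).encode()
    record["seal"] = hmac.new(CAPTURE_KEY, canonical, hashlib.sha256).hexdigest()
    return record


def validate_ipe(record, artifact, expected_scope):
    """Return the list of IPE problems; an empty list means the evidence is
    complete (all fields present), accurate (hash and seal match) and in scope."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("captured_at"):
        try:
            if datetime.fromisoformat(record["captured_at"]).tzinfo is None:
                problems.append("timestamp lacks a timezone")
        except ValueError:
            problems.append("unparseable timestamp")
    if record.get("scope") and record["scope"] != expected_scope:
        problems.append("wrong scope")
    if record.get("sha256") != hashlib.sha256(artifact).hexdigest():
        problems.append("artifact hash mismatch")
    unsealed = {k: v for k, v in record.items() if k != "seal"}
    expected_seal = hmac.new(CAPTURE_KEY, json.dumps(unsealed, sort_keys=True).encode(),
                             hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_seal, record.get("seal", "")):
        problems.append("seal invalid")
    return problems
```

Run `validate_ipe(capture_evidence("CC8.1", "github", "acme/payments-api", shot), shot, "acme/payments-api")` on any bytes object to see an empty problem list, and blank out `captured_at` or pass a different repository to see the rejections an auditor would otherwise raise weeks later.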

For an MSP, this means:

  1. You can confidently offer flat-fee pricing without the risk of scope creep.
  2. You can handle more clients per analyst, increasing revenue per headcount.
  3. You stop acting as a project manager nagging clients, and return to acting as a strategic advisor.

Clients don't care how long it takes you to collect evidence. They care that they pass the audit and close their enterprise deals. If you can deliver that outcome using 10 hours of internal time instead of 40, your margin grows while the client's experience actually improves.

Learn More About SOC 2 Evidence Automation

For a complete guide to scaling your practice, see our guide on automating SOC 2 evidence collection, including how to eliminate the manual screenshot work that kills managed service margins.
