Skip to content
XpooseBook Exposure Call

Pricing

Every offer. Every price.

14SKUs across five surfaces — every dollar on this page comes from docs/specs/pricing-config.json in the source repo. No price on Xpoose marketing exists outside that file.

Last updated: 2026-04-19 · pricing valid through 2027-04-19

CMMC L2 — the wedge

The Grand Slam is the offer that anchors everything else. Pre-Flight is the half-step for buyers not yet ready to commit to 90 days. Managed Compliance is the keep-it-true retainer that picks up at month 4.

CMMC L2 Ready in 90 Days

Wedge

$35,000 fixed

90 days to CMMC L2 ready, fixed fee, founder-delivered.

  • SSP, policies, enclave, POA&M
  • Pass-or-Free guarantee (G1/G2/G3)
  • Prime-facing evidence binder
  • Max 3 concurrent engagements
  • Concurrent cap: 3
Read the full page →

Xpoose CMMC Pre-Flight

$8,500 fixed

A 30-day diagnostic. 100% of the fee credits to a Grand Slam.

  • Posture baseline + gap analysis
  • Written go / no-go memo
  • $8,500 credit toward Grand Slam, 180 days
  • No commitment to continue
    Talk to us

    Managed Compliance retainer

    $4,500/mo

    Monthly evidence + policy refresh + control review.

    • 6-month minimum term
    • Monthly evidence collection
    • Quarterly policy refresh
    • ~75% attach rate from Grand Slam
    • Minimum term: 6 months
    Read the full page →

    vCISO — fractional security leadership

    Three tiers of fractional CISO capacity. Same operator delivers all three; only the cadence + commitment changes.

    Xpoose vCISO Core

    $4,500/mo

    8 hours per month. The "security adult in the room" tier.

    • Monthly leadership stand-up
    • Roadmap ownership
    • Quarterly board update
    • Async on-call for written questions
    • Hours / month: 8
    • Concurrent cap: 3
    Read the full page →

    Xpoose vCISO Pro

    Most teams

    $6,000/mo

    14 hr/mo. Active build cadence — CMMC, SOC 2, board prep.

    • Everything in Core
    • Quarterly Exposure Scorecard
    • Vendor security reviews (4/mo)
    • Consigliere Tuned bundled
    • Hours / month: 14
    • Concurrent cap: 3
    Read the full page →

    Xpoose vCISO Embed

    $12,000/mo

    32 hr/mo. Effectively a part-time CISO seat.

    • Everything in Pro
    • Weekly leadership presence
    • Quarterly on-site (CONUS)
    • One concurrent client (capped)
    • Hours / month: 32
    • Concurrent cap: 1
    Talk to us

    Consigliere — on-prem AI appliance

    Per-client fork of the AI compliance brain. Same hardware in every tier; what changes is tuning and who runs the policy refresh.

    Consigliere Starter

    $1,497 once + $149/mo

    You operate the appliance. 90-day money-back.

    • Provisioned Pi 5 hardware
    • Industry playbook pack
    • Founder onboarding call
    • Self-serve OTA updates
    • Money-back window: 90 days
    Read the full page →

    Consigliere Tuned

    Most teams

    $1,497 once + $249/mo

    We tune to your environment. 4-hour support SLA.

    • Everything in Starter
    • Per-environment playbook tuning
    • 4-hour support SLA
    • Quarterly playbook refresh
    • One-time tuning fee: $2,500
    Read the full page →

    Consigliere Managed

    $1,497 once + $499/mo

    We run the appliance for you. Monthly + quarterly cadence.

    • Everything in Tuned
    • Monthly policy refresh
    • Quarterly tabletop
    • CMMC evidence artifacts
      Read the full page →

      Pentest + Incident Response

      Two adjacent surfaces. Pentest is for procurement evidence; IR is for the day something breaks.

      Pentest engagement

      $18,000–$25,000 fixed

      Time-boxed external pentest. Buyer-readable report.

      • Web app, network, or cloud config scope
      • 2-week active testing window
      • Re-test included (60 days)
      • C3PAO-aligned reporting
        Read the full page →

        Incident Response — surge

        $500/hr

        Hourly engagement when something happens.

        • 8-hour minimum
        • Active triage + containment
        • Post-incident write-up
        • No retainer needed
          Talk to us

          Incident Response — retainer

          Mature teams

          $20,000/yr

          2-hour response SLA. Pre-paid hours.

          • Annual contract
          • 2-hour SLA on declared incidents
          • Quarterly tabletop included
          • Hours roll over within year
            Read the full page →

            Academy — train the operator next door

            Two academy tracks for security-curious operators. The Cohort is the founder-led version; the Founder Edition is the self-paced course.

            Xpoose Academy — Founder Edition

            $497 fixed

            Self-paced. Lifetime access. Cohort credit if you upgrade.

            • Full curriculum, on-demand
            • Lab exercises included
            • Certificate of completion
            • Credits 100% toward Cohort within 180d
            • Money-back window: 30 days
            Talk to us

            Xpoose Operators — CMMC Cohort

            Founder-led

            $1,997 fixed

            Founder-led, time-boxed. Live sessions, peer cohort, capstone.

            • Live weekly sessions
            • Peer cohort + mentor matching
            • Capstone CMMC simulation
            • Certificate cosigned by Xpoose
            • Money-back window: 14 days
            Talk to us

            What every paid engagement includes

            • Audit-chain integrity with HMAC verification
            • CMMC AU + AC evidence collection in the Portal
            • Single sign-on via Clerk (incl. passkeys + hardware keys)
            • Cancel anytime, transparent monthly billing via Stripe
            HNW

            Discreet engagements for HNW principals + family offices

            The HNW tier isn’t listed by price on this page on purpose. Engagements are NDA-gated and start with a referral or a written request. If that’s the shape you need, get in touch.

            Contact us

            Not sure which one is yours?

            Book a 30-minute Exposure Call. We sort it before either of us commits.

            Book Exposure CallAll services →