For vCISOs

One Platform for Every Client’s Security Program

Phishing simulation, continuous attack-surface monitoring, and board-ready compliance reports — across every client on your retainer, under your brand, on billing you can price into a fixed fee.

Built for the way vCISOs actually work

A virtual CISO carries the security program for ten, twenty, or more client organizations at once — on retainer, as an embedded ongoing advisor rather than a one-time assessor. That is a different shape of work than either an internal security team or a point-in-time pen-test firm. You need consolidated visibility across every client for your own quarterly reviews, you bill per deliverable so cost predictability is non-negotiable, and you have to present tooling ROI to each client’s board separately, through each client’s procurement.

HailBytes covers exactly this: multi-tenant isolation so each client’s data stays separate, white-label reports you present as your own deliverables, and per-vCPU/hour Marketplace billing that lets you fold SAT and ASM into a fixed retainer without usage surprises. Two products, one operating model, the whole client book.

Why vCISOs run HailBytes SAT and ASM

Multi-client management

One ASM instance carries unlimited Projects with per-client RBAC and isolated scan results, so each client’s findings, assets, and history stay walled off from the rest of your book. SAT keeps a clean tenant boundary per client in the same way. You manage the whole portfolio from one place without ever mixing one client’s data into another’s report.

Board-ready outputs

White-label compliance PDF reports per framework — SOC 2, NIST CSF, PCI DSS, HIPAA, and more — that you can hand a client’s board or auditor directly. The evidence is generated per client, ready for each client’s quarterly review, so your reporting cycle scales with the retainer instead of becoming a manual document-assembly job.

Predictable billing

Per-vCPU/hour Marketplace billing means you can price SAT and ASM deliverables into your retainer without usage spikes. Cost tracks the instance you size, not seats or assets, so the number you quote a client at signing is the number you carry all year — the cost predictability a fixed-fee retainer depends on.

Phishing + recon as a package

Combined SAT and ASM give you a complete “security program in a box” you can deploy per client: awareness training and phishing simulation on one side, continuous external attack-surface monitoring on the other. The two deliverables most retainers are built around, from a single vendor relationship.

White-label branding

SAT supports white-label branding and ASM generates branded PDF reports — so every artifact a client sees can carry your firm’s identity, not a third-party vendor’s. You present these as your own deliverables, which is exactly what an embedded advisory relationship is supposed to look like.

Going deeper

If your practice also resells the platform to clients rather than running it purely as your own tooling, the MSSP resources and partner resell pages cover the white-label resale mechanics, multi-year discount tiers, and per-client cost attribution. To scope a combined SAT + ASM evaluation for a client, the PoC process page documents the options and deliverables.

Talk Through Your Client Book

Every vCISO practice is shaped differently — client count, frameworks in play, and how you package deliverables. A solutions engineer can map SAT and ASM to your retainer model before you stand up the first client instance.
