
Transparent pricing · Recurring partnership · No hourly surprises

Pricing — built for accountability, scoped to your risk surface.

EFROS sells recurring partnership at predictable monthly fees — not hourly billing surprises. Indicative bands are published so you can self-qualify before booking a call. Final scope reflects your environment, regulatory overlay, and risk surface.

Why we publish prices

Most MSSPs hide pricing. That's a tell.

Most managed-service and managed-security providers hide their pricing behind a “contact us” form. The reason is rarely flattering: the quoted price reflects what the buyer looks able to pay, not what the engagement actually costs to deliver.

We publish indicative bands because pricing transparency qualifies leads pre-call and signals confidence in our value. If our bands are out of reach for your stage, you find out in two minutes instead of two discovery calls. If they fit, we both move faster toward a real proposal.

The bands below are starting points. The proposal you receive is scoped to your actual environment — seat count, regulatory overlay, geographic spread, tooling baseline, incident history. You will see every line item, every assumption, and every third-party pass-through cost before you sign anything.

Core service tiers

Three recurring tiers, one accountable partner

Each tier is a complete program with documented SLA — not a menu of services billed by the hour. You scale up the program as your risk surface grows; you do not chase invoices line by line.

Tier 1 · Managed IT

Core IT

From $175 / user / month

Annual term, billed monthly. $2,500 monthly minimum. Onboarding fee additional.

Organizations that need accountable IT operations under one SLA — without juggling a help-desk vendor, an MSP, and an MSSP.

Includes
  • Microsoft 365 administration and tenant hardening
  • Endpoint management, patching and MDM enrollment
  • Help desk with named technician and documented SLA
  • Network management (firewall, switches, Wi-Fi, VPN)
  • Backup and disaster recovery (M365, endpoints, servers)
  • Vendor management (ISP, SaaS, hardware lifecycle)
  • Quarterly business review and roadmap
  • Governance baseline for AI tool rollouts
Get a Core IT quote

Tier 2 · Managed IT + MSSP

Secure Operations

From $275 / user / month

Annual term, billed monthly. $5,000 monthly minimum. Includes everything in Core IT. Security tooling and SIEM / log ingestion scoped separately.

Mid-market and regulated SMBs that need a defensible security posture documented against NIST CSF, ISO 27001, or SOC 2 — not a checkbox.

Includes
  • Everything in Core IT, plus:
  • EDR / XDR deployment and tuning
  • Identity threat detection (Entra ID, conditional access)
  • Email security (MTA-STS, DMARC at p=reject, BEC controls)
  • Vulnerability management with monthly remediation cycle
  • Phishing simulation and security awareness training
  • SIEM with log retention and alert triage (business hours)
  • Compliance evidence pack (NIST CSF / ISO 27001 / SOC 2)
Get a Secure Operations quote

Tier 3 · Full enterprise

Fortress SOC

From $9,500 / month

Flat-fee security program for up to 50 users / 75 endpoints. Additional users, endpoints, cloud workloads, log volume, and response SLA scoped separately.

Organizations operating in regulated industries (healthcare, financial, defense supply chain) or carrying material breach exposure where a 24/7 accountable program is non-negotiable.

Includes
  • Everything in Secure Operations, plus:
  • 24/7 SOC analysts with documented escalation SLA
  • Proactive threat hunting and red-team exercises
  • Incident Response Retainer (Fortress tier — see /services/incident-response-retainer)
  • AI Governance baseline (NIST AI RMF + EU AI Act readiness)
  • Dedicated security architect and named IR commander
  • Board-grade quarterly risk reporting
  • Annual third-party penetration test (network + application)
  • Tabletop exercises (quarterly)
Get a Fortress quote

All recurring programs are scoped to users, endpoints, servers, cloud tenants, regulatory exposure, log volume, and required response SLA. Third-party software, hardware, SIEM ingestion, and major project work are quoted separately with line-item transparency.

The 4th peer discipline · NIST AI RMF · ISO/IEC 42001 · EU AI Act

AI Governance — entry audit and two managed tiers

AI is a regulated risk surface, not a productivity feature. Start with a fixed-fee audit; convert to Foundation or Operations once the inventory and risk map are in place.

Entry engagement

AI Risk Audit

From $7,500 one-time

Fixed-fee, 2–3 weeks. The audit fee is credited toward the first quarter of a managed program on conversion.

Outcomes
  • Shadow AI scan across M365, browser and network
  • Vendor inventory and BAA / DPA gap analysis
  • NIST AI RMF + ISO/IEC 42001 + EU AI Act risk-tier mapping
  • Top-20 prioritized risks with remediation recommendations
  • Executive briefing and written report
Scope an audit

Recurring program

AI Governance Foundation

From $4,500 / quarter

12-month minimum. Quarterly cadence. Includes policy maintenance, vendor review, risk dashboard, and executive advisory.

Outcomes
  • Quarterly AI inventory sync and policy maintenance
  • 5 vendor reviews per year with BAA / DPA tracking
  • Annual progress report against NIST AI RMF
  • AI Risk Score dashboard with trending
  • 2 hours / month strategic consult
Scope Foundation

Managed program

AI Governance Operations

From $6,500 / month

12-month minimum. Monthly cadence with DLP enforcement, vendor governance, board reporting, and AI incident escalation.

Outcomes
  • Monthly inventory sync and expanded vendor reviews (12+ / year)
  • BAA negotiation and AI vendor onboarding management
  • Monthly board-grade reports with material-risk register
  • Annual AI Pen-Test (OWASP Top 10 for LLM Applications methodology)
  • DLP / M365 Purview policy enforcement
  • AI incident escalation and forensics liaison
  • 8 hours / month strategic consult
Scope Operations

Specialized stacks and add-ons

Five specialized offerings for specific risk surfaces

These are productized engagements layered on top of (or alongside) the core tiers. Vertical stacks bundle Tier 1/2/3 with industry-specific controls; standalone services close discrete risk gaps.

Fraud Prevention B2B

From $3,500 / month

Executive identity monitoring, BEC controls, payment-verification workflow and wire-fraud IR for SMBs, family offices and regulated professional-services firms.

Talk to a specialist

AI Voice / Call Analytics

From $25 / seat / month + setup

3CX-native AI transcription, sentiment, QA scorecards and compliance archive (HIPAA / GDPR / SEC / SOC 2). Deployed and operated by a 3CX Silver Partner.

Talk to a specialist

Logistics Stack

From $6,500 / month

Bundled Tier 1/2/3 + AI Voice + IR Retainer + TMS / dispatch integration + DOT cyber compliance binder. Built for 3PLs, brokers and dispatch operations.

Talk to a specialist

Healthcare Stack

From $7,500 / month

Bundled HIPAA-compliant Managed IT + AI Governance for clinical scribes (Abridge, Suki, DAX, Heidi) + PHI DLP + clinical IR Retainer. Built for multi-site clinics.

Talk to a specialist

AI Pen-Test

From $12,500 / engagement

Adversarial testing for prompt injection, jailbreak resistance, training-data exfiltration, model theft, output integrity, and agent guardrail bypass. Fixed-fee engagement.

Talk to a specialist

Pricing methodology

How pricing is structured

We avoid pricing models that incentivize the wrong behavior. Hourly billing rewards inefficiency; fixed-fee rewards execution. Here is the structure behind the bands.

Per-user vs flat-fee

Core IT and Secure Operations are billed per active user, scoped to your seat count at the start of each quarter. Fortress SOC and the AI Governance programs (Foundation, Operations) are flat-fee programs with metered components (seat band, vendor count, log volume) defined in the engagement letter.

What drives custom adjustments

Indicative bands reflect a non-regulated environment with one geographic location and standard tooling. Premium adjustments apply for regulated industry overlays (HIPAA, PCI-DSS, CMMC, FedRAMP), dedicated team requirements, multi-region operations, or non-standard infrastructure (OT, ICS, air-gapped, multi-tenant SaaS).

Annual vs monthly billing

Standard term is 12 months billed monthly. Multi-year terms (24 / 36 months) carry indicative discounts. Month-to-month is available at a premium for short-engagement scenarios (M&A diligence, pre-launch programs, IR retainer top-ups).

Onboarding fees

Onboarding is a separate fixed-fee covering discovery, tenant baseline, agent deployment, runbook authoring, and the first 30 days of stabilization. Onboarding fees are disclosed in the proposal and not bundled into the recurring fee — so you see exactly what you are paying for and when.

Anti-surprise disclosure

What's NOT included

Buyers hate hidden costs. We disclose every category of cost that sits outside the recurring fee — so the only number on your invoice that surprises you is the one we tell you about in advance.

  • Third-party software licenses

    Microsoft 365 / E5, EDR endpoint licenses (CrowdStrike, SentinelOne, Defender for Endpoint P2), SIEM ingestion, AI assistants (Copilot, ChatGPT Enterprise, Claude Enterprise) — pass-through at vendor invoice cost or, where requested, billed with a transparent procurement markup disclosed in writing.

  • Hardware

    Laptops, servers, firewalls, switches, access points, phones — sourced through vendor partners (Cisco, Microsoft, HP, Lenovo, 3CX) at cost-plus pricing disclosed per quote. We do not mark up hardware silently.

  • Project work beyond included hours

    Major migrations, M&A IT integrations, data-center moves, custom application deployments, network redesigns — scoped and quoted as fixed-fee projects separate from the recurring fee. Block-of-hours retainers available for ongoing project capacity.

  • Industry-specific compliance projects

    SOC 2 Type I / II readiness, HIPAA risk analysis (45 CFR § 164.308), PCI-DSS attestation prep, CMMC certification scoping, EU AI Act conformity assessment — scoped as separate fixed-fee engagements with deliverables.

  • Specialized incident response beyond retainer hours

    IR Retainer tiers include incident hours per the matrix at /services/incident-response-retainer. Overage hours and forensic-specialist engagement (mobile, ICS, deep cloud forensics) bill at the retainer overage rate disclosed in the engagement letter.

Pricing FAQ

Why don't you publish exact prices?

Because pricing is scoped to your risk surface — number of users, regulatory overlay, tooling baseline, geographic spread, and incident history. Published bands are indicative starting points; the proposal reflects what your environment actually requires. Pricing transparency at the band level qualifies leads pre-call without forcing us to misrepresent fixed prices for variable scope.

Is there a minimum contract length?

Standard term is 12 months on all recurring tiers (Core IT, Secure Operations, Fortress SOC, AI Governance Foundation, AI Governance Operations). Month-to-month is available on Core IT only at a premium and is typically used for M&A diligence, pre-launch programs, or short-engagement transitions. AI Risk Audit and AI Pen-Test are fixed-fee one-time engagements with no recurring commitment.

Do you charge onboarding fees?

Yes. Onboarding is a separate fixed-fee, disclosed in the proposal, scoped to environment size and complexity. It covers discovery, tenant baseline, agent deployment, runbook authoring, and the first 30 days of stabilization. Onboarding is not bundled into the recurring fee — so you see exactly what you are paying for and when. Typical onboarding fees range from ~$5,000 (small Core IT environment) to ~$50,000+ (multi-site, multi-region, regulated Fortress SOC deployment).

How is per-user pricing structured?

Per-active-user, billed against your seat count at the start of each quarter, with a quarterly true-up. The published bands ($175/user for Core IT, $275/user for Secure Operations) apply to active users in scope, subject to the monthly minimums ($2,500/mo for Core IT, $5,000/mo for Secure Operations), which prevent the model from breaking on very small seat counts. In practice the minimum binds below 15 users on Core IT (14 × $175 = $2,450) and below 19 users on Secure Operations (18 × $275 = $4,950); above those counts the per-user rate governs. Fortress SOC is flat-fee for up to 50 users / 75 endpoints with metered additions above that band, defined in the engagement letter.

Can I downgrade tiers?

Tier downgrades are available at the next billing anniversary with 60-day notice. Mid-term downgrades are subject to scope renegotiation — typically possible without penalty if the environment has materially changed (M&A divestiture, headcount reduction, regulatory scope contraction). We document the path in the engagement letter so the decision is not a surprise on either side.

Do you offer multi-year discounts?

Yes. 24-month commitments typically carry a 5-10% discount on recurring fees; 36-month commitments carry a 10-15% discount. Exact discount bands are disclosed in the proposal and depend on tier, scope, and payment terms (annual prepay carries the largest reduction). We do not offer multi-year discounts on AI Risk Audit, AI Pen-Test, or other fixed-fee one-time engagements.

What's the typical first-month cost?

First-month invoice composition: onboarding fee (one-time, fixed) + first month of recurring tier fee + any pre-purchased third-party licenses (M365, EDR, SIEM ingestion) + any hardware procured through EFROS. Every line is itemized in the engagement letter before signature. There are no setup-fee surprises after the proposal is countersigned.

Do you offer retainer-vs-project pricing?

Both. Project work with defined scope is quoted as fixed-fee (migrations, M&A IT integrations, compliance attestation prep, AI Risk Audit, AI Pen-Test). Ongoing capacity for unscoped work is sold as a block-of-hours retainer at a documented hourly rate disclosed in the engagement letter. Recurring program tiers (Core IT, Secure Operations, Fortress SOC) cover all included-scope work without hourly billing — the project / retainer construct is only used for work outside the recurring scope.

What about non-profit / education pricing?

Eligible 501(c)(3) non-profits and accredited educational institutions receive a 10-15% discount on recurring tiers, subject to verification of status. The discount does not apply to third-party software pass-through (Microsoft 365 nonprofit pricing already applies through Microsoft directly), hardware, or fixed-fee one-time engagements. Faith-based and community-mission organizations within these categories are eligible on the same terms.

How does pricing differ for HIPAA / PCI / CMMC environments?

Regulated overlays carry a documented premium reflecting the additional controls, evidence work, BAA / DPA management, and audit-support burden. Typical premium bands: HIPAA +10-15%, PCI-DSS +15-20% (scope-dependent), CMMC L2 +20-30%, CMMC L3 quoted separately. The premium is disclosed line-by-line in the proposal, never folded silently into the base rate. In multi-overlay environments (e.g. a healthcare payment processor with both HIPAA and PCI scope) the premiums stack additively, but the combined total rarely exceeds +35%.

Move forward without the discovery-call dance

Start with a free score, book a 20-minute call, or request a full engagement scoped to your environment.