Field guide

Next Generation CISO Team — AI vCISO and the future of security ops.

Lean engineering teams cannot hire a full CISO function. AI-assisted security operations fill that gap — but only when the AI layer handles the right tasks and the human layer handles the right decisions.

The CISO function is not a role — it is a set of responsibilities

Most companies that need security leadership cannot afford a full-time CISO. The median CISO salary in Western Europe is above €200,000. For a Series A startup or a 30-person SaaS company, that is not a hire you make in the first two years, if ever. But the responsibilities do not disappear because the title is unfilled.

The CISO function covers three distinct domains:

  • Strategic: Security programme design, risk appetite setting, board reporting, regulatory positioning
  • Tactical: Vulnerability management, incident response, security testing cadence, control selection
  • Operational: Monitoring, alert triage, evidence collection, patch tracking, tool management

These three domains require different cognitive loads and different data inputs. Strategic decisions require judgement, context, and accountability — things that cannot be automated. Operational tasks require consistency, speed, and structured data handling — things that AI does better than humans at scale.

The 3-model vCISO architecture

At AssurePort, the internal security operations model runs on three Claude models in coordinated roles. This is not a product feature we sell — it is how we operate our own security function. We describe it here because it is a directly applicable template for any security-aware SaaS team.

Strategic layer
claude-opus-4-7 (fallback / board)

Risk posture assessment, regulatory positioning, board-level security summaries, architecture decisions with security implications. Runs infrequently on complex synthesis tasks.

Tactical layer
claude-sonnet-4-6 (primary)

Vulnerability prioritisation, incident triage, pentest pipeline orchestration, finding validation, remediation synthesis. Runs on every scan, every finding, every alert.

Operational layer
claude-haiku-4-5 (report / evidence)

Evidence collection, audit report generation, compliance checklist tracking, sub-processor register updates, DPA status monitoring. High volume, low latency, structured output.

This layering matches cost to task. Opus-class models for strategic synthesis cost significantly more per token than Haiku-class models for structured evidence generation. Running the wrong model for the wrong task wastes budget without improving outcomes.

The 13-feed threat intelligence input

An effective vCISO layer needs a threat intelligence input that is current, structured, and relevant to the specific technology stack. The AssurePort Threat Intel module (available as free tools at /tools) feeds 13 data streams into the tactical layer:

  • DNS reputation and passive DNS history
  • TLS certificate chain and validity
  • HTTP security header grading
  • Technology stack fingerprint (for CVE surface mapping)
  • Reverse DNS and hosting reputation
  • Open port and service exposure snapshot
  • OSINT domain registration and registrar intelligence
  • Email security configuration (SPF, DKIM, DMARC)
  • Subdomain enumeration (public sources)
  • Web application firewall detection
  • CDN and load balancer detection
  • Associated IP reputation and ASN classification
  • Recent CVE surface match based on detected stack

These feeds run on-demand and are cached in Cloudflare KV (EU region) with appropriate TTLs. The structured output feeds directly into the pentest pipeline recon phase and into the tactical model context for vulnerability prioritisation.
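As an added illustration (not AssurePort's Threat Intel code), the block below implements one of the thirteen feeds, the HTTP security header grade, as a structured check, and wraps it in a per-feed TTL cache that stands in for the Cloudflare KV layer. The header set, the weights, the 180-day HSTS floor and the letter-grade thresholds are this example's own assumptions; the module's actual grading rules are not on the page.

```python
"""Added example (not AssurePort code): one threat-intel feed, the HTTP security
header grade, with a per-feed TTL cache standing in for Cloudflare KV."""
import time

# Headers the feed checks and the weight each carries. The weights and the
# presence checks are this example's own assumptions, not the module's grading.
CHECKS = {
    "strict-transport-security": 25,
    "content-security-policy": 25,
    "x-content-type-options": 15,
    "x-frame-options": 15,
    "referrer-policy": 10,
    "permissions-policy": 10,
}


def _hsts_ok(value: str, min_age: int = 15552000) -> bool:
    """HSTS only helps with a long max-age; 180 days is the assumed floor."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val) >= min_age
    return False


def grade_headers(headers: dict) -> dict:
    """Return a structured verdict for one HTTP response's security headers."""
    present = {k.lower(): v for k, v in headers.items()}
    missing, weak, score = [], [], 0
    for name, weight in CHECKS.items():
        value = present.get(name)
        if value is None:
            missing.append(name)
            continue
        if name == "strict-transport-security" and not _hsts_ok(value):
            weak.append(name)          # present, but max-age too short
            score += weight // 2
        elif name == "x-content-type-options" and value.strip().lower() != "nosniff":
            weak.append(name)          # present, but not the only useful value
            score += weight // 2
        else:
            score += weight
    letter = "A" if score >= 90 else "B" if score >= 75 else "C" if score >= 50 else "F"
    return {"score": score, "grade": letter, "missing": missing, "weak": weak}


class FeedCache:
    """In-memory stand-in for the KV cache: one TTL per feed, keyed by target."""

    def __init__(self, ttls: dict, clock=time.time):
        self.ttls, self.clock, self._store = ttls, clock, {}

    def get_or_run(self, feed: str, target: str, run):
        key = (feed, target)
        hit = self._store.get(key)
        if hit and hit["expires"] > self.clock():
            return {**hit["value"], "cached": True}
        value = run(target)
        self._store[key] = {"value": value, "expires": self.clock() + self.ttls[feed]}
        return {**value, "cached": False}


# Constructed sample: a response with a weak HSTS max-age and no CSP.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    cache = FeedCache({"http_headers": 3600})
    # In practice run() would issue the HTTP request; here it grades the sample.
    fetch = lambda target: grade_headers(SAMPLE_HEADERS)
    print(cache.get_or_run("http_headers", "example.com", fetch))
    print(cache.get_or_run("http_headers", "example.com", fetch))  # served from cache
```

The `cached` flag in the output is what lets the tactical layer tell a fresh observation from a replayed one, which matters when a finding is being validated against a change that was deployed minutes ago.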

What AI vCISO does not replace: Strategic risk decisions that require organisational context, political judgement, or accountability to a board. The question “should we accept this risk?” is a human decision. AI can prepare the analysis, surface the relevant frameworks, and draft the risk acceptance documentation — but the sign-off must be human.

Continuous posture monitoring vs periodic testing

The traditional CISO model runs security testing in discrete cycles: annual pentest, quarterly vulnerability scan, monthly patching review. The vCISO model operates continuously. The difference is not just frequency — it is the type of signal you get.

Periodic testing produces a point-in-time snapshot. Continuous monitoring produces a trend line. A trend line tells you whether your security posture is improving or degrading, and when a specific change in the system introduced a new risk. A snapshot tells you the state on one day.

For compliance purposes (ISO 27001, DORA, NIS2), both have a role. Periodic testing with a human-signed scope and a formally scoped report satisfies the human oversight requirements of TLPT and formal audit. Continuous AI monitoring satisfies the “timely identification” and “systematic process” requirements of ongoing vulnerability management.

Practical implementation for a lean team

A 10-person engineering team with no dedicated security role can implement a functional vCISO layer with three components:

  1. Continuous scan cadence. Monthly Web Pentest and API Pentest runs against the production surface. Quarterly GitHub SAST runs against the main branch. Budget: $299/month (AssurePort Pro, 6 web scans/month + rollover).
  2. Threat intel baseline. Run the free AssurePort tools against your primary domain and any partner/vendor domains you depend on. Repeat after major infrastructure changes.
  3. Finding → remediation SLA. Define MTTR targets: Critical 24h, High 7d, Medium 30d, Low next-sprint. Track remediation status in the scan dashboard. Export the finding log monthly for audit records.
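The third step, as an added example that is not AssurePort's dashboard code: a small finding log that applies the MTTR targets above, flags open findings that have passed their SLA, computes MTTR per severity, and produces the monthly CSV export for audit records. "Next-sprint" for Low findings is read here as a two-week sprint, which is this example's assumption; the finding ids and dates are constructed.

```python
"""Added example (not AssurePort code): a finding log with the MTTR targets
from the SLA above, flagging breaches and exporting a monthly audit record."""
from datetime import date, timedelta
import csv
import io

SPRINT_DAYS = 14  # assumption: "next-sprint" for Low is read as a two-week sprint

# Days allowed to remediate, per severity, as stated in the SLA.
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": SPRINT_DAYS}


def due_date(severity: str, opened: date) -> date:
    return opened + timedelta(days=SLA_DAYS[severity.lower()])


def finding_status(finding: dict, today: date) -> dict:
    """Annotate one finding with its SLA deadline and whether the SLA was met."""
    due = due_date(finding["severity"], finding["opened"])
    closed = finding.get("closed")
    if closed is None:
        state = "open" if today <= due else "breached"
        ttr = None
    else:
        state = "closed_in_sla" if closed <= due else "closed_late"
        ttr = (closed - finding["opened"]).days
    return {**finding, "due": due, "state": state, "ttr_days": ttr}


def mttr_by_severity(findings, today: date) -> dict:
    """Mean time to remediate, in days, over closed findings only."""
    totals = {}
    for f in findings:
        s = finding_status(f, today)
        if s["ttr_days"] is None:
            continue
        totals.setdefault(s["severity"].lower(), []).append(s["ttr_days"])
    return {sev: sum(v) / len(v) for sev, v in totals.items()}


def export_log(findings, today: date) -> str:
    """CSV audit export: one row per finding with its SLA verdict."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "severity", "opened", "closed", "due", "state", "ttr_days"])
    for f in findings:
        s = finding_status(f, today)
        writer.writerow([
            s["id"], s["severity"], s["opened"], s.get("closed") or "",
            s["due"], s["state"], "" if s["ttr_days"] is None else s["ttr_days"],
        ])
    return buf.getvalue()


# Constructed sample findings; ids and dates are made up for the example.
FINDINGS = [
    {"id": "F-001", "severity": "Critical", "opened": date(2024, 3, 1), "closed": date(2024, 3, 1)},
    {"id": "F-002", "severity": "High", "opened": date(2024, 3, 2), "closed": date(2024, 3, 12)},
    {"id": "F-003", "severity": "Medium", "opened": date(2024, 3, 5)},
    {"id": "F-004", "severity": "Low", "opened": date(2024, 2, 1)},
]
TODAY = date(2024, 3, 20)  # constructed "as of" date for the monthly export

if __name__ == "__main__":
    for f in FINDINGS:
        s = finding_status(f, TODAY)
        print(s["id"], s["severity"], s["state"], "due", s["due"])
    print(mttr_by_severity(FINDINGS, TODAY))
    print(export_log(FINDINGS, TODAY))
```

The `state` column is the audit-legible part: a reviewer can see not only that a finding was closed but whether it was closed inside the target the team set for itself, and the `breached` rows are the ones a tactical-layer triage should escalate first.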

This is not a substitute for a CISO. It is a functional security operations baseline that a lean team can implement without a dedicated security hire — and that provides audit-legible evidence for ISO 27001 and DORA without a compliance consultant in the loop for every cycle.