Cybersecurity assessment tool for vCISO consultants

Run NIS2, DORA, NIST CSF, or CMMC assessments for your clients without spending a weekend writing each report. Narratiq builds the assessment from your framework, scores every dimension, and writes the narrative — so your branded PDF deliverable is ready in 20 minutes instead of four hours.

Last updated: May 2026

Why vCISO consultants need a better assessment workflow

The vCISO market is in a structural growth period. Three regulatory frameworks — NIS2 (EU, in force since October 2024), DORA (EU financial services, in force since January 2025), and CMMC 2.0 (US defence supply chain, phased rollout through 2026) — have created sustained demand for cybersecurity readiness assessments. Mid-market and SMB clients who previously treated cybersecurity as an IT problem are now treating it as a board-level compliance obligation, and they're hiring fractional CISOs and boutique security firms to help.

The work is there. The bottleneck is delivery. A typical vCISO engagement starts with an assessment — NIST CSF, ISO 27001 readiness, NIS2 gap analysis, SOC2 readiness — and ends with a written report that maps findings to controls, prioritises remediation, and communicates risk in language a non-technical board will read. Building the assessment in Google Forms or generic survey tools, scoring it manually in Excel, then writing the report in Word and formatting it in InDesign or Canva is a 6-10 hour process per client. For a vCISO running 5-10 client engagements per month, that's 30-100 hours of non-billable work — every month.

How Narratiq fits the vCISO workflow

Narratiq compresses the assessment-to-report workflow into four steps:

  1. Define your framework once. Describe your assessment methodology in plain language — NIST CSF, NIS2 controls, CMMC level 2, your custom maturity model. The AI generates the question structure, scoring logic, and dimension weights from your description. You refine the questions to match your specific approach. Setup time per framework: 30-90 minutes.
  2. Brand the report template. Upload your firm's logo and colours, choose from executive, detailed, or one-pager layouts, and adjust the section structure if needed. The drag-drop PDF builder handles cover page, headers, footers, and page numbering.
  3. Send the assessment to your client. Each engagement gets a shareable link, optionally password-protected and time-limited. Clients fill out the assessment in a branded form on your custom subdomain.
  4. Review the AI-generated report. When the client submits, Narratiq scores every dimension, generates radar and bar charts, and writes a structured first draft of the executive summary, dimension-by-dimension analysis, and prioritised remediation recommendations — all grounded in that specific client's scores. You review, adjust the parts that need your direct expertise from the discovery conversations, and the branded PDF is ready in 20 minutes.

Frameworks Narratiq is being used for

| Framework | Typical use case | Regulatory driver |
|---|---|---|
| NIST CSF 2.0 | Cybersecurity maturity baseline for mid-market and SMB clients | Industry standard, board reporting |
| NIS2 | Gap analysis for EU entities in essential and important sectors | EU directive, in force since October 2024 |
| DORA | Operational resilience readiness for EU financial services and critical ICT third-party providers | EU regulation, in force since January 2025 |
| CMMC 2.0 | Level 1 self-assessment and Level 2 readiness for US defence contractors | DoD requirement, phased through 2026 |
| ISO 27001 | Pre-certification readiness assessment, gap analysis against Annex A controls | Voluntary certification, customer-driven |
| SOC2 | Type 1 readiness for SaaS vendors, Trust Services Criteria gap analysis | Customer-driven, US market |
| CIS Controls | Implementation Group 1/2/3 readiness for resource-constrained organisations | Industry standard, voluntary |
| Custom maturity models | Firm-specific frameworks combining elements from multiple standards | Client request, differentiated offer |

What the AI actually writes — and what it doesn't

Narratiq's AI is built to draft the structural writing of a cybersecurity assessment report — the parts that follow the same rhythm engagement after engagement. Specifically:

  • Executive summary. A 2-3 paragraph overview written for a non-technical board audience, summarising the client's overall maturity score, top three priority gaps, and recommended next steps. Grounded in the specific client's scores, not a generic template.
  • Dimension-by-dimension analysis. For each control category (Identify, Protect, Detect, Respond, Recover in NIST CSF; or the equivalent dimensions in your chosen framework), the AI writes an interpretation of the score, what it means in practice, and where the gaps are concentrated.
  • Prioritised recommendations. Specific remediation actions ranked by impact and effort, written in the language of your framework, with the rationale for prioritisation.

What the AI does not do — and shouldn't:

  • Make compliance assertions. The AI writes about gaps, scores, and recommendations. It does not assert compliance with any standard. That assertion is the consultant's professional judgement, after review.
  • Replace your client conversations. The AI sees the assessment scores. It doesn't see what the client told you in the discovery call about budget constraints, internal politics, or the recent breach they're still recovering from. Those contextual observations are added by the consultant during review — that's the 10-20% of the report that your professional voice owns.
  • Replace technical depth where it matters. For deeply technical sections (specific control implementations, network architecture analysis, detailed remediation playbooks), the AI's output is a structural starting point. The consultant's domain expertise is what makes those sections genuinely valuable.

What the workflow looks like in practice

Consider a fractional CISO running NIS2 gap assessments for mid-market manufacturing clients in the EU. The previous workflow looked like this: build the assessment in a survey tool (3 hours per framework), score the responses in Excel after each client (1 hour), write the executive summary, the per-section analysis, and the remediation roadmap in Word (4 hours), format and brand the document (1 hour). Per client: 9 hours of non-billable work.

With Narratiq, the same vCISO defines the NIS2 framework once — typically 60-90 minutes for the first build. Every subsequent client uses the same framework. When a client submits, the AI scores every dimension, generates the maturity radar chart, and writes the first draft of the executive summary, the section-by-section narrative, and the prioritised remediation roadmap. The vCISO reviews, adds the contextual observations from discovery calls (the recent ransomware incident at a peer company that's driving the client's urgency, the fact that their CFO is the de facto security sponsor because there's no formal IT function), and the branded PDF is ready in 20-30 minutes.

Across 8 client engagements per month, the workflow recovers approximately 60 hours per month — time that goes back into client conversations, business development, or genuinely off the clock.

Pricing for vCISO practices

Narratiq's plans map directly to typical vCISO practice sizes:

  • Solo — $149/mo. One consultant, up to 10 active client engagements, 100 AI generations per month. Fits a fractional CISO with a steady book of 5-10 mid-market clients.
  • Pro — $249/mo. Three consultants, 25 active engagements, 300 AI generations, custom subdomain and full white-labelling. Fits a small boutique security firm with two or three senior consultants.
  • Agency — $449/mo. Unlimited users, unlimited engagements, unlimited AI generations, sub-account support. Fits a growing security consulting firm with multiple practice leads and a need to manage client engagements across teams.

All plans include AI-written narrative, drag-drop PDF builder, custom branding, conditional content, weighted scoring, and the full assessment builder. There is no feature-gated AI tier and no custom-priced enterprise contract for the core report-writing workflow.

Frequently asked questions

Does Narratiq come with pre-built NIS2, DORA, or NIST CSF templates?

A starter library of vertical templates — NIST CSF 2.0, NIS2 gap analysis, DORA operational resilience, ISO 27001 readiness, SOC2 readiness, CMMC Level 2 — is on the roadmap and being built in collaboration with vCISO consultants in the early-access programme. At launch, you describe your assessment methodology in plain language and the AI generates the question structure for you. For consultants who already have a Word or Excel version of their preferred framework, this rebuild typically takes 60-90 minutes.

Is the AI accurate enough for compliance reporting?

The AI writes a first draft grounded in the specific client's scores — it doesn't make up findings or fabricate evidence. That said, every report is reviewed and finalised by the consultant before delivery. Narratiq is designed to compress the writing time, not to remove the consultant's professional judgement. For compliance-sensitive work, the consultant's review is non-negotiable — and Narratiq's workflow is built around that review step. Reports never go directly to clients without consultant sign-off.

How does Narratiq handle sensitive client data?

Client assessment data is stored encrypted at rest in Narratiq's database and processed only to generate the client's report. AI processing occurs via API with zero data retention on the model provider's side — no Narratiq client data is used to train AI models. Reports and uploaded assets are delivered through an authenticated proxy that verifies access on every request. You can export or delete client data at any time, and all data is permanently deleted 30 days after account cancellation. Detailed security documentation is available on request.

Can I white-label the assessment for my firm's branding?

Yes. The Pro plan ($249/mo) and Agency plan ($449/mo) include full white-label branding: custom logo, colours, custom subdomain (e.g. assessments.yourfirm.com), and removal of all Narratiq branding from the client-facing form and the delivered PDF report. The Solo plan ($149/mo) includes custom logo and colours on the report; full subdomain white-labelling is on Pro and above.

How long does the first assessment take to set up?

Most vCISO consultants describe their first framework build in 60-90 minutes. You start by describing your methodology in plain language — for example, "NIS2 gap assessment with the ten security measures from Article 21, scored 0-4 on maturity with weighted dimensions." The AI generates a full question set and scoring structure. You refine the questions, adjust the dimension weights, and upload your branding. The first branded PDF is typically generated during setup, so you see exactly what your client will receive before you send a single link.
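The answer above describes the scoring structure a framework build produces: each dimension is answered on a 0-4 maturity scale, dimensions carry weights, and the gaps are ranked for remediation. The following Python is an added illustration of that structure, not Narratiq's code or generated output. The dimension names, weights, question identifiers and sample answers are all constructed; they are not the ten Article 21 measures and should not be read as a NIS2 question set.

```python
"""Weighted maturity scoring and gap prioritisation for a framework assessment.

Added illustration, not Narratiq's code. Models the structure the page
describes: dimensions answered 0-4 on maturity, weighted per dimension,
an overall score, and gaps ranked for remediation. All names and values
below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_MATURITY = 4  # page's 0-4 maturity scale


@dataclass(frozen=True)
class Dimension:
    name: str
    weight: float               # relative importance, normalised at scoring time
    questions: tuple[str, ...]  # question ids answered on the 0-4 scale


@dataclass(frozen=True)
class DimensionResult:
    name: str
    score: float         # mean maturity across the dimension's questions (0-4)
    weight: float        # normalised weight (all weights sum to 1.0)
    gap: float           # distance from full maturity: MAX_MATURITY - score
    weighted_gap: float  # gap * weight; the quantity used to rank remediation


# Constructed three-dimension framework (hypothetical names and weights)
FRAMEWORK = (
    Dimension("Incident handling", 3.0, ("IH-1", "IH-2")),
    Dimension("Business continuity", 2.0, ("BC-1", "BC-2", "BC-3")),
    Dimension("Supply chain security", 1.0, ("SC-1",)),
)

# Constructed client answers on the 0-4 scale
SAMPLE_RESPONSES = {"IH-1": 1, "IH-2": 2, "BC-1": 3, "BC-2": 3, "BC-3": 4, "SC-1": 0}


def find_response_errors(framework, responses) -> list[str]:
    """Return a list of problems (missing or out-of-range answers); empty means valid."""
    errors = []
    for dim in framework:
        for q in dim.questions:
            if q not in responses:
                errors.append(f"{q}: missing answer")
                continue
            v = responses[q]
            # bool is a subclass of int, so exclude it explicitly
            if isinstance(v, bool) or not isinstance(v, int) or not 0 <= v <= MAX_MATURITY:
                errors.append(f"{q}: maturity must be an integer 0-{MAX_MATURITY}, got {v!r}")
    return errors


def score_assessment(framework, responses) -> tuple[float, list[DimensionResult]]:
    """Score every dimension and return (overall weighted maturity, per-dimension results)."""
    errors = find_response_errors(framework, responses)
    if errors:
        raise ValueError("; ".join(errors))
    total_weight = sum(d.weight for d in framework)
    results = []
    for dim in framework:
        mean = sum(responses[q] for q in dim.questions) / len(dim.questions)
        w = dim.weight / total_weight
        gap = MAX_MATURITY - mean
        results.append(DimensionResult(dim.name, mean, w, gap, gap * w))
    overall = sum(r.score * r.weight for r in results)
    return overall, results


def prioritise_gaps(results, top_n: int = 3) -> list[str]:
    """Dimension names ordered by weighted gap, largest first (the 'top priority gaps')."""
    ranked = sorted(results, key=lambda r: r.weighted_gap, reverse=True)
    return [r.name for r in ranked[:top_n]]


if __name__ == "__main__":
    overall, results = score_assessment(FRAMEWORK, SAMPLE_RESPONSES)
    print(f"Overall maturity: {overall:.2f} / {MAX_MATURITY}")
    for r in results:
        print(f"  {r.name:<24} score={r.score:.2f} gap={r.gap:.2f} weighted_gap={r.weighted_gap:.2f}")
    print("Priority order:", ", ".join(prioritise_gaps(results)))
```

Note the effect of the weights: supply chain security has the largest raw gap (a score of 0), but incident handling ranks first because its weight is three times larger. That is the kind of prioritisation the page says the report narrative is grounded in, and it is also why a consultant should check the dimension weights during framework setup rather than accept a generated default.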

Built for vCISO consultants

Join the Narratiq waitlist. Solo plan from $149/mo at launch — all features included.