If you’ve ever asked a vendor “how much does a cybersecurity risk assessment cost?” you’ve probably gotten a very unsatisfying answer: “It depends.”
It does depend — but not as much as vendors make it seem. A real cybersecurity risk assessment for a typical SMB in 2026 ranges from $3,500 to $25,000, with most landing between $7,500 and $15,000. The price difference comes down to four specific things, and once you understand them, you can quote-shop with confidence.
This guide covers what you actually pay, what’s in the report, when a DIY questionnaire is fine, when you need a paid engagement, and how to tell a real risk assessment from a sales pitch.
TL;DR — Risk assessment pricing at a glance
| Type of assessment | Typical price | Time to deliver | Who it’s for |
|---|---|---|---|
| DIY questionnaire (free / under $500) | $0 – $500 | 1–4 hours of your time | Businesses under 10 employees, no compliance obligation |
| Lightweight cyber-insurance assessment | $1,500 – $4,000 | 1–2 weeks | SMBs renewing cyber policies |
| Standard risk assessment (NIST CSF or CIS-aligned) | $7,500 – $15,000 | 3–5 weeks | Most regulated SMBs (HIPAA, SOC 2, FINRA) |
| Comprehensive assessment with pen testing | $15,000 – $35,000+ | 6–10 weeks | Mid-market firms, post-breach, M&A diligence, FedRAMP / CMMC prep |
What drives the price
Four variables explain almost all the variance in risk-assessment quotes:
1. Scope — How many systems, sites, users, and SaaS tenants are in scope? A 25-person single-office practice is different from a 200-person multi-state organization with 40 SaaS apps.
2. Framework — Aligning to a recognized framework (NIST CSF, CIS Controls v8, HIPAA Security Rule, SOC 2 Trust Services Criteria, CMMC) takes more time than an unstructured walk-through.
3. Depth of testing — A pure interview-and-questionnaire assessment is cheaper than one that includes vulnerability scanning, configuration reviews, and external attack-surface testing.
4. Deliverable rigor — A 4-page executive summary is a different product than a 60-page assessment report with a remediation roadmap, evidence appendix, and board-ready slide deck.
The vendor that quotes you $1,500 for a “comprehensive cybersecurity risk assessment” is almost certainly running an automated tool and emailing you the PDF. That’s not the same product as a $12,000 engagement.
What’s actually in a real risk assessment report
When you pay for a proper risk assessment, the deliverable should include all of the following. If a vendor’s sample report skips two or more of these, treat the quote with suspicion.
1. Executive summary (2–4 pages)
- Top 5 risks ranked by likelihood × impact
- Overall maturity score against the chosen framework (e.g., NIST CSF current vs. target Implementation Tier, or percent of CIS Safeguards implemented)
- Headline recommendations — what to fix in the next 30, 90, and 180 days
- One-page board summary
2. Asset and data inventory
- All in-scope systems (servers, endpoints, SaaS tenants, IoT)
- Data classification — what’s confidential, what’s regulated (PHI, PII, payment-card data under PCI DSS, ITAR-controlled technical data), what’s public
- Data flow diagrams for at least your top three critical processes
3. Threat and vulnerability findings
- Vulnerability scan results (external + internal)
- Configuration review findings (M365, Google Workspace, AD/Entra, network)
- Identity and access review (privileged accounts, dormant accounts, MFA coverage)
- Email security posture (DMARC, SPF, DKIM, anti-phishing config)
- Endpoint protection coverage and gaps
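The email security line item above is one of the few findings you can sanity-check yourself before a vendor ever shows up. The script below is an added example, not part of the original article and not a vendor tool: it applies the checks an assessor runs against a domain's SPF and DMARC records (is `+all` or `?all` present, is DMARC still at `p=none`, is `pct` below 100, is anyone receiving aggregate reports, is the record near the ten-lookup limit). The two record sets are constructed strings embedded so it runs offline; in a real review you would pull the live TXT records with `dig` or a DNS library and feed them in.

```python
"""Assess SPF and DMARC records for the weaknesses a risk assessment flags.

Added example (not from the article). SAMPLE_RECORDS are constructed strings,
not real DNS answers; the checks reflect RFC 7208 (SPF) and RFC 7489 (DMARC).
"""

# Constructed sample records, labelled by the posture they illustrate.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.google.com "
               "include:sendgrid.net a mx ptr +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "hardened": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    },
}

# SPF terms that each consume one of the ten permitted DNS lookups (RFC 7208 s4.6.4).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def _mechanism_name(term: str) -> str:
    """'include:foo.com' -> 'include', '+mx' -> 'mx', 'redirect=x' -> 'redirect'."""
    return term.lstrip("+-~?").split(":")[0].split("=")[0].lower()


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; pct=50' into {'v': 'DMARC1', 'p': 'none', 'pct': '50'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means nothing to report."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record published"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: plan the move to p=reject once reports are clean")
    pct = int(tags.get("pct") or 100)
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so nobody sees abuse")
    return findings


def spf_lookup_count(record: str) -> int:
    """Count top-level lookup-causing terms (nested includes add more in practice)."""
    return sum(1 for t in record.split() if _mechanism_name(t) in LOOKUP_MECHANISMS)


def assess_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing to report."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record published"]
    findings = []
    # The 'all' mechanism decides what happens to senders not listed in the record.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("+all", "all"):
        findings.append("+all: every host on the internet is an authorised sender")
    elif all_term == "?all":
        findings.append("?all: neutral result, equivalent to publishing no policy")
    lookups = spf_lookup_count(record)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the limit of 10, record permerrors")
    elif lookups >= 8:
        findings.append(f"{lookups} lookup terms: close to the limit of 10")
    if any(_mechanism_name(t) == "ptr" for t in terms):
        findings.append("ptr mechanism: deprecated, slow and unreliable (RFC 7208 s5.5)")
    return findings


def assess_domain(spf: str, dmarc: str) -> dict[str, list[str]]:
    """Combined posture for one domain's SPF and DMARC records."""
    return {"spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc)}


if __name__ == "__main__":
    for label, recs in SAMPLE_RECORDS.items():
        print(f"[{label}]")
        for kind, items in assess_domain(recs["spf"], recs["dmarc"]).items():
            for item in items or ["no findings"]:
                print(f"  {kind.upper()}: {item}")
```

The "weak" set reproduces the pattern assessors see most often in SMB tenants: a DMARC record published years ago at `p=none` to "get reporting" and never tightened, and an SPF record that grew one `include:` per marketing tool until someone added `+all` to stop a bounce. `~all` (softfail) is deliberately not flagged; under an enforcing DMARC policy, anything other than an SPF pass already fails alignment, so `~all` with `p=reject` is a perfectly good posture.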
4. Risk register
| Risk | Likelihood | Impact | Severity | Recommended treatment |
|---|---|---|---|---|
| (Specific risk #1) | High | High | Critical | (Specific control to add) |
| (Specific risk #2) | Medium | High | High | (Specific control to add) |
A good report will have 20–60 specific risk entries, not 5 vague ones.
5. Compliance gap analysis
- Per-framework control mapping (which controls you have, which you partially have, which you’re missing)
- Evidence column noting how each control was verified
- Ranked remediation priorities
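The risk register and the compliance gap analysis above are where a report's headline numbers come from, so it is worth seeing the arithmetic spelled out. The script below is an added example, not code from the article or from any assessor's toolkit: it scores a register the way the table's Likelihood × Impact → Severity column implies (High/Medium/Low as 3/2/1, product mapped to Critical/High/Medium/Low), ranks it, sorts treatments into the 30/90/180-day windows the roadmap uses, and computes per-function coverage from implemented/partial/missing control statuses. The risk entries, control statuses and the 3-point scale are constructed illustrations; neither NIST CSF nor CIS mandates this particular scale.

```python
"""Score a risk register and a control-gap analysis the way an assessment report does.

Added example (not from the article). REGISTER and CONTROL_STATUS are hypothetical
findings for illustration; the 1-3 ordinal scale and product-based severity are one
common convention, not a requirement of NIST CSF or CIS Controls.
"""
from collections import defaultdict
from dataclasses import dataclass

RATING = {"Low": 1, "Medium": 2, "High": 3}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
# Which roadmap window a finding lands in, by severity.
ROADMAP_WINDOW = {"Critical": "30-day", "High": "90-day", "Medium": "180-day", "Low": "backlog"}


def rate_severity(likelihood: str, impact: str) -> str:
    """Likelihood x Impact on a 1-3 scale: 9 Critical, 6-8 High, 3-5 Medium, else Low."""
    score = RATING[likelihood] * RATING[impact]
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    title: str
    likelihood: str
    impact: str
    treatment: str

    @property
    def severity(self) -> str:
        return rate_severity(self.likelihood, self.impact)


# Constructed register entries (hypothetical findings, for illustration only).
REGISTER = [
    Risk("Global admin accounts without MFA", "High", "High", "Enforce MFA via Conditional Access"),
    Risk("Dormant accounts (>90 days) still enabled", "High", "Medium", "Disable after 60 days, review quarterly"),
    Risk("Backups never test-restored", "Medium", "High", "Quarterly restore test with evidence"),
    Risk("DMARC at p=none", "Medium", "Medium", "Move to p=quarantine, then p=reject"),
    Risk("Guest Wi-Fi on the same VLAN as printers", "Low", "Medium", "Segment guest network"),
    Risk("No EDR on file server", "Medium", "High", "Deploy EDR to all servers"),
]


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Severity first, then likelihood, then impact, then title so the ordering is stable."""
    return sorted(
        register,
        key=lambda r: (SEVERITY_ORDER[r.severity], -RATING[r.likelihood], -RATING[r.impact], r.title),
    )


def roadmap(register: list[Risk]) -> dict[str, list[str]]:
    """Group treatments into the 30/90/180-day windows of the remediation roadmap."""
    plan: dict[str, list[str]] = defaultdict(list)
    for risk in rank_risks(register):
        plan[ROADMAP_WINDOW[risk.severity]].append(risk.treatment)
    return dict(plan)


# Control-gap analysis: weight per status when computing coverage.
STATUS_WEIGHT = {"implemented": 1.0, "partial": 0.5, "missing": 0.0}

# Constructed control statuses keyed by NIST CSF 2.0 function (hypothetical sample).
CONTROL_STATUS = {
    "Govern":   ["implemented", "partial", "missing"],
    "Identify": ["implemented", "implemented", "partial", "partial"],
    "Protect":  ["implemented", "partial", "partial", "missing", "missing"],
    "Detect":   ["missing", "missing", "partial"],
    "Respond":  ["partial", "missing"],
    "Recover":  ["implemented", "partial"],
}


def coverage(controls: dict[str, list[str]]) -> dict[str, float]:
    """Percent coverage per function: implemented counts 1, partial 0.5, missing 0."""
    return {
        fn: round(100 * sum(STATUS_WEIGHT[s] for s in statuses) / len(statuses), 1)
        for fn, statuses in controls.items()
    }


def remediation_priority(controls: dict[str, list[str]]) -> list[str]:
    """Functions ordered weakest first: where the roadmap should spend effort."""
    cov = coverage(controls)
    return sorted(cov, key=lambda fn: (cov[fn], fn))


if __name__ == "__main__":
    for risk in rank_risks(REGISTER)[:5]:
        print(f"{risk.severity:8} {risk.likelihood:6} x {risk.impact:6}  {risk.title}")
    for window, items in roadmap(REGISTER).items():
        print(window, items)
    print(coverage(CONTROL_STATUS))
    print(remediation_priority(CONTROL_STATUS))
```

Two things to look for when you read a vendor's register through this lens: the scale should be stated somewhere in the methodology appendix (if two "High" risks have different colour codes, ask why), and every treatment should map to exactly one roadmap window. A register where everything is "High" and every fix is "30-day" has not been prioritised; it has been sorted alphabetically.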
6. Remediation roadmap
- 30-day quick wins (typically MFA cleanup, email security, backup verification)
- 90-day projects (typically EDR rollout, MDM, DLP, vendor risk program)
- 180-day strategic initiatives (zero trust architecture, SIEM, formal IR plan)
- Effort and cost estimates per item
7. Appendices
- Methodology and standards referenced
- Tools used (vulnerability scanner, configuration analyzer, etc.)
- Interview list and dates
- Raw scan data
When DIY is fine
Not every business needs a paid assessment. A free or under-$500 self-assessment is sufficient when:
- You have fewer than 10 employees
- You don’t process regulated data (no PHI, no payment cards, no government data)
- You don’t carry a cyber insurance policy that requires periodic third-party assessment
- You’re not pursuing certifications (SOC 2, HIPAA attestation, ISO 27001, CMMC)
Solid free options:
- CISA Cybersecurity Performance Goals (CPG) self-assessment — government-grade and free
- NIST CSF 2.0 Organizational Profile template and Quick Start Guides — NIST’s own materials, free
- CIS Controls Self-Assessment Tool (CIS CSAT) — free for organizations under 100 users
When you need a paid third-party assessment
You almost certainly need a paid engagement if any of these is true:
- ✅ You’re renewing or applying for a cyber insurance policy
- ✅ You handle PHI, ePHI, payment-card data, or other regulated data
- ✅ You’re pursuing or maintaining SOC 2, HIPAA attestation, ISO 27001, FedRAMP, CMMC, StateRAMP, or PCI DSS
- ✅ You experienced a security incident in the last 12 months
- ✅ You’re being acquired, or you’re acquiring another business, and the deal team is asking for an information-security review
- ✅ Your largest customer or partner has asked for evidence of an independent security assessment
- ✅ You’re a federal contractor or subcontractor
The cyber insurance trigger is increasingly common. As of 2026, most carriers require a third-party assessment within 24 months of policy issuance for any business with $5M+ in revenue or any business holding regulated data.
Real numbers — three example engagements
Example 1 — Single-office medical practice (12 staff)
- Scope: 12 endpoints, M365 tenant, single-site network, Athenahealth EHR
- Framework: HIPAA Security Rule + NIST CSF
- Assessment depth: Configuration review + vulnerability scan + interviews; no pen testing
- Deliverable: 30-page report + executive summary + 60-day remediation roadmap
- Cost: $7,500
- Timeline: 4 weeks
Example 2 — Mid-size law firm (45 staff, 3 offices)
- Scope: 60 endpoints, M365 tenant, file servers, VPN, Clio + NetDocuments
- Framework: ABA cybersecurity guidance + NIST CSF + cyber insurance underwriting requirements
- Assessment depth: Configuration review + internal/external vulnerability scan + phishing simulation
- Deliverable: 50-page report + executive summary + remediation roadmap with cost estimates
- Cost: $14,500
- Timeline: 6 weeks
Example 3 — DOD subcontractor (75 staff, 1 site)
- Scope: 90 endpoints, M365 GCC, on-prem ERP, CUI data flow
- Framework: CMMC Level 2 + NIST SP 800-171
- Assessment depth: Full gap analysis + pen test + tabletop exercise + policy review
- Deliverable: 80-page report + Plan of Action and Milestones (POA&M) + readiness opinion ahead of the formal CMMC assessment by a C3PAO
- Cost: $28,000
- Timeline: 10 weeks
How to evaluate quotes
When you receive proposals from three vendors, comparing them like-for-like is hard. Use this checklist:
| Question | Why it matters |
|---|---|
| What framework will you align to, and why? | Generic “best practice” assessments are weaker than framework-aligned ones |
| Is the vulnerability scan internal, external, or both? | An external scan shows what an internet attacker sees; an internal scan shows what a phished endpoint can reach. They surface different risks, and you want both |
| Will the assessment include configuration review of M365 / Google Workspace / Entra ID? | Default configs are typically the largest source of findings |
| Is the lead assessor individually certified (CISSP, CISA, CISM, GIAC)? | Personal certifications matter more than firm-level badges; note that SOC 2 is an attestation a firm receives, not a credential a person holds |
| Will I get a sample report from a similar engagement? | This tells you the quality of the deliverable before you sign |
| Who writes the report — the assessor or a junior? | The senior should write the executive summary and the risk register |
| Will you brief our board / leadership team on findings? | A good assessor includes a 30-minute readout |
| Will the assessment be re-usable for cyber insurance / SOC 2 / HIPAA reviews? | A well-structured report serves multiple audiences |
Red flags in vendor pitches
🚩 “We can do it in three days for $1,500.” — This is an automated scan with an emailed PDF. Useful as input, but not a risk assessment.
🚩 The vendor is also pitching you the products they want you to buy. — There’s a structural conflict. You can still use them, but get a second opinion on the risk register.
🚩 No sample report shared. — Either they don’t have one or it’s embarrassing. Either way, walk.
🚩 The assessor list doesn’t include who’s actually doing the work. — You want to interview the lead assessor before signing, not the salesperson.
🚩 “It’s a confidential methodology.” — Real assessors map to NIST, CIS, ISO, or HIPAA. Anyone hiding their methodology is hiding cookie-cutter scanning.
What you do with the report
Buying the report is the first step. The value is in what you do next.
- Read the executive summary with your leadership team. Don’t delegate this.
- Pick the top 3 risks to remediate in the next 30 days. Resist the urge to do everything.
- Assign owners and deadlines for the 30-day items. Track in a shared document.
- Schedule the 90-day projects with realistic resourcing.
- Re-test the top risks at 90 days with your assessor or your IT partner. Confirm they’re closed.
- Plan the next assessment — typically annually, more often if you’re in regulated industries or had an incident.
A risk assessment that sits on a shared drive after delivery is a wasted purchase. The point is to drive remediation, not to satisfy a checklist.
How ACS handles risk assessments
If you’ve reached this section, you might be evaluating who to engage. Briefly:
- Framework — We align every assessment to NIST CSF v2, plus the relevant regulatory framework (HIPAA, SOC 2, CMMC, FINRA, etc.)
- Depth — Standard assessments include external + internal vulnerability scanning, full M365 / Google Workspace configuration review, identity and access review, and email security posture review
- Deliverable — 30–80 page report depending on scope, plus executive summary, risk register, remediation roadmap, and a 60-minute leadership briefing
- Cost — $7,500 to $25,000 for most SMB engagements; we provide a fixed quote after a 30-minute scoping call
- Timeline — Typical 4–6 week engagement from kickoff to leadership briefing
Schedule a 30-minute scoping call →
Or call 1-650-300-7557.
Frequently asked questions
Is a free questionnaire enough for cyber insurance?
Usually no. Most carriers want a third-party assessment if your revenue is over $5M or if you process regulated data.
Can my MSP do the risk assessment?
They can, but it’s a conflict of interest if they also operate your environment. Many regulated industries (finance, government, healthcare in some states) require independence. A useful pattern: use your MSP for ongoing monitoring and a different firm for the annual assessment.
How long is a risk assessment valid?
Most frameworks treat assessments as valid for 12 months. After significant changes (M&A, new product launch, major IT migration, security incident), the assessment should be refreshed even if it’s not yet a year old.
Do I need pen testing on top of the risk assessment?
For most regulated SMBs, yes — at least annually. PCI DSS requires it outright (Requirement 11.4, internal and external, at least annually and after significant changes). SOC 2 and CMMC Level 2 do not name penetration testing as a mandatory control, but auditors and C3PAOs routinely expect it as evidence that controls are actually tested. HIPAA does not require pen testing; it is a common way to satisfy the Security Rule’s periodic technical evaluation requirement.
What’s the difference between a risk assessment and a security audit?
Loosely: a risk assessment is forward-looking (what could go wrong, what should we fix), while an audit is point-in-time verification of specific controls (do these controls exist and operate as designed). Both have a place; you typically run a risk assessment first, then audits against the controls you’ve implemented.
Related reading
- Managed Cybersecurity Services
- Penetration Testing
- IT Compliance Checklist: HIPAA, SOC 2, CMMC
- Cyber Insurance Requirements: IT Controls You Need to Qualify
This article reflects 2026 market pricing for cybersecurity risk assessments based on engagements ACS has delivered and quotes we’ve reviewed for clients. Pricing varies by region, scope, and assessor; the ranges in this article should be used as a benchmark, not a fixed quote.