Retainer hour tracking for cybersecurity consultants.

vCISOs and cybersecurity advisors on monthly retainer work in the most event-volatile advisory environment in consulting. Most months are steady: security steering committee prep, vendor risk reviews, policy updates, and compliance advisory. Then one security event changes the entire month — ransomware containment, breach investigation, regulatory notification, executive crisis communication. A moderate incident routinely consumes 40–80 hours in 72 hours, more than most monthly retainer caps. When clients receive an invoice that is three times the normal monthly fee, the work was real and necessary — it just happened without any running visibility. HourTab gives each client a live balance URL so incident response and compliance prep hours are visible in real time, not only on the invoice.

Free forever for your first retainer · no credit card.

Why cybersecurity retainer tracking goes wrong

How it works for cybersecurity consultants

  1. Create the retainer. Enter the client name, monthly hour cap, and engagement start date. For clients with separate SOC 2 readiness projects vs. ongoing vCISO advisory under different budget owners, create separate retainers so each sponsor sees only their scope.
  2. Log security work at appropriate detail. Export from Toggl, Harvest, Clockify, or your time tracker. Log entries at scope-level detail, not technical depth: “[SOC 2 Readiness] control gap assessment: 14 controls reviewed, 6h” or “[Incident Response] Day 1: containment scope + forensics coordination + exec brief, 16h.” During an incident, update the log daily so the client sees consumption building in real time.
  3. Share the URL at engagement start. Drop the link in the engagement letter. During a security event, the live balance is the shared reference for the scope conversation: “You can see we’re at 26 of 30 hours and the incident investigation has another 3–4 days. Authorize an expansion now, or do you want to pause non-incident work to stay within cap?”

Incident response hours are visible as the event unfolds. Compliance prep investment is tracked from day one.

“The hardest invoice to explain is the one that follows an incident you successfully contained. The client is calm, the crisis is over, and a large bill arrives with no visible crisis to justify it.”

— virtual CISO advisor

A live balance URL means the client watched the incident response hours accumulate in real time. The invoice reflects what they already saw.

Frequently asked questions

How do vCISOs and cybersecurity advisors structure security retainer agreements?

Cybersecurity advisory retainers cover a monthly hour cap for ongoing security oversight, policy review, vendor risk assessment, and compliance advisory. The challenge is that the retainer must also absorb incident response, which is highly variable. A live balance URL makes both steady advisory and incident response hours visible as they accumulate.

How do I handle an incident response that exhausts months of retainer in 72 hours?

Log each phase as the incident unfolds: “Incident Day 1: containment + forensics coordination + executive briefing, 18h.” The client sees consumption building in real time during the incident. The invoice for that month’s overage comes with full context, not as a surprise.

How do I track SOC 2 or ISO 27001 preparation hours separately from ongoing advisory?

SOC 2 readiness can require 60–100 hours before the audit engagement starts. Tag entries with program labels — “[SOC 2 Readiness]” vs. “[Ongoing Advisory]” — so the client sees how compliance prep is consuming the cap relative to regular advisory and can make an informed decision about a cap expansion or separate project fee.

Is it safe for clients to see security work descriptions in their HourTab URL?

You control exactly what appears in each work log entry. Describe work at scope level, not technical detail: “Vendor security review: 3 new SaaS vendors, 6h” is client-appropriate. Never log specific vulnerability details, attack vectors, or internal system configurations. Treat it the same as a consulting invoice line item — descriptive enough to be understood, not technically disclosing.

One link per client. No more “how many hours do I have left?”