Y2 — Pricing & Packaging Sheet
Asset: Y2 | Workstream: [GTM] | Ownership: [SO] | Owner: Sagar
Status: drafted — structure final, numbers illustrative
Source of truth for commercial structure: claude.md §3.8.
⚠️ PRICING NUMBERS ARE PLACEHOLDERS
Per claude.md §3.8: the commercial structure is the durable decision; the
numbers are illustrative starting hypotheses. Every figure below is bracketed
$[…] or marked (illustrative). Sagar finalizes the real rate card against
the first 1–3 deals before this sheet is shared with any prospect. Do not send
a version of this document with bracketed numbers to a client — replace them
first, then delete this banner.
1. The four offers at a glance
| Offer | Tag | Commercial shape | Illustrative range ⚠️ | What gates the price |
|---|---|---|---|---|
| Discovery Audit | G | Free for qualified ICP; fixed fee for a deeper paid audit | Free → $[1.5–3k] paid | Keep the qualified-prospect version free — it's the top-of-funnel wedge |
| Starter / Quick-Win | [QW] | Fixed price, 2–3 days | $[3–6k] one-time | # of repos, existing CI complexity |
| Baseline "Cloud Secure" | [B] | Fixed-price project + monthly retainer | $[25–45k] project + $[3–6k]/mo | greenfield vs brownfield, # subs/envs, AKS yes/no |
| Advanced "Certification-Ready" | [A] | Larger fixed project + retainer (parallel to auditor) | $[60–110k] project + $[6–12k]/mo | target framework(s), audit deadline, # of controls |
| Module licensing | — | Per-module annual license + support SLA | $[X]/module/yr | which F-modules, support tier |
These ranges assume India-based delivery / global clients and a fixed-price,
productized motion (no T&M, no offshoring framing — per the Output Guardrails).
They are anchored below a US senior platform hire (~$180k+/yr loaded) and a
top-tier compliance consultancy, and above a freelancer. Validate against
actual deals — these are hypotheses.
2. Commercial principles (the durable decisions — claude.md §3.8)
- Land → expand → upsell. Free Discovery Audit → Starter/Baseline → Advanced. The tiers are an expansion ladder, not isolated SKUs (Y0 §5).
- The retainer is the recurring engine. Project fees fund delivery; the managed retainer (drift S1/S2, evidence E0, posture upkeep) is the durable revenue. Always sell the retainer with the project, never as an afterthought.
- Fixed-price over time-and-materials. Reinforces the productized positioning and gives the client budget certainty. We absorb estimation risk; that's what the module library buys us.
- The audit that scopes the deal is free. It de-risks the buy for the client and gives us the requirements to price accurately.
3. Offer detail sheets
3.1 Discovery Audit (G) — the wedge
| Field | Detail |
|---|---|
| Price | Free for a qualified ICP prospect. Paid deeper audit $[1.5–3k] (illustrative) for out-of-ICP or repeat/expanded scope. |
| Duration | ~Days (mostly automated). ~20 min of client time + read-only access. |
| Includes | G0 read-only SP bootstrap (Reader + Security Reader, time-boxed, no secrets leave tenant) · G1 collectors (Resource Graph, Defender, Policy, AAD, Cost) · G2 rule pack (SOC2 CC + ISO 27001 A.x + CIS Azure mappings) · G3 branded PDF (exec summary, control table, prioritized roadmap with remediation_asset_id links) · findings-review call. |
| Out of scope | Any change to the tenant (read-only by hard contract) · AWS/GCP (AWS = roadmap M4) · penetration testing · application-layer security review. |
| Upgrade trigger | Findings exist (they always do) → propose Starter or Baseline scoped to the roadmap. |
3.2 Starter / Quick-Win [QW]
| Field | Detail |
|---|---|
| Price | $[3–6k] (illustrative) fixed, one-time. |
| Duration | 2–3 days. Zero cloud credentials required. |
| Includes | D1 (pre-commit gates) · D2 (PR-blocking GH Actions) · D3 (Conftest/OPA policy bundle) · C4 (GitOps branching standard + repo template) · R1 (PR template + validation). Adoptable onto an existing repo. |
| Out of scope | Cloud infrastructure provisioning · IAM · evidence collection · anything requiring an Azure subscription. |
| Why it exists | Proof-of-value before a Baseline contract. A client can adopt it in days and feel the rigor. |
| Upgrade trigger | Client wants the hardened cloud the gates are protecting → Baseline. |
3.3 Baseline "Cloud Secure" [B] — the core engagement
| Field | Detail |
|---|---|
| Price | $[25–45k] (illustrative) fixed project + $[3–6k]/mo (illustrative) managed retainer. |
| Duration target | 4–6 weeks to deliver. |
| Requires | Azure subscription + GitHub. (Azure DevOps clients supported from M3.) |
| Includes (project) | Hardened subscription baseline (F1/B3) · hub-spoke network (F2) · AKS-ready infra (F3) + Kyverno policy floor (D4) · ACR (F4) · Key Vault (F5) · per-env state backend (F6/B4) · OIDC client bootstrap (B2) · CI/CD pipelines with policy gates (C1–C3) · IAM bundle: MFA + Conditional Access + PIM + break-glass + SP rotation (H1–H3, H5, H7) · GitOps platform layer (F8) · + the full Quick-Win quality gates. |
| Includes (retainer) | Drift detection + remediation (S1/S2, roadmap M2b) · compliance evidence snapshot per deploy (E0, roadmap M2b) · posture upkeep · module updates/patches · support SLA. |
| Out of scope | Formal evidence platform (Vanta) integration, SIEM, vendor risk, HR security, trust center → those are Advanced. Brownfield import (M3). AWS (M5). |
| Price gates | greenfield vs brownfield · # subscriptions / environments · AKS yes/no · # of repos. |
| Upgrade trigger | Client enters formal audit / pursues SOC 2 / ISO 27001 / HIPAA → Advanced. |
3.4 Advanced "Certification-Ready" [A]
| Field | Detail |
|---|---|
| Price | $[60–110k] (illustrative) fixed project + $[6–12k]/mo (illustrative) retainer. Runs parallel to the client's auditor engagement. |
| Duration target | 10–14 weeks (parallel with auditor). |
| Includes | Everything in Baseline plus automated evidence collection (Vanta/Drata adapters, E-series) · Microsoft Sentinel SIEM · SOAR playbooks · vendor/third-party risk · HR security workflows · policy management · trust center · compliance scorecard · advanced data protection (CMK, DLP, Purview) · advanced network (Firewall Premium, WAF, DDoS, zero-trust). (Most Advanced assets are roadmap M4 — scope honestly per client.) |
| Out of scope | The auditor's fee (separate vendor) · the certificate itself (the auditor issues it). |
| Price gates | target framework(s) · audit deadline · # of controls in scope. |
3.5 Module licensing
| Field | Detail |
|---|---|
| Price | $[X]/module/year (illustrative) + support SLA tier. |
| For | Clients who want a specific F-module (e.g., the AKS-secure module, the state-backend) consumed by their own team. |
| Requires | Module versioning + private registry (F11, roadmap M3) — so this offer is not sellable until M3. Flag as roadmap. |
4. Payment terms (illustrative — Sagar/Nidhi + counsel to finalize in Y12)
- Project fees: [50%] on signature, [50%] on delivery acceptance (acceptance criteria in the Y6 SOW). Larger Advanced projects: milestone-based, e.g., [40/30/30].
- Retainer: monthly in advance, [12-month] initial term, [30-day] notice thereafter.
- Currency / invoicing: [TBD — USD for global clients]. GST/tax handling per Y12.
- Discovery Audit: free for qualified ICP — no payment terms.
5. Upgrade-trigger map (when to move a client up a tier)
| From | Trigger | To |
|---|---|---|
| Discovery Audit | Any findings + ICP fit | Starter or Baseline |
| Starter [QW] | Wants the cloud the gates protect | Baseline |
| Baseline [B] | Enters formal audit / framework pursuit | Advanced |
| Baseline [B] | New subscription / second environment / AKS added | Baseline scope expansion (re-price project delta) |
| Any | Wants a single module for in-house use | Module licensing (roadmap M3) |
6. Discounting & negotiation guardrails
- Never discount the retainer to win the project — the retainer is the durable revenue; protect it.
- Prefer scope reduction over price reduction (e.g., one environment instead of three) to hit a budget.
- The free Discovery Audit is the concession — it's already given. Resist stacking further discounts on top.
- Annual retainer prepay can earn [~10%] (illustrative) — improves cash flow and lock-in.
Definition of Done (Y2)
Sign-off
- Reviewer (Sagar — final numbers): _ | Date: _ | Result: PASS / FAIL
- Notes: