MyCyberHub.ai · by Centuric · managed compliance & security programs

From managed IT to managed compliance.

The compliance program your auditors will respect — SOC 2, HIPAA, PCI-DSS, ISO 27001, advanced NIST CSF. Continuous control monitoring on a purpose-built GRC platform. Evidence collected automatically. Audits run by the same Centuric team that already knows your environment.

25 years independent
SOC 2 · HIPAA · PCI · ISO 27001
vCISO bench available
Audit-prep coordinated end-to-end

Who this is for

Three paths to managed compliance.

Compliance programs only work when the IT layer underneath them is sound. We’ve organized the practice around the three situations our customers actually land in.

Path 1

On supportdesk Complete

You’re already a Centuric managed IT customer on the Complete tier. Your environment is hardened to the NIST CSF Tier 1 baseline. Now you need the compliance program layer on top — the GRC platform, the evidence collection, the audit relationship, the formal reporting. This is the cleanest path because we already know everything about your environment.

  • Foundation tier picks up where supportdesk Complete leaves off
  • Same engineers, same ticketing platform, single account team
  • Audit prep coordinated without re-onboarding

Path 2

IT covered elsewhere

You have an internal IT team or another MSP and you’re happy with them. You don’t need us to run your IT — you need a dedicated compliance partner who works alongside your existing operations. We overlay your IT layer with the program work, the platform, and the auditor relationship. Your IT team keeps doing what they do.

  • Compliance program runs in parallel with existing IT operations
  • vCISO advisory reports up to your executive team, not your MSP
  • We handle the auditor; your IT team handles infrastructure

Path 3

Starting fresh, deadline looming

You just won a deal that requires SOC 2. Your insurance carrier is asking for HIPAA evidence. Your largest customer wants ISO 27001 attestation by Q4. You don’t have time to figure out IT and compliance separately. We bundle supportdesk Complete plus mycyberhub into one engagement — one account team, parallel workstreams, one deadline plan.

  • Supportdesk Complete + cyberhub deployed together
  • Parallel readiness work to compress the timeline
  • Single project plan with auditor coordination built in

The path

Four stops from gap analysis to continuous compliance.

01

Assessment & gap analysis

Two to four weeks. We map your current state against the target framework(s). Where are the gaps? Which controls are partially implemented? Where does evidence already live? You get a written gap analysis, a remediation roadmap, and a fixed-fee readiness project quote before any commitment.

02

Framework readiness

Four to sixteen weeks per framework. We close the gaps: implement missing controls, write the policies, capture the evidence baseline, train your team on the workflows. By the end of readiness, you have a defensible posture and a binder ready for the auditor.

03

Audit preparation & coordination

We sit between you and the auditor. We deliver the evidence binder, answer the auditor’s requests, schedule the interviews, and prepare your team for what they’ll be asked. The first audit is a known process, not a fire drill.

04

Continuous program

The day-to-day: continuous control monitoring, automated evidence collection, drift detection, quarterly posture reviews, vCISO touchpoints, annual reassessment. Year-two and year-three audits are cheaper and faster because the evidence has been gathering itself all year.

How we deliver

Four pillars, one compliance program.

A real compliance program is platform plus people plus process. We bring all three under one Centuric account team so you’re not stitching together a vendor, a consultant, and an auditor relationship that don’t talk to each other.

01

Continuous control monitoring

Purpose-built GRC platform mapped to your active frameworks. Controls monitored continuously, evidence collected automatically from your environment, drift detected and ticketed. You see compliance posture as a dashboard, not as an annual scramble.

02

Multi-framework management

SOC 2, HIPAA, PCI-DSS, ISO 27001, and advanced NIST CSF (Tiers 2–4) all run on the same platform with shared control mappings. Adding a second framework is incremental work, not a parallel program. CMMC lives on a separate Centuric practice (mycmmc.ai) because of US-citizen-only delivery requirements.

03

vCISO advisory & risk management

Strategic security leadership without a full-time hire. Risk register management, board-level reporting, vendor risk reviews, security questionnaire responses, tabletop exercises. Your CISO function gets staffed without the executive search and the $300K salary.

04

Audit prep & coordination

We own the auditor relationship. We deliver the evidence binder, run the auditor request workflow, prep your team for interviews, and handle the back-and-forth. You see the audit timeline up front; the auditor sees a clean engagement.

Pricing

Three program tiers. Flat monthly retainer.

Compliance programs scale by framework count and depth, not by user count — so pricing is flat retainer, published. Framework readiness projects (the one-time work to stand up each framework) are scoped and quoted per engagement based on current state and audit timeline.

Foundation
$2,500 per month, one framework

The compliance program for a single framework. The right starting point if your audit scope is one standard.

  • One framework continuously managed
  • GRC platform access for your team
  • Automated evidence collection
  • Quarterly compliance posture report
  • Annual risk assessment
  • Audit-prep coordination & auditor liaison
  • Policy library aligned to the framework
  • Ticketed remediation through Centuric helpdesk

Strategic
$7,500 per month, unlimited frameworks

Full vCISO function plus the compliance program. For organizations where security and compliance are board-level concerns.

  • Everything in Multi-Framework, plus:
  • Unlimited frameworks on the program
  • 8 hours/month dedicated vCISO time
  • Board-level security & compliance reporting
  • Quarterly tabletop & red-team coordination
  • Strategic risk register management
  • Priority response SLA for advisory work

Framework readiness projects (gap analysis, control implementation, policy creation, evidence baseline) are scoped and quoted per engagement. Indicative ranges: SOC 2 readiness $15K–$35K, HIPAA $8K–$20K, PCI-DSS $10K–$25K, ISO 27001 $20K–$45K — actual numbers depend on environment size and current state. Defense contractors with CUI handling requirements should visit mycmmc.ai for our CMMC practice. Managed IT and NIST CSF Tier 1 baseline live on mysupportdesk.ai.

Frequently asked

Questions we hear before every program.

Which frameworks do you support?

SOC 2 (Type I and Type II), HIPAA, PCI-DSS, ISO 27001, and advanced NIST CSF (Tiers 2 through 4). We also handle vendor-specific compliance frameworks like AICPA TSC, NIST 800-53, CIS Controls, and state-specific privacy regulations (CCPA/CPRA, NYDFS, etc.). CMMC for defense contractors lives on a separate practice at mycmmc.ai because of US-citizen-only delivery requirements.

Do we have to be on mysupportdesk to use cyberhub?

No. Path 2 customers run their own IT (internal team or another MSP) and use cyberhub as a compliance overlay. We work alongside your existing operations. That said, the work is faster and cleaner when we run both layers — Path 1 customers on supportdesk Complete have lower readiness costs because we already know the environment.

What’s a “framework readiness” project, and how long does it take?

Readiness is the one-time work to stand up a framework before you go live with the audit relationship: closing control gaps, writing policies, training your team, capturing the evidence baseline. Typical timelines: SOC 2 readiness 8–16 weeks, HIPAA 6–12 weeks, PCI-DSS depends on merchant level, ISO 27001 16–24 weeks. Once readiness is complete, the ongoing monthly program kicks in.

What’s the GRC platform you use?

A purpose-built compliance management platform that maps controls to frameworks, automates evidence collection from your environment, manages policy libraries, and provides the executive dashboards. We don’t name the specific vendor publicly because we want to keep the option to swap in the right tool for your engagement — what we commit to is the program outcome, not a specific platform brand.

Who owns the auditor relationship?

You contract directly with the audit firm (we don’t take percentages or referral fees), but Centuric runs the engagement. We schedule the interviews, deliver the evidence binder, respond to information requests, and coach your team through what they’ll be asked. You can use your existing audit firm; if you don’t have one, we’ll introduce you to firms we’ve worked with cleanly in the past.

What about CMMC?

CMMC Level 1 and Level 2 readiness for Defense Industrial Base suppliers is a separate Centuric practice at mycmmc.ai. CMMC delivery requires US-citizen-only personnel, GCC High enclave deployment, and our CMMC Level 2 Registered Practice oversight — different cost basis, different team, different framework. If your contracts involve CUI handling, talk to that team.

Can we add frameworks later?

Yes, and it’s common. Most customers start with one framework (usually whatever’s tied to the contract or insurance requirement that triggered the engagement), then add a second or third over the following year. Moving from Foundation to Multi-Framework is a tier change at renewal — new readiness projects for additional frameworks are scoped at that point.

Do you do penetration testing or red teaming?

Coordinated through partner firms we’ve vetted — pen testing is a separate discipline best done by specialists who don’t also build the program (independence matters for audit defensibility). The Strategic tier includes quarterly tabletop coordination and red-team scheduling; partner firm fees are pass-through.

Why Centuric

Compliance programs by people who’ve done audits.

A lot of GRC providers will sell you a platform login and call it a compliance program. That’s not what auditors expect, and it’s not what your board needs. We’ve been running IT and security for South Florida businesses since 2001 — long enough to have seen many companies pass their first SOC 2, survive their first HIPAA OCR letter, and renew their ISO 27001 every year. The platform is the tool. The program is the work. We do both.

25 years independent & never sold
5+ frameworks under management
100% US-based vCISO & advisory bench
Audit coordinated end-to-end, not handed off

Let’s scope your compliance program.

Tell us your target framework, your audit timeline, and where your IT currently lives. We’ll call back within one business day to talk through the readiness path and the ongoing program. First conversation is free; if we’re a fit we’ll quote, and if we’re not we’ll tell you who is.