Solanasis — Retainer & Recurring Revenue Playbook

Version: 1.0 Date: 2026-03-15 Owner: Dmitri Sunshine, Founder & CEO Purpose: Definitive guide for structuring, pricing, selling, and delivering retainer packages that become Solanasis’s core recurring revenue engine. Companion docs: 16_Remediation_And_Retainer_Options.md | call-pricing-cheat-sheet.md | market-pricing-research.md | Solanasis_Master_GTM_Playbook_2026.md

The Retainer Philosophy
Retainer Tier Structure
What’s Included vs. Billed Separately
The Ramp-Down Model
Pricing Deep Dive & Market Validation
Contract Terms & Structure
The Wedge-to-Retainer Conversion Playbook
Quarterly Business Reviews (QBRs)
Building Stickiness & Preventing Churn
Retainer Health Metrics
Nonprofit Retainer Model
Retainer SOW Language & Templates
Pro Tips & Growth Hacks

1) The Retainer Philosophy

Why Retainers Are THE Business

Solanasis’s entire economic model depends on converting one-time project work (ORB assessments, data migrations, CRM setups) into monthly recurring retainers. Here’s why:

Predictable revenue: Retainers provide the cash flow stability needed to hire contractors, invest in growth, and sleep at night
Compounding value: Every retainer client you add stacks on top of last month’s revenue (unlike projects that start at zero each month)
Higher lifetime value (LTV): A $4 K / m o n t h re t ain erc l i e n t f or 18 m o n t h s =$ 72K LTV vs. a one-time $7.5K ORB
Strategic positioning: Retainer clients see you as a partner, not a vendor — they refer you, expand scope, and defend your budget internally
Leverage for scaling: Retainer delivery is more systematizable than project work, meaning contractors can handle more of it with clear SOPs

The “Assess + Fix + Stay” Model

This is Solanasis’s unique competitive advantage. Most firms do ONE of these:

Competitor Type	What They Do	What They Miss
Assessment firms	Assess only	No remediation, no ongoing relationship
MSPs (Managed Service Providers)	Stay (managed services)	No deep assessment, no strategic advisory
vCISO (virtual Chief Information Security Officer) firms	Advisory only	No hands-on remediation, no restore testing
Solanasis	Assess + Fix + Stay	Nothing — full lifecycle

The retainer is the “Stay” part. It’s where all the recurring revenue lives. Everything else is the on-ramp.

2) Retainer Tier Structure

The Three Tiers

Solanasis offers three retainer tiers, each designed for a different level of organizational complexity and need. All tiers position you as their “Resilience Partner” — a fractional CIO (Chief Information Officer), CISO (Chief Information Security Officer), and COO (Chief Operating Officer) rolled into one.

Tier 1: Resilience Advisor — “Keep the Lights Green”

Best for: 11-50 seat organizations with basic IT needs, post-ORB clients who want ongoing guidance but don’t need heavy hands-on work.

Detail	Spec
Monthly Price	$2, 500 -$ 5,000/mo
Included Hours	8-12 hours/month
Meeting Cadence	1x monthly strategy call (60 min)
QBR Cadence	2x per year (every 6 months)
Response Time SLA	Next business day for standard requests; 4-hour response for critical incidents during business hours
Minimum Commitment	3 months

What’s Included:

Monthly posture & ops review call (60 min)
- Review security alerts, vendor issues, open items from roadmap
- Prioritize next month’s focus areas
Email/phone advisory access (business hours)
- “Should we approve this vendor?” / “We got a phishing email, what do we do?” / “Is this software safe?”
Basic vendor monitoring (up to 3 key vendors)
- Track contract renewals, SLA (Service Level Agreement) compliance, cost optimization opportunities
Roadmap ownership
- Maintain and update their 30/60/90 plan from the ORB (or equivalent)
- Quarterly roadmap refresh during QBRs
Incident escalation routing
- You’re the first call when something goes wrong
- Triage, advise, coordinate response (advisory — not hands-on remediation)
2 QBRs per year
- Structured review of progress, risks, upcoming priorities
- Executive-ready slide deck they can show their board/leadership

Tier 2: Operational Partner — “Own the Plan” (Recommended for most clients)

Best for: 51-150 seat organizations with moderate complexity, multiple systems, growing teams, or compliance needs. Also appropriate for smaller orgs (11-50 seats) with higher complexity or compliance requirements that outgrow Tier 1.

Detail	Spec
Monthly Price	$5, 000 -$ 9,000/mo
Included Hours	16-24 hours/month
Meeting Cadence	2x monthly strategy calls (60 min each)
QBR Cadence	4x per year (quarterly)
Response Time SLA	Same business day for standard; 2-hour response for critical incidents during business hours
Minimum Commitment	3 months

Everything in Tier 1, PLUS:

Bi-weekly strategy touchpoints (2x/month)
- Deeper operational reviews, project status, vendor issues, staff concerns
Full vendor management & contract negotiation
- Act as their representative with IT vendors
- Negotiate renewals, evaluate alternatives, manage relationships
- You become the vendor relationship owner (key stickiness mechanism)
Quarterly restore drill coordination
- Plan, schedule, and oversee a real backup restore test each quarter
- Document results and remediation items
Quarterly incident/DR (Disaster Recovery) tabletop exercise
- Run a scenario-based tabletop with their leadership team
- “What happens if ransomware hits on a Friday night?” type exercises
Staff training coordination (quarterly)
- Plan and coordinate cybersecurity awareness training
- Phishing simulation coordination
- New tool adoption support
Quarterly QBRs with strategic recommendations
- Full executive briefing with metrics, progress, risks, and forward-looking roadmap
- Technology investment recommendations tied to business goals
Proactive security advisory
- Monthly threat landscape briefing relevant to their industry
- “Heads up — there’s a new vulnerability affecting [tool they use]“

Tier 3: Strategic Executive — “Run the Show”

Best for: 151-500 seat organizations with complex environments, multiple locations, compliance requirements, or going through major transitions (M&A, rapid growth, system overhauls). Also appropriate for 51-150 seat orgs in regulated industries (healthcare, financial services).

Detail	Spec
Monthly Price	$9, 000 -$ 15,000/mo
Included Hours	24-40 hours/month
Meeting Cadence	Weekly strategy calls (60 min)
QBR Cadence	4x per year (quarterly) + monthly executive check-ins
Response Time SLA	4-hour response for standard; 1-hour response for critical incidents (business hours); after-hours escalation available
Minimum Commitment	6 months

Everything in Tier 2, PLUS:

Weekly executive strategy meetings
- Deep dives into operational efficiency, technology investments, risk posture
- Direct advisory to CEO/leadership on technology decisions
Compliance & regulatory guidance
- SOC 2 (System and Organization Controls Type 2) readiness oversight
- HIPAA (Health Insurance Portability and Accountability Act) compliance monitoring
- State privacy law compliance tracking
- Audit preparation and evidence coordination
M&A / major initiative support
- Technology due diligence for acquisitions
- Integration planning for mergers
- Major system migration oversight
Staff training delivery (not just coordination)
- Actually run training sessions, not just plan them
- Onboarding new employees into security protocols
- Advanced training for IT staff
Proactive security monitoring & advisory
- Ongoing posture reviews between QBRs
- Vendor security assessment (evaluating vendors’ security posture)
- Supply chain risk monitoring
Technology budget planning
- Annual IT budget development and review
- ROI analysis for technology investments
- Cost optimization across their tech stack
After-hours incident escalation
- Available for critical incidents outside business hours
- First-response coordination and triage

Quick Tier Comparison

Feature	Tier 1: Advisor	Tier 2: Partner	Tier 3: Executive
Monthly Price	$2, 500 -$ 5,000	$5, 000 -$ 9,000	$9, 000 -$ 15,000
Included Hours	8-12	16-24	24-40
Strategy Calls	1x/month	2x/month	Weekly
QBRs	2x/year	4x/year	4x/year + monthly check-ins
Vendor Management	Monitoring only	Full management	Full management + budget planning
Restore Drills	—	Quarterly	Quarterly
Tabletop Exercises	—	Quarterly	Quarterly
Staff Training	—	Coordination	Delivery
Compliance Guidance	—	Basic	Full
Incident Response SLA	Next business day / 4hr critical	Same day / 2hr critical	4hr standard / 1hr critical + after-hours
Minimum Commitment	3 months	3 months	6 months

3) What’s Included vs. Billed Separately

This is critical to get right. Scope creep kills retainer profitability. Be explicit in your SOW (Statement of Work) and on calls.

Always Included in Retainer (All Tiers)

Scheduled strategy calls per tier cadence
QBR preparation and delivery
Roadmap maintenance and updates
Email/phone advisory during business hours
Incident escalation triage and advisory
Vendor monitoring/management per tier
Monthly value reports

Always Billed Separately (Project Work)

Service	Typical Price Range	Notes
ORB / Security Assessment	$5, 000 -$ 19,500	One-time project
Remediation Sprint (2-4 weeks)	$9, 000 -$ 35,000	Post-ORB fix work
Data Migration	$3, 000 -$ 25,000	Scope-dependent
CRM Setup / Optimization	$2, 500 -$ 12,000	Scope-dependent
Systems Integration	$2, 000 -$ 20,000	Scope-dependent
AI Readiness Assessment	$3, 000 -$ 5,000	One-time project
AI Implementation Sprint	$5, 000 -$ 15,000	One-time project
Policy Development Pack	$4, 500 -$ 9,000	One-time deliverable
Penetration Testing	Refer out	Not a Solanasis service; refer to partner
Emergency incident response beyond retainer hours	$200/hr	Out-of-scope hourly rate

The Gray Zone (Use Judgment)

These situations come up regularly. Here’s how to handle them:

“Can you just hop on a quick call with our vendor?” — If it’s 15 minutes and within your tier hours, yes. If it’s a 2-hour negotiation, that counts against your monthly hours.
“We need help evaluating a new CRM” — Advisory and recommendation is included. If they want you to actually set it up, that’s a separate project.
“We got a phishing email — can you investigate?” — Triage and advisory is included. Deep forensic investigation is out-of-scope.
“Can you train our new hire on security?” — Tier 3: included. Tier 1-2: schedule it as part of their quarterly training coordination, or bill separately for delivery.

Pro Tip: Always document the gray zone decisions in writing (even a quick email). This prevents expectation drift over time and protects both sides.

4) The Ramp-Down Model

This is the smartest thing Solanasis can do for recurring revenue. Here’s how it works:

The Concept

Most client engagements start heavy (ORB assessment, remediation sprint, system implementation) and naturally require fewer hours over time as their environment stabilizes. Instead of going from heavy engagement to zero, you ramp down to a sustainable retainer “floor.”

The Ramp-Down Timeline

PHASE 1: PROJECT ENGAGEMENT (Weeks 1-6)
├── ORB Assessment (10 days)
├── Remediation Sprint (2-4 weeks)
├── Effort: 40-60+ hours/month
├── Billing: Project-based ($5K-$35K+ total)
└── Relationship: You're deep inside their systems

        ↓ Natural transition point ↓

PHASE 2: INTENSIVE RETAINER (Months 2-4)
├── Retainer starts at Tier 2 or Tier 3
├── Effort: 20-40 hours/month
├── Focus: Implementing roadmap items, vendor transitions, training
├── Billing: Monthly retainer at full tier rate
└── Relationship: You're their operational partner

        ↓ Environment stabilizes ↓

PHASE 3: STEADY-STATE RETAINER (Months 5+)
├── Ramp down to Tier 1 or Tier 2 (the "floor")
├── Effort: 8-24 hours/month
├── Focus: Advisory, QBRs, monitoring, vendor management
├── Billing: Monthly retainer at floor rate
└── Relationship: Trusted strategic advisor

The “Floor” — What They Always Pay

This is the most important concept in the retainer model. The floor is the minimum monthly retainer that keeps the relationship alive and provides baseline value. Clients never go below the floor.

Client Size	Floor Retainer	Floor Tier	What the Floor Buys
11-50 seats	$2,500/mo	Tier 1	Monthly call, email access, incident routing, roadmap, 2 QBRs/year
51-150 seats	$5,000/mo	Tier 2	Bi-weekly calls, vendor mgmt, quarterly drills, 4 QBRs/year
151-500 seats	$9,000/mo	Tier 3	Weekly calls, full vendor mgmt, compliance oversight, after-hours escalation

How to Position the Ramp-Down on Sales Calls

What to say:

“Most of our clients start with the Resilience Checkup and a remediation sprint — that’s where we do the heavy lifting. After that, we transition to a monthly retainer that covers ongoing advisory, vendor management, quarterly restore drills, and strategic planning. The first few months tend to be more intensive as we implement the roadmap. After that, it typically settles into a steady rhythm — less hours per month, but we’re always there. Think of it like going from building the house to maintaining it. You’ll always want someone making sure the roof doesn’t leak.”

What NOT to say:

Don’t say “it gets cheaper over time” — say “the intensity decreases as your environment matures”
Don’t promise a specific ramp-down timeline — environments vary
Don’t position the floor as “maintenance mode” — it’s “strategic advisory mode”

Ramp-Down Contract Language

“The initial retainer engagement begins at [Tier X] ( $X, XXX / m o n t h) f or aminim u m o f [3/6] m o n t h s . F o ll o w in g t h e ini t ia lp er i o d, t h ee n g a g e m e n tw i llt r an s i t i o n t o a s t e a d y - s t a t ere t ain er a t n o l ess t han [Fl oor T i er] ($ X,XXX/month), subject to mutual agreement on scope adjustments. Either party may propose scope adjustments with 30 days written notice, provided the monthly retainer does not fall below the minimum floor of $X,XXX/month.”

5) Pricing Deep Dive & Market Validation

How Solanasis Retainer Pricing Compares to Market

Benchmark	Market Range	Solanasis Range	Positioning
vCISO retainer (SMB sweet spot)	$3, 000 -$ 7,000/mo	$2, 500 -$ 5,000/mo	In range, but broader scope
vCISO retainer (mid-market)	$5, 000 -$ 12,000/mo	$5, 000 -$ 15,000/mo	Premium justified by CIO+COO scope
Fractional CTO	$3, 000 -$ 18,000/mo	Included in Tier 2-3	They’d pay this PLUS a vCISO elsewhere
Fractional COO	$5, 000 -$ 20,000/mo	Included in Tier 3	Triple-threat value proposition
Full-time CISO salary	$250 K -$ 700K/yr ( $21 K -$ 58K/mo)	$2, 500 -$ 15,000/mo	70-85% savings
MSP monthly (per user)	$100 -$ 250/user/mo	N/A (not per-user)	Different model; we’re strategic, not helpdesk
FRSecure (closest competitor model)	$4, 000 -$ 6,000/mo starting	$2, 500 -$ 7,500/mo	Competitive; they ramp down over time too

The Value Anchor for Sales Conversations

Use this math on calls:

“If you hired a full-time CISO, you’d spend $350 K + a ye a r in c l u d in g b e n e f i t s . A C I O o n t o p o f t ha t i s an o t h er$ 300K+. A COO is $250 K + . T ha t^{'} s n e a r l y$ 1 million a year for three C-suite roles. Our Tier 2 retainer gives you all three perspectives for $54 K -$ 90K a year. That’s a 90%+ savings.”

Pricing by Engagement Depth (Compass ITC Model Comparison)

This is a well-known framework in the fractional CISO space:

Their Tier	Their Price	Their Cadence	Solanasis Equivalent
Advisory Starter	$2, 000 -$ 4,500/mo	Quarterly touchpoints	Tier 1 ( $2, 500 -$ 5,000) — we do monthly, not quarterly
Balanced Program	$5, 000 -$ 9,000/mo	Monthly steering	Tier 2 ( $5, 000 -$ 9,000) — we include restore drills and tabletops
High-Touch Compliance	$9, 000 -$ 20,000+/mo	Weekly cadence	Tier 3 ( $9, 000 -$ 15,000) — comparable, broader scope

Key differentiation: The Compass ITC model (and most vCISO firms) focus exclusively on cybersecurity. Solanasis bundles security + disaster recovery + operational efficiency + technology strategy into one retainer. That’s the value premium.

6) Contract Terms & Structure

Recommended Contract Framework

Term	Recommendation	Why
Initial commitment	3 months (Tier 1-2), 6 months (Tier 3)	Long enough to demonstrate value, short enough to not scare away clients
Renewal	Auto-renew month-to-month after initial term	Reduces friction; they can cancel anytime after initial commitment
Cancellation notice	60 days written notice	Industry standard; protects your cash flow planning
Payment terms	Monthly invoice, due on 1st of the month	Simple, predictable
Annual prepay discount	10% off annual total	Incentivizes commitment; improves cash flow
Out-of-scope hourly rate	$200/ h r (10$ 200/hr project rate)	Small discount rewards retainer clients without undercutting project work
Rollover hours	NO rollover	See explanation below

Why No Rollover Hours

This is a critical policy. Industry experts consistently warn against rollover hours:

The problem: Client doesn’t use hours for 3 months, then dumps 30 hours of work on you in month 4
The fix: Unused hours expire at month-end, period
How to position it: “The retainer covers ongoing access, advisory, and deliverables — not a bank of hours. If you need project work beyond the retainer scope, we’ll scope that separately at a preferred rate.”

Pro Tip: If a client consistently uses less than 50% of their retainer hours for 3+ months, proactively suggest a tier adjustment. This builds trust and prevents them from questioning the value. Better to suggest a downgrade yourself than have them cancel entirely.

SLA (Service Level Agreement) Structure

Priority	Definition	Tier 1 Response	Tier 2 Response	Tier 3 Response
Critical	Active security incident, data breach, complete system outage	4 hours (business hours)	2 hours (business hours)	1 hour (including after-hours)
High	Partial outage, suspected incident, vendor emergency	Next business day	Same business day	4 hours
Normal	Advisory questions, vendor reviews, planning requests	2 business days	Next business day	Same business day
Low	General questions, non-urgent recommendations	3 business days	2 business days	Next business day

SLA Credit Policy

If Solanasis misses an SLA 3+ times in a single month:

First occurrence: Written acknowledgment and root cause
3+ misses in one month: 10% credit on next month’s invoice
Repeated failures (2+ consecutive months): Client may terminate without notice period

Pro Tip: Track your SLA performance religiously from day one. Even before you have many clients, build the habit. This data becomes a powerful sales tool: “We’ve maintained 99% SLA compliance across all clients.”

7) The Wedge-to-Retainer Conversion Playbook

This is where the revenue engine lives. Every project engagement should be designed to naturally lead into a retainer conversation.

The ORB → Retainer Pipeline (Primary Path)

This is your highest-conversion path. The ORB is specifically designed to reveal ongoing needs.

ORB Assessment (10 days, $5K-$19.5K)
    │
    ├── Day 10 Readout: Present findings + 30/60/90 plan
    │   └── "Here are 27 items that need attention. Which ones
    │        do you want to tackle first?"
    │
    ├── Remediation Sprint (2-4 weeks, $9K-$35K) [OPTIONAL]
    │   └── Fix top 5-10 items from the 30-day list
    │
    └── Retainer Proposal (present at readout or post-remediation)
        └── "Now that we've built the baseline, who's going to
             own the plan going forward? That's what the
             Resilience Partner retainer does."

Target conversion rate: 50-60% of ORB clients should convert to retainer (industry benchmark for assess-to-retain is 40-60%)

What to Say at the ORB Readout (Day 10)

“We’ve given you a clear picture of where you stand and a prioritized roadmap. Some of these items are urgent — the remediation sprint handles those. But the bigger question is: who’s going to own this roadmap going forward? Who’s making sure the restore drills happen quarterly? Who’s watching your vendors? Who’s keeping this from sliding back? That’s what our Resilience Partner retainer covers. For a company your size, that’s $X,XXX per month.”

Conversion from Other Project Types

Entry Project	Natural Retainer Pitch	Target Retainer Tier
ORB ( $5 K -$ 19.5K)	“Who owns the roadmap going forward?”	Tier 1-2
Remediation Sprint ( $9 K -$ 35K)	“We fixed the urgent items. Who keeps them fixed?”	Tier 2
Data Migration ( $3 K -$ 25K)	“The migration is done, but data environments need ongoing optimization”	Tier 1
CRM Setup ( $2.5 K -$ 12K)	“Your CRM is live. Who makes sure adoption sticks and it keeps working?”	Tier 1
Systems Integration ( $2 K -$ 20K)	“Integrations break. Who monitors them and keeps them running?”	Tier 1-2
AI Implementation ( $5 K -$ 15K)	“AI governance isn’t a one-time thing. Regulations are changing monthly.”	Tier 1-2

The “Bridge” Discount (Use Sparingly)

For clients who are on the fence about a retainer after a project:

“Here’s what I can do: start at Tier 1 for the first 3 months at $2,500/month. That gives us time to demonstrate the value. After 3 months, we’ll review and decide together whether to stay at Tier 1 or expand to Tier 2 based on what you need.”

Rules for using the bridge:

Never discount below the floor price
Never offer more than 3 months at bridge pricing
Only use when the alternative is losing the client entirely
Document it as an “introductory rate” in the SOW, not a permanent discount

8) Quarterly Business Reviews (QBRs)

QBRs are the single most important retainer deliverable. They’re what justifies the retainer cost and what prevents churn. Do these well and clients will never leave.

QBR Structure (90 Minutes)

Section	Time	Content
Executive Summary	10 min	Top 3 wins, top 3 risks, overall posture score
Progress Review	20 min	Roadmap items completed, items in progress, items deferred and why
Risk & Security Update	15 min	New threats relevant to their industry, vulnerability status, incident summary
Vendor Performance	10 min	Vendor scorecard, contract renewals upcoming, cost optimization opportunities
Restore Drill Results	10 min	What was tested, what worked, what didn’t, remediation plan (Tier 2-3 only)
Technology Roadmap	15 min	Updated 30/60/90, technology investment recommendations, budget implications
Open Discussion & Q&A	10 min	Their concerns, upcoming business changes, strategic questions

QBR Deliverables

Every QBR should produce these artifacts:

Executive Summary Slide Deck (5-8 slides) — something they can forward to their board
Updated Risk Register — what’s improved, what’s new, what’s still open
Updated 30/60/90 Roadmap — next quarter’s priorities clearly defined
Vendor Scorecard — how their vendors are performing
Value Report — quantified savings, improvements, and risk reductions since last QBR

The Value Report (Critical for Retention)

Every QBR must include a value report that answers: “What have we done for you this quarter?” Include:

Cost savings identified: “We renegotiated your Microsoft licensing, saving $4,200/year”
Risk reductions: “Closed 8 of 12 critical items from the risk register”
Efficiency gains: “New integration saves your team 5 hours/week”
Incidents prevented/handled: “Caught and contained a phishing attempt in under 2 hours”
Compliance progress: “You’re now 75% SOC 2 ready, up from 40% at last QBR”

Pro Tip: Start tracking value from day one. Even small wins compound into a powerful story at QBR time. Keep a running “value log” in your project management tool for each client. When the QBR comes around, you won’t be scrambling for examples.

9) Building Stickiness & Preventing Churn

The 5 Layers of Stickiness

Each of these makes it harder for a client to leave — not because you’re locking them in, but because the value of staying is obvious:

Layer 1: Knowledge Depth

You know their systems better than anyone on their team
Your documentation of their environment is comprehensive
Institutional knowledge of why decisions were made

Layer 2: Vendor Relationships

You become the point of contact for their IT vendors
Vendors know you, trust you, and work with you directly
Client would need to rebuild all these relationships from scratch

Layer 3: Process Embedding

QBRs are on their executive calendar
Restore drills are part of their quarterly rhythm
Incident escalation procedures route through you
Their team is trained on your processes

Layer 4: Roadmap Ownership

You wrote the roadmap; you know the context behind every item
Abandoning the roadmap mid-execution is disruptive
New provider would need months to get up to speed

Layer 5: Trust & Relationship

You’ve proven yourself through delivered results
C-suite trusts your judgment
You’re the person they call when something unexpected happens

Proactive Anti-Churn Actions

When	Action	Why
Monthly	Send a brief value update email (3-5 bullets of what you did this month)	Keeps value visible between QBRs
Quarterly	Deliver QBR with quantified value report	Justifies the retainer investment
Quarterly	Proactively suggest one new improvement or cost savings opportunity	Shows you’re thinking about their business, not just collecting a check
Semi-annually	”Retainer health check” call with decision-maker	”Is this still working for you? What could we do better?”
Annually	Technology roadmap refresh with 12-month forward view	Ties them into a forward-looking plan
If usage drops	After 2 months of low utilization, proactively reach out	”I noticed we haven’t had as many touchpoints. Everything okay?”
If a competitor approaches	Share competitive comparison showing your broader scope	Remind them of the CIO+CISO+COO bundle value

Warning Signs of Churn Risk

Signal	Severity	Action
Client skips 2+ scheduled calls	Medium	Direct outreach to decision-maker: “Everything okay?”
Client asks for detailed hours breakdown	High	Prepare value report ASAP; they’re questioning ROI
New internal IT hire	High	Position yourself as complementary, not competitive. “Great — here’s how we work together”
Budget conversation / “we need to cut costs”	Critical	Proactively offer tier adjustment before they ask. Show value report.
Client stops responding to emails	Critical	Phone call to decision-maker. If no response in 1 week, in-person visit.

10) Retainer Health Metrics

Metrics to Track (Weekly Review)

Metric	Target	Why It Matters
MRR (Monthly Recurring Revenue) from retainers	Growing monthly	Core business health indicator
Number of active retainer clients	Growing quarterly	Pipeline health
Net Revenue Retention (NRR)	>110%	Measures if expansion outweighs churn; >110% = healthy growth
Gross churn rate	<5%/month	% of retainer revenue lost to cancellations
Retainer renewal rate	>90%	% of clients who renew after initial commitment
ORB-to-retainer conversion rate	>50%	How well your wedge converts to recurring revenue
Average retainer contract value	Growing over time	Indicates tier upgrades and scope expansion
Retainer utilization rate	60-80%	If <50%, client may question value; if >100%, you’re losing money
QBR completion rate	100%	Never miss a QBR. Ever.
Client satisfaction (post-QBR)	4.5+/5	Simple survey after each QBR
Time to first retainer value	<30 days	How quickly clients see tangible results after retainer starts

NRR (Net Revenue Retention) Calculation

This is your most important metric for retainer business health:

NRR = (Starting MRR + Expansion - Contraction - Churn) / Starting MRR × 100

Example:
  Starting MRR:  $20,000 (4 clients)
  Expansion:     +$2,000 (1 client upgraded Tier 1 → Tier 2)
  Contraction:   -$1,000 (1 client downgraded)
  Churn:         -$0 (no cancellations)

  NRR = ($20,000 + $2,000 - $1,000 - $0) / $20,000 × 100 = 105%

NRR Benchmarks:

<100%: You’re shrinking. Urgent problem.
100-105%: Stable but not growing. Need more expansion.
105-115%: Healthy. Good balance of retention and expansion.
115%+: Excellent. Your clients are buying more over time.

11) Nonprofit Retainer Model

Nonprofits are a core ICP (Ideal Customer Profile) for Solanasis. They have real security and operational needs but tighter budgets. Here’s how to serve them profitably.

Nonprofit Pricing

Tier	Standard Price	Nonprofit Price (25% discount)
Tier 1: Resilience Advisor	$2, 500 -$ 5,000/mo	$1, 875 -$ 3,750/mo
Tier 2: Operational Partner	$5, 000 -$ 9,000/mo	$3, 750 -$ 6,750/mo
Tier 3: Strategic Executive	$9, 000 -$ 15,000/mo	$6, 750 -$ 11,250/mo

Why 25% and Not More

25% is meaningful enough to demonstrate commitment to the sector
Your costs don’t change based on client type — you still deliver the same scope
Nonprofit budgets for IT/security are real and growing (63% increased cybersecurity budgets in 2025)
Going below 25% discount risks undervaluing your work and making the business unsustainable

Nonprofit-Specific Value Adds (Included at No Extra Cost)

Guidance on TechSoup and Goodstack software discounts
Help applying for technology grants
Compliance guidance specific to nonprofit requirements (state charity registrations, donor data protection)
Board-ready reporting (nonprofits often need this for governance)

Pro Tip: Nonprofits are incredible referral sources. They sit on boards with other nonprofit leaders, attend sector conferences, and actively share resources. A happy nonprofit client can generate 3-5 warm referrals within 6 months. Treat the discount as a customer acquisition cost (CAC), not a margin hit.

12) Retainer SOW Language & Templates

Key Clauses to Include in Every Retainer SOW

1. Scope Definition

Solanasis will provide ongoing fractional technology leadership services (“Resilience Partner Services”) at the [Tier Name] level, as described in Exhibit A. Services include [list core deliverables per tier]. All services not explicitly listed in Exhibit A are considered out-of-scope and will require a separate Statement of Work or Change Order.

2. Term & Renewal

This engagement begins on [Start Date] with an initial commitment period of [3/6] months (“Initial Term”). Following the Initial Term, this agreement will automatically renew on a month-to-month basis under the same terms. Either party may terminate this agreement with sixty (60) days written notice, effective at the end of the then-current monthly billing period.

3. Ramp-Down Floor

In the event that the parties mutually agree to adjust the scope or tier of services, the monthly retainer shall not be reduced below the minimum floor of $[X,XXX] per month (“Minimum Retainer”). Scope adjustments require thirty (30) days written notice and mutual agreement in writing.

4. Hours & Utilization

The retainer includes up to [X] hours of advisory and management services per month. Unused hours do not carry over to subsequent months. Work exceeding the monthly allocation requires prior written approval and will be billed at $200/hour.

5. SLA & Response Times

Solanasis will respond to client requests within the timeframes specified in Exhibit B (Service Level Agreement). Response time is measured from receipt of request during business hours (Monday-Friday, 8:00 AM - 6:00 PM MT). Critical incident response times apply [24/7 | during business hours] as specified in the selected tier.

6. QBR Commitment

Solanasis will deliver [2/4] Quarterly Business Reviews per year, scheduled in advance with at least 2 weeks notice. Each QBR will include an executive summary, progress report, risk register update, vendor scorecard, and forward-looking roadmap. QBR deliverables will be provided in written form within 5 business days of the QBR meeting.

7. Annual Prepay Discount

Client may elect to prepay the annual retainer amount in full at the start of the Initial Term or any renewal period. Annual prepayment includes a 10% discount on the total annual retainer cost. Prepaid amounts are non-refundable for the period covered.

13) Pro Tips & Growth Hacks

For Selling Retainers

Never sell the retainer on the first call. Sell the ORB first. The retainer sells itself once they see the findings.
Use the “who owns this?” technique. At every readout, ask: “Who on your team is going to own this going forward?” The silence that follows is your retainer sale.
Anchor to full-time salaries, not competitor retainers. “ $5 K / m o n t h so u n d se x p e n s i v e u n t i l yo u re a l i ze a f u ll - t im e C I SO cos t s$ 30K/month.”
Start every prospect at Tier 2. It’s easier to sell Tier 2 and adjust down to Tier 1 than to sell Tier 1 and try to upsell later.
Offer the “3-month trial” framing for hesitant prospects. “Try Tier 1 for 3 months. If you don’t see the value, we’ll part ways — no hard feelings.”

For Delivering Retainers

Send a monthly value email even when nothing urgent happened. “This month we: monitored 3 vendor renewals, reviewed 2 security alerts, updated 4 roadmap items, and confirmed your backup health.” Visibility = perceived value.
Never let a QBR slip. Rescheduling once is fine. Skipping is never acceptable. QBRs are the anchor that justifies the retainer.
Track your time even though you’re not billing hourly. You need utilization data to know if retainers are profitable and to justify pricing to yourself and your clients.
Build SOPs for every retainer activity. Monthly reviews, QBR prep, vendor scorecards, restore drill coordination — all of these should be documented so contractors can execute them.
Create a “Retainer Client Onboarding” checklist that runs in the first 30 days. Include: access provisioning, vendor introductions, calendar setup, communication preferences, emergency contacts.

For Scaling Retainers

Retainer delivery is the first thing to delegate to contractors. Once your SOPs are solid, a trained contractor can handle Tier 1 delivery almost entirely, freeing you for sales and Tier 2-3 strategic work.
Use the “fractional team” model. As you scale, introduce the concept of a “Solanasis team” to clients. “Your team includes me as your strategic lead and [contractor name] as your operations specialist.” This normalizes the contractor model.
Bundle retainers into your compliance platform partnerships. When you’re delivering vCISO services through Vanta or Drata, the retainer IS the delivery mechanism. The platform does the monitoring; you provide the human judgment and advisory.
Track your “retainer capacity.” Know exactly how many retainer clients you can handle solo vs. with 1 contractor vs. with 2 contractors. Plan your hiring around this capacity model.

Scenario	Tier 1 Clients	Tier 2 Clients	Tier 3 Clients	Total MRR Range
Solo (Dmitri only)	4-5	2-3	0-1	$16 K -$ 30K
+ 1 Contractor	6-8	3-5	1-2	$30 K -$ 60K
+ 2 Contractors	8-12	5-7	2-3	$50 K -$ 100K

The ultimate growth hack: make every retainer client a referral source. At every QBR, ask: “Are there other organizations in your network that could benefit from this?” Incentivize with your referral program (10% of engagement fee, capped at $1,500). One referral per retainer client per year doubles your pipeline without spending a dollar on marketing.

Appendix A: Revenue Projection Model

Year 1 Retainer Revenue Scenario

Month	New ORBs	ORB→Retainer Conversions	Active Retainer Clients	Avg Retainer/Mo	Retainer MRR
1	1	0	0	—	$0
2	1	0	0	—	$0
3	2	1	1	$3,500	$3,500
4	2	1	2	$3,500	$7,000
5	2	1	3	$3,750	$11,250
6	2	1	4	$4,000	$16,000
7	2	1	5	$4,000	$20,000
8	3	1	6	$4,000	$24,000
9	3	2	7	$4,000	$28,000
10	3	1	8	$4,000	$32,000
11	3	2	9	$4,000	$36,000
12	3	1	10	$4,000	$40,000

Year 1 Total Retainer Revenue: ~ $217, 750 * * M o n t h 12 R e t ain er MRR : * *$ 40,000 (exceeds $30K MRR target)

Assumes: 50% ORB→retainer conversion, 0% churn (optimistic for first year with 3-month minimums), average retainer starts at Tier 1-2 pricing and grows via tier upgrades.

Revenue Mix Target by Month 12

Revenue Stream	Monthly	% of Total
Retainer MRR	$40,000	65%
Project revenue (ORBs, sprints, migrations)	$15, 000 -$ 25,000	30%
Bridge/hourly	$2, 000 -$ 3,000	5%
Total	$57, 000 -$ 68,000	100%

Appendix B: Competitive Landscape for Retainer Positioning

What Clients Are Comparing You Against

Competitor Type	Their Monthly Cost	What They Get	What’s Missing (Your Advantage)
MSP (e.g., Propel Technology, Boulder)	$135 -$ 200/user/mo ( $4 K -$ 10K for 30 users)	Helpdesk, monitoring, patching, basic security	No strategic advisory, no restore testing, no C-suite perspective
vCISO firm (e.g., FRSecure, Rhymetec)	$3, 000 -$ 7,000/mo	Security advisory, policy development, compliance guidance	No DR verification, no CRM/systems expertise, no operational efficiency
Fractional CTO firm	$3, 000 -$ 18,000/mo	Technology strategy, architecture guidance, team leadership	No security depth, no compliance expertise, no hands-on assessment
Big 4 / MBB	$300 -$ 1,000+/hr ($50K+/month)	Brand name, comprehensive methodology	Overkill for SMBs, impersonal, junior staff doing the work
Solanasis	$2, 500 -$ 15,000/mo	CIO+CISO+COO in one retainer, assess+fix+stay lifecycle	N/A

Your Elevator Pitch for Retainer Conversations

“We’re your fractional technology team — your CIO, CISO, and operations lead rolled into one monthly retainer. We start with a deep assessment to build the baseline, fix the critical items, and then stay on as your ongoing partner to own the roadmap, manage your vendors, run quarterly drills, and make sure nothing falls through the cracks. Most firms do one piece of this. We do all of it.”

This playbook is a living document. Update pricing, conversion rates, and capacity numbers as real client data comes in. Review quarterly.

Solanasis Docs

Explorer

Solanasis_Retainer_Playbook