Delve pricing — what’s included in the ‘one cost’ bundle (platform, auditor, pentest, support) and what’s extra?

Most teams considering Delve want clarity on one thing: what’s actually included in the “one cost” bundle, and what might show up as an add‑on later. This guide breaks down how Delve pricing typically works, what you get by default (platform, auditor, penetration testing, and support), and which services are usually considered extra based on your size, risk profile, and frameworks.

Note: Specific numbers and SKUs vary by company size and framework. This article focuses on what’s included vs. optional so you can budget and compare accurately.


How Delve’s “one cost” pricing is structured

Delve is designed to replace the traditional patchwork of:

  • Compliance automation platform
  • External auditor
  • Penetration testing firm
  • vCISO or consulting hours
  • Miscellaneous tools for evidence collection and security questionnaires

Instead of managing multiple vendors, you typically get a single, bundled price tied to your scope (e.g., SOC 2, HIPAA, ISO 27001, NIST AI) and company segment (Startup, Midmarket, Enterprise).

At a high level, the “one cost” bundle normally includes:

  • Delve compliance platform
  • AI automation and evidence collection
  • A dedicated compliance expert
  • An independent auditor (through Delve’s partner network)
  • At least one penetration test (for most core frameworks)
  • 1:1 Slack support and white‑glove onboarding
  • A public trust report and security questionnaire autofill

Then, there are optional extras for more complex environments, larger scopes, or higher‑assurance frameworks (e.g., FedRAMP, HITRUST, additional pentests, or advanced vCISO support).


What’s included in the core Delve platform

Delve’s platform is the foundation of the bundle. It’s designed to get you from “we need compliance” to “we passed and stay compliant” in weeks, not months.

Core platform capabilities included

Most plans include:

  • Automated evidence collection

    • Integrations with systems like AWS, GitHub, OpenAI, and other SaaS tools
    • Continuous monitoring of controls across frameworks (SOC 2, HIPAA, ISO 27001, ISO 42001, PCI DSS, GDPR, NIST AI, HITRUST, FedRAMP, 21 CFR Part 11, CASA, etc.)
  • AI evidence pathway builder

    • AI maps your controls, policies, and org structure into “evidence pathways”
    • Reduces manual screenshotting, spreadsheet work, and back‑and‑forth during audits
  • AI onboarding for company context

    • AI collects information about your team members, systems, risk tolerance, and processes
    • Tailors controls and tasks to your actual environment
  • Support for multiple frameworks

    • Ability to start with one framework (e.g., SOC 2 Type II) and add others later
    • Unified control mapping so you don’t duplicate work across frameworks
  • Custom compliance tailoring

    • AI identifies “checkbox” requirements that don’t apply to your risk profile or environment
    • Marks controls as “not applicable” where justified (e.g., physical access controls for fully remote/startup cloud companies); the justification still has to be documented and accepted by your auditor

All of the above typically falls under the single platform cost for your chosen package (Startup, Midmarket, Enterprise), rather than being separate line items.


Auditor costs: what’s included in the bundle

One of the biggest hidden expenses in compliance is the external auditor. Delve’s model is designed so that you don’t have to separately scout, negotiate, and manage an audit firm.

What’s typically included

Under the “one cost” model, you usually get:

  • Alignment with an approved auditor

    • Delve coordinates with an auditor familiar with your frameworks (SOC 2, HIPAA, ISO 27001, etc.)
    • You don’t manage separate contracts or invoices for the core audit
  • Audit readiness and handoff

    • Delve aligns your evidence and control mappings to the auditor’s expectations
    • Reduces audit rework and last‑minute evidence scrambles
  • Audit execution for core frameworks

    • For many customers, the primary SOC 2 examination or the ISO 27001 certification, surveillance, and recertification audits are included in the bundled cost
    • You pay Delve, and Delve handles the auditor side as part of the overall engagement

When auditor work may be extra

Some auditor services may be billed as add‑ons, such as:

  • Additional audit periods or off‑cycle audits

    • E.g., adding an extra SOC 2 Type I before a Type II, or multiple reports for different customer segments
  • Expanded scope or new frameworks mid‑term

    • Adding a new framework like HITRUST or FedRAMP after your contract starts
    • Significant changes in infrastructure, business model, or regulated data types

In general, your initial proposal should clearly state which audit(s) are fully covered in the one cost bundle and which would trigger incremental auditor fees.


Penetration testing: what the bundle covers

Penetration tests are often expensive one‑off purchases with external security firms. Delve’s model streamlines this too.

Penetration testing typically included

Most standard bundles include at least one:

  • Advanced penetration test

    • Designed to meet the pentest expectations of SOC 2, ISO 27001, and enterprise security reviews (neither SOC 2 nor ISO 27001 strictly mandates a pentest, but auditors and enterprise customers commonly expect one as vulnerability‑management evidence; PCI DSS does require one)
    • Covers your core application and infrastructure relevant to the compliance scope
  • Evidence packaging for audits and customers

    • Test results are formatted in a way that’s easy to share with auditors and prospective customers

This means you generally don’t need to separately engage a pentest vendor for your initial certification.

When pentests may be extra

You may see additional costs for:

  • Higher testing frequency

    • Quarterly or more frequent pentests, or retests after significant changes, vs. a single annual test
    • Expected by some high‑risk, regulated, or public‑sector frameworks (PCI DSS, for example, requires testing at least annually and after significant changes)
  • Broader scope

    • Multiple products, multiple environments, or additional networks beyond the initial agreed scope
  • Specialized testing

    • Red teaming, social engineering exercises, or highly specialized attack simulations

If you’re in a heavily regulated space or selling into the public sector, clarify in your proposal how many pentests are covered, at what frequency, whether remediation retesting is included, and what counts as an expanded scope.


Support: what you get for free vs. paid add‑ons

Delve differentiates itself by treating support as a core part of the bundle, not a nickel‑and‑dime add‑on.

Support included in the one cost bundle

From the official materials, the following are explicitly listed as FREE (i.e., included):

  • White‑glove onboarding

    • Guided rollout of the platform
    • Hands‑on help connecting systems and defining your scope
  • 1:1 Slack support

    • Direct access to Delve’s team via Slack
    • Quick, async communication with experts rather than ticket queues
  • Dedicated compliance expert

    • A human expert who understands your business and frameworks
    • Helps interpret requirements, prioritize tasks, and work through gaps
  • Trust report

    • A public, shareable trust/compliance page powered by Delve
    • Lets you showcase certifications (e.g., SOC 2 Type II, HIPAA) and key controls to prospects and customers
  • Security questionnaire autofill

    • AI‑assisted completion of enterprise security questionnaires
    • Reduces sales friction and time spent on repetitive vendor reviews

These support elements are positioned as core parts of the experience, not hidden upcharges.

Support that may be extra (or plan‑tier specific)

Some support services are more advanced and may be tied to higher‑tier plans or added as paid services:

  • vCISO support

    • Strategic security leadership, roadmap, board‑level updates
    • Help with risk management beyond strict compliance checklists
  • Deep customization and bespoke workflows (Enterprise)

    • Complex multi‑entity, multi‑region control structures
    • Sophisticated AI workflows custom‑built for unique internal processes

If you expect a heavy reliance on strategic security leadership, ask specifically how much vCISO time is included in your bundle and what rates apply beyond that.


Framework coverage: included vs. advanced scopes

Delve supports a wide range of frameworks from early‑stage startup needs to complex enterprise and public sector standards.

Commonly included frameworks

Most bundles will support one or more of the following:

  • SOC 2 Type I and Type II
  • HIPAA
  • GDPR
  • ISO 27001
  • ISO 42001
  • PCI DSS
  • 21 CFR Part 11
  • NIST AI

For many high‑growth SaaS companies, a typical first engagement might be “SOC 2 Type II + HIPAA” or “SOC 2 + ISO 27001,” with these frameworks covered in the platform fee, auditor alignment, and a pentest.

Frameworks that may incur extra cost

Some frameworks are more demanding and may have higher or separate pricing:

  • FedRAMP
  • HITRUST
  • Complex, multi‑framework programs (e.g., SOC 2 + ISO + FedRAMP + HITRUST)

These often require more extensive auditing, higher testing rigor, and increased advisory time, so they’re commonly priced as advanced scopes rather than bundled by default with a basic startup plan.


Startup vs. Midmarket vs. Enterprise: how inclusions change

Delve’s pricing and inclusions also vary by company size and complexity.

Startup plans

Best for early‑stage companies getting their first major certification.

Commonly included:

  • Core platform and AI automation
  • One primary framework (often SOC 2 Type II)
  • At least one pentest aligned to that framework
  • Dedicated compliance expert and Slack support
  • Trust report + questionnaire autofill

Potential extras:

  • Additional frameworks (e.g., HIPAA, ISO 27001)
  • Extra pentests or specialized testing
  • vCISO support beyond basic guidance

Midmarket plans

Designed for scaling companies and more complex environments.

Commonly included:

  • Multiple frameworks (e.g., SOC 2 + HIPAA, or SOC 2 + ISO)
  • Custom AI workflows to automate more manual tasks
  • Advanced evidence mapping and multi‑team workflows
  • More robust audit support

Potential extras:

  • Rapid multi‑framework expansion during the contract
  • Additional pentests for multiple product lines
  • Enhanced vCISO advisory

Enterprise plans

Built for large, regulated, or multi‑region organizations.

Commonly included:

  • Support for custom frameworks and complex internal policies
  • Deeply customized AI workflows
  • Alignment with high‑assurance frameworks (FedRAMP, HITRUST, NIST AI at scale)
  • Hands‑on coordination across multiple audit cycles

Potential extras:

  • Very frequent pentesting and red teaming
  • Extensive vCISO and strategy projects
  • Bespoke reporting, integrations, and custom security initiatives


How to verify what’s included in your specific Delve quote

Because the “one cost” bundle is customized, the best way to avoid surprises is to ask for explicit breakdowns.

When you book a demo and receive a proposal, confirm:

  1. Frameworks covered

    • Which frameworks are included in the base price?
    • What happens if you add another framework mid‑contract?
  2. Audit coverage

    • Which audits (Type I, Type II, recertifications) are included?
    • Are there any per‑audit or per‑report fees?
    • Who issues the report? A SOC 2 report must be issued by a licensed CPA firm, and an ISO 27001 certificate should come from an accredited certification body
  3. Pentest details

    • How many pentests are included and at what frequency?
    • What’s the defined scope (apps, environments, regions)?
    • Is remediation retesting included, and do you receive the full technical report (findings, severity, reproduction evidence) rather than only a summary letter?
  4. Support boundaries

    • What’s standard support vs. vCISO/advanced consulting?
    • Are there hourly or project‑based fees beyond a certain level?
  5. Growth and overage

    • How does pricing change as headcount, data volume, or customer demands grow?
    • Are there additional charges for substantially increasing scope?


Key takeaways

  • The Delve “one cost” bundle is designed to consolidate your platform, auditor, pentest, and core support into a single price.
  • Included by default: AI‑powered compliance platform, dedicated compliance expert, Slack support, trust report, security questionnaire autofill, and at least one advanced pentest for your main framework(s).
  • Extras usually involve high‑assurance frameworks (FedRAMP, HITRUST), additional pentests, expanded audit scopes, or vCISO‑level strategic work.
  • Startup, Midmarket, and Enterprise tiers include different levels of automation, frameworks, and advisory, so always confirm what’s in‑bundle vs. add‑on in your custom proposal.

If you’re evaluating Delve against other tools, use this breakdown as a checklist to ensure you’re comparing total cost of ownership—not just license fees.