From DIY SaaS to firm engagement: the missing middle of compliance
A buyer’s decision framework for compliance vendor selection
A buyer's decision framework for compliance vendor selection. Why the two markets every compliance buyer evaluates — SaaS automation platforms and big-firm engagements — both fail specific buyer segments, what the missing middle actually requires, and how to evaluate vendors who claim to fill it.
Key 102 Consulting · 2026 · Veteran-owned. Practitioner-led HIPAA, PCI, CMMC, and surface-transport readiness with recipient-verifiable deliverables at SaaS pricing.
The dilemma that breaks compliance vendor selection
A compliance officer at a 60-person aerospace subcontractor needs to be ready for CMMC L2 assessment in nine months. The DoD prime they sub to has communicated that the clause will be in their next contract award. The compliance officer has been asked to evaluate vendors and recommend a path.
She spends three weeks running the evaluation. Two distinct markets show up:
Market A — the SaaS compliance platforms. Tens of vendors, broadly comparable feature sets, monthly subscription pricing in the hundreds-to-low-thousands of dollars per month. They ship workflow tooling, evidence collection, dashboards, and PDF exports of compliance documentation. She can demo any of them in a 30-minute call and stand up an account the same day.
Market B — the big-firm consultancies and regional CPA-adjacent compliance practices. Slower sales cycles, scoping calls before quotes, hourly billing or fixed-fee engagements running in the tens of thousands of dollars (and well beyond that for full CMMC L2 readiness engagements). They ship practitioner-led work product, audit-grade deliverables, and the human accountability the SaaS platforms can't.
The compliance officer's problem is that neither market actually serves her well. The SaaS platforms produce documents that look professional but carry no named human signature and no cryptographic anchor — when the C3PAO walks her assessment, the audit-grade question will surface a trust gap she can't close. The big firms produce defensible work product but at price points designed for organizations with materially larger compliance budgets than hers. She doesn't fit either segment cleanly.
This is the missing middle — the gap between SaaS-priced workflow tooling and big-firm-priced practitioner engagements. Most compliance buyers in the 20-to-500-employee range live in the gap. The market hasn't produced a clean offering for them historically because building one requires technical infrastructure that's hard and business-model discipline that's harder.
This paper covers what each existing market is good at, what each fails at, what the missing middle requires, and how to evaluate vendors who claim to fill it.
Market A — what SaaS automation gets right and wrong
The SaaS compliance market exists because compliance workflow is real work and software can dramatically reduce its operational cost. SaaS platforms are good at:
- Workflow consolidation. Tasks, evidence requests, control mappings, vendor reviews — all in one place. Better than email + spreadsheets, dramatically better than nothing.
- Continuous evidence collection. Integrations with identity providers, cloud platforms, SDLC tooling, and ticket systems pull evidence on cadence rather than via annual scramble.
- Scoping and gap analysis tooling. What's in scope, what's not, what controls need attention.
- Pricing accessibility. A 60-employee company can afford the subscription. The math closes.
The SaaS market fails at the moments the audit-day question actually matters:
- Vendor-claimed deliverables. The PDF the platform exports carries the platform's branding, not a named human's signature with a credential reference. When the auditor asks "who attested to this?", the platform's answer is the customer's CFO — but the CFO signed whatever the platform produced, with no qualified-practitioner review interposed.
- No cryptographic integrity. The document the auditor reads is whatever the database said at render time. Silent regeneration, date drift, hash mismatch — none of it is detectable without server-side hash anchoring + RFC 3161 TSA timestamping, which most SaaS platforms haven't built. (See Whitepaper #1 in this series.)
- No human in the loop. AI-generated drafts and vendor-templated policies make it to deliverables without a credentialed practitioner reviewing them. The customer is trusting the platform's content, not a named expert's attestation of the content.
- Lock-in pressure resists verifiability. A platform that produced recipient-verifiable deliverables would be partially fungible — customers could switch vendors and the documents still hold up. SaaS business-model pressure resists building for that future.
SaaS platforms serve well: organizations whose compliance exposure is low-stakes operationally (e.g., SOC 2 attestation for a SaaS company that has no breaches and no specific regulatory enforcement risk), or organizations with existing mature compliance functions where the platform is workflow help rather than the trust anchor.
SaaS platforms serve poorly: organizations facing real enforcement risk (HIPAA-covered entities subject to OCR investigations, PCI merchants subject to acquirer scrutiny, DIB contractors facing FCA exposure, surface-transport operators under TSA Stop Movement Order risk).
Market B — what big-firm engagements get right and wrong
The big-firm and regional-firm market exists because practitioner-led work product is what audit-day requires when the stakes are real. The market does well at:
- Practitioner accountability. A named consultant — typically with industry credentials (QSA, CMMC RP, CISSP, CISA, HCISPP) — leads the engagement. Their signature is on the deliverable. Their professional reputation is the accountability anchor.
- Audit-grade work product. The SSP, AoC, SRA, or incident playbook is built for the assessor's eye — not for the customer's dashboard. The output survives scrutiny.
- Customized scoping. The engagement is designed for the customer's specific environment, not retrofitted from a platform's templates.
- Years of pattern-matching. Senior practitioners have seen many assessments. They know what each regulator's investigator cares about. They've worked with C3PAOs, QSAs, OCR, DCMA.
The big-firm market fails at the economic threshold:
- Pricing doesn't scale down. A scoping call alone can carry costs sized for organizations significantly larger than the buyer in question. The hourly rates and fixed-fee thresholds assume the customer has a large compliance budget. A 50-employee subcontractor's annual compliance budget might not cover a single big-firm CMMC L2 engagement.
- Senior-partner-to-junior-consultant handoff. The practitioner who pitched the engagement is often not the practitioner who executes most of it. The customer pays partner rates for junior work.
- Episodic engagement model. The firm engages, delivers, exits. Quarterly continuity, evidence freshness, and ongoing readiness require a separate retainer or a return engagement. Each engagement carries scoping overhead.
- No platform infrastructure. The firm produces work product but not a system. The customer ends up with a stack of PDFs and a relationship — not a verifiable, durable compliance posture.
Big firms serve well: large enterprises with compliance budgets sized to the work, organizations facing specific high-stakes events (M&A diligence, IPO readiness, post-breach remediation, regulatory enforcement response), and customers with existing in-house compliance staffing.
Big firms serve poorly: the missing-middle organizations who need audit-grade work product but lack the budget for big-firm engagement economics.
What the missing middle actually requires
The missing-middle buyer needs five things the existing markets don't pair:
1. Named practitioner accountability (from Market B) — a credentialed human signs every audit-relevant deliverable. Not an AI byline. Not "the platform vendor." A named individual whose credentials are verifiable.
2. Workflow + evidence platform (from Market A) — the operational cost of compliance management is software-low, not manual-firm-high. Daily evidence collection, automated control mapping, integrated plugin pulls.
3. Cryptographic deliverable integrity (neither market ships) — server-side hashing, RFC 3161 TSA anchoring, append-only audit chains, recipient-verifiable PDFs the auditor can validate independently of the vendor.
4. SaaS-priced engagement economics (from Market A) — monthly or annual subscription pricing that fits a missing-middle budget, not hourly billing that scales with engagement duration.
5. Continuous engagement model (blends both) — practitioner continuity through quarterly readiness cycles, annual re-attestations, and audit-day support. Not episodic. Not "we'll quote you again next year."
A vendor that delivers all five is filling the missing middle. A vendor that delivers only a subset sits closer to Market A or Market B, depending on which of the five it drops.
The economics that made this hard
The missing middle wasn't filled historically because the business model was structurally difficult:
SaaS economics resist practitioner accountability. Paying a credentialed human to review every deliverable adds cost that SaaS platforms can't absorb at their current pricing without gross-margin destruction. SaaS platforms that try this typically end up either raising prices (drifting toward Market B economics) or quietly reducing the practitioner involvement (drifting back toward platform-only Market A).
Firm economics resist platform investment. Big firms make their margin on practitioner hours, not on software seats. Building a workflow + evidence + cryptographic-integrity platform requires engineering investment with payback periods longer than typical firm partnership cycles. Firms that try this typically white-label a third-party SaaS platform — which means they don't control the cryptographic infrastructure either.
Two-sided staffing model required. The missing-middle vendor needs both engineers (to build the platform) and credentialed practitioners (to deliver work product). Most compliance ventures lean heavily one way or the other; both-strong is rare.
These structural forces are why the missing middle has been unoccupied for so long. The vendors who can fill it are vendors who treat the platform + practitioner combination as core, neither subordinated to the other.
The buyer's decision framework
When SaaS fits:
- Compliance exposure is low-stakes operationally
- Existing in-house compliance function consumes the platform as workflow help
- Audit-day deliverables aren't a regulator-scrutinized event
When a big firm fits:
- Compliance budget is sized for hourly-billed engagements
- Specific high-stakes event drives a one-time engagement
- In-house compliance staffing handles ongoing operations
When the missing middle is the answer:
- Real enforcement risk exists (OCR, DCMA, TSA, QSA, C3PAO)
- Compliance budget is sized for SaaS-scale recurring spend
- The organization doesn't have in-house compliance depth
- The audit-day deliverables need to survive assessor scrutiny
- Continuity matters across quarters, not just at point-in-time
The missing-middle answer is right for the buyer whose audit-day exposure exceeds their compliance-budget ceiling — which describes most 20-to-500-employee organizations in regulated industries.
Five characteristics of a missing-middle vendor
When evaluating a vendor claiming to fill the missing middle, look for:
1. Named practitioner signatures on deliverables. Not vendor branding. Not AI byline. A specific human, with a credential reference, attesting to specific content.
2. Server-side cryptographic integrity. SHA-256 computed at ingest, RFC 3161 TSA anchoring, append-only audit chain. Ask to see the verify endpoint. If they hesitate, the integrity infrastructure isn't there.
3. SaaS-scale pricing. Monthly or annual subscription model. No hourly billing on the core engagement. No "call sales for pricing" — published tier pricing is a discipline signal.
4. Practitioner pool architecture. The vendor either has multiple credentialed practitioners or a documented 1099 contractor network. Solo-practitioner missing-middle vendors are single-point-of-failure for the customer.
5. Continuity through quarterly readiness. The engagement extends beyond the initial deliverable. Quarterly readiness reports, annual re-attestation, audit-day support — all included in the subscription, not quoted episodically.
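As an added illustration of what item 2 asks the buyer to check, and of the silent-regeneration and hash-mismatch failure modes described under Market A (this is example code, not Key 102's implementation or any product's API): a minimal append-only hash chain built at ingest, with the recipient-side verification an auditor would run against the PDF in hand. The practitioner name and sample documents are constructed, and the timestamp string stands in for a real RFC 3161 token, which would be a TSA-signed structure over the hash.

```python
import hashlib
import json

GENESIS = "0" * 64  # back-link value for the first entry in the chain

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(body: dict) -> str:
    # Canonical JSON so vendor and recipient hash identical bytes
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_entry(chain: list, deliverable: bytes, signer: str, tsa_time: str) -> dict:
    """Record a deliverable at ingest: its SHA-256, the named practitioner and the
    timestamp, bound to the previous entry so any later edit breaks every hash after it."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    body = {"doc_hash": sha256_hex(deliverable), "signer": signer,
            "tsa_time": tsa_time, "prev": prev}
    entry = dict(body, entry_hash=entry_digest(body))
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> bool:
    """Recipient-side check: recompute every entry hash and every back-link."""
    prev = GENESIS
    for e in chain:
        body = {k: e[k] for k in ("doc_hash", "signer", "tsa_time", "prev")}
        if e["prev"] != prev or e["entry_hash"] != entry_digest(body):
            return False
        prev = e["entry_hash"]
    return True

def verify_deliverable(chain: list, deliverable: bytes, entry_hash: str) -> str:
    """Auditor's check with the PDF in hand and the published chain: 'ok',
    'hash_mismatch' (regenerated or edited after ingest), 'unknown_entry' or 'chain_broken'."""
    if not verify_chain(chain):
        return "chain_broken"
    match = next((e for e in chain if e["entry_hash"] == entry_hash), None)
    if match is None:
        return "unknown_entry"
    return "ok" if match["doc_hash"] == sha256_hex(deliverable) else "hash_mismatch"

# Constructed sample: an SSP hashed at ingest, then silently re-rendered with a
# drifted date. tsa_time is a plain string standing in for a real RFC 3161 token.
CHAIN: list = []
SSP_V1 = b"System Security Plan v1 - signed 2026-01-15"
SSP_REGENERATED = b"System Security Plan v1 - signed 2026-03-02"
ENTRY = append_entry(CHAIN, SSP_V1, "J. Practitioner (placeholder)", "2026-01-15T10:00:00Z")
```

The regenerated SSP verifies as a hash mismatch even though its content differs by one date, and any edit to a recorded entry breaks the chain for every later entry.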
What Key 102 looks like
Key 102 Consulting is veteran-owned, SAM-registered, and based in Phoenix, Arizona. UEI TXQFV5FJX797. The company is deliberately structured as a missing-middle vendor:
- Named practitioner signatures. Every readiness report and deliverable carries a specific practitioner's name. Cyber AB RPO enrollment is in progress; methodology follows the registered-practitioner curriculum until activation.
- Server-side cryptographic integrity. Every deliverable carries a SHA-256 hash, RFC 3161 TSA timestamp, and public verify endpoint. The verify endpoint works independently of Key 102's clock and database.
- Published SaaS pricing. Aegis (HIPAA), Vault (PCI), Fortress (CMMC), and Nexus (Logistics) tiers from Self-Service through Audit Co-Pilot. $674 Mission Brief diagnostic entry. No hourly billing on the core engagement.
- Practitioner-pool architecture. Solo today with a 1099 specialist staffing model documented. The pool activates as customer volume warrants; tier promises restore in lockstep with staffing activation.
- Quarterly continuity. Daily Capability Readiness Score, quarterly practitioner-signed readiness reports, annual re-attestation, audit-day support on Audit Co-Pilot tiers.
The honest disclosure: Key 102 is filling the missing middle from a position of building, not from a position of established market dominance. The technical infrastructure is mature. The credential stack is partially built and explicitly disclosed at every customer touch. The practitioner pool will scale as customers do.
For buyers evaluating the missing middle, the diagnostic question survives: can the vendor demonstrate all five characteristics above, and are any gaps honestly disclosed?
The market shift coming
The missing middle isn't structurally unoccupiable. It's been unoccupied because the combination of platform engineering investment + credentialed-practitioner staffing + SaaS-scale pricing discipline + cryptographic-integrity infrastructure is genuinely hard to assemble. As more buyers discover the gap — typically painfully, at audit-day — the demand pressure increases. Vendors who built for the missing middle from the start will be the ones who occupy it.
The buyers who win this transition are the ones who recognize their position now, before audit-day forces the realization.
Start with a $674 Mission Brief
The Mission Brief is a 90-minute diagnostic engagement with Tammie and a practitioner. You walk out with the regulator-ready artifact for your framework — HIPAA SRA, PCI SAQ-D, CMMC L1 SPRS affirmation, or Logistics SD-1580 alignment — plus your initial Capability Readiness Score tier (Compliance Ready / Material Gaps / Significant Work) and the specific gaps that would move you up. The $674 credit converts 1:1 into any annual subscription within 14 days.
UEI: TXQFV5FJX797
Primary NAICS: 541519 (Other Computer Related Services)
Additional NAICS: 541512 · 541690 · 611420
PSC Codes: DJ10 · DJ01 · D302 · R499 · U099
More in the Option A series
- #1 Why your compliance vendor's PDF is not assessment evidence
- #2 32 CFR Part 170: why your CMMC RP and your C3PAO cannot be the same firm
- #3 The 72-hour TSA cyber-incident clock: what surface-transport operators need pre-staged
- #4 Two-party attestation: how the PCI AoC handoff should work
- #5 Cryptographic integrity for HIPAA evidence: hash-anchored audit logs and the OCR question
- #6 A / B / C readiness: what an auditor-comprehensible tier rubric actually looks like
