It isn’t. It will clearly send the wrong message. That you don’t know what you are doing.
I know this takes so, so much time in the early stage. In the early-ish days, doing this will be supremely frustrating. The key is to get big enough so it’s part of someone’s job to just do this. And then … the questions all start to repeat. So it gets easier. Although, still, very time consuming. But once you are big enough — time consuming for someone on the team. Not you. Suck it up until then.
But. It’s totally OK to charge any customer asking for a SecOps audit 15-20% of the ACV in professional services fees overall.
Do that instead.
more here: SaaStr | Don’t Forget the Services Revenue