Full assessment
Actual questions and report flow
This section contains the real assessment engine, not the placeholder website summary.
Step 1 · Profile
Sector, role, and organization
The report is framed by function: risk exposure for security and executive audiences, control gaps for GRC, cost and ROI for finance, workforce and vendor data for HR and legal.
Sector
Select your industry. This sets regulations, primary threats, and frameworks for your report.
Healthcare
Hospitals, health plans, TPAs
Financial Services
Banks, insurers, fintechs
Government
Federal, state, municipal
Manufacturing
Industrial, OT/IT, supply chain
Education
Universities, K-12, EdTech
Energy & Utilities
Utilities, critical infrastructure
Legal & Professional Services
Law firms, professional services
Retail & E-commerce
Retail, e-commerce
Other sectors
Technology / SaaS
Software, engineering, IP
Logistics & Transportation
Fleet, supply chain, delivery
Department / Function
Select the function that best matches how you’ll use this report. Report content is tailored to this lens.
Security
Risk ownership, board reporting
Executive
Business accountability, strategy
Finance
Budget, ROI, cost of risk
Legal
Counsel, contracts, client data
Compliance & privacy
Audit, regulations, privacy
GRC
Frameworks, control gaps, risk register
HR
Workforce, employee data, insider risk
IT
Architecture, operations, delivery
Procurement
Vendor/supplier selection, third-party risk
Evaluating
Researching options
Organization size
Small / Mid-Market
Under 500 employees · $5M–$100M revenue
Enterprise
500+ employees · $100M+ revenue
Startup / Scale-up
Under 100 employees · Pre-revenue to $5M
Government / Non-Profit
Public sector or mission-driven org
Engine activated
Regulations in scope
Primary threats
Frameworks required
Select sector
Step 2 · Assets & data
What’s in scope
Each type maps to specific control requirements. Tick “Outsourced” where a third party processes or stores it.
Data handling role
How your organization acts regarding this data (GDPR/CCPA: controller vs processor)
Data controller
We determine purposes and means of processing
e.g. Customer CRM, employee HR records, patient database you own
Data processor
We process on behalf of another (client/customer)
e.g. Payroll bureau, SaaS platform handling client data, outsourced IT provider
Both / varies
We act as controller for some data, processor for others
e.g. Internal employee data (controller) + client data you process (processor)
Not applicable
No personal data processed — infrastructure or internal systems only
e.g. Internal tooling, OT/SCADA, non-personal operational data only
In scope
Select at least one. Aligned to universal asset classification; frameworks map to control requirements.
Primary informational · Tier 1
Customer/employee records, financial, IP, regulated data — high sensitivity
E-discovery, legal hold, audit trails, chain of custody
FRCP · SOC 2 · Audit evidence
Contract & commercial data
Contracts, BAAs, DPAs, vendor terms
Contract governance · Vendor risk
Infrastructure / operational
OT, ICS, SCADA — industrial and critical systems
Operational Technology (OT / ICS / SCADA)
Industrial controls, critical infrastructure
NERC CIP · ICS-CERT
Critical functions & systems (optional)
Select the business functions and systems that matter most for cascade and concentration. This personalizes the report and improves vendor-to-function mapping.
Critical business functions
Which functions drive your operations and regulatory exposure
Identity / access
SSO, IAM, directory
Customer operations
CRM, support, delivery
Finance / billing
Payments, accounting
HR / payroll
Workforce, benefits
Legal / compliance
Legal hold, audit
Product / service delivery
Core product or service
Vendor onboarding / procurement
Third-party due diligence
Communications
Email, collaboration
Data analytics
BI, reporting, analytics
Other
Other critical function
Critical systems
Systems that support those functions — improves cascade path narrative
IAM / SSO
CRM
ERP
Cloud file storage
Endpoint / device fleet
Email / collaboration
Payment systems
Ticketing / support
Backup / recovery
SIEM / logging
Custom apps
Other
Control requirements — live
Select asset types to see required controls.
Select data role
Step 3 · Third-party
Vendor / service types
Select which types of third-party services you use. This captures risk and concentration for your report.
Service types
Select the types of services that process or store your data. This scopes risk and concentration in your report.
Vendor names (optional)
Add specific vendor names to include in the report and Vendor Risk Radar. You can skip this and still generate.
Third-party scope — live
Select service types. Add vendor names (optional).
Select service types, then generate.
Building your posture report…
Personalized for your role. No sensitive data accessed.
Mapping regulatory requirements to your sector
Generating control baseline from asset types
Enriching vendor profiles from external intelligence
The command center consolidates your sector exposure brief, organizational assessment, vendor and industry threat intelligence, and privacy risk analysis into a single interactive hub. Select any tab below to drill into a specific dimension of your risk posture. Each module can be exported independently for stakeholder distribution.
Command Center · All data generated locally
24h Posture Visibility
Can you answer client impact questions within 24 hours?
Decision-Speed Risk
Likelihood that silos slow response under pressure.
Vendor Concentration
Single points of failure across critical functions.
Sector Industry Exposure Brief
What cascade patterns typically look like in your sector, and what usually gets missed in siloed organizations.
Organization Posture Exposure Snapshot
Role-personalized assessment output generated from your intake. Designed for 24h client response readiness.
Vendor Threat Radar
Check your vendor list against curated disruption signals and identify concentration + dependency blind spots.
Industry Threat Radar
Sector-focused threat signals: KEV, ransomware trends, and industry disruption events.
Vendor Risk Radar
Vendor risk posture, classifications, and concentration. Import CSV/JSON for automatic category and risk scoring.
Data residency, PII/PHI exposure, and regulatory acceleration by asset and vendor.
Industry Threat Intelligence Report
Sector threat actors, attack patterns, and industry metrics for your selected sector.
2. Detailed recommendations
Prioritized recommendations derived from your role, sector, asset scope, and identified gaps. Use these to assign owners and sequence remediation.
3. Action roadmap
A phased, time-bound remediation plan sequenced by risk impact and calibrated to your role and sector. Each phase identifies the recommended action, why it is prioritized at that stage, and what outcome to expect. Use this roadmap to assign owners, set milestones, and track measurable risk reduction.
This report produces six actionable deliverables, each calibrated to your role, sector, and the assets you identified. Four are ready now; two unlock with platform enrollment. Use the descriptions below to understand what each deliverable contains, why it matters, and where to access it.
Framework alignment — Control mapping, gap analysis, and the remediation roadmap in this report align to NIST CSF 2.0 (ID.AM, PR.AC, PR.DS, DE.CM, RS.RP), NIST IR 8374r1, and ISO 27001 where applicable to your scope.
01
Scoped Policy Library · Included
Eight security policies pre-populated with your sector, assets, and regulatory scope. Use as the foundation for control evidence and audit readiness.
Why it matters: Eliminates weeks of policy drafting. Every policy is pre-scoped to your regulatory environment, so your team can review and adopt rather than write from scratch.
Command Center → Policy Library
02
Prioritized Remediation Roadmap · Included
90-day, 6-month, and 12-month action plan sequenced by risk impact and aligned to your role.
Why it matters: Third-party risk is the fastest-growing attack surface. This radar gives you vendor-level visibility before a breach forces the conversation.
Section 1 → Vendor Risk Radar tab
06
Executive Risk Dashboard · Live in platform
Board-ready posture visualization updated continuously as you close gaps and onboard vendors.
Why it matters: Replaces one-time snapshots with a living scorecard. Track progress, demonstrate ROI, and keep stakeholders informed without rebuilding reports.
Risk Posture is the broad starting point. It helps you pressure-test whether fundamental readiness conditions are in place before you shift into ransomware-specific scoring or sector threat context.
This quick website review is intentionally lighter than the full workspace assessment, but it gives you a real starting score and an immediate direction of travel.