CyberTwin
THE SECURITY DECISION ENGINE

Every security answer, proven from one upload.

Upload the firewall, cloud, and identity configs you already have. CyberTwin builds a live twin of your environment and answers the questions that actually matter — every attack path to your crown jewels, what each risk costs in dollars, where you stand across 24 frameworks, and the board packs, audit evidence, and insurance answers you owe — each one a signed proof anyone can re-check. No agents. No scanning. Nothing fabricated.

NO AGENTNO LIVE SCAN24 FRAMEWORKSSIGNED PROOFS
ATTACK PATHSPRICED RISKCOMPLIANCESIGNED PROOFBOARD REPORTSCONFIG REVIEWYOUR LIVE TWIN
(02)REAL ENGINE OUTPUT

Watch a real breach path assemble itself.

Attack paths are one of the questions your twin answers — the same twin also prices your risk, scores your frameworks, and proves it all over time. Here it is on real engine output for a sample estate, mapped across the 15 vendor families we stitch into the attack graph: click any path to trace it hop by hop — foothold to crown jewel — every dollar labeled modeled, every hop declaring its evidence.

FIG.02  //  Attack-path modelSample
Modeled
up to $5.0M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: vpn-poolFortiGate zone: prod-paymentsAWS IAM user: cloudops-admin◆ Secrets Manager: stripe-live-keys
6 hops to Secrets Manager: stripe-live-keys · ~47m to data
Cheapest cut: CloudOps excluded from CA admin policy
Modeled
up to $5.0M
modeled
Phishing victim (Marketing user)Entra group: MarketingMDE: Corp Laptops device groupFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM role: PowerUserRole (overprovisioned)◆ S3 bucket: acme-customer-pii
6 hops to S3 bucket: acme-customer-pii · ~1h to data
Cheapest cut: MFA not enforced for Marketing group
Modeled
up to $5.0M
modeled
Exposed SSL-VPN portal (no MFA)FortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM role: PowerUserRole (overprovisioned)◆ RDS: prod-payments-db
4 hops to RDS: prod-payments-db · ~28m to data
Cheapest cut: SSL-VPN MFA not required
Show 12 more paths
Modeled
up to $5.0M
modeled
Legacy auth not blocked (IMAP / POP)Entra group: MarketingMDE: Corp Laptops device groupFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM role: PowerUserRole (overprovisioned)◆ S3 bucket: acme-customer-pii
6 hops to S3 bucket: acme-customer-pii · ~1h to data
Cheapest cut: Legacy auth not blocked tenant-wide
Modeled
up to $5.0M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM user: cloudops-admin◆ Secrets Manager: stripe-live-keys
6 hops to Secrets Manager: stripe-live-keys · ~53m to data
Cheapest cut: cloudops-admin user lacks MFA on console
Modeled
up to $4.5M
modeled
Internet (Cloudflare-fronted prod app)Cloudflare WAF for app.acme.io (custom skip rule for legacy partner)◆ Origin: app.acme.io (production payments API)
2 hops to Origin: app.acme.io (production payments API) · ~22m to data
Cheapest cut: Cloudflare custom rule with action=skip on managed ruleset
Modeled
up to $2.8M
modeled
Internet (post-drift exposure)◆ S3 reporting-snapshots (drift: s3-bucket-public-read-prohibited NON_COMPLIANT)
1 hop to S3 reporting-snapshots (drift: s3-bucket-public-read-prohibited NON_COMPLIANT) · ~18m to data
Cheapest cut: S3 bucket reporting-snapshots: public-read-prohibited NON_COMPLIANT
Modeled
up to $6.0M
modeled
Okta user: eng-lead@acme (Super Admin)Okta Super Admin roleEntra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: vpn-poolFortiGate zone: prod-paymentsAWS IAM user: cloudops-admin◆ Secrets Manager: stripe-live-keys
7 hops to Secrets Manager: stripe-live-keys · ~51m to data
Cheapest cut: Standing SUPER_ADMIN assignment without JIT
Modeled
up to $2.5M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)MDE: Ops Admin laptopsCrowdStrike Falcon: Engineering host group (200 hosts)◆ Falcon exclusion: rundll32 / appdata\Local\Temp\* permit
4 hops to Falcon exclusion: rundll32 / appdata\Local\Temp\* permit · ~35m to data
Cheapest cut: Falcon exclusion list contains rundll32 + temp paths
Modeled
up to $5.0M
modeled
Branch office Cisco ASA outside interface (sec-level 0)Branch office LAN (sec-level 100)FortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM role: PowerUserRole (overprovisioned)◆ S3 bucket: acme-customer-pii
5 hops to S3 bucket: acme-customer-pii · ~41m to data
Cheapest cut: Cisco ASA shadowed deny rule on branch-outside-in
Modeled
up to $1.8M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)Compromised mailbox (CFO auto-forward to personal)◆ External recipient — exfil destination
3 hops to External recipient — exfil destination · ~24m to data
Cheapest cut: External auto-forwarding allowed org-wide
Modeled
up to $7.5M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM user: cloudops-adminGCP SA: analytics-runner (proj-data)◆ GCP project "proj-prod-payments" admin scope (1 admin SA)
7 hops to GCP project "proj-prod-payments" admin scope (1 admin SA) · ~58m to data
Cheapest cut: Cross-project TokenCreator from analytics → prod
Modeled
up to $6.5M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM user: cloudops-adminAzure SP: deploy-bot◆ Azure subscription m365-ecosystem (Owner inherits to all RGs)
7 hops to Azure subscription m365-ecosystem (Owner inherits to all RGs) · ~56m to data
Cheapest cut: Standing Owner assignment at subscription scope (no JIT)
Modeled
up to $3.0M
modeled
Phishing victim (Marketing user)Entra group: CloudOps (admin)Adversary using stolen valid creds (Sentinel-prod blind to)◆ Undetected: Valid Accounts: Cloud Accounts (T1078.004)
3 hops to Undetected: Valid Accounts: Cloud Accounts (T1078.004) · ~31m to data
Cheapest cut: Coverage gap: T1078.004 has no enabled detection rule
Modeled
up to $6.5M
modeled
Okta IDP (from network diagram)Okta user: eng-lead@acme (Super Admin)Okta Super Admin roleEntra group: CloudOps (admin)MDE: Ops Admin laptopsFortiGate zone: internal-corpFortiGate zone: prod-paymentsAWS IAM user: cloudops-admin◆ Secrets Manager: stripe-live-keys
8 hops to Secrets Manager: stripe-live-keys · ~1h to data
Cheapest cut: Standing SUPER_ADMIN assignment without JIT
Best single fix
Remediating entra-ca-exclude-001 breaks 9 of 28 paths.
The chain is the finding — hops stitch tools into one attacker pathEvery $ figure is modeled — and says so on the chipDated, not live — the board re-draws when you upload, never behind your back
generated 2026-05-07 · sample fixture · modeled

Now check our work — verify a real proof

NO BORROWED LOGOS

No customer logos. Verifiable numbers instead.

Every figure below is a count you can re-derive yourself — the checks re-run against your own uploaded file, the framework set is enumerable, the test suite is what our CI runs on every change. None of it is a usage stat, and none of it is borrowed.

LEFT EMPTY ON PURPOSE
FIG.A
1,917
deterministic config checks
across 37 vendor plugins · deterministic, re-run on your real file every upload
FIG.B
24
compliance frameworks scored
every control labeled proven from config, or modeled
FIG.C
9,000
automated tests behind every number
last counted 2026-07-14 · what CI runs on every change
(02.7)COMPLIANCE COVERAGE

Scored against 24 frameworks — from one upload.

Global standards, US, Europe, and the GCC set most tools skip — SAMA, the NCA suite, PDPL, and DESC. Every framework mapped from a single configuration data set, then scored control by control. No separate questionnaire, no second upload.

(04)Global standards
(04)United States
(04)Europe & UK
(09)Saudi Arabia & GCC
(03)Asia-Pacific & LATAM

Coverage, not certification— we map your configuration to each framework's controls and score it. CyberTwin is not an accreditation body, and naming a framework here does not imply its issuer endorses us.

(04)FROM UPLOAD TO PROOF

One upload becomes the whole story.

No agent, no connectors, no live scan — you hand over the exports you already have, and the engine turns them into structure, paths, prices, and proof. Four beats, told by the product itself.

01 · UPLOAD

Drop in the exports you already have.

A firewall config, an Okta export, a CSPM snapshot — files from your side of the wall. No agent to install, no credentials to hand over, no change window to book. One upload, and the engine has everything it needs.

02 · PARSE

Every rule becomes checkable structure.

The engine parses the real file and runs its vendor's deterministic checks — 1,917 across the catalog — and labels every result: proven when it's read straight from your config, modeled when it's inferred. You always know which is which.

03 · PATHS

Findings chain into priced attack paths.

A finding alone is a to-do; chained, it is a breach. The engine stitches gaps across vendors into the paths an attacker would actually walk — foothold to crown jewel — and prices each one as modeled ALE at risk, with every hop declaring whether it is config-backed or assumed. The fix order defends itself.

04 · PROVE

The report ships with its proof attached.

Board pack, framework scores, signed certificates — every number dated to the upload it came from and re-checkable offline. When your configs change, the next upload re-checks the claim — and where the artifact re-parses (FortiGate, PAN-OS, or OPNsense configs; IaC, CSPM, and identity exports), it re-proves it or shows exactly what broke.

The CyberTwin upload wizard with a real FortiGate config export pasted in — 14,815 characters, secrets redacted before storage.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
01 · UPLOAD

Drop in the exports you already have.

A firewall config, an Okta export, a CSPM snapshot — files from your side of the wall. No agent to install, no credentials to hand over, no change window to book. One upload, and the engine has everything it needs.

The CyberTwin upload wizard with a real FortiGate config export pasted in — 14,815 characters, secrets redacted before storage.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
02 · PARSE

Every rule becomes checkable structure.

The engine parses the real file and runs its vendor's deterministic checks — 1,917 across the catalog — and labels every result: proven when it's read straight from your config, modeled when it's inferred. You always know which is which.

The parsed FortiGate review — posture score, 20 findings, the parse date, and compound findings that each list the exact findings they are built from.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
03 · PATHS

Findings chain into priced attack paths.

A finding alone is a to-do; chained, it is a breach. The engine stitches gaps across vendors into the paths an attacker would actually walk — foothold to crown jewel — and prices each one as modeled ALE at risk, with every hop declaring whether it is config-backed or assumed. The fix order defends itself.

Top attack paths by risk — real cross-vendor chains from the seeded demo, each with hops, time-to-data, modeled ALE at risk, and how much of the chain is config-backed.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
04 · PROVE

The report ships with its proof attached.

Board pack, framework scores, signed certificates — every number dated to the upload it came from and re-checkable offline. When your configs change, the next upload re-checks the claim — and where the artifact re-parses (FortiGate, PAN-OS, or OPNsense configs; IaC, CSPM, and identity exports), it re-proves it or shows exactly what broke.

The Prove hub — dated, signed, re-checkable proof built from uploaded artifacts, with the proof loop from audit to re-proof on re-upload.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
04.5 // One engine, three jobs

Decide. Do. Prove.

One engine runs the whole program — in the order a buyer actually works it. Choose the right stack, make the exact fixes, then hand over proof that re-checks. No agents, no live scan, nothing fabricated.

(01)DECIDE

Decide what to buy

Give the engine your industry, size, frameworks, and budget. It returns three priced stacks with real products at list prices — and the attack paths each design would leave open. You defend the budget with numbers, not vendor decks.

(02)DO

Do the fixes that matter

Upload one config export and Configuration Review parses the real file and runs its vendor's slice of 1,917 deterministic checks; every finding arrives with a copy-paste fix and the attack path it opens. When a CVE trends, type the ID and Breach Replay says whether it reaches you. The exact change, not advice.

(03)PROVE

Prove it holds

Every proven finding lands in a signed, hash-chained ledger, and a fix counts as closed only when your next upload proves it. Hand the auditor a bundle that re-verifies offline — evidence that stays dated, never frozen.

04.7 // Run the program

The PDF is not the finish line. It's the first entry in the register.

Every modeled risk, config-review finding and severed attack path lands in one register — each with an owner and a dollar weight. Assign it, invite the people who fix it, and hand auditors a view-only proof they re-check themselves. The program runs in CyberTwin, not a spreadsheet.

TRACK
One register, every gap — priced.

Modeled risks, config-review findings and attack-path break-points land in a single register, each with an owner and a modeled dollar weight so the fix order defends itself.

ASSIGN
Invite the people who fix it.

Add colleagues by role, assign a finding to an owner, and track it to closed — the next upload re-checks whether the fix actually closed the path.

SHARE
Send a proof, not a screenshot.

Hand an auditor or the board a view-only, re-verifiable snapshot — with view counts and one-click revoke. They re-check the signature themselves; nothing to trust.

Risk registerSample · modeled $3 open
SSL-VPN portal allows password-only auth$420KYYou
PowerUser over-permissive on the PII bucket$310KSSam R.
DMZ → internal VLAN lateral movement allowed$180K+ assign
YSAyour teamInviteShare read-only →

illustrative preview · seeded demo estate · modeled dollars, not a real tenant

(05)THE DELIVERABLES

One upload — every report you owe someone.

Five of the 12 boardroom-grade reports your environment data set renders — real rendered pages from the seeded sample environment, not comps.

Every chained path, its hops, its cheapest cut, and its modeled dollar exposure — the fix order that defends itself.

Attack paths report — first page, rendered from the seeded sample environment.
Sample environment (seeded demo) · rendered from one upload · point-in-time snapshot, no live scan

Download the sample report — every page, no signup

(07)VERIFY IT YOURSELF

Don't take our word for it — re-check it yourself.

The proof is a dated, signed bundle — not a dashboard state. Here's exactly what a re-verify runs: the hash chain re-computes, the signature verifies, the witness matches. Run it on a real bundle in your own browser — no signup, no trust required.

  1. Hash chain re-computedsha256, in your browserPASS
  2. Signature verifiedEd25519PASS
  3. Witness timestamp matcheda3f2…9c41 · 2026-06-30PASS

Every check a re-verify runs — all pass on the sample bundle.

the checks a proof re-verify runs · seeded demo estate · illustrative

Un-Reachability Certificate
No path to customer-data (S3, prod)
in the modeled twin · internet → dmz → lan · FortiGate + Okta twin
SIGNED
2026-06-30
Ed25519
witness a3f2…9c41re-check anytime at /verify
Sample certificate (seeded demo) · scope-bounded · modeled twin · point-in-time
(05.5)HONESTY // SHOW OUR WORK

Every number wears its grade.

No customer logos yet — so instead of asking for trust, we show the grade on the work. A finding is proven, modeled, or honestly unknown, and you can tell which from across the room. The label decides what a number can survive.

ProvenModeledHonest-unknown
FIG.H  //  One finding · three gradesAcme sample fixture

Can an attacker reach the crown-jewel database — through identity, then the endpoint?

The same claim, drawn three ways.

Proven

re-parsed from the bytes of your uploaded config

Modeled

inferred from typical topology — labeled, never hidden

Unknown

a control we can't see from your upload — so we say so

A proven finding holds up under an auditor's challenge — it was re-parsed from your actual bytes. A modeled figure is decision support for sizing budgets. An honest-unknown is the gap we refuse to paper over. You always know which one you're holding.

Read-out // we grade our own pick

The engine grades the stack it recommends — and shows how much of the score is proven versus modeled headroom you'd buy for more.

Our own pick, graded59/100 proven
proven · re-parsed · 59/100modeled headroom · +$40K → 78/100

Any proof bundle re-checks in your browser — nothing uploads. Verify a proof →

(06)PRICING // NO SALES-CALL AMBUSH

The prices are on the page.

Published up front, because there's no ambush waiting on a sales call. Four plans, every number visible — pick the job you're buying for.

Decide
Assess
$4,800/yr
or $499/mo — cancel anytime
  • Scores all 24 frameworks
  • Three priced stacks
  • Breach Replay included
  • 1 config review a year
Deliverable

One session in, one artifact out: a board-ready PDF with your posture score, priced risk, and a sequenced roadmap.

Do
Operate
$14,400/yr
or $1,499/mo — cancel anytime
  • 3 config reviews a year
  • Single-vendor attack paths · Underinsurance Gap
  • Reports you can send · read-only evidence ledger
Deliverable

Upload a real config export and hand the auditor rule-by-rule findings — evidence excerpts and copy-paste fixes included.

ProveMost Popular
Program
$36,000/yr
Annual only
  • Unlimited config reviews · evidence ledger
  • NHI Blast Radius · Vendor Breach · Agent-Reachability Gate
  • SEC materiality tools
  • Un-Reachability Certificate
Deliverable

One environment data set renders 12 boardroom-grade reports — plus signed proofs anyone can re-check at /verify.

Custom
Enterprise
Custom
Contact sales

Program, on your infrastructure, with a human on the other end of the call.

Deliverable

White-label PDFs under your firm’s logo, custom internal control sets, and a single-tenant instance.

START WITH WHAT YOU HAVE

You already have the file. Let's see what it says.

Export a config, upload it, and get your first proven attack path in minutes. No agent. No live scan. No call required.

NO AGENTNO LIVE SCANFIRST PROOF IN MINUTESSIGNED & RE-CHECKABLE

Assess and Operate bill monthly — cancel anytime. Your reports are PDFs; they work after you cancel.