CyberTwin
Sources & provenance

The dated source ledger behind /methodology.

Two kinds of number appear in your deliverables — the risk benchmarks behind the math, and the vendor prices behind the recommendations. Both are sourced and dated here, so when an auditor asks 'where did this come from?', the answer is one page.

Risk benchmarks

Every benchmark, sourced + dated.

The breach-cost and probability benchmarks behind the ALE math. Refresh cadence per source noted; stale-source warnings render in the PDFs.

Breach cost benchmarks
As of 2025-07

Per-record breach cost (US healthcare)

IBM publishes annual benchmarks per industry + per region. CyberTwin uses the US healthcare figure for HIPAA-scoped engagements; the EU figure for GDPR-scoped engagements.

IBM Security Cost of a Data Breach Reportibm.com

As of 2025-05

Ransomware recovery + downtime cost

Median recovery cost + downtime days per industry. Powers the do-nothing scenario ALE for ransomware-heavy industries.

Sophos State of Ransomwaresophos.com

As of 2025-03

Business Email Compromise loss median

Aggregate BEC loss + median per-incident loss. Anchors the BEC risk class in the ALE model.

FBI IC3 Internet Crime Reportic3.gov

Threat actor + vulnerability intelligence
As of 2026-04

MITRE ATT&CK TTP catalog

All ATT&CK techniques + sub-techniques referenced in threat-actor mappings. Updated quarterly when MITRE publishes new techniques.

MITRE ATT&CK Enterpriseattack.mitre.org

As of 2026-05-15

CISA Known Exploited Vulnerabilities catalog

Vulnerabilities with confirmed active exploitation. Cross-referenced when surfacing vendor patching priorities.

CISA KEVcisa.gov

Compliance frameworks
As of 2025-12

SOC 2 Trust Services Criteria

TSC 2017 revised criteria. Compliance scoring crosswalks every CC + Privacy criterion to a control mapping.

AICPAaicpa-cima.com

As of 2025-12

ISO/IEC 27001:2022

Annex A 2022 controls. CyberTwin maps each control to an engine capability + an evidence-collection workflow.

ISOiso.org

As of 2026-03

PCI DSS v4.0

v4.0.1 requirements with March 2025 effective dates. Scope-reduction analysis honors the v4 service-provider categories.

PCI Security Standards Councilpcisecuritystandards.org

As of 2025-09

NCA ECC v2 (Saudi Arabia)

ECC v2 controls plus the data-sovereignty + cloud-controls extensions.

Saudi National Cybersecurity Authoritynca.gov.sa

Pricing + currency
As of Quarterly refresh

Vendor product price catalog

See the per-vendor sourcing manifest at /docs/sources for the publisher URL + the refresh cadence per vendor.

Per-vendor (publisher list price or partner-attested)

Compliance benchmarks
As of Refreshed when carriers publish revisions

Cyber-insurance carrier questionnaires

CyberTwin auto-fills the questionnaire from tenant data; the canonical question shapes come from the carriers' published forms.

Carrier-published forms (the major cyber-liability carriers)

Catalog price sourcing

Where every vendor price comes from.

99+ vendor products across 37 vendor plugins, each carrying a provenance label.

Publisher list price (preferred)

When a vendor publishes a per-seat / per-endpoint list price publicly, that's the source we use. Microsoft, AWS, Cloudflare, and many SaaS vendors fall here. Refresh cadence: quarterly. The source URL is recorded for every entry.

Partner-attested price

When a vendor sells exclusively through resellers + does not publish list price, we use a partner-attested rate (i.e., a number a current reseller has confirmed in writing). Used for most appliance vendors (Palo Alto, Fortinet, Cisco). Refresh cadence: semi-annual. We flag these entries in the PDF with a "partner-attested" provenance label.

Estimate based on public RFPs

When neither list price nor partner attestation is available, we use the median price across recent public RFP awards (gov, education) for the same SKU. Refresh cadence: annual. These entries carry the most cautious "estimate" provenance label.

Most recent pricing pass

A sample of the catalog's current pricing pass — every list price was captured and dated in one pass, and each product records that date as last_priced_at. The source type is shown per vendor; the authoritative per-product source URL lives in the manifest and is cited in your report.

Priced as ofVendor / productSource
2026-05-06Microsoft Defender for Endpoint P2Per-user list price, verified from Microsoft published pricing
2026-05-06CrowdStrike Falcon Insight XDRQuote-based — unit price from analyst / partner benchmark
2026-05-06Fortinet FortiGate 100FAppliance list price, verified from public reseller listings
2026-05-06AWS GuardDuty / DetectiveUsage-based — unit price from AWS published pricing
2026-05-06Okta Workforce Identity CloudPer-user list price, verified from Okta published pricing

Every catalog entry carries its full per-vendor manifest — source URL and refresh date included — inside the engine, and each recommendation in your report cites it.