CyberTwin
THE WHOLE ENGINE, ONE PAGE

Every capability, in plain English.

Every feature here answers a question you already get asked — by the board, the auditor, the broker, the regulator. Each one names what the engine reads, the artifact it produces, what it needs from you first, and the plan it ships on. No agents. No live scan. Nothing fabricated.

Four terms carry this page — defined once, in the glossary just below.

37
config vendors
1,917
deterministic checks
24
frameworks scored
The CyberTwin assessments hub — capabilities as plain-English questions, each declaring what it proves and what it models.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
(00)The four words this page leans on
The twin
The working model of your environment, assembled from artifacts you upload — configs, diagrams, identity exports. No live scan, no agent, no connected integration.
Crown jewels
The systems and data you declare as the ones that matter — optionally with a dollar value at risk.
Attack path
A modeled route an attacker could take from an entry point to a crown jewel, stitched across your real tool configs.
Proven vs modeled
What we re-parse from your files is labeled proven; what we model is labeled modeled — never blurred.
(01)Decide

Decide what to build — and defend the spend.

Before you spend a dollar: what to build, what it costs at real list prices, and whether the plan survives the same attack-path stress test we run on everyone else.

The assessments hub — 13 assessments as plain-English questions, grouped by readiness, each declaring what it proves and what it models.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
(01)Design Mode

What should we build — and what will it cost?

Answer a short intake — industry, headcount, regions, frameworks, budget — and the engine returns three priced stacks (Lean / Balanced / Advanced) with real products at list prices and the deployment plan for each. Every design is stress-tested by the same attack-path engine before it counts as done. Example: a 200-person fintech with a $130k budget gets a SOC 2 + ISO 27001-aligned reference architecture and an 18-month roadmap.

Reads Your intake answers — industry, size, regions, frameworks, budget. · Requires Nothing else.

Every planDEEP DIVE
(02)Review Mode

Is what we already run actually sound?

Describe what you already run — or upload the diagrams and the engine extracts the stack — and get your posture scored, the coverage gaps ranked, and the redundant tools named with their consolidation savings in dollars. The output is a swap / augment / consolidate roadmap, plus the specific upgrade that moves each framework score.

Reads Diagrams, docs, and intake — modeled reachability is labeled modeled.

Every planDEEP DIVE
(03)HonestGrade

Would you trust a stack the vendor won’t grade?

We grade our own recommendation — out loud. On the sample, the Balanced stack scores 59/100 and the Advanced stack 78/100, from the same published rubric that scored you.

Reads The engine’s own recommendation, run back through its scoring rubric.

(04)Scenario diff

Which of two futures should we pick?

Save two or more assessment scenarios and the engine diffs them side-by-side — posture score, modeled dollar exposure, and the attack paths each future opens or closes. The budget meeting compares two priced futures instead of two opinions.

Reads Two or more saved assessment scenarios.

Every plan
(05)Pre-flight Change Gate

Will this change break us — and by how much, in $?

Propose a config change before you ship it; the engine re-simulates your twin and prices the attack paths the change would open — caught at the whiteboard, not in the incident review. The answer is a diff against your current posture: paths opened, paths closed, and the dollar delta between them.

Reads The proposed change, diffed against your existing twin. · Requires An existing assessment to diff against.

(02)Find & fix

Find what’s exposed. Fix it with the exact change.

Everything here runs on the files you upload. Findings on your real configs are labeled proven; the routes we infer are labeled modeled — and every finding arrives with the exact line that closes it.

fortigate-fw01.conf · policy 24 · seeded demo
config firewall policy
edit 24
set srcintf "wan1"
set dstintf "dmz"
set service "ALL"
+ set service "HTTPS"
set action accept
next
end
What this line changes
1 attack path closed
modeled exposure −$2.8M
  • internet → dmz jump-host hop is no longer traversable
  • the finding moves to fixed on your next upload — proven, not promised
  • the exact line ships with the finding: copy-paste, not advice
Sample environment (seeded demo) · exposure modeled, labeled as such
(01)Configuration Review

Would your tool configs pass an audit?

Upload one config export and the engine parses the real file against its vendor's deterministic checks (1,917 across 37 vendors) — findings on the real file are labeled proven, each with an evidence excerpt and a copy-paste fix. On the sample FortiGate upload: 42 findings, posture 32/100, and a replacement snippet for the worst one. No live scan, no agent, no connected integration.

Reads One uploaded config export — secrets redacted before storage.

Assess: 1/yr · Operate: 3/yr · Program: unlimitedDEEP DIVE
(02)Attack paths

How would an attacker actually reach your crown jewels?

A modeled route an attacker could take from an entry point to a crown jewel, stitched across your real tool configs.

The engine stitches your real tool configs into one graph and walks it the way an attacker would — kill-chain rows from a foothold to your crown jewels, annotated against 26 MITRE ATT&CK techniques. Each path carries a modeled dollar exposure and names the cheapest single fix that breaks it.

Reads Your twin — configs, diagrams, identity exports.

Single-vendor on Operate · Multi-vendor on ProgramDEEP DIVE
(03)Breach Replay

A CVE is in the news. Does it reach you?

A CVE is trending. Type its ID — see if it reaches you.

Type the CVE ID and get one honest verdict — exposed (modeled), defended (proven), not-applicable, or a plain no-guess refusal when your twin can’t resolve it. Underneath: a dated facts card cited to NVD, CISA KEV, and EPSS, the routes a foothold could ride to your crowns with a dollar figure, and the controls that shut the technique down.

Reads Your existing twin + the cited CVE record (MITRE, CISA KEV, EPSS, NVD). · Requires No re-upload — replayed against what you already gave us.

From AssessDEEP DIVE
(02·B)Blast radius — one question, three doors

The blast-radius family answers one question — if this single thing is compromised, what does it reach, in dollars? — for the three things you get asked about most: a leaked service account, a breached vendor, and a new AI agent asking for scopes.

(01)NHI Blast Radius

If one service account leaks, what does it reach?

If one service account leaks, what does it reach — and what is that worth?

Your service accounts outnumber your people. Every non-human identity becomes one register row with the four answers that matter — who it is, what it reaches, what that is worth, and the one cut that stops it. Reaches nothing? The row shows null, never a reassuring zero.

Reads Identity exports you upload — OAuth apps, service accounts, workload identities.

(02)Vendor Breach Simulator

If this vendor is breached, what do they reach inside you?

If this vendor is breached, what do they reach inside you?

A security rating vs. this: one is a guess about someone else. The other is a fact about you. Declare the access a vendor holds and we replay its breach against your real attack graph — routes, dollars, and the one cut.

Reads The access you declare the vendor holds — never the vendor’s posture.

(03)Agent-Reachability Gate

Before you grant an AI agent its scopes — what could they reach?

Before you grant an AI agent its scopes: what could those scopes reach?

A BLOCK / REVIEW / ALLOW verdict for the scopes you declare, priced in dollars, with the one scope to strip — modeled pre-grant on a tenant-safe clone, never the agent’s behavior. Paste the MCP manifest or a plain scope list; the verdict ships as a signed Agent Authority Record your auditor can re-check.

Reads The scopes you declare — an MCP manifest or a plain scope list.

(01)Findings register

Who owns each finding — and is it actually closed?

Every finding from every assessment lands in one actionable register — assign an owner, set a due date, track it to closed. No more findings scattered across three PDFs and a spreadsheet nobody reconciles.

Reads Findings from your assessments and reviews.

(02)Fix-impact simulator

Which fix buys the most risk down?

Rank candidate fixes by the modeled dollar exposure each one removes, computed by re-simulating your twin without the gap. The top move arrives defended in dollars against the next-best move — a budget argument, not a severity color.

Reads Your twin + the open findings register.

(03)What-if / Counterfactual

What if we segmented the network — would it matter?

Toggle hypothetical changes — segment a VLAN, tier the admins, retire a path — and re-run the real engine against your projected twin. Simulation only, labeled as such, never blended into your live posture.

Reads Your twin + the hypothetical changes you toggle.

(04)Incident retrospective

We had an incident. What do we tell the team — and the board?

Feed it the incident facts and it builds a structured retrospective against your modeled paths — what happened, which route it rode, what it cost, and the specific change that closes it. Written for two rooms at once: the team that fixes it and the board that asks about it.

Reads Your twin + the incident facts you provide.

Operate+
(05)AI attack-surface discovery

What AI is already running in your cloud — and what could reach it?

From your ingested cloud posture, the engine discovers the AI and LLM services in your estate — and the non-human, agentic identities that can invoke them — then folds each into your attack graph. You see, conditionally and never fabricated, which of them an attacker could reach and abuse. The AI you forgot you deployed is the AI an attacker finds first.

Reads A cloud posture export you upload — no live connection, no agent.

Program
(06)Data residency map

Where does your regulated data cross a border it shouldn’t?

The engine maps where your regulated data actually lives and every point a path would carry it across a sovereignty boundary — the crossing GDPR, a data-protection regulator, or your own policy cares about. Surfaced only where a real residency signal exists in what you declared, never invented to fill a table.

Reads Crown jewels you declare with a residency attribute.

Program
(07)OT / ICS exposure

What’s exposed on the plant floor, below your IT controls?

Upload an inventory export and the engine places your operational-technology assets on their Purdue / IEC-62443 level, then makes the gap between your IT controls and the plant floor explicit — the reachable path from a corporate foothold down to a device that was never meant to be routable. The half of your estate a config audit alone never sees.

Reads An OT / ICS inventory export you upload.

Program
(03)Prove

Prove it — to people who don’t trust you.

Dated, signed, re-checkable. What we re-parse from your files is proven; what we model is modeled — and anyone can re-verify a proof in their own browser, with no account and without trusting us.

The Un-Reachability Certificate surface honestly refusing to certify — a modeled path reaches the crown, so the engine shows the path to cut instead of issuing the proof.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
(01)Re-upload to re-prove

Is last quarter’s posture still true today?

Re-upload an export on your cadence and the engine re-checks it against the same rules — and where the artifact re-parses (FortiGate, PAN-OS, and OPNsense configs; IaC, CSPM, and identity exports), posture is re-proven, not re-asserted. Each pass becomes a dated snapshot, so your posture has a history instead of a memory. No live scan, no agent, no connected integration.

Reads A fresh export of the same config, whenever you choose.

Operate+
(02)Evidence ledger

Can you show an auditor proof that holds over time?

Hash-chained, dated proofs from your own uploaded configs.

Every proven finding lands in a hash-chained, signed ledger, with its evidence excerpt and its date. Hand the auditor a bundle that re-verifies offline — proof that holds over time, not a screenshot that ages. View your signed ledger on Operate; the re-proving loop — regressions, drift, and auto-answers — is Program.

Reads The proven findings from your uploaded configs.

Operate+ (view)
(03)Un-Reachability Certificate

Can you prove a crown jewel is NOT reachable?

A signed, dated proof a crown jewel is NOT reachable — re-checkable without trusting us.

Declare a crown jewel and, if no modeled path reaches it, the engine issues a signed, dated certificate — scope-bounded to what the twin can see, and honestly refused when a path exists. It travels with its witness, so anyone can re-run the check without trusting us.

Reads Your twin + the crown jewel you declare.

(04)Verify a proof

Why should anyone believe your proof?

Trust the proof without trusting us. Drop any proof bundle, certificate, or agent record on /verify and it re-checks in your browser — nothing uploads, no login.

Reads A proof bundle — yours or one someone sent you.

(05)Fits your stack

Does it push to our Jira / ServiceNow and feed our SIEM?

A read-only REST API (Bearer-token, per-org rate-limited) exposes your posture, findings, compliance scores, and risk acceptances so your GRC/BI tools pull the current numbers on a schedule — no PDF export. Signed outbound webhooks fire on the events that matter (including “a proven control reopened”) into Jira, ServiceNow, or a SIEM, and posture exports as OSCAL for tools that speak it. The honesty grammar survives the wire: every pushed figure keeps its PROVEN/MODELED label.

Reads The same twin every other feature reads — surfaced over an API + webhooks, never a new scan.

(06)Copilot

Can you just ask your environment a question?

Ask your twin in plain English — “which crown jewels can a phished laptop reach?”, “what changed since last month?”, “are we DORA-ready?” — and every answer arrives with the exact attack path, config finding, or ledger entry that proves it. If the engine can’t prove it, the copilot says so: never an ungrounded LLM guess.

Reads Your live twin — the same graph, findings, and signed ledger every other answer is built on.

(07)Proven-closure copilot

Is that fix actually closed — or just marked closed?

Mark a fix done and it stays “awaiting proof” until a re-uploaded config actually shows the change — closure is proven, never self-attested. And you can ask your evidence questions in plain English; the copilot answers from the ledger, with citations.

Reads The evidence ledger + your re-uploaded configs.

Program
(08)Underinsurance Gap

Would your cyber policy actually cover your worst day?

Your modeled loss vs your declared policy limit — where the limit breaks.

Your modeled loss against the limit and retention you declare — where the limit breaks, in dollars. Unpriced means unpriced — never "covered." Modeled and declared, never a claim your coverage is inadequate; not insurance advice.

Reads Your modeled exposure + the policy limit and retention you declare.

Operate+DEEP DIVE
(09)SEC Materiality

An incident hits. Is it material — and what do you file?

The dollar estimate, the 4-day 8-K clock, and the draft — for your disclosure committee.

An incident hits, and the clock questions follow. You get a directional dollar estimate grounded in your modeled exposure, the 8-K Item 1.05 workpaper draft, and the DORA, NIS2, GDPR, US-state, and SEC notification clocks reconciled on one cited board. Decision support for your disclosure committee, never a determination.

Reads Your twin + the incident facts your disclosure committee holds.

(04)Reports

One upload. A report for every reader.

The board, the auditor, the broker, and the regulator each get their own artifact — rendered from one uploaded environment, every figure traced to the same underlying truth, never re-typed by hand.

A built quarterly board pack from the seeded demo — posture score, annualized loss, open criticals, and the posture-trend narrative, every number derived.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
(01)Compliance readiness

Where do you stand on the frameworks that matter to you?

All 24 frameworks scored in one pass, with EXPLICIT / DERIVED provenance on every control — so you know what's audit-grade and what's directional. The honest ceiling: a score built only on derived mappings caps at 70/100, because a crosswalk never gets to masquerade as an audit.

Reads Your twin + any audit reports and security docs you upload.

(02)One upload, many reports

What do you send the board, the auditor, the broker?

One environment data set renders 12 boardroom-grade reports — the board pack, the auditor evidence pack, the broker questionnaire, the attack-path simulation, and more. Each is written for its reader, and every figure traces to the same underlying truth.

Reads The same twin every other feature reads — no extra uploads.

(03)Board pack

Will the board understand it in one read?

A risk-quantified, vector-only PDF: the dollar exposure, the top moves, and the one thing — with sourced citations throughout and a signed methodology page. Present it live in the browser, or export the editable slide deck (.pptx) to take into the boardroom — your framing and honesty labels survive into the room instead of being re-typed. It ships on every tier, because the board question doesn’t wait for an upgrade.

Reads Your assessment results.

Every tier
(04)Auditor evidence pack

What do you hand the auditor?

Every audited control mapped to its evidence — findings, excerpts, framework mappings — and exported as one pack. Show-me artifacts instead of trust-me assertions, assembled from data you already entered.

Reads Your proven findings + compliance scoring.

Operate+
(05)Regulator-ready reports

What do you file with your regulator?

The regulated-market deliverables, generated from the same twin: a SAMA CSF quarterly posture summary from your snapshot series, a DORA ICT-risk register, and the NIS2 / GDPR / US-state / SEC notification clocks reconciled on one board. Regulator-ready documents you hand over — not just a framework score. Decision support for your compliance function, never a filing determination.

Reads Your twin + your snapshot history + the frameworks in scope for your jurisdiction.

(06)Insurance questionnaire pre-fill

Could your insurance answers cost you at renewal?

Questionnaires for 5 carriers, pre-filled from the twin with each answer traced to its source. Premium-loading answers are flagged before you bind — so the renewal starts from your real posture, not a guess made under deadline.

Reads Your twin + the questionnaire your broker sends.

Operate+
(07)Stakeholder share

Can you share a report without losing control of it?

Send any report as a view-only link with an expiry date and a view cap — no attachment drifting through inboxes forever. Recipients see exactly what you sent, and nothing you didn’t.

Reads Any report you choose to share.

Operate+
(08)Questionnaire auto-answer

A customer sent a 200-question security questionnaire. Do you fill it by hand?

The engine maps your proven controls onto the questions in an inbound security questionnaire — CAIQ, SIG, VSA — and drafts each answer, cited back to the evidence that backs it. You review and send instead of starting from a blank column. The proofs you already hold become the answers a deal is waiting on.

Reads Your proof ledger + the questionnaire you upload.

Program
(09)Year-in-review

What did the security budget actually buy this year?

The year’s posture story — proofs accumulated, findings closed, exposure moved, in dollars — rendered 60 days before your renewal. The budget conversation starts from what the spend actually bought, not from memory.

Reads Your assessment history and evidence ledger.

Program
(10)White-label PDFs

Can a partner firm ship this under its own brand?

Your firm’s logo on every PDF, your internal control set mapped alongside the public frameworks, and a single-tenant instance. Built for partner firms that ship CyberTwin output under their own brand.

Reads Your branding assets + your control sets.

Enterprise
(05)Coverage

What the engine covers — derived live, never claimed.

Every number below is computed from the engine’s own registries. Coverage grows, these grow; it shrinks, they shrink. Nothing here is a marketing figure — 15 vendors already stitch into a single attack graph.

37
config vendors, each with its own deterministic check set
1,917
deterministic checks — no heuristics
24
frameworks scored at once
15
vendors stitched into attack paths

9,000 automated tests · 22 tenant-isolation tests

null, never $0

an exposure we can’t price shows null — never a reassuring zero

no-guess refusals

when the engine can’t resolve an answer, it says so instead of guessing

modeled is labeled modeled

what we re-parse from your files is labeled proven; the rest is labeled modeled

START WITH WHAT YOU HAVE

Ask it about your environment.

Export a config, upload it, and get your first proven attack path in minutes. No agent. No live scan. No call required.