The quarterly board pack
Board packPosture trend, dollar exposure, framework coverage. Rendered from assessment data you already entered — no second data entry.
CISOs, founders, compliance leads, regulated SaaS — each section shows the artifacts and frameworks that matter to your role.
Pick the role that fits — each card jumps to the artifacts, frameworks, and example output for that job.
Risk in dollars, not a colour-coded heat map — so a budget meeting ends in a decision. Board pack, audit evidence, the 8-K call, the renewal, each rendered from data you already entered.
Posture trend, dollar exposure, framework coverage. Rendered from assessment data you already entered — no second data entry.
Every audited control mapped to its evidence — findings, intake answers, snapshots, documents. Gaps ranked by remediation effort.
The materiality determination — not the incident — starts the four-business-day clock. The engine drafts the dollar estimate — labeled modeled — and the disclosure narrative.
See the materiality tools →The questionnaire arrives pre-filled from your posture. Premium-loading answers are flagged before you submit.
Overlapping capabilities surface with the dollar delta, labeled modeled. You decide what to cut before renewal.
Each re-upload adds a dated snapshot. The year-over-year chart is history, not memory.
No CISO yet, a questionnaire on the table. Assess produces the document in one session.
A 5,000-person prospect sends a SIG Lite questionnaire and asks for your SOC 2 report. You have neither. Vendor-risk teams send these regardless of your headcount.
Run Assess in one session. Return the questionnaire with a scored posture assessment and evidence pack — same day, deal alive.
A director asks about your cyber risk profile. Every answer you have sounds improvised.
Walk in with the PDF: posture score, top risks, a dollar-labeled do-nothing scenario, a 90-day roadmap.
A company in your category gets breached. Investors ask: are we exposed to that?
The assessment names the techniques active in your sector and the controls in your stack that answer them. A specific answer, not arm-waving.
Renewal lands with twelve pages of technical questions you can’t answer alone.
Your assessment maps to the standard questionnaires. You answer truthfully, with the premium-loading questions flagged first.
They start with “tell me about your posture.” You have nothing written down.
Hand them the assessment on day one. They start fixing instead of spending a month on discovery.
$499/mo or $4,800/yr — annual saves $1,188.
Monthly, cancel anytime.
Most founders start on Assess and upgrade when the first security hire lands. Upgrades prorate.
All 24 frameworks scored at once — each control labeled with where its score came from.
We authored the mapping from the product to the framework’s controls. Full audit weight — the score you defend in front of an auditor.
Scored through the crosswalk table, capped at 75% per control. Signal for direction — not yet audit-grade for the derived framework.
Part direct mapping, part crosswalk. Audit-grade where direct, indicative where derived — every contribution inspectable.
When a framework has no authored mappings at all (all-derived), we show no framework number — it reads not directly scored rather than a manufactured score. When direct evidence exists but is thin, the number is capped at 70/100 (ceiling) with a footnote. A derived score never masquerades as a direct audit.
Whatever your regulators are, the engine scores against them. Crosswalk-derived where direct authoring is not yet complete — provenance always visible.
Direct per-product mappings. Full audit weight.
Direct mappings, calibrated for European regulatory specifics.
Direct + crosswalk-derived across the NCA family. Provenance always visible.
Derived from anchor frameworks, ceiling-capped, labeled.
Fintech & payments teams land here. PCI DSS, SOC 2, plus your regional banking framework — scored together, in one pass.
Your buyer's vendor-risk team treats you like any third party touching customer data — whatever your headcount.
The questionnaire arrives and their review runs 6–12 weeks. CyberTwin scores SOC 2 and ISO 27001 against your real configurations in one session — so you answer with artifacts, not promises.
A poisoned dependency reaches production before any review catches it. Days later it touches customer data.
Laptops carry production-adjacent credentials. One leaked secret in a public commit is immediate access.
A departing admin exports customer data through product paths — CSV, tokens, BI. No perimeter alert fires.
SOC 2 and ISO 27001 playbooks are both authored and current — each scored on its own direct mappings, with provenance labels showing direct versus derived. EU playbooks (NIS2, DORA) are deferred — the assessment says so explicitly.
Healthtech teams land here too. HIPAA, ISO 27001, PHI handling — the same review, scored against your regulators.