CyberTwin
Who it's for

Built for the job you hold.

CISOs, founders, compliance leads, regulated SaaS — each section shows the artifacts and frameworks that matter to your role.

Pick the role that fits — each card jumps to the artifacts, frameworks, and example output for that job.

Role · CISOs

Numbers your CFO can read.

Risk in dollars, not a colour-coded heat map — so a budget meeting ends in a decision. Board pack, audit evidence, the 8-K call, the renewal, each rendered from data you already entered.

Six things you do every quarter

The quarterly board pack

Board pack

Posture trend, dollar exposure, framework coverage. Rendered from assessment data you already entered — no second data entry.

Audit evidence prep

Auditor pack

Every audited control mapped to its evidence — findings, intake answers, snapshots, documents. Gaps ranked by remediation effort.

The 8-K materiality call

SEC materiality module

The materiality determination — not the incident — starts the four-business-day clock. The engine drafts the dollar estimate — labeled modeled — and the disclosure narrative.

See the materiality tools →

The insurance renewal

Broker pack

The questionnaire arrives pre-filled from your posture. Premium-loading answers are flagged before you submit.

Tool consolidation analysis

Consolidation findings

Overlapping capabilities surface with the dollar delta, labeled modeled. You decide what to cut before renewal.

The posture trend

Dated snapshots

Each re-upload adds a dated snapshot. The year-over-year chart is history, not memory.

Do-Nothing scenario · Acme Capital
ALE today
$3.8M
modeled · P50, ±37% band
ALE after Balanced
$720k
−$3.08M risk reduction
ROI multipleStack $128,400/yr
24×
SOC 288
ISO 2700171
PCI DSS64
Illustrative — sample numbers for a representative fintech profile.
Exhibit 1

Quarterly hours — hand-assembled vs rendered

Quarterly board pack80h current4h with CyberTwin (saves 76h)Audit-evidence prep60h current8h with CyberTwin (saves 52h)Insurance questionnaire24h current4h with CyberTwin (saves 20h)Tool consolidation analysis16h current1h with CyberTwin (saves 15h)Quarterly posture review8h current0h with CyberTwin (saves 8h)Hours per quarterTotal saved: ~171h/quarter
Where the quarter goes: board packs and audit prep dominate. The engine renders both from data you already entered.
Source: Illustrative estimates, calibrated against public CISO time-allocation surveys — not measured CyberTwin usage data
Role · Founders & CTOs

For the week it becomes urgent.

No CISO yet, a questionnaire on the table. Assess produces the document in one session.

01

The SOC 2 ask

Symptom

A 5,000-person prospect sends a SIG Lite questionnaire and asks for your SOC 2 report. You have neither. Vendor-risk teams send these regardless of your headcount.

Response

Run Assess in one session. Return the questionnaire with a scored posture assessment and evidence pack — same day, deal alive.

02

The board question

Symptom

A director asks about your cyber risk profile. Every answer you have sounds improvised.

Response

Walk in with the PDF: posture score, top risks, a dollar-labeled do-nothing scenario, a 90-day roadmap.

03

The peer breach

Symptom

A company in your category gets breached. Investors ask: are we exposed to that?

Response

The assessment names the techniques active in your sector and the controls in your stack that answer them. A specific answer, not arm-waving.

04

The insurance questionnaire

Symptom

Renewal lands with twelve pages of technical questions you can’t answer alone.

Response

Your assessment maps to the standard questionnaires. You answer truthfully, with the premium-loading questions flagged first.

05

The first security hire

Symptom

They start with “tell me about your posture.” You have nothing written down.

Response

Hand them the assessment on day one. They start fixing instead of spending a month on discovery.

SIG Lite excerpt · Acme Capital
  • Do you have a documented information-security policy?
    YesDefinite
  • Is MFA required for all administrative accounts?
    Yes — Entra Conditional Access policyDefinite
  • Do you maintain an incident-response plan?
    Yes — last reviewed 2026-04Definite
  • Are encryption-at-rest and -in-transit applied to customer data?
    Yes — AES-256 + TLS 1.3Definite
  • Annual penetration test performed by qualified third party?
    In flight — first test scheduled Q3 2026Inferred
Illustrative — sample answers for a representative profile.
Assess

$499/mo or $4,800/yr — annual saves $1,188.

Monthly, cancel anytime.

Not included on Assess
  • Cross-vendor attack chains · Program
  • Evidence ledger · Program
  • Auditor + insurance broker packs · Operate and up
  • Monthly engine refresh · Operate and up

Most founders start on Assess and upgrade when the first security hire lands. Upgrades prorate.

Role · Compliance leads

Provenance on every score.

All 24 frameworks scored at once — each control labeled with where its score came from.

EXPLICIT

Direct per-product mappings

We authored the mapping from the product to the framework’s controls. Full audit weight — the score you defend in front of an auditor.

DERIVED

Crosswalk from anchor frameworks

Scored through the crosswalk table, capped at 75% per control. Signal for direction — not yet audit-grade for the derived framework.

MIXED

Direct plus crosswalk supplement

Part direct mapping, part crosswalk. Audit-grade where direct, indicative where derived — every contribution inspectable.

When a framework has no authored mappings at all (all-derived), we show no framework number — it reads not directly scored rather than a manufactured score. When direct evidence exists but is thin, the number is capped at 70/100 (ceiling) with a footnote. A derived score never masquerades as a direct audit.

Coverage, by region

Whatever your regulators are, the engine scores against them. Crosswalk-derived where direct authoring is not yet complete — provenance always visible.

United States & general

Direct per-product mappings. Full audit weight.

SOC2SOC 2 Trust Services Criteria
NISTNIST CSF 2.0 + 800-53 Rev 5
PCIPCI DSS 4.0
HIPAAHIPAA Security Rule
CISCIS Controls v8
CMMCCMMC Level 2
Europe & UK

Direct mappings, calibrated for European regulatory specifics.

GDPRGeneral Data Protection Regulation
ISOISO/IEC 27001
NIS2NIS2 Directive
DORADigital Operational Resilience Act
CE+Cyber Essentials Plus
KSA & Gulf

Direct + crosswalk-derived across the NCA family. Provenance always visible.

NCANCA ECC v2 / CCC / CSCC / OTCC
SAMASAMA Cyber Security Framework
PDPLPersonal Data Protection Law (KSA / UAE)
UAEUAE IA / NESA
DESCDubai Electronic Security Center
APAC & LATAM

Derived from anchor frameworks, ceiling-capped, labeled.

E8Australia Essential Eight
DPDPIndia Digital Personal Data Protection
LGPDBrazil LGPD

Fintech & payments teams land here. PCI DSS, SOC 2, plus your regional banking framework — scored together, in one pass.

Industry · Regulated SaaS

For the enterprise security review.

Your buyer's vendor-risk team treats you like any third party touching customer data — whatever your headcount.

The SIG Lite moment

The questionnaire arrives and their review runs 6–12 weeks. CyberTwin scores SOC 2 and ISO 27001 against your real configurations in one session — so you answer with artifacts, not promises.

Three threat patterns that define SaaS risk

Supply-chain compromise

T1195 · Supply Chain Compromise

A poisoned dependency reaches production before any review catches it. Days later it touches customer data.

Answered bySoftware-composition checks at build time, dependency-review gates on every PR, lockfile pinning in CI.

Credential theft from developer machines

T1078 · Valid AccountsT1552 · Unsecured Credentials

Laptops carry production-adjacent credentials. One leaked secret in a public commit is immediate access.

Answered byWorkforce SSO with conditional access, a managed secrets vault, push-time secret detection.

Insider exfiltration through legitimate exports

T1041 · Exfiltration Over C2 Channel

A departing admin exports customer data through product paths — CSV, tokens, BI. No perimeter alert fires.

Answered byDLP on export paths, behavioural analytics over the audit log, just-in-time access to production data.
Honest scope

SOC 2 and ISO 27001 playbooks are both authored and current — each scored on its own direct mappings, with provenance labels showing direct versus derived. EU playbooks (NIS2, DORA) are deferred — the assessment says so explicitly.

Healthtech teams land here too. HIPAA, ISO 27001, PHI handling — the same review, scored against your regulators.

Whichever section is yours

One session from signup to artifact.