CyberTwin
01 // How it works

One session. One defensible assessment.

You describe your environment and upload real artifacts — configs, network diagrams, identity exports. An eleven-step deterministic engine turns them into the assessment: same inputs, same output, no judgment calls hiding in the middle.

NO AGENTNO LIVE SCANSAME INPUTSSAME OUTPUT
DETERMINISTIC ENGINE< 2s
configs · diagrams · exports
  1. 01Profile builder
  2. 03Product selector
  3. 06Compliance mapper
  4. 08Do-Nothing modeler+6 MORE
  5. 11Validator
One board-ready assessment · every number sourced
02 // The engine

Eleven steps, each auditable.

The pipeline runs in five movements — from the files you upload to a report you can defend. A typical profile computes in well under two seconds, and every step is inspectable from the structured output.

11auditable steps24frameworks scored<2smedian compute
  1. (01)INGEST

    You bring the evidence.

    Upload real artifacts — configs, network diagrams, identity exports — and answer an intake that adapts to what you tell it. No agent. No live scan. Everything normalizes into one typed environment profile.

    01
    Profile builder
    Intake answers, document extractions, and uploads normalize into one typed environment profile.
  2. (02)DECIDE

    The engine picks the stack.

    A constraint solver chooses products against your budget, region, ecosystem, and what you already own — then attaches the exact configuration playbook and the operating model to run it.

    02
    Capability targets
    Computes the target capability set for your tier, industry, and size band.
    03
    Product selector
    A constraint solver picks products against budget, region, ecosystem fit, and what you already own.
    04
    Playbook attacher
    Each selected product gets its configuration playbook for the chosen tier.
    05
    Operating model
    Recommended headcount by role, plus what to outsource, from size and regulatory load.
  3. (03)SCORE

    Every control, scored.

    Scores each control across all 24 frameworks from the selected products, then builds the risk register on likelihood × impact with residual risk per stack.

    06
    Compliance mapper
    Scores every control in every enabled framework from the selected products.
    07
    Risk register builder
    Top risks scored on likelihood × impact, with residual risk per stack.
  4. (04)PRICEMODELED

    The cost of doing nothing.

    Annualized loss as a best / likely / worst dollar range — industry-baseline-modulated, labeled MODELED, and never presented as fact.

    08
    Do-Nothing modeler
    Annualized loss as a best / likely / worst dollar range — labeled modeled.
  5. (05)PROVEVALIDATED

    Sequenced, written, checked.

    A Now / Next / Later roadmap from dependencies and risk reduction per dollar; an executive narrative generated from the structured outputs; and a validator that rejects any prose contradicting them.

    09
    Roadmap sequencer
    Now / Next / Later from dependencies, effort capacity, and risk reduction per dollar.
    10
    Narrative generator
    Executive summary and prose, generated from the structured outputs of steps 1–9.
    11
    Validator
    Rejects any narrative that contradicts the structured output. On contradiction, regenerate.
03 // Why you can defend it

Deterministic by design.

Nothing is invented. Every product name and price in your report traces to a catalog entry, and the same profile always resolves to the same structured output — so anyone can re-run it and land on the identical answer.

profile.json + intake11-STEP ENGINE
RUN 01ct·7f3a-4c17-…-c9e2
RUN 02ct·7f3a-4c17-…-c9e2
IDENTICAL OUTPUTSchematic — the same profile resolves to a byte-identical structured output every run.
COMPUTED DETERMINISTICALLY
  • Capability targets per tier × industry × framework
  • Product selection — a constraint solver over the catalog
  • Compliance scoring across all 24 frameworks
  • Do-Nothing ALE math, industry-baseline-modulated
  • Risk register, threat mapping, roadmap sequencing
  • Configuration-review checks — vendor-specific rules

Same inputs, same output. A post-generation validator rejects any narrative that contradicts the structured output.

THE WEDGE

Consultants take six weeks for $40–80k. GRC tools tell you what's broken without telling you what to buy. Vendor reps recommend whatever pays them most. CyberTwin gives you a defensible, priced answer the day you sign up.

04 // On screen

Adaptive intake in. Board-ready PDF out.

The wizard asks only what your profile makes relevant. The report renders in seconds.

(01)INTAKE WIZARD — ADAPTIVE DEPTHSTEP 3 / 9 · RISK & REGULATION
Targeting any audits in the next 18 months? SOC 2 Type II
Do you process card payments? Yes — Level 4 merchant
What's keeping you up at night? "Failing our first SOC 2 audit"
Adaptive: PCI questions appear because you process card payments; SOC 2 prep appears because of the audit answer.
(02)REPORT COVER PAGEGENERATED IN 1.5s
INFRASTRUCTURE SECURITY ASSESSMENT
Stop guessing.
Start deciding.
Acme Fintech · 240 employees · 24 frameworks

Already deployed? Configuration Review reads one uploaded config export from any of 37 vendors — Assess: 1 review a year · Operate: 3 · Program: unlimited. See Configuration Review →

PICK YOUR DOOR

See it on your own environment.

Upload one export and watch the eleven steps run. No agent, no live scan, no call required.