Three ways in. One engine.
The same engine runs underneath all three — the door you pick just changes what you hand it. Design a stack from a blank page, score the one you already run, or upload a real config export and let it read the bytes.
Three priced stacks — before you spend a dollar.
For new programs, M&A integrations, or "let's start over" moments. The engine designs a security stack from your industry, size, regulatory load, and budget — three priced architectures (Lean / Balanced / Advanced) with real products, real prices, and the reference architectures teams like you actually deploy.
A short profile: industry, headcount, regions, frameworks in scope, current stack, budget, and concerns. Or upload diagrams and invoices and the engine extracts the stack for you.
- Three priced architectures with real product recommendations from a catalog of 99 products
- An architecture diagram (exportable as SVG / PNG) with the attack paths each design opens
- Compliance coverage scored across 24 frameworks, a Do-Nothing dollar scenario, and a sequenced roadmap
- A board-ready PDF behind every number
EXAMPLE · 200-person fintech, $130k budget → reference architecture: Microsoft Entra + FortiGate + Microsoft Defender for Endpoint + Veeam immutable backups. SOC 2 + ISO 27001 aligned. 18-month roadmap with quarterly milestones.
Score what you run. Keep what works.
For teams who already deployed but want a second opinion. The engine scores your current posture, surfaces the gaps, recommends optimizations to the tools you already own before you buy anything new, and produces a roadmap of what to swap, augment, or consolidate.
What you run today — products, vendors, and configuration described in intake or pulled from uploaded documents and network diagrams. Modeled reachability is labeled modeled; nothing is invented.
- Posture scored against 24 frameworks, with explicit / derived provenance per control
- An attack-path map across the 15 supported vendor families — the path from a foothold to your crown jewels
- Redundant-tool and coverage-gap findings, with consolidation savings
- A prioritized risk register with named threat-actor patterns, and the board-ready report
EXAMPLE · 450-person SaaS, San Francisco. Existing CrowdStrike Falcon + Splunk + Okta → 4 redundant tools, 2 critical data-loss-prevention gaps, $89k of annual consolidation savings, SOC 2 score 71→89 with three configuration changes.
Upload the real config. Every finding, proven or modeled.
Upload a real configuration export and the engine parses the actual bytes against vendor-specific best practices — 1,917 checks across 37 supported vendors. Findings on the real file are labeled proven; everything modeled is labeled modeled. Recorded, ledgered control proofs re-parse FortiGate, PAN-OS, and OPNsense configs today — proven for those, modeled for the rest. The same review a consultancy would bill tens of thousands of dollars for — re-run it yourself any time a config changes.
A configuration export from any of the 37 supported vendors — firewall, WAF, EDR, cloud, identity, SIEM, email, backup, DLP. Secrets are redacted across 8 secret classes before storage; nothing is stored in the clear. No live scan, no agent, no connected integration.
- Every rule analyzed for hygiene, not just posture — shadowed and redundant rules, overly-permissive any-any grants, stale and unused objects, and risky rule combinations across your firewall, identity, and cloud policies (unused-rule detection is skipped, never guessed, when the export carries no hit counts)
- On Program every vendor is covered and findings stitch cross-vendor to your crown jewels; Operate audits any one vendor per review
- Rule-by-rule findings with real evidence excerpts from your file (proven, not asserted)
- Copy-paste remediation snippets for each finding
- The attack path each gap opens, and the compliance controls it maps to
- A posture score and a tamper-evident proof you can re-verify offline
Intrusion-prevention profile not assigned to the default policy.
EXAMPLE · FortiGate config upload → 42 findings (12 critical, 8 high), posture 32/100. Top finding: intrusion-prevention profile not assigned to the default policy. Replacement snippet generated. SOC 2 CC6.6 + ISO 27001 A.13.1.1 flagged.
PER-VENDOR CHECK DEPTH →
Depth varies by vendor, and we publish it — the live check count per vendor, next quarter's target, and the last baseline review, so you can size up before you buy. AWS Config / Security Hub is the reference plugin at 94 checks today.
| Vendor | Category | Checks today | Target Q4 2026 | Last review | Status |
|---|---|---|---|---|---|
| AWS Config / Security Hub | cloud | 94 | 25 | 2026-04-01 | Reference depth |
| Azure Policy + Defender for Cloud | cloud | 88 | 25 | 2026-04-01 | Reference depth |
| GCP Security Command Center | cloud | 84 | 25 | 2026-04-01 | Reference depth |
| CrowdStrike Falcon | endpoint | 73 | 25 | 2026-04-01 | Reference depth |
| Jamf Pro | endpoint | 71 | 25 | 2026-04-01 | Reference depth |
| Auth0 | identity | 70 | 25 | 2026-04-01 | Reference depth |
| Microsoft Intune | endpoint | 69 | 25 | 2026-04-01 | Reference depth |
| Sophos XGS | network | 60 | 25 | 2026-04-01 | Reference depth |
| Mimecast | 57 | 25 | 2026-04-01 | Reference depth | |
| Elastic Security | siem | 55 | 25 | 2026-04-01 | Reference depth |
| Palo Alto Networks PAN-OS | network | 54 | 28 | 2026-04-15 | Reference depth |
| Okta | identity | 53 | 25 | 2026-04-01 | Reference depth |
| AWS IAM | identity | 53 | 26 | 2026-04-22 | Reference depth |
| Google Workspace | identity | 53 | 25 | 2026-04-01 | Reference depth |
| Cisco Meraki | network | 52 | 25 | 2026-04-01 | Reference depth |
| Microsoft Defender for Office 365 | 52 | 22 | 2026-04-18 | Reference depth | |
| WatchGuard Firebox | network | 51 | 25 | 2026-04-01 | Reference depth |
| Abnormal Security | 51 | 25 | 2026-04-01 | Reference depth | |
| Veeam Backup & Replication | backup | 51 | 25 | 2026-04-01 | Reference depth |
| Fortinet FortiGate | network | 50 | 36 | 2026-04-12 | Reference depth |
| Check Point GAIA / R81+ | network | 48 | 25 | 2026-04-01 | Reference depth |
| JumpCloud | identity | 48 | 25 | 2026-04-01 | Reference depth |
| Microsoft Defender for Endpoint | endpoint | 47 | 25 | 2026-04-01 | Reference depth |
| Proofpoint | 46 | 25 | 2026-04-01 | Reference depth | |
| pfSense | network | 45 | 25 | 2026-04-01 | Reference depth |
| SentinelOne | endpoint | 45 | 25 | 2026-04-01 | Reference depth |
| Juniper SRX | network | 44 | 25 | 2026-04-01 | Reference depth |
| Microsoft Purview DLP | dlp | 44 | 25 | 2026-04-01 | Reference depth |
| Cisco ASA / Firepower | network | 43 | 25 | 2026-04-01 | Reference depth |
| Microsoft Sentinel | siem | 42 | 22 | 2026-04-18 | Reference depth |
| Cloudflare WAF | waf | 40 | 25 | 2026-04-01 | Reference depth |
| Microsoft Entra ID Conditional Access | identity | 35 | 24 | 2026-04-08 | Reference depth |
| Splunk Enterprise Security | siem | 35 | 25 | 2026-04-01 | Reference depth |
| Rubrik | backup | 34 | 25 | 2026-04-01 | Reference depth |
| AWS WAF | waf | 34 | 25 | 2026-04-01 | Reference depth |
| OPNsense | network | 27 | 25 | 2026-04-01 | Production |
| GitHub Advanced Security | cloud | 19 | 25 | 2026-04-01 | Baseline |
Don't see your vendor at the depth you need? Email feedback@cybertwin.io.
Same engine. Your call on the door.
Assess includes Design, Review, and 1 Configuration Review a year. Operate: 3 a year · Program: unlimited.