Turn invisible risk into
decisions you can act on.

Yes. On the Self-assessment plan, AI drives assessment, analysis, and reporting and produces results without humans in the loop. On Expert-review-and-above plans, our security consultants sign off on the assessment before finalization, so you can operate it as an external CISO function. It also works for organizations where IT runs security as a side duty.

Yes. Assessment results are auto-bundled into a PDF for leadership (score summary, economic analysis, investment priority, improvement roadmap). You can report the state of risk and the basis for investment with quantitative data.

Pick what your structure calls for. We publish prices on the four plans (Enterprise is custom-quoted): Self-assessment (AI runs end-to-end), Expert-review (expert sign-off + quarterly review), Dedicated CISO (a dedicated specialist as the external CISO), and Enterprise (group-wide and regulation-fit, designed individually). Start with Self-assessment to make the current state visible, and move to a higher plan when you need executive explainability or hands-on accompaniment.

Every plan has a monthly cap on AI usage. The specific limits are shared at contract time. Typical usage rarely reaches the cap; if you do approach it, we'll reach out in advance so you can consider moving to a higher plan or arranging additional capacity.

You can try the same features as your prospective plan free for 14 days. During the trial, usage is limited to 1 assessment and up to 3 users, with a cap on AI usage; PDF reports include an evaluation watermark. After the trial ends, you keep read-only access for 14 days, and all assessment results and reports carry over when you subscribe.

It depends on the plan. On Self-assessment, AI drives from first-pass assessment to finalization on its own — results are immediate. On Expert-review-and-above, before delivery to leadership our security consultants sign off in a two-stage flow; the score, risk analysis, and report are finalized after sign-off.

It means 'one review and sign-off per assessment, before finalization' — not a per-month or per-contract count. If you run multiple assessments in the same tenant, each one gets a review before finalization.

Risk is quantified along the attack chain via our own method ACRA (MITRE ATT&CK-aligned). Expected loss is computed as a probability distribution using the international standard FAIR (Factor Analysis of Information Risk) plus Monte Carlo simulation — telling you 'the 95% annual loss range' and 'how bad a worst case looks', a more confident basis for investment than a single point estimate. Optimal investment is computed via the Gordon-Loeb model from information security economics.

Yes. The six frameworks — CIS Controls v8.1.2 / NIST Cybersecurity Framework (CSF) 2.0 / ISO 27001:2022 / Supply-chain Security Evaluation Scheme (SCS) / OWASP Top 10 for LLM / AI Governance Maturity Assessment — totaling 628 assessment items can be run in parallel within the same tenant. You can also choose a different IG / ★ level for each assessment.

Yes. We cover OWASP Top 10 for LLM Applications 2025 (with MITRE ATLAS attack-tactic tags), so AI-specific risks like prompt injection, sensitive-data leakage, data/model poisoning, and excessive agency are visualized in the same framework as your existing cyber risk analysis (ACRA) and ROI. Designed for organizations using, building, or providing internal chatbots, RAG, or AI agents.

Yes — via the AI Governance Maturity Assessment (10 management domains, 68 questions), which we built ourselves by referencing NIST AI RMF 1.0 and ISO/IEC 42001:2023. Where OWASP Top 10 for LLM addresses the technical risks of individual AI systems, this framework visualizes the organizational/policy layer — how the organization governs and manages AI — on a 0–5 maturity scale. Available on all plans. It is not the official standard published by NIST or ISO/IEC, and does not guarantee certification.

When each roadmap phase is assumed complete, our proprietary model — applying ideas from security game theory (Stackelberg Security Games; Tambe et al., 2011) — previews how an attacker's likely focus would shift across areas, with AI-generated commentary. It is not a forecast of actual attack probabilities. Available on the Dedicated CISO and Enterprise plans. See 'Attacker-Perspective Simulation: methodology' in Help for the full rationale and references (with DOIs).

Yes. The Expert-review plan supports up to 5 additional tenants and Dedicated CISO up to 15, with larger group structures covered by the Enterprise plan (custom quote). Admins and viewers of the parent tenant can browse and aggregate their scores, risks, and contract status. Data remains fully isolated across tenants.

In the AWS Tokyo region. Data is fully isolated across tenants, and all major operations from sign-in through assessment and report generation are recorded to the audit log (retained for 1 year, exportable in CSV / JSON).

No. AI (large language models) is used for the AI hearing, risk analysis, and report generation, but data sent through this service is never used to train the AI. Data is stored in the AWS Tokyo region and fully isolated across tenants. See our Privacy Policy for details.

We implement MFA, a strong password policy, browser-side security controls, per-feature rate limiting, audit log retention and export for all major operations, and error monitoring. Data is fully isolated across tenants and cannot be cross-referenced by design.

This is a monthly subscription. Please contact us for details such as minimum contract period.