Step 1 · Profile

Sector, role, and organization

The report is framed by function: risk exposure for security and executive audiences, control gaps for GRC, cost and ROI for finance, workforce and vendor data for HR and legal.

Sector

Select your industry. This sets regulations, primary threats, and frameworks for your report.

Healthcare
Hospitals, health plans, TPAs
Financial Services
Banks, insurers, fintechs
Government
Federal, state, municipal
Manufacturing
Industrial, OT/IT, supply chain
Education
Universities, K-12, EdTech
Energy & Utilities
Utilities, critical infrastructure
Retail & E-commerce
Retail, e-commerce
Other sectors
Technology / SaaS
Software, engineering, IP
Logistics & Transportation
Fleet, supply chain, delivery
Department / Function

Select the function that best matches how you’ll use this report. Report content is tailored to this lens.

Security
Risk ownership, board reporting
Executive
Business accountability, strategy
Finance
Budget, ROI, cost of risk
Legal
Counsel, contracts, client data
Compliance & privacy
Audit, regulations, privacy
GRC
Frameworks, control gaps, risk register
HR
Workforce, employee data, insider risk
IT
Architecture, operations, delivery
Procurement
Vendor/supplier selection, third-party risk
Evaluating
Researching options
Organization size
Small / Mid-Market
Under 500 employees · $5M–$100M revenue
Enterprise
500+ employees · $100M+ revenue
Startup / Scale-up
Under 100 employees · Pre-revenue to $5M
Government / Non-Profit
Public sector or mission-driven org
Engine activated
Regulations in scope
Primary threats
Frameworks required
Step 2 · Assets & data

What’s in scope

Each type maps to specific control requirements. Tick “Outsourced” where a third party processes or stores it.

Data handling role

How your organization acts regarding this data (GDPR/CCPA: controller vs processor)

Data controller
We determine purposes and means of processing
e.g. Customer CRM, employee HR records, patient database you own
Data processor
We process on behalf of another (client/customer)
e.g. Payroll bureau, SaaS platform handling client data, outsourced IT provider
Both / varies
We act as controller for some data, processor for others
e.g. Internal employee data (controller) + client data you process (processor)
Not applicable
No personal data processed — infrastructure or internal systems only
e.g. Internal tooling, OT/SCADA, non-personal operational data only

In scope

Select at least one. Aligned to universal asset classification; frameworks map to control requirements.

Primary informational · Tier 1

Customer/employee records, financial, IP, regulated data — high sensitivity

Personally Identifiable Information (PII)
Names, SSNs, addresses, email, government IDs
GDPR · CCPA
NIST PR.DS
Protected Health Information (PHI)
Medical records, diagnoses, treatment, insurance
HIPAA · HITECH
OCR Audit
Financial & Payment Data
Account numbers, transactions, credit card, payroll
PCI DSS · GLBA
SOX
Intellectual Property & Source Code
Code, formulas, product designs, R&D data
NIST CSF
ISO 27001
Controlled Unclassified Information (CUI)
Government contract data, export-controlled, FCI
CMMC 2.0
NIST 800-171

Supporting · Tier 2

Legal, compliance evidence, contracts — operational sensitivity

Legal & compliance evidence
E-discovery, legal hold, audit trails, chain of custody
FRCP · SOC 2
Audit evidence
Contract & commercial data
Contracts, BAAs, DPAs, vendor terms
Contract governance
Vendor risk

Infrastructure / operational

OT, ICS, SCADA — industrial and critical systems

Operational Technology (OT / ICS / SCADA)
Industrial controls, critical infrastructure
NERC CIP
ICS-CERT
Control requirements — live
Select asset types to see required controls.
Step 3 · Third-party

Vendor / service types

Select which types of third-party services you use. This captures risk and concentration for your report.

Service types

Select the types of services that process or store your data. This scopes risk and concentration in your report.

Vendor names (optional)

Add specific vendor names to include in the report and Vendor Risk Radar. You can skip this and still generate.

Third-party scope — live
Select service types. Add vendor names (optional).
Building your posture report…
Personalized for your role. No sensitive data accessed.
Mapping regulatory requirements to your sector
Generating control baseline from asset types
Enriching vendor profiles from external intelligence
Running gap analysis against industry baseline
Calibrating budgeted remediation roadmap
Personalizing output for your role & framing
Report complete · Personalized to your role

Your posture is ready.

CyberCaution · Risk Posture
Security Posture Report
Personalized from your inputs. No HR, CRM, or SIEM data used.
Regulations in scope
Controls to address
Vendors in scope
6
Deliverables
Sector Risk Profile
1. Risk posture & command center

The command center consolidates your sector exposure brief, organizational assessment, vendor and industry threat intelligence, and privacy risk analysis into a single interactive hub. Select any tab below to drill into a specific dimension of your risk posture. Each module can be exported independently for stakeholder distribution.

Command Center · All data generated locally
24h Posture Visibility
Can you answer client impact questions within 24 hours?
Decision-Speed Risk
Likelihood that silos slow response under pressure.
Vendor Concentration
Single points of failure across critical functions.
Sector Industry Exposure Brief
What cascade patterns typically look like in your sector, and what usually gets missed in siloed organizations.
Organization Posture Exposure Snapshot
Role-personalized assessment output generated from your intake. Designed for 24h client response readiness.
Vendor Threat Radar
Check your vendor list against curated disruption signals and identify concentration + dependency blind spots.
Industry Threat Radar
Sector-focused threat signals: KEV, ransomware trends, and industry disruption events.
Vendor Risk Radar
Vendor risk posture, classifications, and concentration. Import CSV/JSON for automatic category and risk scoring.
Privacy Risk Radar
Data residency, PII/PHI exposure, and regulatory acceleration by asset and vendor.
Industry Threat Intelligence Report
Sector threat actors, attack patterns, and industry metrics for your selected sector.
2. Prioritized action roadmap

A phased, time-bound remediation plan sequenced by risk impact and calibrated to your role and sector. Each phase identifies the recommended action, why it is prioritized at that stage, and what outcome to expect. Use this roadmap to assign owners, set milestones, and track measurable risk reduction.

Recommended sequence (role & sector calibrated) · Your profile
Days 1–30
Immediate
Run CyberCaution® full readiness assessment
NIST IR 8374r1 score + board-ready risk report in 30 minutes.
Days 14–45
Quick wins
Activate VendorSoluce® vendor risk radar
Enriched vendor scores in 48 hours. Tier critical vendors. Initiate evidence collection.
Days 45–90
Stabilize
Close Priority 1 control gaps
MFA, immutable backups, network segmentation. Verify BAA compliance.
Mo. 3–6
Scale
Continuous monitoring + Phase 2 unlock
Activate continuous threat monitoring. Prepare CyberCorrect® compliance automation.
3. Deliverables included in this report

This report produces six actionable deliverables, each calibrated to your role, sector, and the assets you identified. Four are ready now; two unlock with platform enrollment. Use the descriptions below to understand what each deliverable contains, why it matters, and where to access it.

Framework alignment — Control mapping, gap analysis, and the remediation roadmap in this report align to NIST CSF 2.0 (ID.AM, PR.AC, PR.DS, DE.CM, RS.RP), NIST IR 8374r1, and ISO 27001 where applicable to your scope.
01
Scoped Policy Library · Included
Eight security policies pre-populated with your sector, assets, and regulatory scope. Use as the foundation for control evidence and audit readiness.
Why it matters: Eliminates weeks of policy drafting. Every policy is pre-scoped to your regulatory environment, so your team can review and adopt rather than write from scratch.
Command Center → Policy Library
02
Prioritized Remediation Roadmap · Included
90-day, 6-month, and 12-month action plan sequenced by risk impact and aligned to your role.
Why it matters: Converts a complex gap analysis into a step-by-step plan with clear owners and timelines. Present it to leadership the same day.
Section 2 above & Command Center
03
Budgeted Implementation Plan · Included
Cost estimates per control gap with ROI framing, ready for budget conversations.
Why it matters: Bridges the gap between security findings and budget approval. Frames remediation as an investment, not an expense.
Command Center → Sector Assessment
04
Regulatory Compliance Map · Included
Frameworks in scope mapped to your assets, with gap status and the specific controls that close each gap.
Why it matters: Shows exactly which regulations apply, where you currently stand, and what it takes to close each obligation — no guesswork.
Section 1 above & Command Center
05
Vendor Risk Radar · + Enrich with evidence
External risk scores generated from your vendor list. Connect the vendor portal to replace estimates with verified, evidence-backed scores.
Why it matters: Third-party risk is the fastest-growing attack surface. This radar gives you vendor-level visibility before a breach forces the conversation.
Section 1 → Vendor Risk Radar tab
06
Executive Risk Dashboard · Live in platform
Board-ready posture visualization updated continuously as you close gaps and onboard vendors.
Why it matters: Replaces one-time snapshots with a living scorecard. Track progress, demonstrate ROI, and keep stakeholders informed without rebuilding reports.
CyberCaution Command Center