April 20, 2026 — Draxis.ai today announced the Cyber Risk Simulation Engine (CRSE), a purpose-built impact quantification layer that turns the Draxis risk model into live, defensible dollar figures. CRSE runs Monte Carlo simulations over atomic compromise scenarios and composable attack chains, produces P10 / P50 / P90 loss bands across the six FAIR loss categories plus jurisdictional regulatory fines, and applies MITRE ATT&CK-mapped control efficacy as a loss reducer — not a frequency hand-wave.
CRSE is deliberately scoped to the magnitude side of the problem. It does not estimate threat frequency or annualized loss expectancy. Each simulation answers a conditional question — given this scenario, what is the loss distribution? — which removes the most error-prone variables in cyber risk quantification and lets Draxis produce numbers customers can put in front of a CFO without apologizing for them.
The Problem: Quantification That Nobody Trusts
Cyber risk quantification has a credibility problem. Teams that try to stand up FAIR programs run into the same walls:
- Frequency estimates are educated guesses; annualized loss figures inherit every one of those errors and compound them
- Per-entity loss inputs live in spreadsheets disconnected from the asset inventory, the data catalog, and the control library
- Control efficacy is asserted in narrative, not modeled — "we have MFA" does not tell a CFO how much cheaper the breach gets
- Multi-hop attack chains — phishing → identity → domain controller → backups → data — are the scenarios boards actually worry about, but most tools only quantify one hop at a time
- Regulatory fines are modeled as a lump sum, ignoring the per-jurisdiction, per-data-type, per-regulator reality of GDPR / HIPAA / PCI / CCPA / LGPD / PIPEDA
CRSE fixes each of these without pretending to solve what cannot honestly be solved. It quantifies magnitude; it leaves frequency to the humans.
How It Works
1. Seventeen Atomic Scenarios Across Seven Entity Classes
CRSE ships with a scenario library covering the compromise events that actually matter: identity compromise and privilege escalation, asset compromise / denial / ransomware, application compromise, data exfiltration / encryption / destruction / integrity loss, third-party breach and outage, insider malicious and negligent actions, and backup compromise — the catalyst that turns a bad incident into a catastrophic one. Every scenario is data-driven, mapped to MITRE tactics, and extensible per tenant.
2. FAIR-lite Monte Carlo with PERT Distributions
Each magnitude input — records affected, downtime hours, replacement costs, fine bands — is expressed as a PERT distribution (min / most-likely / max). Ten thousand iterations sample each input independently, per-iteration losses are summed across categories, and the engine returns P10 / P50 / P90, mean, and the full histogram. PERT is the FAIR community standard for SME-driven estimates; the engine falls back to a triangular distribution when only two points are available.
3. Composable Attack Chains
Chains are directed graphs of atomic scenarios. Analysts can drag-and-drop paths on a Cytoscape canvas, the engine can auto-generate plausible chains from a seed entity using the dependency graph, or the two can be blended: the analyst picks start and end, the engine fills in the middle. Per-category aggregation rules prevent double-counting — productivity sums across assets, reputation caps at one event per scenario, regulatory fines sum across distinct (data element × jurisdiction) pairs and cap at statutory maximums per regulator.
4. MITRE-Mapped Control Efficacy as Loss Reducer
Each control in the Draxis library maps to MITRE techniques with per-loss-category efficacy values, scaled by the control's maturity level (1–5). When a scenario's techniques intersect with mapped controls, the engine applies the reduction post-sampling — so customers see exactly how much loss a given control is buying them, in dollars, per category. Default efficacy ships from MITRE D3FEND mappings plus Draxis-curated benchmarks, fully overridable per tenant.
5. Jurisdictional Regulatory Fines, Modeled Properly
Regulatory fines get their own reference layer keyed on (regulator, jurisdiction, data type). GDPR is modeled as percent-of-revenue with an absolute cap. HIPAA runs tiered per-record. PCI is per-card with egregious-breach multipliers. CCPA, PIPEDA, LGPD, and the rest each carry their own statute-specific shape. For every affected (data element, jurisdiction) pair, the engine samples within the statutory band, sums across regulators, and caps each at its own maximum — producing a fine estimate a GC can defend.
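Steps 2 and 4 above, as an added illustration rather than Draxis code: a PERT-based Monte Carlo that samples each FAIR loss category, sums per iteration, applies maturity-scaled control efficacy after sampling, and reports P10 / P50 / P90. The scenario bands, the control's efficacy values and the multiplicative stacking of controls are constructed assumptions, not Draxis defaults.

```python
import random

# Six FAIR loss categories from the page; regulatory fines are modeled separately.
CATEGORIES = ("productivity", "response", "replacement",
              "fines_judgments", "competitive_advantage", "reputation")

def sample_pert(rng, lo, ml, hi):
    """Beta-PERT draw from a (min, most-likely, max) band, lambda = 4."""
    if not lo <= ml <= hi:
        raise ValueError("expected min <= most-likely <= max")
    if hi == lo:                       # degenerate band: a point estimate
        return lo
    a = 1 + 4 * (ml - lo) / (hi - lo)
    b = 1 + 4 * (hi - ml) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)

def sample_input(rng, band):
    if len(band) == 3:                 # three-point band -> PERT
        return sample_pert(rng, *band)
    return rng.triangular(*band)       # two-point band -> triangular fallback

def run_scenario(scenario, iterations=10_000, seed=0):
    """Sample every category independently; one loss dict per iteration."""
    rng = random.Random(seed)
    return [{c: sample_input(rng, scenario[c]) for c in CATEGORIES}
            for _ in range(iterations)]

def apply_controls(samples, controls):
    """Post-sampling reduction of each mapped category by efficacy x maturity/5
    (assumption: several controls on one category compound multiplicatively)."""
    reduced = []
    for s in samples:
        out = dict(s)
        for ctl in controls:
            for c, eff in ctl["efficacy"].items():
                out[c] *= 1 - eff * ctl["maturity"] / 5
        reduced.append(out)
    return reduced

def summarize(samples):
    totals = sorted(sum(s.values()) for s in samples)
    pick = lambda p: totals[min(len(totals) - 1, int(p * len(totals)))]
    return {"p10": pick(0.1), "p50": pick(0.5), "p90": pick(0.9),
            "mean": sum(totals) / len(totals)}

# Constructed inputs (USD), not Draxis data: ransomware on a file server; offline backups at maturity 3 of 5.
RANSOMWARE = {"productivity": (20_000, 80_000, 300_000), "response": (15_000, 40_000, 120_000),
              "replacement": (5_000, 20_000, 60_000), "fines_judgments": (0, 0, 50_000),
              "competitive_advantage": (0, 25_000), "reputation": (10_000, 50_000, 250_000)}
BACKUPS = {"maturity": 3, "efficacy": {"productivity": 0.6, "replacement": 0.5, "response": 0.3}}
```

Calling `summarize(run_scenario(RANSOMWARE))` gives the unmitigated bands; wrapping the same samples in `apply_controls(..., [BACKUPS])` shows, per iteration, how much loss that one control buys.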
Key Capabilities
- Seven entity classes covered — identity, asset, application, data element, third party, employee, data collection
- Seventeen atomic scenario types — fully data-driven and tenant-extensible
- Monte Carlo with PERT — 10,000 iterations, P10 / P50 / P90 bands, full histogram binned for storage efficiency
- Six FAIR loss categories plus split regulatory fines — productivity, response, replacement, fines and judgments, competitive advantage, reputation, regulatory fines
- Attack chain composition — user-authored, auto-generated, or blended; 4-hop default depth, per-tenant configurable
- MITRE ATT&CK control efficacy — per-category reduction scaled by control maturity
- Jurisdictional fine model — GDPR, HIPAA, PCI, CCPA, PIPEDA, LGPD, and growing
- Reproducible runs — every simulation snapshots its input set and is re-runnable with identical results
- Cytoscape graph visualization — entities, relationships, blast-radius overlays, and chain editing on one canvas
- Dashboard tiles and drill-down reports — loss distributions, category breakdowns, per-control attribution
- Performance target — five-node chain on a mid-sized customer in under three seconds on a single worker
- Expert Panel integration — CRSE outputs are available to every persona, so loss figures appear in CFO, CISO, Insurance, and Board conversations without a separate workflow
Why It Matters for vCISOs and CFOs
For vCISOs, CRSE ends the era of narrative risk memos. Every recommendation — add MFA, harden this application, revoke that vendor — comes with a loss reduction estimate the client can see in their own currency, against their own entities, across their own scenario set. For CFOs and boards, CRSE turns security investment from a faith-based line item into a quantifiable portfolio decision: this control, on this risk, for this much. For insurance conversations, the simulation output maps cleanly onto submission requirements and feeds directly into the Cyber Insurance Advisor for coverage-adequacy analysis.
"The reason most cyber risk quantification fails is not that the math is wrong. It's that the inputs are made up. Draxis already has the inventory, the data catalog, the control library, and the MITRE mappings. CRSE just closes the loop — and refuses to estimate anything it cannot defend." — Draxis.ai
Availability
The Cyber Risk Simulation Engine is available today across all Draxis.ai platform tiers. Scenario library, PERT-based Monte Carlo runs, control efficacy modeling, and the core regulatory fine library ship at launch. The graph visualization and auto-generated chain engine are available on vCISO and Enterprise tiers.
Put a number on your cyber risk — and defend it.
Run your first simulation, see the loss distribution for your own environment, and watch your control portfolio show up in dollars.
About Draxis.ai
Draxis.ai is a cyber risk intelligence platform that pulls Key Risk Indicators from the security controls organizations already run, ties them to the risks and business outcomes that matter, and surfaces the picture through dashboards and a panel of AI expert personas — led by the AI vCISO, alongside Privacy, Third-Party Risk, and Cyber Insurance experts. A persistent institutional memory learns from every stakeholder conversation so guidance compounds over time. Used by companies managing their own risk posture and by vCISO advisory firms scaling across multiple clients.
Media contact: press@draxis.ai