For vCISOs & advisory firms

vCISO playbook

The operating model for running 10+ client risk programs at once: tiered engagements, onboarding, reporting architecture, and regulatory coverage.

Read the guide →
For CISOs & vCISOs

How to build a KRI program from scratch

Stand up a Key Risk Indicator program from the controls you already run: the four indicator categories, picking and thresholding your first signals, and cadence.

Read the guide →
For security operations

Reading the signal: catching drifting KRIs

Most incidents arrive as warnings nobody caught. Read KRI velocity and compound drift, and act on degrading signals before thresholds are crossed.

Read the guide →
For practitioners

KRI reference library

Sixty-plus KRIs across fifteen domains, mapped to all 18 CIS Controls v8.1, with green/amber/red thresholds and weighting for a board-ready posture score.

Read the guide →
For CISOs & security engineers

Privileged access management, done right

The control that matters most and gets implemented worst. The threat model, the inventory problem, the controls that close the gaps attackers exploit, and PAM KRIs.

Read the guide →
For CISOs & security teams

Incident response readiness

What to have before the phone rings at 2am: decisions to pre-authorize, infrastructure to test, what a tabletop reveals, and the metrics that indicate readiness.

Read the guide →
For CISOs & finance partners

The CISO's guide to cyber risk quantification

Put a dollar figure on cyber risk. What the FAIR model requires, why most attempts fail, and the quarterly risk statement that answers the board.

Read the guide →
For CISOs & finance partners

Justifying security spend to a CFO

Make a budget argument that works: the risk-transfer reframe, a cost-of-breach baseline, defending against cuts, and tracking the return on what you spent.

Read the guide →
For CISOs & security leaders

Translating security risk into business language

Reframe security risk so the room can act on it. Audience-specific framings, five reframes, and a board presentation architecture that holds up.

Read the guide →
For CISOs & vCISOs

The CISO and the board

What directors actually want from a security briefing: a posture verdict, material risks with timelines, the decisions they need to make, and what to leave out.

Read the guide →
For vendor risk teams

Third-party risk intelligence

Vendor questionnaires go stale the day after submission. Tier your vendors, monitor continuous signal, and run a TPRM program you can actually staff.

Read the guide →
For CISOs, CFOs & PE-backed teams

Security due diligence in M&A

How acquirers evaluate cyber risk in a deal, the findings that move price, what sellers should fix before diligence, and the inherited liability window after close.

Read the guide →
For CISOs & CFOs

What cyber insurers actually look for

Underwriting decoded: the external scan, the controls that move pricing, the claims carriers deny, and how to present your program for better terms.

Read the guide →
For security & finance leaders

Cyber insurance readiness checklist

Ten control areas with required, expected, and preferred criteria, what triggers a surcharge or declination, and renewal-conversation tactics.

Read the guide →

KRI library by domain

Thirty deep-dive guides, one per security domain. Each names the KRIs that matter, where to derive them from the stack you already run, how to calculate them, and green/amber/red thresholds. They go a level deeper than the KRI reference library, which summarizes every domain in one CIS-mapped catalog.

For CISOs & risk leaders

Enterprise security KRIs

The cross-domain synthesis view: composite posture score, enterprise-wide MTTD and MTTC, security debt, regulatory notification exposure, and insurance adequacy.

Read the guide →
For SOC & security operations

Security operations KRIs

Whether detection and response actually work: alert fidelity, detection and log-source coverage, MTTD and MTTC, playbook coverage, and analyst capacity.

Read the guide →
For IAM & security engineers

Identity and access management KRIs

Whether IAM is a real control or a checkbox: MFA enforcement, privileged access sprawl, dormant and orphaned accounts, least privilege, and non-human identity risk.

Read the guide →
For security architects

Security architecture KRIs

Whether the design contains blast radius: segmentation effectiveness, zero trust maturity, cryptographic standards, attack surface reduction, and IaC security.

Read the guide →
For AppSec & engineering

Application security KRIs

Whether the SDLC produces secure software: SAST and DAST coverage, open-source CVEs, secrets exposure, critical finding age, gate compliance, and API security.

Read the guide →
For product security teams

Product security KRIs

Risk in the software you ship: customer-facing patch MTTP, VDP health, product CVE disclosure, dependency exposure, tenant isolation assurance, and advisory SLA.

Read the guide →
For AI & security leads

AI security KRIs

The newest attack surface: shadow AI inventory, data access scope, prompt injection testing, agentic action oversight, model supply chain, and output leakage.

Read the guide →
For GRC & compliance

GRC program health KRIs

The process-integrity signals auditors and regulators check: risk register currency, policy framework currency, obligation tracking, and audit remediation rate.

Read the guide →
For awareness & insider risk

Human security KRIs

Human risk past click rates: phishing reporting resilience, high-risk cohort training, insider threat indicators, vishing resistance, and joiner-mover-leaver completion.

Read the guide →
For physical & corporate security

Physical security KRIs

Physical access as enterprise risk: access control failures, badge deprovisioning latency, visitor escort compliance, CCTV health, and assessment recency.

Read the guide →
For security & marketing ops

Marketing web presence KRIs

The overlooked public footprint: SPF/DKIM/DMARC coverage, subdomain takeover risk, third-party tag risk, form PII handling, TLS health, and CSP coverage.

Read the guide →
For cloud security engineers

Cloud security KRIs

Cloud runtime posture, not the architecture diagram: CSPM finding age, account governance, cloud identity posture, workload protection coverage, logging health, and data exposure.

Read the guide →
For platform security engineers

Container and Kubernetes KRIs

Risk in containerized workloads and orchestration: image scan coverage, base image hygiene, cluster benchmark compliance, admission control, runtime detection, and network policy.

Read the guide →
For DevSecOps and platform engineering

DevSecOps and security engineering KRIs

Security built into how software ships: pipeline gate coverage and enforcement, security tool reliability, developer training, mean time to resolve, security-as-code, and developer friction.

Read the guide →
For vulnerability management teams

Vulnerability management KRIs

Whether vulnerabilities actually get fixed: scan coverage, SLA compliance by severity, MTTR, KEV exposure rate, backlog age distribution, risk acceptance quality, and patch effectiveness.

Read the guide →
For security architects

Cryptography and PKI KRIs

The least-instrumented domain: certificate expiry exposure, dark certificate discovery, CA infrastructure health, key rotation compliance, secrets exposure, and post-quantum readiness.

Read the guide →
For data security and governance leads

Data security and governance KRIs

How data is managed, protected, and controlled: classification coverage, sensitive data access entitlement, retention and destruction, shadow data, DLP enforcement, and breach scope readiness.

Read the guide →
For email security leads

Email security KRIs

The highest-volume attack channel: authentication enforcement, gateway threat effectiveness, BEC impersonation protection, user reporting rate, sandboxing coverage, and outbound DLP.

Read the guide →
For CTI and SOC leaders

Threat intelligence KRIs

Whether intelligence drives action: intelligence-to-detection pipeline coverage, threat actor relevance, dark web and credential monitoring, vulnerability intelligence integration, and reporting relevance.

Read the guide →
For IR and SOC leaders

Incident response KRIs

Whether the program holds up under a real incident: IR plan currency, exercise cadence, forensic retainer readiness, regulatory notification workflow, post-incident review, and team staffing.

Read the guide →
For TPRM and procurement security

Third-party risk KRIs

Risk across the vendor and supply chain: vendor tier coverage and assessment currency, security ratings trend, fourth-party concentration, breach notification, and access offboarding timeliness.

Read the guide →
For DPOs and privacy counsel

Privacy program KRIs

Privacy operations and regulatory exposure: PIA/DPIA coverage, ROPA completeness, DSAR fulfillment timeliness, consent validity, cross-border transfer compliance, and breach notification readiness.

Read the guide →
For BC/DR and resilience leads

Business continuity and DR KRIs

Whether recovery commitments are real: business impact analysis currency, RTO/RPO validation, recovery test success rate, backup integrity, and critical vendor recovery dependency.

Read the guide →
For mobile and endpoint teams

Mobile and BYOD security KRIs

Risk from devices you do and don't own: MDM enrollment, OS currency, mobile app security controls, mobile threat defense coverage, BYOD data isolation, and lost-device response.

Read the guide →
For OT and ICS security teams

OT and ICS security KRIs

Risk in operational technology and control systems: IT/OT segmentation integrity, asset inventory completeness, remote access controls, OT patch risk, anomaly detection, and safety system integrity.

Read the guide →
For red team and offensive security leads

Red team and offensive security KRIs

Whether offensive testing changes posture: operation cadence and scope, finding remediation speed, detection coverage against red team TTPs, purple teaming, and assumed-breach scenario coverage.

Read the guide →
For executive protection leads

Executive and VIP protection KRIs

The digital exposure of high-value targets: executive credential exposure, impersonation and brand threats, digital footprint risk, account security posture, and targeted threat intelligence.

Read the guide →
For M&A and deal security teams

M&A security due diligence KRIs

Risk signal across the acquisition lifecycle: pre-close assessment coverage, critical finding severity, inherited regulatory exposure, external attack surface, and post-close debt remediation.

Read the guide →
For network and infrastructure security

Network security KRIs

Whether the network is defended and observable: device firmware and config currency, firewall rule hygiene, remote access controls, NDR coverage, flow log retention, and NAC/802.1x coverage.

Read the guide →
For endpoint and IT security teams

Endpoint security KRIs

Whether endpoint defense actually prevents: EDR coverage and prevention mode, compliance posture, full-disk encryption, anti-malware currency, exploit prevention, web/DNS filtering, and removable media control.

Read the guide →