vCISO playbook
The operating model for running 10+ client risk programs at once: tiered engagements, onboarding, reporting architecture, and regulatory coverage.
Read the guide → For CISOs & vCISOsHow to build a KRI program from scratch
Stand up a Key Risk Indicator program from the controls you already run: the four indicator categories, picking and thresholding your first signals, and cadence.
Read the guide → For security operationsReading the signal: catching drifting KRIs
Most incidents arrive as warnings nobody caught. Read KRI velocity and compound drift, and act on degrading signals before thresholds are crossed.
Read the guide → For practitionersKRI reference library
Sixty-plus KRIs across fifteen domains, mapped to all 18 CIS Controls v8.1, with green/amber/red thresholds and weighting for a board-ready posture score.
Read the guide → For CISOs & security engineersPrivileged access management, done right
The control that matters most and gets implemented worst. The threat model, the inventory problem, the controls that close the gaps attackers exploit, and PAM KRIs.
Read the guide → For CISOs & security teamsIncident response readiness
What to have before the phone rings at 2am: decisions to pre-authorize, infrastructure to test, what a tabletop reveals, and the metrics that indicate readiness.
Read the guide → For CISOs & finance partnersThe CISO's guide to cyber risk quantification
Put a dollar figure on cyber risk. What the FAIR model requires, why most attempts fail, and the quarterly risk statement that answers the board.
Read the guide → For CISOs & finance partnersJustifying security spend to a CFO
Make a budget argument that works: the risk-transfer reframe, a cost-of-breach baseline, defending against cuts, and tracking the return on what you spent.
Read the guide → For CISOs & security leadersTranslating security risk into business language
Reframe security risk so the room can act on it. Audience-specific framings, five reframes, and a board presentation architecture that holds up.
Read the guide → For CISOs & vCISOsThe CISO and the board
What directors actually want from a security briefing: a posture verdict, material risks with timelines, the decisions they need to make, and what to leave out.
Read the guide → For vendor risk teamsThird-party risk intelligence
Vendor questionnaires go stale the day after submission. Tier your vendors, monitor continuous signal, and run a TPRM program you can actually staff.
Read the guide → For CISOs, CFOs & PE-backed teamsSecurity due diligence in M&A
How acquirers evaluate cyber risk in a deal, the findings that move price, what sellers should fix before diligence, and the inherited liability window after close.
Read the guide → For CISOs & CFOsWhat cyber insurers actually look for
Underwriting decoded: the external scan, the controls that move pricing, the claims carriers deny, and how to present your program for better terms.
Read the guide → For security & finance leadersCyber insurance readiness checklist
Ten control areas with required, expected, and preferred criteria, what triggers a surcharge or declination, and renewal-conversation tactics.
Read the guide →KRI library by domain
Thirty deep-dive guides, one per security domain. Each names the KRIs that matter, where to derive them from the stack you already run, how to calculate them, and green/amber/red thresholds. They go a level deeper than the KRI reference library, which summarizes every domain in one CIS-mapped catalog.
Enterprise security KRIs
The cross-domain synthesis view: composite posture score, enterprise-wide MTTD and MTTC, security debt, regulatory notification exposure, and insurance adequacy.
Read the guide → For SOC & security operationsSecurity operations KRIs
Whether detection and response actually work: alert fidelity, detection and log-source coverage, MTTD and MTTC, playbook coverage, and analyst capacity.
Read the guide → For IAM & security engineersIdentity and access management KRIs
Whether IAM is a real control or a checkbox: MFA enforcement, privileged access sprawl, dormant and orphaned accounts, least privilege, and non-human identity risk.
Read the guide → For security architectsSecurity architecture KRIs
Whether the design contains blast radius: segmentation effectiveness, zero trust maturity, cryptographic standards, attack surface reduction, and IaC security.
Read the guide → For AppSec & engineeringApplication security KRIs
Whether the SDLC produces secure software: SAST and DAST coverage, open-source CVEs, secrets exposure, critical finding age, gate compliance, and API security.
Read the guide → For product security teamsProduct security KRIs
Risk in the software you ship: customer-facing patch MTTP, VDP health, product CVE disclosure, dependency exposure, tenant isolation assurance, and advisory SLA.
Read the guide → For AI & security leadsAI security KRIs
The newest attack surface: shadow AI inventory, data access scope, prompt injection testing, agentic action oversight, model supply chain, and output leakage.
Read the guide → For GRC & complianceGRC program health KRIs
The process-integrity signals auditors and regulators check: risk register currency, policy framework currency, obligation tracking, and audit remediation rate.
Read the guide → For awareness & insider riskHuman security KRIs
Human risk past click rates: phishing reporting resilience, high-risk cohort training, insider threat indicators, vishing resistance, and joiner-mover-leaver completion.
Read the guide → For physical & corporate securityPhysical security KRIs
Physical access as enterprise risk: access control failures, badge deprovisioning latency, visitor escort compliance, CCTV health, and assessment recency.
Read the guide → For security & marketing opsMarketing web presence KRIs
The overlooked public footprint: SPF/DKIM/DMARC coverage, subdomain takeover risk, third-party tag risk, form PII handling, TLS health, and CSP coverage.
Read the guide → For cloud security engineersCloud security KRIs
Cloud runtime posture, not the architecture diagram: CSPM finding age, account governance, cloud identity posture, workload protection coverage, logging health, and data exposure.
Read the guide → For platform security engineersContainer and Kubernetes KRIs
Risk in containerized workloads and orchestration: image scan coverage, base image hygiene, cluster benchmark compliance, admission control, runtime detection, and network policy.
Read the guide → For DevSecOps and platform engineeringDevSecOps and security engineering KRIs
Security built into how software ships: pipeline gate coverage and enforcement, security tool reliability, developer training, mean time to resolve, security-as-code, and developer friction.
Read the guide → For vulnerability management teamsVulnerability management KRIs
Whether vulnerabilities actually get fixed: scan coverage, SLA compliance by severity, MTTR, KEV exposure rate, backlog age distribution, risk acceptance quality, and patch effectiveness.
Read the guide → For security architectsCryptography and PKI KRIs
The least-instrumented domain: certificate expiry exposure, dark certificate discovery, CA infrastructure health, key rotation compliance, secrets exposure, and post-quantum readiness.
Read the guide → For data security and governance leadsData security and governance KRIs
How data is managed, protected, and controlled: classification coverage, sensitive data access entitlement, retention and destruction, shadow data, DLP enforcement, and breach scope readiness.
Read the guide → For email security leadsEmail security KRIs
The highest-volume attack channel: authentication enforcement, gateway threat effectiveness, BEC impersonation protection, user reporting rate, sandboxing coverage, and outbound DLP.
Read the guide → For CTI and SOC leadersThreat intelligence KRIs
Whether intelligence drives action: intelligence-to-detection pipeline coverage, threat actor relevance, dark web and credential monitoring, vulnerability intelligence integration, and reporting relevance.
Read the guide → For IR and SOC leadersIncident response KRIs
Whether the program holds up under a real incident: IR plan currency, exercise cadence, forensic retainer readiness, regulatory notification workflow, post-incident review, and team staffing.
Read the guide → For TPRM and procurement securityThird-party risk KRIs
Risk across the vendor and supply chain: vendor tier coverage and assessment currency, security ratings trend, fourth-party concentration, breach notification, and access offboarding timeliness.
Read the guide → For DPOs and privacy counselPrivacy program KRIs
Privacy operations and regulatory exposure: PIA/DPIA coverage, ROPA completeness, DSAR fulfillment timeliness, consent validity, cross-border transfer compliance, and breach notification readiness.
Read the guide → For BC/DR and resilience leadsBusiness continuity and DR KRIs
Whether recovery commitments are real: business impact analysis currency, RTO/RPO validation, recovery test success rate, backup integrity, and critical vendor recovery dependency.
Read the guide → For mobile and endpoint teamsMobile and BYOD security KRIs
Risk from devices you do and don't own: MDM enrollment, OS currency, mobile app security controls, mobile threat defense coverage, BYOD data isolation, and lost-device response.
Read the guide → For OT and ICS security teamsOT and ICS security KRIs
Risk in operational technology and control systems: IT/OT segmentation integrity, asset inventory completeness, remote access controls, OT patch risk, anomaly detection, and safety system integrity.
Read the guide → For red team and offensive security leadsRed team and offensive security KRIs
Whether offensive testing changes posture: operation cadence and scope, finding remediation speed, detection coverage against red team TTPs, purple teaming, and assumed-breach scenario coverage.
Read the guide → For executive protection leadsExecutive and VIP protection KRIs
The digital exposure of high-value targets: executive credential exposure, impersonation and brand threats, digital footprint risk, account security posture, and targeted threat intelligence.
Read the guide → For M&A and deal security teamsM&A security due diligence KRIs
Risk signal across the acquisition lifecycle: pre-close assessment coverage, critical finding severity, inherited regulatory exposure, external attack surface, and post-close debt remediation.
Read the guide → For network and infrastructure securityNetwork security KRIs
Whether the network is defended and observable: device firmware and config currency, firewall rule hygiene, remote access controls, NDR coverage, flow log retention, and NAC/802.1x coverage.
Read the guide → For endpoint and IT security teamsEndpoint security KRIs
Whether endpoint defense actually prevents: EDR coverage and prevention mode, compliance posture, full-disk encryption, anti-malware currency, exploit prevention, web/DNS filtering, and removable media control.
Read the guide →