The capability map
Where you actually stand across govern, identify, protect, detect, respond, and recover. It’s evidence-bound and segmented by team and seniority, and it makes the gap between policy and practice explicit.
A neutral AI confidentially interviews the people who run, use, and depend on your security, from the SOC to the board. It works through all six NIST CSF 2.0 functions and hands you a segmented readiness picture plus a prioritised remediation plan.
Audits and questionnaires measure what’s documented, not what’s practised. The engineers, admins, and business owners who live with the workarounds rarely get asked. So the board sees a RAG status while the real exposure sits in the gap between policy and behaviour.
Where you actually stand across govern, identify, protect, detect, respond, and recover. It’s evidence-bound and segmented by team and seniority, and it makes the gap between policy and practice explicit.
Security hygiene, awareness, and the culture that decides whether controls hold when it counts. This is the factor questionnaires can’t see and incidents always find.
A sequenced remediation programme of quick wins and structural fixes. Every recommendation traces back to an evidenced gap and is framed against the regulations you already answer to.
Where does our documented control actually diverge from day-to-day practice?
Which of the six functions are genuinely weak, rather than just under-documented?
Do our people know what to do the moment something looks wrong?
Where does third-party and supply-chain exposure sit that we haven’t mapped?
If we could fix three things before our next assessment, what would move the needle most?
Your people answer anonymously, and honesty about security gaps depends on that. Responses are aggregated into segments, and any group too small to protect a person is suppressed or merged before it reaches you. You see the exposure and the patterns, never the person who raised them.
Scope a cyber-readiness diagnostic in minutes. It’s confidential, self-serve, and grounded in what your people actually experience.