FAQ

Foundations is an enterprise cyber risk intelligence platform. In 51 structured questions across four organizational stakeholders — completed in roughly one week — it delivers a board-ready, financially quantified cyber risk picture. Not a compliance checklist. A living risk intelligence platform that tells you exactly where you're exposed, what it will cost if something goes wrong, and where every security dollar delivers the most protection.

Most tools assess technology. Foundations assesses the organization — governance, culture, budget, people, third-party risk, and technical debt — because breaches happen at the seams between these factors, not inside any single one. Three specific differences:

• Multi-stakeholder — four personas answer questions, not one CISO, surfacing blind spots a single-respondent assessment misses entirely
• Financial output — risk is expressed as revenue at risk, recovery timelines, and breach probability, not High/Medium/Low ratings
• Board-ready — the Cyber Risk Signal™ gives boards the single trackable number they've always needed but never had

Foundations serves multiple roles within an organization and beyond:

• CISOs — board-ready risk quantification in a week, not a quarter
• CFOs — cyber risk in dollar terms: revenue at risk, recovery time, investment ROI
• Boards & CEOs — one number to track with quarter-over-quarter trending
• MSSPs & Insurers — portfolio-wide risk visibility across all client organizations
• IT & Security Managers — multi-stakeholder assessment that surfaces gaps no single person can see
• Compliance Officers — policy evaluation against six frameworks with evidence sync to PRISM

The assessment consists of 51 structured questions distributed across four organizational stakeholders. Key risk questions are deliberately asked of multiple personas to capture different perspectives on the same issue — surfacing gaps that a single-respondent assessment would miss entirely. The four stakeholders and their question counts are:

• C-Level Technology (CTO/CIO) — 48 questions covering all domains
• CEO / Board Member — 25 questions on strategic priorities and risk tolerance
• Legal & Compliance — 21 questions on governance and regulatory exposure
• Human Resources — 20 questions on people risk and culture

Questions are organized across four domains that together capture the full organizational risk landscape:

• Enterprise360 — Strategic direction, governance structures, and executive decision-making consistency
• Data360 — Data protection practices, classification, regulatory compliance, and breach exposure
• Cyber360 — Security operations maturity, incident response capability, and technical controls
• People360 — Security staffing levels, awareness culture, training effectiveness, and burnout risk

Yes. In addition to the stakeholder survey, Foundations evaluates uploaded security policy documents (PDF, Word, or plain text) against six industry frameworks:

• Security Awareness Training — NIST SP 800-50
• Incident Response — NIST SP 800-61
• IT Governance — ISO 27001 / COBIT
• Third-Party Risk Management — ISO 27036
• Change Management — ITIL
• Offboarding — ISO 27001

Policy evaluation results feed directly into the overall risk score and, if you also use PRISM, sync automatically to the PRISM evidence locker.

The full assessment — across all four stakeholder personas — typically takes about one week to complete. This is substantially faster than traditional GRC assessments, which require months of control-by-control mapping. Progress is tracked in real time, so stakeholders can complete their sections independently and on their own schedule.

Foundations translates cyber risk into the language of finance — the terms CFOs and boards use to evaluate risk:

• Revenue at risk — Total financial exposure in dollars, based on company revenue, industry benchmarks, and current security posture
• Recovery timeline — Estimated days to restore critical operations after a major incident
• Incident probability — Likelihood of a significant breach given current posture gaps
• Daily revenue impact — Financial cost of each day of operational downtime
• Monte Carlo simulation — Probability distribution of breach costs across thousands of scenarios

The Cyber Poverty Line® is the minimum investment threshold below which security spend is statistically insufficient to prevent material loss. Foundations identifies where your current spend sits relative to this line — and identifies the optimal ROI zone where additional investment delivers the highest risk reduction per dollar. It transforms budget conversations from "we need $500K on security" into "here is what happens to our risk score, breach probability, and recovery time if we invest $500K in these three areas."

That's one of its primary use cases. The Risk Optimization Studio lets you model investment decisions before committing — adjusting readiness sliders and watching the risk score, breach probability, and financial exposure recalculate in real time. The board reports (Dartboard 360, Spider Chart, Top Threats) are formatted for presentation and communicate in five minutes what would otherwise require a thirty-minute briefing. The Cyber Poverty Line gives you a defensible financial floor for any budget request.

Executive Intelligence is a living command center for security leaders and executives. Key views include:

• CRS Dashboard — Score gauge, momentum indicator, peer comparison, and component breakdown
• Cyber Poverty Line Chart — Investment curve showing current spend vs. minimum viable and optimal levels
• Revenue at Risk Panel — Financial exposure with recovery timeline
• Key Risk Indicators (KRI) — Measurable signals with threshold-based alerting
• External Threat Landscape — Industry-specific threats, geopolitical hotspots, and threat actor activity
• Iris AI Analyst — Natural language risk analysis grounded in your own assessment data

Foundations generates professional, presentation-ready board materials without requiring the CISO to build slide decks from scratch:

• Dartboard 360 — Radial visualization showing all assessment pillars at a glance
• Executive Summary Banner — Critical risk count, risk velocity, impact level, and budget recommendation
• Spider Chart — Big 6 readiness comparison with industry benchmarks overlaid
• Top Threats Report — Ranked threat scenarios with impact, likelihood, and mitigation status

Export options include PDF (multi-page), PNG, and SVG — all formatted for board presentations.

Iris is Foundations' embedded AI analyst, powered by Llama 3.1 and grounded entirely in your organization's own assessment data. Unlike generic security tools, Iris generates recommendations from your actual scores and gaps — not industry templates. For example, rather than "implement MFA," Iris might say "your People360 score of 38, combined with 40% IT turnover, makes insider threat your top risk — here is what to address first and why." Recommendations are scored and ranked by impact, effort, and ROI, with quick-win identification for organizations below the Cyber Poverty Line.

Yes. For MSSPs, insurance carriers, and holding companies, Foundations provides a portfolio-level view with:

• Multi-company dashboard with CRS scores, risk bands, and trend indicators in a single view
• Aggregate analytics — average risk, band distribution, and high/medium/low counts across the portfolio
• Company comparison — sort and filter by risk score, revenue, industry, or assessment status
• Portfolio groups — organize clients by business unit, geography, or risk tier
• Drill-down capability — click any company to see the full assessment and Big 6 breakdown
• Critical flags — automatic highlighting of organizations requiring immediate attention

No. Foundations is a fully standalone platform. It delivers a complete organizational risk picture — Cyber Risk Signal, Big 6 analysis, financial quantification, board reports, and Iris recommendations — without requiring PRISM. The integration is additive: customers who use both get a combined organizational and technical risk view that neither tool provides independently.

Yes. Foundations offers a self-guided demo requiring only an email address — no account creation, no sales call required. You get full read-only access to all views: Executive Intelligence, Risk Optimization Studio, Board Reports, and threat intelligence — loaded with realistic sample data. Access persists for return visits, so you can explore on your own schedule.

The assessment is designed to complete in approximately one week, with four stakeholders contributing independently on their own schedule. As each persona completes their section, results begin populating in real time. There is no waiting for a consultant to compile a report — the CRS, Big 6 analysis, financial quantification, and Iris recommendations are all generated automatically from the assessment data.

Contact your Risk Aperture representative or use the Request Demo button to schedule a guided walkthrough. A personalized demo uses your industry, company size, and specific risk context to demonstrate the platform against scenarios that are relevant to your organization — not a generic walkthrough.