Everything you need to know about PRISM — the technical security assessment and compliance automation platform built for security teams, compliance managers, and CISOs.
Overview
PRISM is a technical security assessment and compliance automation platform. It maps your entire security architecture — assets, data flows, and countermeasures — against real threat techniques (MITRE ATT&CK), scores your Protect/Detect/Respond posture, and generates the compliance documentation you need to pass audits. It covers 34+ compliance frameworks out of the box and turns months of assessment prep into days.
Most GRC tools give you a spreadsheet of controls to check off. PRISM connects your security architecture to real threat intelligence, quantifies the cost-effectiveness of every tool in your stack, and generates audit-ready documentation automatically. Key differences:
Threat-informed compliance — MITRE ATT&CK and D3FEND mapped to every control, not just checkboxes
Cost optimization — redundancy analysis, What-If simulator, and full TCO visibility
Document generation — 88+ templates auto-populated with your real data, not blank boilerplate
Architecture modeling — interactive diagrams, data flows, and countermeasure tracking in one place
PRISM serves several roles across security and compliance teams:
CISOs & Security Directors — single view of compliance, threat coverage, and spend efficiency
Cross-framework mapping means overlapping controls (e.g. CMMC and NIST 800-171) are assessed only once, eliminating redundant work.
PRISM identifies every control you are failing or partially meeting and prioritizes by severity: Showstopper, High, Medium, and Low — grouped by compliance domain. Each gap includes the requirement text, your current status, evidence requirements, estimated remediation effort, and AI-generated recommendations. Gaps link directly to a remediation plan with owners and timelines.
Yes. PRISM generates pre-configured compliance packages for CMMC Level 2, SOC 2 Type II, NIST 800-171, and other frameworks. Each package includes a required-documents checklist, a readiness score (0–100%), and one-click export of all documents as a PDF/ZIP bundle — ready to hand directly to an assessor or C3PAO.
Threat Intelligence
PRISM maps the full MITRE ATT&CK technique library to your assets and countermeasures. Each technique is scored 1–4 on Protect, Detect, and Respond based on your actual architecture. A coverage heatmap shows exactly which techniques you defend against and which leave you exposed. Sector-specific threat weighting adjusts relevance for your industry, and APT group profiles reveal which threat actors target organizations like yours.
P/D/R stands for Protect, Detect, Respond — the three dimensions of your defensive posture. PRISM gives you a composite score (1–4 scale) across all MITRE techniques, weighted by your sector's threat landscape. Rather than "we have firewalls and EDR," you get a precise statement like "our Protect score is 3.2, Detect is 2.8, Respond is 2.1 — and our Respond gap is concentrated in lateral movement techniques." Board-presentable and immediately actionable.
Yes. PRISM includes a dedicated AI Governance module. Inventory your AI systems (generative, predictive, RAG, classification, etc.), classify them under the EU AI Act, and assess AI-specific threats from MITRE ATLAS — including prompt injection, model poisoning, and training data attacks. Supported frameworks include EU AI Act, NIST AI RMF, ISO 42001, and OWASP AI Security.
Cost & ROI
That's one of PRISM's core capabilities. Every asset is classified as Fully Redundant (removable with zero protection loss), Partially Redundant, Essential, or Sole Satisfier (required by a compliance standard). You see exact savings potential per tool alongside the P/D/R impact of removing it — so you know the true cost of consolidation before making any changes.
Toggle tools on or off and watch the impact recalculate in real time — total cost savings, P/D/R score changes, techniques losing coverage, compliance requirements at risk, and maturity changes. Model full consolidation scenarios before committing to anything. The Iris AI assistant provides a plain-English explanation of each scenario's trade-offs.
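To make the sector-weighted P/D/R composite (described under Threat Intelligence) and the redundancy classes and What-If recalculation (described just above) concrete, here is a small added example. It is not PRISM's code and does not reproduce its actual scoring rules; the assets, costs, technique weights, the "strongest active defense counts" rule, the 1 = no-coverage floor and the control ID used for the Sole Satisfier case are all constructed assumptions.

```python
"""Added example (not PRISM's own code): a toy model of sector-weighted
P/D/R scoring, asset redundancy classification and a What-If removal
simulation. Every scoring rule, asset, technique weight and cost below
is a constructed assumption for illustration."""
from dataclasses import dataclass

FLOOR = 1.0  # assumption: 1 on the 1-4 scale means "no coverage"
DIMS = ("Protect", "Detect", "Respond")

# Constructed sector weights: how relevant each ATT&CK technique is assumed
# to be for this organization's threat landscape.
SECTOR_WEIGHT = {"T1566": 1.0, "T1021": 0.8, "T1486": 0.6}


@dataclass
class Asset:
    name: str
    annual_cost: float
    coverage: dict                               # technique -> (P, D, R), each 1..4
    sole_satisfier_for: frozenset = frozenset()  # controls only this asset meets


# Constructed sample stack (costs, scores and the CP-9 mapping are made up).
ASSETS = [
    Asset("email-gateway", 40_000, {"T1566": (4, 3, 2)}),
    Asset("edr", 120_000, {"T1566": (3, 4, 3), "T1021": (2, 4, 3), "T1486": (3, 4, 3)}),
    Asset("legacy-av", 25_000, {"T1566": (2, 2, 1), "T1486": (2, 2, 1)}),
    Asset("backup", 30_000, {"T1486": (1, 1, 4)}, frozenset({"CP-9"})),
]


def technique_scores(assets):
    """Per technique, take the best score any active asset provides in each
    dimension (assumed rule: defenses do not stack, the strongest one counts)."""
    scores = {}
    for tech in SECTOR_WEIGHT:
        scores[tech] = tuple(
            max([FLOOR] + [a.coverage[tech][i] for a in assets if tech in a.coverage])
            for i in range(3)
        )
    return scores


def composite(assets):
    """Sector-weighted average of the technique scores, per dimension."""
    scores = technique_scores(assets)
    total = sum(SECTOR_WEIGHT.values())
    return {
        DIMS[i]: sum(SECTOR_WEIGHT[t] * scores[t][i] for t in scores) / total
        for i in range(3)
    }


def classify(asset, assets):
    """Redundancy class of one asset, judged by what is lost when it is removed."""
    if asset.sole_satisfier_for:
        return "Sole Satisfier"
    before = technique_scores(assets)
    after = technique_scores([a for a in assets if a is not asset])
    if after == before:
        return "Fully Redundant"
    # Essential if any technique falls to the floor in a dimension it covered.
    for tech in before:
        for i in range(3):
            if before[tech][i] > FLOOR and after[tech][i] == FLOOR:
                return "Essential"
    return "Partially Redundant"


def what_if(removed, assets=ASSETS):
    """Simulate removing the named assets: savings, score deltas, techniques
    that lose coverage and compliance controls left without a satisfier."""
    remaining = [a for a in assets if a.name not in removed]
    before, after = composite(assets), composite(remaining)
    b_scores, a_scores = technique_scores(assets), technique_scores(remaining)
    return {
        "savings": sum(a.annual_cost for a in assets if a.name in removed),
        "delta": {d: round(after[d] - before[d], 2) for d in DIMS},
        "techniques_losing_coverage": sorted(t for t in b_scores if a_scores[t] != b_scores[t]),
        "controls_at_risk": sorted(c for a in assets if a.name in removed for c in a.sole_satisfier_for),
    }


if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name:14} {classify(a, ASSETS)}")
    print(what_if({"legacy-av"}))       # zero score delta, 25,000 saved
    print(what_if({"email-gateway"}))   # Protect drops, T1566 loses coverage
```

With this sample stack the legacy AV is Fully Redundant (removing it changes no technique score), the email gateway is Partially Redundant (Protect on T1566 drops from 4 to 3 but the EDR still covers it), the EDR is Essential (it is the only coverage for lateral movement via T1021) and the backup is a Sole Satisfier because of its control mapping. The What-If result for each removal carries the savings alongside the score deltas, which is the "true cost of consolidation" comparison the text describes.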
Yes. PRISM tracks the full Total Cost of Ownership per asset: license fees, maintenance, and FTE allocation. It also provides staffing gap analysis (reported FTE vs. required FTE) and a 5-year cost projection. Staffing costs flow directly into the What-If Simulator, so savings estimates reflect the full picture — not just the license line item.
All documents are auto-populated with your real project data and exportable as DOCX or PDF.
Upload any evidence type — PDF, Word, images, CSV, JSON, YAML, Excel (up to 50MB per file). PRISM automatically categorizes each file, extracts relevant controls, maps it to compliance requirements, and shows which requirements still lack evidence. Pull evidence automatically from cloud sources: AWS (S3, CloudTrail), Azure, GCP, GitHub, Jira, and Slack.
Getting Started
PRISM's guided 7-step wizard walks new users through project setup, system modeling, framework selection, threat profile configuration, initial P/D/R scoring, evidence upload, and gap analysis preview. Most users reach their first gap analysis in under an hour. Bulk CSV import, OSCAL document import, and GRC platform sync mean you're not re-entering existing data manually.
Yes. PRISM offers a self-guided demo requiring only an email address. You get full read-only access to all modules — dashboards, MITRE coverage matrix, Cost Optimizer, document generation — loaded with realistic sample data. No sales interaction required. The product is the pitch.
Yes. PRISM supports CSV import for assets, data flows, and countermeasures; OSCAL document parsing for existing SSPs; and GRC platform sync via CISO Assistant integration. Evidence connectors pull automatically from AWS, Azure, GCP, GitHub, Jira, and Slack. PRISM meets you where your data already lives.
Yes. MSSPs and C3PAOs can manage all client organizations from a single portfolio dashboard with aggregate P/D/R scores, compliance status, and cross-client gap analysis — identifying controls multiple clients are failing simultaneously. Assessment scheduling and readiness tracking are built in, so one analyst can manage what would otherwise require a full team.
Still have questions?
Schedule a personalized demo and see PRISM in action with your specific use case.