Approach

Why Threat-Informed Changes Everything

Traditional risk assessments start with the compliance checklist and work backward. This methodology starts with the threat landscape and works forward. Controls exist to mitigate specific adversary behaviors — if you cannot trace a control back to a threat, you cannot validate its effectiveness. If you cannot trace a risk rating back to observed adversary behavior, the rating is opinion, not evidence.

01 Threat Profile Drives Likelihood

Likelihood is derived from adversary targeting patterns — industry, geography, organization size — not from subjective scales or committee votes.

02 Coverage Gaps Drive Impact

Impact is determined by what is exposed when controls are missing or partial. The coverage analysis tells you exactly where the organization is vulnerable.

03 Every Finding Is Traceable

From MITRE technique to mitigation to control gap to risk score to remediation — every finding has a complete evidence chain that a regulator can follow.

AI-Augmented, Human-Governed

This methodology leverages AI to process the scale of modern risk assessment — mapping tens of thousands of data points across controls, mitigations, techniques, and regulatory requirements. AI facilitates the analysis. A certified professional makes the judgment calls.

What AI Does

  • Processes 10,000+ control-to-mitigation data points that would take weeks manually
  • Maps controls to MITRE techniques and CRI diagnostic statements at scale
  • Identifies coverage gaps across the full control inventory consistently
  • Generates draft coverage verdicts, KPIs, and logging requirements for review
  • Maintains traceability chains from technique to finding to recommendation

What the Professional Does

  • Reviews and validates every AI-generated mapping and coverage verdict
  • Applies professional judgment to risk ratings, likelihood, and impact
  • Approves each stage gate before work advances — no auto-progression
  • Makes remediation prioritization decisions based on business context
  • Signs off on evidence packages and board-ready deliverables

AI handles the scale. The certified professional handles the judgment. Every stage gate requires human review and approval — AI-generated analysis is an input to professional decision-making, never a substitute for it.

Engagement Success Factors

A defensible risk assessment requires more than a good framework. These six factors — grounded in NIST, ISACA, ISO 27005, and FAIR — determine whether an engagement produces actionable results or a checkbox exercise.

Clean Data Inputs

Quality asset inventories, vulnerability scan results, control test evidence, and system logs. Garbage in, garbage out — the assessment is only as defensible as the data behind it.

Sources: NIST SP 800-30, ISO 27005, FAIR

Strong Stakeholder Support

Executive sponsorship, engaged risk owners, and cross-functional participation. Without business unit involvement, assessments stay theoretical and no one owns the residual risk.

Sources: ISACA, NIST RMF, Security Executive Council

Clear Scope & Risk Criteria

Defined boundaries, risk tolerance thresholds, and regulatory applicability established before any technical work begins. Without explicit criteria, assessments devolve into generic vulnerability listings.

Sources: NIST SP 800-30, ISO 27005, NIST CSF 2.0

Agreed Methodology & Definitions

Everyone working from the same risk model, terminology, and scoring criteria. If 'likelihood' and 'impact' mean different things to different participants, results cannot be defended or compared over time.

Sources: FAIR, ISO 27005, NIST SP 800-30

Skilled Practitioners

Analysts trained in MITRE ATT&CK, FAIR, CRI Profile, and NIST frameworks. Poorly trained analysts and a superficial risk culture lead directly to checkbox assessments and unconvincing risk narratives.

Sources: ISACA, FAIR Institute, NIST

Transparent Traceability

Every finding traceable from MITRE technique to mitigation to control gap to risk score to remediation. In audits, regulatory inquiries, or incidents, you must show how you arrived at each conclusion.

Sources: NIST SP 800-30, ISO 27001, COBIT 2019

Beyond the Report

Most risk assessments end with a PDF. This methodology produces operational artifacts that plug directly into the organization's monitoring and reporting stack — every deliverable is driven by the threat profile, not generic templates.

Threat-Targeted KPIs & KRIs

Key Performance Indicators and Key Risk Indicators derived directly from the threat profile — not generic compliance metrics. Each KPI traces to a specific MITRE technique and the controls that mitigate it, so leadership measures what actually matters for their threat landscape.

  • Mean time to detect per profiled technique
  • Coverage % by MITRE mitigation category
  • Control test currency (days since last validated)
  • Open vulnerability count by threat-relevant CVE

Splunk Logging Requirements

Specific log sources, event types, and data fields required to detect the techniques in the threat profile. This ensures the SIEM captures the telemetry needed for detection rather than collecting everything and hoping.

  • Required log sources per ATT&CK technique
  • Data field specifications for detection coverage
  • Log retention requirements by criticality tier
  • Gap analysis: what is logged vs. what is needed

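A small, constructed illustration of the arithmetic behind the evidence chain described above (technique to mitigation to control to gap to risk score to remediation), the "coverage % by MITRE mitigation category" KPI, and the logged-vs-needed gap analysis. This is an added example, not code from the page or from the methodology it describes: the technique-to-mitigation pairs are an illustrative subset of public ATT&CK mappings, the control ids, coverage verdicts, targeting frequencies and log source names are invented, and the scoring rule (likelihood times exposure, with fixed rating thresholds) is an assumption, not the methodology's own scoring.

```python
"""Toy threat-informed coverage and traceability calculator (added example).

All data below is constructed. The scoring rule is an illustrative assumption:
likelihood comes from the threat profile, impact is the uncovered share of the
technique's mitigations, risk = likelihood * exposure.
"""
from collections import defaultdict

# Constructed threat profile: ATT&CK technique -> assumed targeting frequency (0..1)
THREAT_PROFILE = {
    "T1566": 0.9,   # Phishing
    "T1078": 0.7,   # Valid Accounts
    "T1486": 0.5,   # Data Encrypted for Impact
}

# Illustrative subset of ATT&CK technique -> mitigation pairs
TECHNIQUE_MITIGATIONS = {
    "T1566": ["M1049", "M1017"],   # Antivirus/Antimalware, User Training
    "T1078": ["M1032", "M1027"],   # Multi-factor Authentication, Password Policies
    "T1486": ["M1053"],            # Data Backup
}

# Constructed control inventory: control id -> mitigations implemented + test verdict
CONTROL_MAP = {
    "CTL-01": {"mitigations": ["M1049"], "verdict": "full"},
    "CTL-02": {"mitigations": ["M1017"], "verdict": "partial"},
    "CTL-03": {"mitigations": ["M1032"], "verdict": "none"},
    "CTL-04": {"mitigations": ["M1053"], "verdict": "full"},
    # Nothing in the inventory maps to M1027: an unmapped gap.
}
VERDICT_SCORE = {"full": 1.0, "partial": 0.5, "none": 0.0}

# Constructed logging requirements and currently logged sources (names invented)
REQUIRED_LOG_SOURCES = {
    "T1566": {"email_gateway", "proxy"},
    "T1078": {"auth_logs", "vpn"},
    "T1486": {"file_server", "edr"},
}
LOGGED_SOURCES = {"email_gateway", "auth_logs", "edr"}


def mitigation_coverage(controls=CONTROL_MAP):
    """Best verdict score per mitigation across the controls that implement it."""
    best = defaultdict(float)
    for ctl in controls.values():
        score = VERDICT_SCORE[ctl["verdict"]]
        for m in ctl["mitigations"]:
            best[m] = max(best[m], score)
    return dict(best)


def technique_coverage(technique, mit_cov):
    """Mean coverage of a technique's mitigations; unmapped mitigations count as 0."""
    mits = TECHNIQUE_MITIGATIONS[technique]
    return sum(mit_cov.get(m, 0.0) for m in mits) / len(mits)


def coverage_pct_by_mitigation(profile=THREAT_PROFILE, controls=CONTROL_MAP):
    """KPI: coverage % for every mitigation the threat profile makes relevant."""
    mit_cov = mitigation_coverage(controls)
    needed = {m for t in profile for m in TECHNIQUE_MITIGATIONS[t]}
    return {m: int(mit_cov.get(m, 0.0) * 100) for m in sorted(needed)}


def rate(score):
    """Assumed rating thresholds, not the methodology's own."""
    if score >= 0.5:
        return "High"
    if score >= 0.2:
        return "Medium"
    return "Low"


def build_findings(profile=THREAT_PROFILE, controls=CONTROL_MAP):
    """One finding per profiled technique, each carrying its full evidence chain."""
    mit_cov = mitigation_coverage(controls)
    findings = []
    for technique, likelihood in profile.items():
        chain = []
        for m in TECHNIQUE_MITIGATIONS[technique]:
            implementing = [(cid, c["verdict"]) for cid, c in controls.items()
                            if m in c["mitigations"]]
            chain.append({"mitigation": m, "controls": implementing,
                          "coverage": mit_cov.get(m, 0.0)})
        exposure = 1.0 - technique_coverage(technique, mit_cov)
        score = likelihood * exposure
        gaps = [link["mitigation"] for link in chain if link["coverage"] < 1.0]
        findings.append({
            "technique": technique,
            "likelihood": likelihood,          # from the threat profile
            "impact": exposure,                # from the coverage gaps
            "risk_score": round(score, 3),
            "rating": rate(score),
            "evidence_chain": chain,           # technique -> mitigation -> controls
            "remediation": [f"Close gap on {m}" for m in gaps],
        })
    return sorted(findings, key=lambda f: f["risk_score"], reverse=True)


def logging_gap(profile=THREAT_PROFILE, required=REQUIRED_LOG_SOURCES,
                logged=LOGGED_SOURCES):
    """What is needed vs. what is logged, per profiled technique."""
    return {t: sorted(required[t] - logged) for t in profile}


if __name__ == "__main__":
    for f in build_findings():
        print(f["technique"], f["rating"], f["risk_score"], f["remediation"])
    print(coverage_pct_by_mitigation())
    print(logging_gap())
```

With the constructed data, T1078 rates High because both of its mitigations are uncovered, T1566 rates Medium because only user training is partial, and T1486 drops to Low despite being in the profile because backups are fully covered; every rating can be read back to the specific control verdicts that produced it.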
Splunk Alert Triggers

Detection rules and correlation searches configured for the specific MITRE techniques identified in the threat profile. Each alert maps to a technique, a data source, and a response playbook — turning the threat profile into active defense.

  • Alert rules per profiled ATT&CK technique
  • Correlation searches for technique chaining
  • Threshold tuning based on environment baseline
  • Response playbook linkage per alert

Microsoft Teams Dashboards

Professional dashboards integrated into Microsoft Teams where stakeholders already work. Coverage status, risk heat maps, KRI trends, and remediation progress — all visible without logging into a separate tool.

  • Executive coverage dashboard (Level 1)
  • Risk heat map with drill-down to technique
  • KRI trend tracking with threshold alerts
  • Remediation progress by risk owner