Threat-Informed Risk Assessment

Define the organizational context, applicable regulations, and asset boundaries. Before any client data is received, a dedicated infrastructure environment is provisioned — isolated VPC, dedicated databases, and VPN-secured access. Client data is never commingled across engagements. Data handling protocols, sensitivity classifications, and AI processing boundaries are defined and agreed upon before technical work begins.

Identify and classify all organizational assets — data repositories, hardware, software, network infrastructure — by business criticality and sensitivity. This establishes what you are protecting before assessing what threatens it. Without a classified asset inventory, threat profiling is abstract and coverage analysis has no anchor.

Select the MITRE ATT&CK techniques most relevant to the organization based on industry vertical, size, geography, and known adversary targeting patterns. This profile becomes the foundation for likelihood — grounded in how adversaries actually operate, not subjective opinion.

Catalog the organization's existing controls against recognized control frameworks. Map each control to a standardized taxonomy so coverage can be measured consistently. The classified asset inventory from Stage 2 anchors every control to the assets it protects.

Map each control to the specific MITRE mitigations it addresses for each selected technique. Control test history validates whether the control actually works — a control that has not been tested in 18 months is weighted differently than one tested last quarter.

Rate coverage for each Response Guidance requirement using evidence-based verdicts: Covered, Partial, or No Coverage. Vulnerability scan results and penetration test findings validate whether controls are working in practice — not just documented on paper.

Derive likelihood from the threat profile — not from a committee vote or subjective scale. Active vulnerabilities from scans increase likelihood. SIEM data shows whether techniques are already being attempted against the organization. Likelihood is defensible because it traces to observed adversary behavior and real telemetry.

Determine impact based on what is exposed when coverage gaps exist. Business impact analysis data and asset criticality ratings quantify the consequence. If a technique succeeds because controls are missing or partial, what is the business, regulatory, and operational consequence?

Combine likelihood and impact to produce a risk score for each technique. Visualize across the full threat profile as a risk heat map. Every score traces back to the threat profile (likelihood) and coverage gaps (impact) — fully defensible, no opinion required.

Rank gaps by risk score, not by compliance order or alphabetical listing. The highest-risk gaps — where likelihood is high and coverage is weakest — get addressed first. This ensures remediation effort is directed where it reduces the most risk.

Design controls to close the highest-risk gaps. Each recommendation traces back to the specific MITRE mitigation it addresses, the gap it closes, and the risk it reduces. Assign owners, timelines, and success criteria.

Bundle the complete evidence chain — from threat profile through coverage analysis to risk ratings and remediation plans — into deliverables for the board, regulators, and audit committee. Every finding traces from adversary technique to control gap to business risk. Upon client acceptance, all engagement data is destroyed: the dedicated VPC is terminated, databases are purged, and all client artifacts are removed. A formal data destruction attestation is issued with timestamped CloudTrail evidence documenting every deletion. Physical media sanitization is covered by the cloud provider's SOC 2 and ISO 27001 controls.