Use Cyber risk quantification to better justify cyber investment

Optimise cyber return on investment using CyberQUANT®

Our cyber risk quantification engine included in HyperGRC™

Difficulty prioritising your cyber roadmap?

Leaders asking for ROI or risk buy down?

Need a framework for cyber risk based decision making?

Confidently understand and communicate your cyber risk in dollar value terms, talk in the language of the Board, and optimise return on investment, without worrying about engaging consultants, blindly following vendors, or relying on what worked well in the past.

Key Benefits

Talk the language of the Board

Better business leader engagement

Optimise cyber return on investment

Present ROI trade-offs for Investment decision

Demonstrate risk buy-down

Track threat, risk and control changes


HyperGRC™ brings together all the best practice methodologies for cyber risk quantification, including scenario planning, MITRE ATT&CK simulation, Open FAIR, and control analytics in a comprehensive toolkit for cyber security business decision making.

Scenario Library

Use the Scenario Builder in CyberQUANT® to define cyber risk scenarios based on actor types and their motivations, MITRE ATT&CK tactics and techniques, key data types, as well as their related critical IT Services. Promote awareness of your current crown jewels, their risk scenarios, and current threat environment. Maintain a history of projected and actual risk by scenario and assessment period, as well as the remediation options considered. Aggregate scenarios to the enterprise level to improve risk transparency and increase internal collaboration on remediation.

MITRE Analytics

Use our Machine Learning model of the top 100 threat actors and their MITRE ATT&CK framework success rates to estimate the vulnerability of an IT service, simulate various baskets of cyber security control improvements, and identify the top N next best improvements to make to reduce the likelihood of a cyber security breach. Use the current and projected vulnerability of the IT service to quantify the risk of each related scenario, and the buy-down associated with implementing the recommended improvements. Compare ROI of various combinations of those improvements.

A Full Implementation of Open FAIR

Quantify threat, risk and control assessments in order to demonstrate the return on investment of cyber security uplift and gain executive support. CyberQUANT® has a full implementation of Open FAIR, and can use the standard FAIR model, our model customised to cyber risk, or you can define your own. This gives the flexibility to use multiple approaches to modelling complex loss scenarios. By full implementation, we mean we aren't just a Monte Carlo simulator: we cover all the FAIR factors and distributions (Normal, Triangular, betaPERT, or step), and can also do up to 1 million Monte Carlo simulations. A spreadsheet with only 1,000 simulations will give 5% accuracy, leading to complicated business explanations each run. Use CyberQUANT® instead, to build confidence and trust with your leadership, insurers and other stakeholders.

What If Analysis

As well as being able to quantify cyber risk based on the current control environment, CyberQUANT® can work out what control changes to do next in order of priority (a what if analysis). You can do this in three ways - based on what you consider to be key controls, based on MITRE simulation, or based on control analytics.

Cyber Roadmap

Optimise the value of cyber security programs. Calculate the return on investment for different baskets of control improvements (investment decision making based on ROI trade-offs). Periodically assess the state of controls and quantify the level of risk buy-down achieved by your cyber program, to re-plan future changes.

How CyberQUANT® can help

Getting to risk quantification is a big challenge without CyberQUANT®. First you need to find someone that can do it, then there is no tool that can do the whole GRC and FAIR process and the what-if piece. That’s exactly what we do. With CyberQUANT®, you can record all IT services and suppliers and conduct cyber risk and control assessments on them, develop cyber risk scenarios against those services based on the MITRE ATT&CK framework, measure the risk using FAIR, and do what-ifs to work out the best return on investment from a risk buy-down perspective so you can prioritise it.

CyberQUANT® can help Chief Information Security Officers that have:

Difficulty justifying cyber investments

You may need to demonstrate a business ROI, prioritise cyber uplift projects, or assess the value of cyber insurance.

Risk Management Obligations

You may need to comply with regulatory requirements such as CPS 230 or SOCI that require risk scenario analysis.


CyberQUANT® can easily integrate to ERM and ITSM services using our CyberCOMPOSER™

CyberDESK® Front Door

CyberDESK® is our ML/AI-native multi-channel Digital Assistant that can use Natural Language Processing (NLP) to understand and navigate cyber governance processes. Rather than build yet another IT front door inside your GRC platform, CyberDESK® can streamline cyber intelligence gathering, and along with CyberCOMPOSER™ can navigate external stakeholders through cyber risk quantification processes with potentially zero clicks.

IT Service Management

CyberCOMPOSER™ can integrate CyberQUANT® with your IT Service Management (ITSM) such as ServiceNow or JIRA, PMO system such as Dynamics 365, or your business service desk system if it is different. You can set up cyber program phases, projects, work packages and deliverables in CyberCOMPOSER™ workflows®, have progress updated through JIRA, and be visible through MyRISK® or another cyber GRC acting as a cyber program single pane of glass.

Enterprise Risk Management

You don't need to have one or the other. With CyberQUANT® you can integrate quantified risk scenarios with your Enterprise Risk Management (ERM) system such as OpenPages or Protecht. You can record cyber security risks and controls in MyGRC™, quantify using CyberQUANT®, and then aggregate risk in your ERM or perform cyber risk quantification activities in CyberQUANT® and operational risk activities in your ERM and sync between the two.

CyberCOMPOSER™ Orchestration

CyberCOMPOSER™ is our ML/AI-native workflow hyper automation platform that can orchestrate disparate processes and technology. As well as being able to operate like a standalone risk quantification engine, with CyberCOMPOSER™ you can see all your threat, risk, control and loss assessment tasks to be done, and be automatically navigated to the appropriate screen. We are continually adding advanced AI to the risk quantification process.

MyRISK® Cyber Security GRC

MyRISK® is our core Cyber Security GRC module. As well as being able to operate like a standalone GRC platform, you can take suppliers, IT service details, and crown jewels from MyRISK® or another cyber GRC and use them in CyberQUANT® to quantify risk and prioritise risk remediation actions that can be then managed in MyRISK®, your IT Service Management System (ITSM) or separate GRC.

RESITEK™ Architecture

RESITEK™ is our highly secure and resilient data centric architecture entirely hosted in fully managed ML/AI-native Oracle Autonomous Database (ADB) services on Defence, Private or Public clouds. CyberQUANT® is an API enabled Machine Learning model entirely hosted in an Oracle Autonomous Database and run on demand in an Oracle EXADATA ML execution environment.

Experience CyberQUANT®

Talk in the language of the Board.


Define cyber risk scenarios based on threat actor types, MITRE ATT&CK TTPs, and crown jewels they may target.

Risk Factors

Capture FAIR risk factors either using consulting-led discovery or gleaned directly from industry and internal documentation.

MITRE Analytics

Simulate the universe of actors against an IT service, to determine vulnerability and next best control improvements.


Use FAIR or your own algorithm to quantify cyber risk and gain executive support for a cyber remediation program.

What If

Calculate notional aggregate value of each control across all scenarios and group together as projects to compare ROI.

Cyber Roadmap

Record cyber program phases, projects, work packages and deliverables and periodically measure risk buy-down.

More about Open FAIR

FAIR, or Factor Analysis of Information Risk, is an open international standard risk model that was developed specifically to enable quantified risk measurement. FAIR uses a stochastic calculation of the factors shown above, such as threat event frequency, primary and secondary loss event frequencies, as well as primary and secondary loss magnitudes. Each of the factors is a Monte Carlo simulation of either a normal, triangular, or betaPERT distribution (a form of smoothed triangular distribution). There is some debate on the benefits of the FAIR algorithm, which is well known and can be verified, versus proprietary models that may not be as transparent. In our experience, there is merit in using FAIR but adapting it to expand out Secondary Loss Event Frequency (at the bottom of the factor diagram) the same as Primary Loss Event Frequency (at the top of the diagram) into Threat Event Frequency and Vulnerability components. This allows for factoring in vulnerability in a secondary control such as BCP/DR that may only affect secondary loss. We built the capability in CyberQUANT® to define your own custom FAIR algorithm to allow for this, or even more complex permutations, such as a combined vulnerability or combined Loss Event Frequency.
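A worked illustration of the adaptation described above, added here as an example and not CyberQUANT® code: a Monte Carlo run over betaPERT factors in which Secondary Loss Event Frequency is expanded into a frequency and a vulnerability of a secondary control (BCP/DR). All estimates are constructed, the names are hypothetical, each iteration uses the simplified annualised form frequency × magnitude, and the way secondary LEF is decomposed is one assumed reading of the text.

```python
import random
import statistics

def pert(rng, low, mode, high, lam=4.0):
    """One betaPERT draw: a Beta distribution rescaled to [low, high]."""
    span = high - low
    a = 1 + lam * (mode - low) / span
    b = 1 + lam * (high - mode) / span
    return low + rng.betavariate(a, b) * span

def pert_mean(low, mode, high):
    """Analytic betaPERT mean, used to sanity-check the sampler."""
    return (low + 4 * mode + high) / 6

# Constructed (low, most likely, high) estimates for one scenario.
TEF = (0.5, 2, 6)                # threat events per year
VULN = (0.05, 0.2, 0.5)          # P(threat event becomes a primary loss event)
PLM = (50e3, 200e3, 1e6)         # primary loss magnitude, $
SLM = (100e3, 500e3, 3e6)        # secondary loss magnitude, $
BCP_CURRENT = (0.2, 0.5, 0.9)    # P(BCP/DR fails to contain a loss event)
BCP_IMPROVED = (0.05, 0.1, 0.3)  # same control after uplift

def simulate(secondary_vuln, n=50_000, seed=7):
    """Return (mean, 95th percentile) of simulated annual loss in dollars."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n):
        plef = pert(rng, *TEF) * pert(rng, *VULN)   # primary LEF = TEF x Vuln
        # Assumed reading of the adaptation: each primary loss event is the
        # threat event for secondary loss, so secondary LEF = PLEF x Vuln(BCP/DR).
        slef = plef * pert(rng, *secondary_vuln)
        losses.append(plef * pert(rng, *PLM) + slef * pert(rng, *SLM))
    losses.sort()
    return statistics.fmean(losses), losses[int(0.95 * n)]

def buy_down(n=50_000):
    """Reduction in mean annual loss from improving the secondary control."""
    return simulate(BCP_CURRENT, n)[0] - simulate(BCP_IMPROVED, n)[0]

if __name__ == "__main__":
    for label, est in (("current", BCP_CURRENT), ("improved", BCP_IMPROVED)):
        mean, p95 = simulate(est)
        print(f"{label:9s} mean ${mean:,.0f}  p95 ${p95:,.0f}")
    print(f"buy-down  ${buy_down():,.0f} per year")
```

Because the secondary control has its own vulnerability estimate, improving BCP/DR lowers only the secondary-loss term, which is the effect the standard single-percentage Secondary LEF cannot express.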

Learn more about Open FAIR and cyber risk quantification.

Try CyberQUANT® today

In the Press

HyperGRC™ Revolutionising Cyber with the World First Composable GRC

Press Release HyperGRC™ Revolutionising the Cyber Landscape with the World First Composable GRC Platform HyperGRC™ offers a composable architecture and free-tier GRC. Sydney, Australia – 7 May 2024 - HyperGRC™,

Australia’s Cyber Security Strategy

The Australian Cyber Security Strategy (2023-2030) process started with a Discussion Paper that sought views on measures to protect and enhance Australia’s cyber resilience. It asked 21 questions and received 330 submissions

HyperGRC™ presented at Oracle User Group

The MyRISK® Journey to develop HyperGRC™ was presented to the Australian Oracle User Group (AUSOUG) at their AUSOUG Connect 2023 one day event in Melbourne on 22 November 2023. The

HyperGRC™ showcased at CyberCON 2023

MyRISK® was proud to be a sponsor of the Australian Information Security Association's (AISA) annual Cyber Conference from 17-19 October in Melbourne, Australia. The southern hemisphere's largest cyber security conference,
