Questions

Frequently asked questions

Straight answers on scope, method, timing and what you walk away with. If your question is not here, ask it directly.

A threat risk assessment identifies what matters in your environment, models the threats that could affect it, and scores the resulting risk before and after the controls you have in place. The outcome is a ranked, defensible view of where your exposure really sits and what to do about it first.

Timing depends on scope. A single system or platform assessment usually runs a few weeks from kickoff to final report, while a programme or estate-wide assessment runs longer and has its phases scheduled during scoping. We agree the timeline before any work begins and we hold to it.

We need access to the people who understand the systems in scope, any architecture or data flow documentation you already hold, and a clear statement of the decision the assessment has to support. Where documentation is thin we fill the gaps through structured interviews, so a lack of paperwork is rarely a blocker.

A penetration test demonstrates that specific weaknesses can be exploited in practice, whereas a threat risk assessment sits earlier and reaches wider. It identifies what is at risk, models the threats against it, scores the exposure and shows you where to act first. The two complement each other, and we will tell you when a test would sharpen the picture.

We score likelihood and impact on a one to five scale, producing an inherent score before controls and a residual score once controls are accounted for. The scale is anchored to recognised baselines, so a score carries the same meaning across different systems and across repeat assessments.

Yes. Every assessment opens with an executive layer written for decision makers, free of jargon, with the choices and their consequences stated plainly. The technical detail sits behind it for the people who need it.

Yes. We are a Canadian practice and regularly align assessments to public sector and regulated-industry expectations in Canada, alongside the NIST and ISO frameworks the methodology already follows.

We can. Because every assessment uses the same scale and method, a follow-up shows movement clearly. Many organisations run an annual cycle so risk is tracked rather than rediscovered.

You own the report and the remediation roadmap outright. If the findings call for follow-on work in security, privacy or compliance, the wider Cyber Electra group can take it on, or your own team can run with the plan. There is no obligation to continue with us.

Still wondering?

Ask us anything we did not cover

We answer plainly and we answer quickly.

Get in touch