Services

Threat risk assessment, from first scope to final roadmap

Every engagement produces one clear, defensible report that your executives and your engineers can both work from. We assess what carries your real risk, model the threats against it, and score where you stand before and after the controls already in place.

The deliverable

One report, written for everyone who has to act on it

The assessment arrives as a single document with distinct layers. Leadership reads the executive summary and the ranked register, while technical teams work from the threat model, the scored findings and the control recommendations. A methodology trail runs underneath all of it, so any figure in the report can be traced back to how it was reached.

You receive the report in a format you can circulate internally, present to a board, or hand to an auditor without translation.

01

Executive summary

The risk picture and the decisions it points to, written in plain language for leadership.

02

Ranked risk register

Every finding ordered by inherent and residual score, with owners and priority assigned.

03

Threat model

Threats mapped with STRIDE and MITRE ATT&CK across each system in scope.

04

Control recommendations

Specific mitigations matched to the tools and processes already in place.

05

Remediation roadmap

A sequenced plan to close the gaps, with effort and timeline indicated.

How it works

A method we run the same way every time

Consistency is what makes a risk picture comparable from one year to the next, and from one system to another. Every assessment moves through the same six stages.

01

Asset identification

We map the systems, data and processes in scope and tie each one to the business value it carries, so the assessment stays anchored to what you actually need to protect.

Output: Scoped asset register tied to business value

02

Threat modelling

We work through how each asset could be attacked using STRIDE, then map the realistic threats to MITRE ATT&CK so the model reflects how adversaries operate in practice.

Output: STRIDE and ATT&CK threat catalogue

03

Vulnerability analysis

We connect concrete weaknesses to the threats that would exploit them, drawing on your environment rather than a generic scanner export.

Output: Weaknesses linked to each threat

04

Inherent risk scoring

We score likelihood and impact on a one to five scale to establish where the risk sits before any controls are taken into account.

Output: Pre-control risk scores on the 1 to 5 scale

05

Control mapping

We match recommended mitigations to the tools and processes you already run, so the plan builds on your existing investment wherever it can.

Output: Recommended controls mapped to your stack

06

Residual risk and roadmap

We re-score the risk with controls accounted for and set out a sequenced plan to close what remains, with effort and timeline indicated.

Output: Residual scores and a prioritised roadmap
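To make the scoring flow of stages 4 to 6 concrete, here is an added illustration in Python. It is not the consultancy's own tooling and not code from this page: the multiplicative combination of likelihood and impact, the model in which a control takes a stated number of points off likelihood or impact, the High/Medium/Low bands and the sample findings, assets, owners and controls are all assumptions constructed for the example. The ATT&CK technique identifiers are real technique numbers used only as labels.

```python
"""Added illustration of a scored, ranked risk register (not the page's
own tooling). Assumed model: inherent = likelihood x impact on the 1 to 5
scale; each control removes a stated number of points from likelihood
and/or impact; bands High/Medium/Low are thresholds chosen for this example."""
from dataclasses import dataclass, field
from typing import List

# STRIDE categories used to tag each threat (stage 2 of the method).
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Control:
    """A mitigation in place or recommended (stage 5); reductions are assumed."""
    name: str
    likelihood_reduction: int = 0  # points taken off likelihood
    impact_reduction: int = 0      # points taken off impact


@dataclass
class Finding:
    """One threat against one asset with its pre-control ratings (stages 1 to 4)."""
    asset: str
    threat: str
    stride: str             # single-letter STRIDE key
    attack_technique: str   # MITRE ATT&CK technique id, used as a label
    likelihood: int         # 1 to 5
    impact: int             # 1 to 5
    owner: str
    controls: List[Control] = field(default_factory=list)


def validate(f: Finding) -> None:
    """Reject ratings off the 1 to 5 scale or an unknown STRIDE category."""
    for name in ("likelihood", "impact"):
        value = getattr(f, name)
        if not 1 <= value <= 5:
            raise ValueError(f"{f.asset}: {name} {value} is outside the 1 to 5 scale")
    if f.stride not in STRIDE:
        raise ValueError(f"{f.asset}: unknown STRIDE category {f.stride!r}")


def clamp(value: int) -> int:
    """Keep a rating on the 1 to 5 scale after control reductions."""
    return max(1, min(5, value))


def inherent_score(f: Finding) -> int:
    """Stage 4: risk before any control is taken into account."""
    return f.likelihood * f.impact


def residual_score(f: Finding) -> int:
    """Stage 6: risk with the mapped controls accounted for."""
    likelihood = clamp(f.likelihood - sum(c.likelihood_reduction for c in f.controls))
    impact = clamp(f.impact - sum(c.impact_reduction for c in f.controls))
    return likelihood * impact


def rating(score: int) -> str:
    """Band a 1 to 25 score; the thresholds are an assumption for this example."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def ranked_register(findings: List[Finding]) -> List[dict]:
    """Build the ranked register: residual score first, inherent as tie-break."""
    rows = []
    for f in findings:
        validate(f)
        inh, res = inherent_score(f), residual_score(f)
        rows.append({
            "asset": f.asset, "threat": f.threat, "stride": STRIDE[f.stride],
            "technique": f.attack_technique, "owner": f.owner,
            "inherent": inh, "inherent_rating": rating(inh),
            "residual": res, "residual_rating": rating(res),
            "controls": [c.name for c in f.controls],
        })
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"], r["asset"]))
    for priority, row in enumerate(rows, start=1):
        row["priority"] = priority
    return rows


# Constructed sample findings: assets, ratings, owners and controls are invented.
SAMPLE_FINDINGS = [
    Finding("Customer portal", "Credential stuffing against login", "S", "T1078",
            4, 4, "Platform team", [Control("MFA on customer accounts", likelihood_reduction=2)]),
    Finding("Payments API", "Exploitation of an unpatched web framework", "E", "T1190",
            3, 5, "API team", [Control("Patch SLA", likelihood_reduction=1),
                               Control("WAF in blocking mode", likelihood_reduction=1)]),
    Finding("Backup server", "Ransomware encrypting backups", "T", "T1486",
            3, 5, "Infrastructure", [Control("Offline backup copy", impact_reduction=2)]),
    Finding("Audit log store", "Deletion of logs to hide activity", "R", "T1070",
            2, 3, "Security operations", []),
]

if __name__ == "__main__":
    for row in ranked_register(SAMPLE_FINDINGS):
        print(f'{row["priority"]}. {row["asset"]:<16} inherent {row["inherent"]:>2} '
              f'({row["inherent_rating"]})  residual {row["residual"]:>2} ({row["residual_rating"]})')
```

The ranking deliberately sorts on residual score first: two findings can share an inherent score of 15, yet the one whose existing controls only trim likelihood can still outrank the one whose controls cut impact, which is what the roadmap should reflect. Validation rejects any rating outside the 1 to 5 scale before scoring, so a typo in the register cannot silently distort the comparison across systems.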

Scope

Sized to the question in front of you

An assessment is scoped to the decision it needs to support, whether that sits at the level of a single system or across an entire estate.

System or platform

A focused assessment of one application, environment or vendor deployment. The right scope when a single decision is on the table.

Programme or estate

A broader review across multiple systems and shared services, with risk normalised so you can compare and prioritise across the whole.

Change or adoption

An assessment of a new tool, architecture or supplier before you commit, so you understand the residual risk and the conditions for accepting it.

Standards

Grounded in frameworks your auditors already recognise

We build on established, published standards so the assessment speaks the same language as your auditors, regulators and partners. The methodology draws on the following.

NIST SP 800-30

Guide for conducting risk assessments, and the backbone of how we score.

NIST SP 800-37

Risk Management Framework, which structures how risk is governed over time.

NIST SP 800-53

The security and privacy controls catalogue we map recommendations against.

NIST CSF 2.0

Cybersecurity Framework, which organises findings into functions leadership reads easily.

ISO/IEC 27005

Information security risk management, aligning the work to the ISO 27001 world.

STRIDE

A threat modelling method for categorising how a system can be attacked.

MITRE ATT&CK

Real-world adversary tactics and techniques that ground the threat model.

What you walk away with

Clear answers you can put to work

  • A ranked view of where your real exposure sits today
  • Inherent and residual scores on a single, consistent scale
  • A threat model mapped to STRIDE and MITRE ATT&CK
  • Control recommendations matched to your existing tools
  • A prioritised remediation roadmap with timelines
  • An executive summary your board can read without a briefing
  • Findings traceable back to their source and method
  • A baseline you can measure future assessments against

Questions

Common questions about an assessment

Timing depends on scope. A single system or platform assessment usually runs a few weeks from kickoff to final report, while a programme or estate-wide assessment runs longer and is scheduled during scoping. Whatever the size, we agree the timeline before any work begins and we hold to it.

We need access to the people who understand the systems in scope, any architecture or data flow documentation you already hold, and a clear statement of the decision the assessment has to support. Where documentation is thin we fill the gaps through structured interviews, so a lack of existing paperwork is rarely a blocker.

A penetration test demonstrates that specific weaknesses can be exploited in practice, whereas a threat risk assessment sits earlier and reaches wider. It identifies what is at risk, models the threats against it, scores the exposure and shows you where to act first. The two complement each other, and we will tell you when a test would sharpen the picture.

We score likelihood and impact on a one to five scale, producing an inherent score before controls and a residual score once controls are accounted for. The scale is anchored to recognised baselines, so a score carries the same meaning across different systems and across repeat assessments.

Yes. We are a Canadian practice and regularly align assessments to public sector and regulated-industry expectations in Canada, alongside the NIST and ISO frameworks the methodology already follows.

You own the report and the remediation roadmap outright. If the findings call for follow-on work in security, privacy or compliance, the wider Cyber Electra group can take it on, or your own team can run with the plan. There is no obligation to continue with us.

Get started

Start with the decision you need to make

Tell us what you are weighing up and the timeline you are working to, and we will come back with a scope, an approach and a quote.

Request an assessment