Page 1 of 2

Assess Your Breach Risk

Answer 20 technical questions to evaluate your organization's exposure to real-world attack paths.

Which industry best represents your primary operations?

A

Financial Services

B

Healthcare

C

Government

D

SaaS / Technology

E

E-commerce / Retail

F

Manufacturing

G

Other

Where is multi-factor authentication NOT consistently enforced?

*

Where is multi-factor authentication NOT consistently enforced?

A

MFA enforced everywhere

B

Minor gaps (legacy systems)

C

Not enforced for service accounts

D

Not enforced for admin accounts

E

Partially deployed

F

No MFA

How is your identity provider secured?

*

How is your identity provider secured?

A

Conditional access + device trust + session controls

B

Strong policies with minor gaps

C

Basic MFA-only protection

D

Limited controls

E

No centralized identity security

How are privileged/admin accounts managed?

*

How are privileged/admin accounts managed?

A

PAM + just-in-time access + monitored

B

Dedicated accounts, well controlled

C

Separate accounts but weak monitoring

D

Admin used for daily work

E

No separation

How are service accounts and secrets managed?

*

How are service accounts and secrets managed?

A

Vault-based, rotated, least privilege

B

Managed but rotation inconsistent

C

Static credentials with monitoring

D

Hardcoded/shared credentials

E

Unknown/unmanaged

How do you detect and prevent session/token abuse?

*

How do you detect and prevent session/token abuse?

A

Real-time detection + automatic revocation

B

Monitoring with partial automation

C

Logs exist but limited detection

D

Minimal visibility

E

No controls

What is the coverage level of your EDR/XDR solution?

*

What is the coverage level of your EDR/XDR solution?

A

Full coverage, enforced, monitored

B

Mostly covered with some gaps

C

Deployed but not tuned

D

Critical assets only

E

No EDR

What is your endpoint security baseline?

*

What is your endpoint security baseline?

A

Hardened and enforced (CIS/MDM policies)

B

Standard baseline with minor gaps

C

Inconsistent configurations

D

Minimal controls

E

No baseline

What is your remediation window for critical vulnerabilities (CVSS 9–10)?

*

What is your remediation window for critical vulnerabilities (CVSS 9–10)?

A

< 24 hours

B

1–3 days

C

Within 7 days

D

Within 30 days

E

30 days / inconsistent

How complete is your asset visibility?

*

How complete is your asset visibility?

A

Real-time, continuously updated inventory

B

Mostly complete

C

Periodic/manual tracking

D

Incomplete visibility

E

Unknown assets common

How is lateral movement restricted?

*

How is lateral movement restricted?

A

Strong segmentation + identity-aware controls

B

Network segmentation enforced

C

Limited segmentation

D

Flat network with monitoring

E

No segmentation

How well do you understand your external exposure?

*

How well do you understand your external exposure?

A

Continuous ASM/EASM monitoring

B

Regularly reviewed

C

Periodic manual checks

D

Limited visibility

E

Unknown

How quickly would you detect a compromised endpoint or account?

*

How quickly would you detect a compromised endpoint or account?

A

Within minutes

B

Within 24 hours

C

Within 72 hours

D

After user/external alert

E

Unknown/inconsistent

What detection stack is in place?

*

What detection stack is in place?

A

SIEM + behavioral analytics + threat intel

B

SIEM with alerting

C

Basic alerting tools

D

Limited detection

E

No centralized detection

What level of logging visibility do you have?

*

What level of logging visibility do you have?

A

Centralized + real-time alerting across systems

B

Centralized but partial coverage

C

Logs exist but not monitored

D

Fragmented visibility

E

No reliable logging

How long are logs retained?

*

How long are logs retained?

A

>12 months

B

6–12 months

C

3–6 months

D

<3 months

E

Not retained

How is application security managed?

*

How is application security managed?

A

Secure SDLC + SAST/DAST + dependency scanning

B

Regular testing

C

Occasional reviews

D

Minimal controls

E

No AppSec

How is sensitive data access managed?

*

How is sensitive data access managed?

A

Least privilege + continuous monitoring

B

Role-based access

C

Some controls

D

Broad access

E

No control

Do you have an incident response capability?

*

Do you have an incident response capability?

A

Tested regularly (tabletops/simulations)

B

Documented + partially tested

C

Documented only

D

Informal

E

None

What is your recovery capability?

*

What is your recovery capability?

A

Immutable backups + regularly tested + isolated

B

Regular backups + tested occasionally

C

Backups exist but rarely tested

D

Inconsistent backups

E

No reliable backups