Checklists, calculators, generators and simulations — built from the same practitioner experience behind our advisory work. Most show results instantly; a few offer a free PDF if you'd like a copy emailed to you.
10 questions on backups, segmentation and response — score plus a downloadable PDF gap list.
Start checklist →

The controls insurers actually look for — MFA, backups, EDR — scored against typical underwriting questions.
Start checklist →

A fast gut-check on how your personal-data handling stacks up against the Digital Personal Data Protection Act.
Start checklist →

A narrower, identity-focused cousin of the SOC-CMM assessment — eight questions on access control maturity.
Start checklist →

Our flagship 15-question, 5-domain assessment with instant gauge scoring.
Start assessment →

Already have a SOC-CMM score? See how it compares to illustrative ranges for your industry.
Compare your score →

Enter your detection time, get the exact six-hour cutoff and a who-to-call checklist.
Calculate deadline →

Industry and record count in, a rough breach-cost range out — useful for budget conversations.
Estimate cost →

Alert volume and coverage hours in, an estimated analyst headcount for 24x7 coverage out.
Calculate staffing →

Pick your industry, get a tailored third-party security questionnaire to send to vendors.
Build questionnaire →

Fill in your roles and names, get a printable escalation tree for the wall.
Build contact tree →

Pick which policies you need, get downloadable starter outlines for each.
Build policy pack →

Choose your industry and top concern, get a free scenario script to run with your team.
Pick a scenario →

A realistic inbox view — click the parts of the email that gave the scam away.
Try the demo →

Side-by-side real vs. spoofed login pages — find the tells before you'd type a password.
Try the demo →

A simulated "IT support" call transcript — pick your responses and see what gave the scam away.
Try the demo →

Everything here is free and built by practitioners. If there's a gap, let us know.

SPF, DKIM and DMARC analyzed instantly — see how easy it'd be to spoof email from your domain.
Check your domain →

Generates likely typosquat variants of your domain and checks which ones are actually registered.
Check for lookalikes →

See exactly when any domain was registered — a brand-new domain is a classic scam signal.
Check domain age →

Vulnerabilities CISA confirms are actively being exploited right now — not just theoretical CVEs.
View live feed →

Watches Certificate Transparency logs in real time for newly-issued lookalike-brand certificates.
View live feed →

Real, recently-reported malicious IPs, geolocated and visualised — refreshed hourly.
View map →

Paste raw headers, get SPF/DKIM/DMARC results and the server hop path — parsed entirely in your browser.
Analyze headers →

Paste your package.json or requirements.txt, checked against Google's free OSV.dev database.
Check dependencies →

Searchable reference of common ports, what runs on them, and why each one matters.
Search ports →

Live, real-time browser exposure demo — see your own fingerprint surface, no login required.
See your exposure →

Drag the stages of a cyber attack into the correct order — a quick game, not just a quiz.
Play now →

A real three-clue capture-the-flag challenge hidden in page source, HTTP headers, and cookies.
Start the challenge →