Interactive tools
Interactive tools.
Four tools built from the numbers we see inside real engagements. Run them in your browser (nothing leaves your device unless you request the emailed report on the security scan). Use them to sanity-check a vendor quote, a readiness claim, a scoping decision, or your own external security posture before you commit budget.
Assessment
Free AI Risk Score
Five-minute self-assessment for US organizations classifying your AI usage against Colorado AI Act high-risk categories, NYC LL144, CA AB 2013, and NIST AI RMF governance maturity. Branded report with citation-anchored recommendations, sector-specific compliance overlays (HIPAA, SR 11-7, CMMC), and a 90-day execution roadmap.
Calculator
Cost of Getting Hit
Cyber incident calculator for US owners and operators. Estimates the total exposure range, out-of-pocket cost after insurance, and recovery time for a ransomware or BEC incident in your industry. Calibrated against IBM Cost of a Data Breach, Verizon DBIR, and Sophos State of Ransomware benchmarks.
Assessment
Are You Ready?
Honest cyber readiness self-assessment for US owners. Answer a short series of questions about your controls, response posture, and recovery plan. Produces a readiness verdict, a personalized 5-step playbook, and question-by-question coaching you can re-run as a baseline.
Calculator
MSSP TCO Calculator
Build vs. buy for security operations. 3-year TCO comparing in-house SOC against managed MDR with analyst loaded cost, tooling, training, and turnover math most spreadsheets skip.
Assessment
CMMC Level 2 Readiness Quiz
Twenty-question self-assessment across the 14 NIST SP 800-171 control families. Produces a score, a gap list, and a next-step recommendation tied to where you land.
Analyzer
PCI Scope Reduction Analyzer
Map your payment architecture to the scope reduction techniques that actually move the needle: tokenization, P2PE, iframe redirection, segmentation, outsourced processing.
Scanner
Free Security Scan
Enter your domain and we run a 60-second external audit: registrar, DNSSEC, SPF/DKIM/DMARC, BIMI, MTA-STS, subdomains, TLS, security headers, cookie flags, and IP reputation. Full report lands in your inbox.
Why we publish these
Most vendor calculators are marketing dressed as math. The numbers are set to make the vendor look cheaper, the assumptions are hidden two layers deep, and the output is a PDF that lands in procurement with no audit trail. That is not useful. The tools on this page run entirely in your browser, show their work, and use default cost ranges drawn from engagements we actually priced and delivered. You can change every input. Nothing is sent to us unless you decide to start a conversation about the output.
The other reason these exist is that we get asked the same three questions every week: in-house SOC vs. MDR, CMMC and AI governance readiness, and PCI scope. Writing the answer once in a tool that anyone can run is more honest than charging a retainer to answer it again in a slide deck.
How to use the output
Treat every number as directional. A TCO calculator cannot see your specific contract terms, your specific ramp curve, or the political cost of a failed in-house build. A readiness quiz cannot substitute for a gap assessment against documented evidence. A scope analyzer cannot replace a QSA review of your actual network diagram. What these tools do is get you to a shared starting point with whoever signs the check, so the next conversation is about the gap between the estimate and reality rather than starting from scratch.
If you want to pressure-test the output against your environment, the button at the bottom of every tool routes to a 30-minute working session with one of our engineers. No deck, no discovery call template (the tool output is the discovery). Indicative managed-services pricing is published if you want to translate tool output to a budget conversation before the call.
What the tools do not do
None of these produce a procurement-grade number on their own. The TCO model does not price in-kind contributions (office space, shared IT overhead, benefits load variance by geography). The CMMC quiz does not produce an SSP or POA&M. The PCI analyzer does not substitute for a QSA ROC or a SAQ-D self-assessment. They are decision aids for the first conversation, not the last one. If a vendor hands you a single-page calculator output and tells you the procurement decision is done, that is the signal to ask a harder question. For real engagements see our case studies and the US AI Vendor Governance Index.
Where to take this further
From estimate to engagement
Services overview
Managed IT + 24/7 SOC + AI Governance
Three core disciplines plus a specialized AI program — under one SLA. Browse the catalog or jump straight to MDR, vCISO, SIEM, or AI Governance.
OpenPricing
Indicative managed-services bands
Per-user and flat-fee bands for Core IT, Secure Operations, Fortress SOC, AI Risk Audit, and AI Governance tiers — published before you book.
OpenCase studies
Real engagements, real outcomes
Manufacturing CMMC Level 2, financial services SOC 2 audit, healthcare HIPAA + SOC migration, retail 140-location uptime, BEC fraud recovery.
OpenResearch
US AI Vendor Governance Index
Quarterly public scorecard of 30+ AI vendors against Colorado AI Act, NIST AI RMF, HHS-OCR Section 1557, FRB SR 11-7, and CMMC criteria.
OpenWhy EFROS
Cybersecurity-first MSP vs the typical MSP
What "we run your risk, not your tickets" actually looks like in the operating model, the runbooks, and the quarterly business review.
OpenBook a call
30-min working session
Bring your tool output. A senior engineer walks through it with you, pressure-tests the assumptions, and tells you what the next step actually is.
Open