Quantification

cVaR

Risk registers rank. cVaR prices.


The problem

High is not a number

A risk register tells you a threat is High. It does not tell you whether High means €50,000 or €50,000,000. DORA RTS Article 8 requires ICT risk expressed in monetary terms, and most organisations cannot.

Risk heatmap by business unit — annualised financial exposure in EUR, from IT Operations €4.2M to Customer Portal €12.4M

What it does

Cyber value-at-risk, computed with FAIR

cVaR applies the FAIR method to your full asset inventory, modelling loss frequency and magnitude and running Monte-Carlo simulation across thousands of trials to produce a loss-exceedance curve. You read value-at-risk at the 95th and 99th percentile, conditional VaR and expected annual loss.

VaR analysis — loss exceedance curves showing value of controls in monetary terms: SWIFT fraud risk reduced from €29M to €0.5M after 2FA and SoD
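An added example, not code from the original page or from the cVaR product: a FAIR-style Monte-Carlo run for one scenario, producing expected annual loss, VaR at the 95th and 99th percentile, conditional VaR and points on the loss-exceedance curve. It assumes Poisson loss-event frequency and lognormal loss magnitude calibrated from a 90% confidence interval; the function names and scenario figures are constructed for illustration.

```python
import bisect
import math
import random

Z90 = 1.6449  # z-score bounding a two-sided 90% confidence interval

def lognormal_from_ci(low, high):
    """(mu, sigma) of the lognormal whose 5th/95th percentiles are low/high."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def simulate_annual_losses(freq, mag_low, mag_high, trials=20000, seed=1):
    """Sorted annual losses: Poisson event count, lognormal loss per event."""
    rng = random.Random(seed)
    mu, sigma = lognormal_from_ci(mag_low, mag_high)
    losses = []
    for _ in range(trials):
        total, t = 0.0, rng.expovariate(freq)
        while t < 1.0:  # exponential gaps between events give a Poisson count
            total += rng.lognormvariate(mu, sigma)
            t += rng.expovariate(freq)
        losses.append(total)
    return sorted(losses)

def percentile(sorted_losses, p):
    n = len(sorted_losses)
    return sorted_losses[min(n - 1, math.ceil(p * n) - 1)]

def risk_metrics(sorted_losses):
    var99 = percentile(sorted_losses, 0.99)
    tail = [x for x in sorted_losses if x >= var99]  # years at or beyond VaR99
    return {"eal": sum(sorted_losses) / len(sorted_losses),
            "var95": percentile(sorted_losses, 0.95),
            "var99": var99,
            "cvar99": sum(tail) / len(tail)}

def exceedance_probability(sorted_losses, threshold):
    """One point on the loss-exceedance curve: P(annual loss > threshold)."""
    n = len(sorted_losses)
    return (n - bisect.bisect_right(sorted_losses, threshold)) / n

if __name__ == "__main__":
    # Constructed scenario: EUR 100k-5M per event (90% CI); 0.5 events/yr, 0.1 after a control
    for label, freq in (("before", 0.5), ("after", 0.1)):
        losses = simulate_annual_losses(freq, 100_000, 5_000_000)
        m = risk_metrics(losses)
        print(label, {k: round(v) for k, v in m.items()},
              "P(loss > 1M) =", exceedance_probability(losses, 1_000_000))
```

Running the same scenario with a lower event frequency shows the value of a control as the gap between the two sets of metrics.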

What cVaR reads

Full asset inventory, live

cVaR ingests asset inventory from your CMDB, discovery agent output, or NetDiagramer graph. Criticality, compliance status, cloud location and topology feed directly into the risk model — ensuring every scenario reflects your actual estate, not a sample.

Live asset inventory — 743K assets with criticality, compliance status and topology across cloud, on-premise and third-party

What cVaR reads

cVaR ingests asset inventory from your CMDB, discovery agent output, or NetDiagramer graph. It reads your existing vulnerability data, threat intelligence feeds, and historical incident records where available. Metrology — the calibrated estimates for frequency and magnitude — can be drawn from CCI's sector-specific reference data or from your own loss history.

Agent-less edition

The current edition requires inventory input. An agent-less edition is in development: it will infer asset scope and exposure from network discovery alone, without requiring a populated CMDB. Customers already waiting for this edition can register interest on the contact page.

Why FAIR

FAIR is the only open international standard for cyber risk quantification (Open FAIR Body of Knowledge 2.0, The Open Group). It has been adopted as the quantitative method of reference in DORA RTS, NIST CSF 2.0 and ISO 27005:2022. It produces results that satisfy regulatory scrutiny in a way that proprietary scoring models do not.

cVaR Risk Platform — executive welcome screen with full navigation and live KPIs
The cVaR Risk Platform — quantitative cyber risk management for 500+ enterprise clients across 190+ countries.

Frameworks addressed

FAIR, DORA, DORA RTS, ISO 27005, NIST CSF

Related products

Finance resilience

DORA-MAST

Models operational resilience and computes financial loss for DORA-regulated entities — built on the same FAIR + Monte Carlo engine as cVaR.

Visibility

NetDiagramer

Generates 3D architecture graphs from your live inventory — the same inventory cVaR reads for asset scope and topology.

Every product is field-tested