PROOF · NOT A BROCHURE

Real shapes. Real engagements. Anonymised numbers.

Eight charts below. Every shape was drawn from a real piece of work, Telefónica DSI program, Sixt risk quantification, third-party risk patterns, internal maturity scoring. Numbers are anonymised so we can show the work without naming clients.

No AI-generated imagery on this site. Every chart is hand-rendered SVG, drawn from real data structures.

01

Loss exceedance curve (LEC)

A$100KA$1MA$10MA$100M 0.1%1%10%100% LOSS SIZE · AUD (LOG SCALE) ANNUAL EXCEEDANCE PROBABILITY

Source. Pattern from FAIR / Cyber Doppler quantification engagements (TEF DSI, Sixt Risk P&L). Real curve shape, characteristic log-log decreasing slope with mid-range knee. AUD amounts illustrative.

02

Residual risk waterfall

0M25M50M75M100M 100M Inherent risk −45M Existing controls −20M IAM hardening −10M Vendor SOC 2 verification −7M Detection improvements 18M Residual exposure EXPOSURE · AUD M (ILLUSTRATIVE)

Source. Pattern from TEF v7 'Path to Green' board exhibit. Real category structure, inherent risk → existing controls → planned controls → residual. Values anonymised.

03

Risk appetite cascade

Board · enterprise total 78M / 100M Executive committee 65M / 80M Customer-facing BU 28M / 35M Internal services BU 32M / 25M ⚠ Critical vendor cluster 12M / 15M Tier-1 asset class 7M / 10M █ actual exposure ▒ appetite envelope ⚠ exceeds appetite

Source. Pattern from TEF v7. Real hierarchy, board appetite cascades to executive, business unit, asset class. Each level shows actual exposure vs appetite envelope. Values anonymised.

04

Composite posture score breakdown

Composite score · 6.4 / 10 02.557.510 Coverage 7.2 w 20% Control effectiveness 6.5 w 20% Operational maturity 6.1 w 20% Detection / response ops 6.4 w 20% Quantified risk reduction 6.0 w 20%

Source. Pattern from TEF Master Tracker. Real composite-scoring structure (DSI 6.4 = weighted sum of coverage / effectiveness / maturity / operations / risk reduction). Component values illustrative.

05

CMDB transparency · working assets vs raw inventory

RAW INVENTORY · OBSERVED 428,157 objects across discovery feeds, scanners, agents, and import jobs WORKING POPULATION · MODELLED 78,553 unmodelled · 349,604 COVERAGE 18.3% The gap is what every CISO is judged on, and what most boards never see.

Source. Pattern from TEF v6 CMDB transparency tile. Real structure, total raw inventory minus duplicates / decommissioned / out-of-scope yields working population. The unmodelled gap is what keeps every CISO awake.

06

Vendor risk heatmap

IdentityDataNetworkAppSecBCDR Vendor AVendor BVendor CVendor DVendor EVendor FVendor GVendor H LLLMLLLMLMLLHMLML cleanminor (L)material (M)critical (H)

Source. Pattern from third-party risk management work, vendors × control areas, color by residual risk after evidence review. Vendor names anonymised. Cell colors reflect realistic distribution (most vendors green, a few amber, rare red).

07

Object graph · third-party assessment lineage

Vendor Profile SOC 2 Type II Report Pentest Findings Compensating Controls Control Owner Regulation SOC 2 / GDPR Internal Policy Risk Score Third-Party Assessment Each node carries provenance + timestamp + decision context. Drill-in retrievable on demand.

Source. Pattern from the Mosaical AI platform's typed graph. Real entity types (Vendor, SOC 2 Report, Pentest, Policy, Regulation, Control Owner, Risk Score). Generic IDs.

08

Maturity radar · 12 cybersecurity domains

IAMAppSecCloudDataNetworkDetectRespondVuln MgmtThird-PartyPrivacyBCDRGovernance █ current ┄ target (3.5) 4-level maturity scale · 1 ad-hoc · 2 repeatable · 3 defined · 4 optimised

Source. Pattern from in-house cybersecurity maturity assessment (4-level model across 12 domains). Real domain set used in CISO advisory. Current vs target band. Scores illustrative.

What you see here is what you'll see in your engagement.

Same chart shapes. Different data, yours. Anonymised when shared externally, retrievable internally with full lineage.

Commission the 48-hour prototype →