Cyber Security Risk Assessment Tool: where is your organisation most exposed right now?
Free cyber security risk assessment tool. Score your exposure across identity, endpoints, network and data. Instant risk report with prioritised actions.
A cyber security risk assessment is a structured way of identifying what could harm your organisation digitally, how likely it is, and how much it would hurt, so you can decide what to fix first. Recognised methods such as ISO/IEC 27005:2022 and NIST SP 800-30 set out how to do this rigorously. This free tool gives you a fast, scored starting view across seven domains.
This tool is an honest self-assessment that scores your posture and points to your weakest areas. It is a board-ready signal and a useful starting artefact, but it is not a formal risk assessment, audit or certification, and it does not replace one. A real assessment looks at your specific assets, threats and context in depth.
Yes. The seven domains and 21 questions work as a plain-language checklist of the controls that matter most, mapped to NCSC, ISO, NIST and CIS guidance. Many organisations use the output to frame their first proper risk assessment or to brief a board.
The structure draws on the NCSC 10 Steps to Cyber Security, ISO/IEC 27005:2022 and NIST SP 800-30 (risk assessment method), the NIST Cybersecurity Framework 2.0 (Govern, Identify, Protect, Detect, Respond, Recover), the CIS Critical Security Controls v8.1, and Cyber Essentials control areas. Sources are listed in the methodology note below.
Each of the 21 questions scores from 1 (worst) to 4 (best). We take your total, subtract the minimum possible, and scale the result to a true 0 to 100 with no hidden floor, so the lowest answers genuinely score 0 and the strongest genuinely score 100. Each domain is scored the same way so you can see your weakest areas.
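The scoring rule above, worked through as an added example; this is illustrative code written for this page, not the tool's own implementation. It assumes seven domains of three questions each (21 in total), treats a "not sure" answer as the bottom score, and reports the two weakest domains. The page names four domains (identity, endpoints, network, data); the other three domain names in the sample, and all the sample answers, are constructed placeholders.

```python
from typing import Dict, List, Optional, Tuple

WORST = 1  # lowest answer; "not sure" also lands here
BEST = 4   # highest answer


def normalise(answers: List[Optional[int]]) -> List[int]:
    """Map each answer to 1..4. None means "not sure" and scores at the bottom,
    because a control you cannot evidence is one you cannot rely on."""
    points = []
    for a in answers:
        if a is None:
            points.append(WORST)
        elif WORST <= a <= BEST:
            points.append(a)
        else:
            raise ValueError(f"answer out of range: {a!r}")
    return points


def scale(points: List[int]) -> float:
    """Subtract the minimum possible total and scale to a true 0..100.
    All-worst answers score exactly 0, all-best exactly 100, no hidden floor."""
    n = len(points)
    lo, hi = n * WORST, n * BEST
    return round((sum(points) - lo) / (hi - lo) * 100, 1)


def score(assessment: Dict[str, List[Optional[int]]]) -> Tuple[float, Dict[str, float], List[str]]:
    """Return (overall score, per-domain scores, two weakest domain names).
    Each domain is scaled the same way as the overall total."""
    domain_scores = {d: scale(normalise(a)) for d, a in assessment.items()}
    overall = scale([p for a in assessment.values() for p in normalise(a)])
    # Lowest score first; ties broken by name so the result is deterministic.
    weakest = sorted(domain_scores, key=lambda d: (domain_scores[d], d))[:2]
    return overall, domain_scores, weakest


# Constructed sample: 7 domains x 3 questions. The last three domain names are
# placeholders, not the tool's real domain labels. None = "not sure".
SAMPLE: Dict[str, List[Optional[int]]] = {
    "identity": [4, 4, 3],
    "endpoints": [2, None, 1],
    "network": [3, 3, 3],
    "data": [2, 2, 3],
    "governance_placeholder": [1, 1, 1],
    "backup_placeholder": [4, 4, 4],
    "detection_placeholder": [2, 3, 2],
}

if __name__ == "__main__":
    overall, by_domain, weakest = score(SAMPLE)
    print(f"overall: {overall}")
    for domain, s in sorted(by_domain.items(), key=lambda kv: kv[1]):
        print(f"  {domain:<24} {s:>5}")
    print(f"brief the board on: {', '.join(weakest)}")
```

Two checks worth keeping: the all-worst and all-best answer sets must come out at exactly 0 and 100 (that is what "no hidden floor" means), and a "not sure" answer must move the score down, not be ignored.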
No. The questions are written for business leaders, trustees and managers in plain English. If you genuinely do not know an answer, choose the not sure option, which scores at the bottom, because a control you cannot evidence is one you cannot rely on.
About eight minutes. You can answer from what you know; you do not need to gather evidence first. The value is in seeing where the gaps are.
We ask for your details so we can send your results and relevant follow-up, and we block personal email domains to keep this for organisations. We do not sell or share your details. You can opt out at any time. See our privacy policy.
No. Starkhorn is an independent advisory consultancy. We do not certify, insure, or sell tooling, and we take no commission, so the assessment and any review are about what is right for you, not what we are selling.
Use the score and your two weakest domains to brief your board and prioritise. If you want to turn it into a costed, sequenced plan, book a security review through our virtual CISO service, which examines your specific context rather than a generic checklist.