Ransomware Readiness Assessment: how fast could you recover from an attack?
Get your instant ransomware readiness score. Free assessment covering backups, endpoint protection, network segmentation and incident response in 5 minutes.
A structured self-check of the controls that decide whether a ransomware attack is a contained incident or a crisis: recoverable backups, network segmentation, endpoint detection, privileged access, a tested incident response plan, and your ability to handle data theft. This free version scores your answers 0 to 100 and names your weakest areas.
NCSC's Mitigating malware and ransomware attacks guidance and Ransomware-resistant backups principles, the CISA, FBI and partner #StopRansomware Guide, and the ICO's Ransomware and data protection compliance guidance, cross-referenced to CIS Controls v8.1 and the NIST Cybersecurity Framework 2.0.
About five to seven minutes. Twenty-one plain questions, no technical knowledge required.
Because modern ransomware steals before it encrypts. Google Threat Intelligence Group (GTIG, formerly Mandiant) found confirmed or suspected data theft in 77% of the ransomware intrusions it responded to in 2025, up from 57% the year before, and NCSC notes that backup resilience does not protect against data being stolen and used for extortion. Good backups get you running again; they do nothing about what was taken.
Backups are essential but no longer sufficient. They address encryption, not theft, and only if they are immutable, offline and tested. NCSC warns that attackers target backups early in an attack, so an online, deletable backup may not survive the incident it is meant to cover.
No. This is a self-assessment based on your own answers. A strong score means your stated controls align with NCSC and CISA priorities. It does not verify those controls are correctly implemented, which is what an independent review, a restore exercise or a penetration test would do.
Yes. 43% of UK businesses and 28% of charities reported a breach or attack last year, and smaller organisations are the least likely to have a formal incident response plan (21% of the smallest firms, against 76% of large ones). The assessment is written for boards and leaders, not specialists.
No. Starkhorn is an independent consultancy. We sell advisory only. We do not sell tooling, cyber insurance or certification, and we do not take any broker or vendor commission, so the gaps we name are the gaps you actually have.
Take it to your board or leadership as a baseline, fix your two lowest-scoring areas first, then validate with a real restore test and a tabletop exercise. The on-screen next steps tell you where to start.
No. It is a starting artefact and a board-ready signal. It does not replace certification, a security audit, a penetration test, an insurer's questionnaire or legal advice on your specific notification obligations.