Risk Heatmap: App Family vs Tiering Cross-tabulation of average RPN scores by App Family (Managed By Group) and Tiering level. Darker red cells indicate higher risk combinations requiring attention.

Risk Heatmap: Vendor vs Tiering Cross-tabulation of average RPN scores by Vendor and Tiering level. Identifies which vendor relationships may pose elevated risk, especially for critical tier applications.

Vendor Risk Assessment

Comprehensive vendor risk scoring to support procurement and contract renewal decisions. Grades are based on average RPN, Tier 1 exposure, data sensitivity, and improvement trends. Use this for vendor selection, contract negotiations, and consolidation decisions. Vendor selection and contract decision support

Highest Risk First Lowest Risk First Most Apps First Most Tier 1 First Alphabetical All Vendors 3+ Apps 5+ Apps 10+ Apps

A/B: Recommend C: Caution D/F: Avoid

Vendor	Grade	Risk Score	Apps	Tier 1	PHI/PCI	Avg RPN	Top Risk Factors	Recommendation

Talking Points for Executive Discussions:

Business Application Family Risk

Risk summary by business application family. Helps business leaders understand the security posture of their application portfolios and identify areas needing investment. Business-centric risk view

Highest Risk First Lowest Risk First Most Apps First Most Improvement Potential

Business App Family	APMs	Avg RPN	Highest RPN	Improvement	Tier Distribution	Risk Level

Risk Concentration Analysis

Identifies concentration risk - where too much critical infrastructure depends on a single vendor, pillar, or platform. Helps identify single points of failure and diversification opportunities. Single points of failure

Vendor Concentration

IS Pillar Concentration

Platform Risk

Risk Analytics

Comprehensive analytics on RPN component metrics including radar profiles, distribution charts, coverage matrices, portfolio comparisons, and improvement impact analysis. Use for data-driven security investment decisions. Deep dive into RPN component metrics

RPN Component Risk Profile Radar chart displaying average scores for each RPN component metric. Points closer to the edge indicate higher risk. Compare organization baseline vs filtered selection to identify component-level gaps.

Average scores by component (higher = more risk)

Severity Exposure Probability

Risk Score Distribution by Component Stacked bar chart showing how many applications fall into low/medium/high risk for each RPN component. Components with more red indicate widespread gaps that need program-level remediation.

How many apps at each risk level per metric

Low (1-3) Medium (4-6) High (7-8) Critical (9-10)

Security Tools & Controls Deployment rates for security tools (CrowdStrike EDR, Rapid7 vulnerability scanning) and security controls (SSO authentication, PAM vaulted accounts, backup status). Green = covered/enabled, red = gaps requiring remediation.

Security tools deployment and control adoption status

Security Tools

Security Controls

Portfolio Risk Comparison Grouped bar chart comparing portfolios/App Families by application count and average RPN score. Identifies which business units have the largest attack surface and highest risk concentration.

Top 10 portfolios by application count

By App Count By Avg RPN By Improvement Top 10 Top 15 Top 20

Avg RPN Severity Exposure Probability

Improvement Impact Analysis Waterfall chart showing how much the organization's average RPN could be reduced by addressing each remediation category. Prioritize categories with the largest green bars for maximum risk reduction.

Potential RPN reduction by remediation category

Top Risk Contributors Identifies which specific metric/dimension combinations contribute most to overall risk. Shows app count, average score, and cumulative impact. Focus remediation on top contributors for maximum organizational risk reduction.

Which specific values are driving the highest risk scores

Component	Category	High-Risk Value	Apps at Risk	% of Total	Avg RPN	Recommended Action

Risk Acceptance Candidates

Applications that may be candidates for formal risk acceptance rather than remediation. These are typically Tier 3 apps with no sensitive data and limited business impact. Review with business owners before accepting risk. Low-impact apps for potential risk acceptance

Criteria: Tier 3 No PHI/PCI/PII RPN > 40

0 candidates

Application	Vendor	RPN	Theo Min	Top Issues	Rationale

Risk acceptance requires documented business owner approval and periodic review. These are suggestions only.

Metric Deep Dive

Detailed analysis of individual RPN component scores broken down by dimension. Use to identify which specific metrics (CrowdStrike, Rapid7, SSO, etc.) need attention within each App Family, Tier, or Vendor. Analyze individual RPN components by dimension

App Family IS Pillar Tiering Vendor Business Apps All Pillars Severity Exposure Probability

Metric Comparison Heatmap Heatmap showing average score for each RPN metric across dimensions. Darker cells indicate higher risk. Use to quickly identify which metrics are problematic in which App Families, Tiers, or Vendors.

Average scores by metric and dimension

Top 8 Top 10 Top 15

Metric Trend by Dimension Bar chart comparing a single selected metric across all values of the chosen dimension. Use to identify outliers and determine which specific groups need targeted remediation for that metric.

Compare a specific metric across groups

Pillar Breakdown Tabular view showing each RPN metric organized by pillar (Severity, Exposure, Probability). Displays average score, apps at risk (score > 1), and percentage of portfolio affected. Filter by pillar for focused analysis.

Detailed metrics analysis with filtering

Severity Exposure Probability

All Vendors All Tiers

Metric	Avg Score	Apps at Risk	% High Risk	Top Offender	Recommended Action

Recommended Actions

Prioritized list of remediation actions grouped by dimension. Each card shows the specific action needed, number of affected applications, and estimated RPN reduction if completed. Focus on high-impact, high-count items first. Prioritized remediation by dimension

App Family IS Pillar Tiering Vendor Business Apps

Risk Simulation

Interactive what-if analysis tools. Toggle metrics to see projected RPN reduction, simulate remediation at dimension level, and view quarterly roadmaps. Helps leadership understand the impact of proposed security investments. What-if analysis for RPN reduction

Metric Toggle Simulator Click metrics to simulate what happens if you fix them completely (score = 1). Shows projected RPN reduction and helps prioritize which security programs will have the biggest impact.

Select metrics to simulate fixing

Reset

Current Avg RPN

--

Projected Avg RPN

--

Reduction

--

Current Target

Dimension Simulator Simulate partial remediation at the dimension level. Use sliders to set what percentage of gaps you can realistically fix for each metric within a specific App Family, Tier, or Vendor.

Simulate % fix rate by dimension

App Family IS Pillar Tiering Vendor Business Apps

Current RPN --

Projected RPN --

Reduction --

Quarterly Remediation Roadmap Phased remediation plan showing recommended actions for each quarter. Helps leadership plan and budget security investments over time to progressively reduce risk from current RPN to target RPN.

Recommended actions per quarter to reach target RPN

App Family IS Pillar Tiering Vendor Business Apps

Dimension	Current	Target	Q1 Focus	Q2 Focus	Q3 Focus	Q4 Focus

Executive Risk Summary

Executive-ready table showing the highest-risk application families with their tiering, portfolio, RPN scores, improvement potential, and specific tactical opportunities. Perfect for leadership presentations and prioritization discussions. Tactical opportunities by application family

App Family IT App Owner Platform Vendor All Tiers Tier 1 Only Tier 2 Only Tier 3 Only Top 15 Top 20 Top 30 Top 50

App Family	Tiering	Portfolio	RPN Score	Theo Min	Improvement	Apps	Tactical Opportunities

Quarterly Business Review Summary

Pre-built executive summary for board and leadership presentations. Contains key metrics, trends, risks requiring attention, security wins, and actionable recommendations.

Print Report

Portfolio Risk Status

Top 5 Risks Requiring Attention

Security Wins This Period

Resource & Investment Recommendations

Executive Talking Points

Application Risk Details Detailed table of all applications with RPN scores and key metrics. Search, sort, and click "View Report" for a full individual application risk assessment with specific remediation recommendations.

25 per page 50 per page 100 per page

APM #	Application	Portfolio	Vendor	Tier	RPN	Min RPN	Improvement	Actions

Showing 0 of 0 applications

Previous Page 1 of 1 Next

Change Analysis

Analyzes changes across the 8 weekly snapshots for each APM. Identifies which applications have improved, worsened, or remained unchanged, and tracks specific metric changes over time. Track security posture changes over time

Filter by: All Applications App Family IS Pillar Tiering Vendor Business Apps

Select: All

Showing all applications

--

Total APMs with Changes

--% of portfolio

--

Improved

Avg: -- pts

--

Worsened

Avg: +-- pts

--

Net Portfolio Change

-- to --

--

Tier 1 Apps Changed

-- improved, -- worsened

--

Worst Trending Vendor

Avg: +-- pts

--

Top Improving Metric

-- apps improved

--

Top Worsening Metric

-- apps worsened

Critical Regressions Requiring Immediate Attention

Tier 1 applications that worsened significantly (>5 RPN points) or lost critical security controls. These require immediate investigation and remediation.

0 critical items

Remediation Program Effectiveness Shows the effectiveness of security tool rollout programs. Green indicates apps that gained the control, red indicates apps that lost it or got worse.

Are our security programs working?

Risk Trend by Tiering Shows how average RPN scores are trending for each application tier across the snapshot period. Tier 1 = Mission Critical, Tier 2 = Business Critical, Tier 3 = Business Support.

Are critical apps improving faster?

Tier 1 Tier 2 Tier 3

Vendor Performance Scorecard Tracks vendor security posture changes. Identifies vendors requiring contract discussions, remediation focus, or recognition for improvement. Sort by any column to prioritize.

Which vendors need attention?

Top 10 Top 15 Top 20

Vendor	APMs	Improved	Worsened	Avg Δ RPN	Dominant Issue	Status

IS Pillar Accountability Shows which IS Pillars are driving improvement or regression. Use this to hold pillar owners accountable and identify teams that may need additional support or resources.

Which teams are driving improvement?

Top 10 Top 15 All

IS Pillar	APMs	Improved	Worsened	Avg Δ RPN	Top Issue	Trend

Security Control Change Matrix Heatmap showing which security controls improved (green) or worsened (red) across different dimensions. Helps identify systemic issues affecting multiple areas.

Which controls are improving/worsening by dimension?

By IS Pillar By Vendor By Tiering

Net Improvement Net Regression No Change

RPN Change Distribution Histogram showing how RPN scores changed across all APMs. Green bars indicate improvement (score decreased), red bars indicate worsening (score increased).

Distribution of RPN score changes

Risk Level Transitions Shows how many APMs moved between risk levels (Critical, High, Medium, Low) from first to last snapshot. Green flows indicate improvement, red flows indicate worsening.

Movement between risk categories

RPN Change Over Time Shows how the average RPN score of the portfolio has changed across each snapshot date. The line shows the trend, with the shaded area representing the range (min to max).

Portfolio-wide risk trend across snapshots

Avg RPN Min-Max Range

Top 10 Most Improved Applications with the largest RPN score reduction from first to last snapshot. These represent security wins and successful remediation efforts.

Application	From Date	First	To Date	Last	Change

Top 10 Most Worsened Applications with the largest RPN score increase from first to last snapshot. These require immediate attention and investigation into root causes.

Application	From Date	First	To Date	Last	Change

Metric Change Summary For each security metric, shows the number of APMs that improved (green) vs worsened (red). Longer bars indicate more widespread change for that metric.

How many APMs improved vs worsened per metric

Improved Worsened Unchanged

Changes by Dimension Shows how changes are distributed across different dimensions (App Family, IS Pillar, Vendor, Tiering). Identifies which areas of the portfolio are improving or worsening most.

Compare changes across organizational dimensions

App Family IS Pillar Tiering Vendor Business Apps Top 10 Top 15 Top 20

Dimension	APMs	Improved	Worsened	Unchanged	Avg Δ RPN	Top Changed Metric

Metric Change Heatmap Grid showing which specific metrics changed for each APM. Green cells indicate improvement, red cells indicate worsening, white cells indicate no change. Helps identify systemic vs isolated changes.

Detailed view of metric changes per APM

Changed Only Improved Only Worsened Only All APMs Top 20 Top 30 Top 50

Detailed Change Analysis Complete table of all APMs showing first/last RPN scores, change magnitude, and number of metrics that changed. Search and filter to find specific applications or patterns.

All APMs with snapshot history

All Changed Only Improved Worsened Unchanged

Application	Portfolio	Tiering	First RPN	Last RPN	Change	Metrics Changed	Changed Metrics

Showing 0 of 0 APMs

Prev Page 1 of 1 Next

Portfolio Growth Analysis

Track newly added applications over time. APMs that first appear after the baseline date are considered "new". Adjust the date range to analyze different periods.

Baseline Date: Loading... APMs present on this date are considered "existing". APMs appearing after this date are "new".

To: Loading... Analyze new APMs up to this date.

--

Total New APMs

--

--% of portfolio

APMs Removed

--

-- high risk

Net Change

--

portfolio size change

High Risk New APMs

--

RPN > 60 or Tier 1

High Risk New Applications Requiring Attention

-- apps

Portfolio Changes Over Time Bar chart showing APMs added (above line) and removed (below line) on each date. Green = additions, Red = removals.

Daily additions and removals

New APM Risk Profile Risk distribution of newly added applications compared to the overall portfolio.

vs Portfolio Average

New APMs Avg RPN: --

Portfolio Avg RPN: --

New APMs by IS Pillar Which IS Pillars are onboarding the most new applications.

IS Pillar	New	Avg RPN	High Risk	Tier 1

New APMs by Vendor Which vendors are being newly onboarded into the portfolio.

Vendor	New	Avg RPN	High Risk	Tier 1

New APMs by App Family Which Application Families are adding the most new applications.

App Family	New	Avg RPN	High Risk	Tier 1

New APMs by Tiering What tier are the newly added applications.

Executive Talking Points

All New Applications

-- new APMs

All Dates

Application	APM	First Seen	IS Pillar	Vendor	Tier	RPN	Data Class	Actions

Showing -- of --

Previous Next

Removed Applications

-- removed APMs APMs that were present in the portfolio but no longer appear in subsequent snapshots. May indicate decommissioning, consolidation, or data issues.

Application	APM	Last Seen	Removed On	IS Pillar	Vendor	Tier	Last RPN	Data

Removed APMs should be verified - they may be decommissioned, consolidated, or experiencing data collection issues.