Lens Platform Documentation

Comprehensive guide for Crownstone consultants conducting cybersecurity assessments

Consultant Resource
This documentation is designed specifically for Crownstone consultants. It covers the complete assessment workflow from client intake through final deliverables.

Platform Overview

The Lens Assessment Platform is Crownstone's proprietary cybersecurity assessment tool implementing the Cybersecurist Lens™ framework. It enables consultants to systematically identify systemic security risks that traditional tools miss.

Systemic Risk Detection
Identifies patterns across multiple findings that indicate deeper organizational issues
AI-Powered Analysis
Generates actionable recommendations across technical, organizational, and strategic dimensions
Tool Integrations
Connect to Snyk, Wiz, Jira, ServiceNow, and import from 19+ scanner formats
Automated Deliverables
Generate PDF reports, executive briefings, SOWs, GRC documents, and security roadmaps
Discovery & Profiling
12-question prospect assessment and 29-question environment profiling with maturity scoring
AI Security Platform
Comprehensive AI/ML security assessment integrating 7 frameworks (OWASP, ATLAS, EU AI Act)
Sales Pipeline
Lead management from discovery through conversion with automated SOW generation
GRC Documents
Generate policies, procedures, and compliance documents across SOC 2, ISO 27001, HIPAA, and more

Full Engagement Workflow

Discovery → Pipeline → SOW → Assessment → Review → Deliverables

Quick Start Guide

Get started with a new assessment in minutes by following these steps:

  1. Create the Client Record
    Go to Dashboard > Clients tab and click "New Client". Enter company name, industry, and primary contact information.
  2. Create a New Assessment
    From the Dashboard, click "New Assessment". Select the client, set assessment type, and define scope parameters.
  3. Configure API Integrations
    If the client uses Snyk or Wiz, add their API credentials in Assessment Settings > Connectors to pull findings automatically.
  4. Import or Add Findings
    Import scan results from security tools or manually add findings discovered during interviews and documentation review.
  5. Review and Map to Lens Questions
    Review each finding, accept/modify/reject, and map to the appropriate Lens question (Q1-Q5) to enable systemic analysis.
  6. Generate Recommendations
    Use the AI recommendation generator to create actionable guidance for each accepted finding.
  7. Create Deliverables
    Generate the assessment report, executive briefing, and remediation roadmap from the assessment page.

Client Intake Process

The client intake process captures essential information needed to scope and conduct the assessment effectively.

Required Client Information

Field             | Description                     | Why It Matters
Company Name      | Legal entity name               | Report headers, compliance documentation
Industry          | Primary business sector         | Industry-specific compliance requirements, threat landscape
Organization Size | Employee count bracket          | Scale of recommendations, resource expectations
Security Maturity | Current maturity level (1-5)    | Calibrates recommendation complexity
Primary Contact   | Main stakeholder for engagement | Communication, approvals, scheduling
Technical Contact | IT/Security team point person   | Technical questions, API access, scan coordination

Using the Intake Form

Navigate to intake.html and share the link with the client. The form captures:

  • Company demographics and industry classification
  • Contact information (name, email, phone, role)
  • Assessment trigger (compliance mandate, breach response, board requirement, etc.)
  • Current security maturity self-assessment
  • Budget range and timeline preference
  • Top security concerns and priorities

Pipeline Integration

When a prospect submits the intake form:

  1. Lead Created Automatically
    A new lead is created in the Sales Pipeline with all intake data, including trigger, maturity, budget, and concerns.
  2. Package Recommended
    The system analyzes the intake data and recommends a service package (Standard, Plus, or Premium) with estimated value.
  3. SOW Can Be Generated
    From the intake data, a Statement of Work can be generated immediately, customized to the prospect's needs.

Best Practice
Send the intake form before the kickoff call. Review responses and the recommended package to prepare targeted questions and a draft SOW.

Discovery Assessment

The Discovery Assessment is a 12-question self-assessment wizard that prospects can complete anonymously. It detects Lens signals and generates risk analysis to qualify leads.

Assessment Flow

Start Session → 12 Questions → Signal Analysis → Lead Capture

How to Use

  1. Share the Discovery Link
    Share discovery.html with prospects or embed it on the marketing site. No login required.
  2. Prospect Selects Context
    The wizard asks whether the environment is cloud or datacenter, then adjusts terminology accordingly.
  3. Answers Drive Signal Detection
    Each answer triggers real-time Lens signal calculations for Q1-Q5 (Investment Misalignment, Process Dependency, Assumption Decay, Silent Accumulation, Visibility Gaps).
  4. Results Show Risk Profile
    After completing all questions, the prospect sees their risk profile with Q1-Q5 signal scores and an overall risk rating.
  5. Lead Capture
    Optionally capture email, name, company, and role. Completed sessions appear in the Sales Pipeline for follow-up.
  6. Convert to Client
    Use the convert endpoint to create a full client and assessment from the discovery data, preserving all signal analysis.

Lens Signals Detected

Signal                  | Question | What It Detects
Investment Misalignment | Q1       | Security spend not aligned with actual risk
Process Dependency      | Q2       | Critical processes relying on manual human behavior
Assumption Decay        | Q3       | Outdated security assumptions still driving decisions
Silent Accumulation     | Q4       | Risk growing quietly through deferred maintenance
Visibility Gaps         | Q5       | Missing clarity that enables better security decisions

Marketing Integration
The Discovery wizard is also available on the marketing website at crownstone.io/discovery. It calls the same backend API, so all sessions appear in the platform.

Environment Profiling

The Environment Profiling wizard is a comprehensive 29-question assessment organized into 6 sections. It produces a maturity score, engagement recommendation, and market intelligence tags for existing clients.

Assessment Sections

Section                       | Questions | Focus Area
Infrastructure & Architecture | 5         | Cloud, on-premises, hybrid environment details
Governance & Policy           | 5         | Security governance, policies, compliance frameworks
Risk Management               | 5         | Risk assessment, incident response, business continuity
Technical Controls            | 5         | Network security, endpoint protection, access controls
Operational Security          | 5         | Logging, monitoring, patching, vulnerability management
Compliance & Reporting        | 4         | Regulatory requirements, audit readiness, reporting

How to Use

  1. Navigate to Environment Discovery
    Open environment.html from the platform dashboard or client engagement tools.
  2. Select the Client
    Choose an existing client to profile. The profile is linked to the client record.
  3. Complete 6-Section Wizard
    Work through each section. Answers are partially saved as you progress, so you can resume later.
  4. Review Maturity Score
    The system calculates a 0-100 maturity score with four levels: Nascent (0-25), Developing (26-50), Established (51-75), Optimized (76-100).
  5. Get Engagement Recommendation
    Based on maturity score and profile data, the system recommends the most appropriate service package (Security Advisory, Technology Strategy, Leadership Clarity, or Systems Diagnosis).

Outputs

Maturity Score
0-100 score with breakdown by category and visual gauge
Service Recommendation
Automated recommendation of the most appropriate engagement
Market Intelligence
Auto-detected tags for interests and pain points
Multiple Profiles
Clients can have multiple environment profiles. Use this to track maturity changes over time or to profile different business units separately.

ROI Calculator

The ROI Calculator generates three-scenario financial projections demonstrating the value of security investment, using industry-specific benchmarks.

How to Use

  1. Navigate to ROI Calculator
    Open roi-calculator.html from the client engagement tools section of the dashboard.
  2. Select Industry
    Choose from 9 industries: Healthcare, Financial Services, Technology, Manufacturing, Retail, Government, Education, Energy, or Other. Each has industry-specific benchmarks.
  3. Enter Company Size and Maturity
    Input employee count and current security maturity level. These factors adjust the calculation model.
  4. Review Three Scenarios
    The calculator generates Conservative, Expected, and Optimistic projections with year-over-year savings breakdown.

Projection Components

Component                 | Description
Breach Cost Avoidance     | Estimated savings from reducing breach probability
Incident Response Savings | Reduced incident response costs through improved detection
Compliance Efficiency     | Reduced audit preparation and remediation costs
Operational Efficiency    | Savings from reduced manual security processes

Industry Benchmarks
ROI calculations use published industry benchmarks for breach costs and incident frequency. Benchmarks are stored in roi-benchmarks.json and can be updated to reflect current data.

Case Studies

Reference case studies from past engagements, filterable by Lens question, context, and industry. Use them during client conversations to illustrate the value of the Lens approach.

How to Use

  1. Navigate to Case Studies
    Open case-studies.html from the client engagement tools section.
  2. Filter by Lens Question
    Select Q1-Q5 to find case studies relevant to specific systemic issues you're discussing with a client.
  3. Filter by Context
    Filter by cloud, datacenter, or hybrid to match the client's environment.
  4. View Outcomes
    Each case study includes quantified outcomes (cost savings, time reduction, risk improvement) and engagement timeline.

Case Study Content

  • Context: Industry, organization size, environment type
  • Lens Questions: Which Q1-Q5 questions the engagement addressed
  • Challenge: What systemic issues were identified
  • Approach: How the Lens framework guided the engagement
  • Outcomes: Quantified results with metrics
  • Timeline: Engagement duration and key milestones

Admin Management
Administrators can create, update, and delete case studies via the API. Keep case studies current with recent engagement data to maximize their value in sales conversations.

Sales Pipeline

The Sales Pipeline tracks leads from initial discovery through conversion to client. It integrates with Discovery sessions and the Intake Form to automatically create and qualify leads.

Pipeline Stages

Stage       | Description                                            | Next Action
New         | Lead created from Discovery, Intake Form, or manually  | Review signals and qualify
Qualified   | Lead has been reviewed and meets engagement criteria   | Schedule call, generate SOW
Proposal    | SOW has been generated and sent to prospect            | Follow up on SOW
Negotiation | Active discussion on scope, pricing, or terms          | Negotiate and finalize
Closed Won  | Engagement confirmed, ready to convert                 | Convert to client
Closed Lost | Lead did not convert                                   | Document reason, nurture

How to Use

  1. Navigate to Pipeline
    Open pipeline.html from the dashboard. The pipeline shows all leads with filtering by stage, source, and search.
  2. Create Leads
    Leads are created automatically from Discovery sessions, Intake Form submissions, or manually via the "New Lead" button. Sources include: discovery, intake_form, referral, website, and other.
  3. Review Lead Details
    Click a lead to see contact info, company details, Discovery signals (if applicable), recommended package, and estimated value.
  4. Update Stage
    Use the stage selector to move leads through the pipeline. Stage changes are timestamped for tracking.
  5. Generate SOW
    From the lead detail, generate a Statement of Work with signal-customized scope based on Discovery data.
  6. Convert to Client
    When a lead is won, click "Convert" to create a Client record and optionally an Assessment, preserving all lead data.

Pipeline Statistics

The pipeline dashboard shows key metrics:

  • Total Pipeline Value: Sum of estimated values for active leads
  • Conversion Rate: Percentage of leads that became clients
  • Stage Distribution: Count of leads at each stage
  • Average Deal Size: Mean estimated value of won deals

SOW Management

Generate, edit, and manage Statements of Work (SOWs) with automated content based on Discovery signals and package selection.

Available Packages

Package  | Duration   | Description
Standard | 3-4 weeks  | Core security assessment with Lens analysis and recommendations
Plus     | 5-6 weeks  | Standard + roadmap generation, GRC documents, and extended scope
Premium  | 8-10 weeks | Comprehensive engagement with AI security, executive dashboard, and ongoing monitoring

How to Use

  1. Navigate to SOW Management
    Open sow.html from the dashboard or from a lead's detail page.
  2. Generate New SOW
    Click "Generate SOW" and select a lead and package. The system generates content based on Discovery signals, company profile, and package features.
  3. Signal Customization
    If the lead has Discovery data, the SOW automatically includes signal-specific scope items. For example, a strong Q4 signal adds patch velocity analysis to the scope.
  4. Edit SOW Content
    Edit individual sections (executive summary, scope, deliverables, timeline, pricing, terms) directly in the platform.
  5. Update Status
    Track SOW through the workflow: Draft, Sent, Approved, Rejected, or Superseded.
  6. Download PDF
    Download the SOW as a branded PDF for sending to the client.

SOW Sections

  • Executive Summary: High-level engagement overview tailored to the prospect
  • Scope of Work: Detailed scope items, adjusted by Discovery signals
  • Deliverables: List of deliverables by package tier
  • Timeline: Week-by-week execution plan
  • Pricing: Package pricing with optional add-ons
  • Terms & Conditions: Standard engagement terms

Package Recommendation
The platform can recommend a package based on the intake data or Discovery signals. Use the recommend endpoint to get a data-driven suggestion before generating the SOW.

Scoping & Planning

Proper scoping ensures the assessment delivers maximum value within the engagement parameters.

Assessment Types

Type                 | Duration  | Focus Areas
Rapid Assessment     | 1-2 weeks | High-priority vulnerabilities, critical systems only
Standard Assessment  | 3-4 weeks | Comprehensive review, all Lens questions, full remediation plan
Deep Dive Assessment | 6-8 weeks | Enterprise-wide, multiple business units, strategic roadmap

Scoping Checklist

  • Define in-scope systems, networks, and applications
  • Identify out-of-scope areas and document exclusions
  • Confirm testing windows and change freeze periods
  • Establish communication channels and escalation paths
  • Request API credentials for security tool integrations
  • Schedule stakeholder interviews
  • Define deliverable expectations and timeline

Conducting Interviews

Stakeholder interviews are essential for understanding context that automated scans cannot capture. Each Lens question should inform your interview approach.

Interview Preparation

  1. Review Intake Form Responses
    Understand the organization's stated security posture, tools, and concerns before interviews.
  2. Identify Key Stakeholders
    CISO/Security Lead, IT Operations, Development Lead, Business Unit Owners, Compliance/Risk Manager.
  3. Prepare Role-Specific Questions
    Tailor questions based on each stakeholder's domain and the Lens questions you need to explore.
  4. Schedule 45-60 Minute Sessions
    Allow time for follow-up questions and note-taking. Record sessions with permission.

Lens-Aligned Interview Questions

Q1 What is this system optimizing for?
  • "What metrics does leadership use to evaluate security program success?"
  • "Where do you feel security budget is well-spent? Where might it be misallocated?"
  • "How do security investments align with business objectives?"
Q2 Where does it rely on perfect human behavior?
  • "Walk me through how a developer deploys code to production."
  • "What happens when someone reports a phishing email?"
  • "How do you ensure security policies are followed consistently?"
Q3 Which assumptions are no longer true?
  • "What security decisions were made years ago that you've never revisited?"
  • "How has your threat landscape changed since your last major security review?"
  • "Are there controls in place that no one really understands anymore?"
Q4 How does failure emerge quietly over time?
  • "What security issues tend to get deprioritized repeatedly?"
  • "Where do you have technical debt that affects security?"
  • "Are there alerts or logs that nobody monitors regularly?"
Q5 Where does clarity reduce risk more than control?
  • "What security processes feel overly complicated?"
  • "Where do people work around security controls to get their jobs done?"
  • "What information would help teams make better security decisions?"

Documenting Interview Findings

After each interview:

  • Create findings in the platform for each identified issue
  • Tag findings with the relevant Lens question (Q1-Q5)
  • Note direct quotes that illustrate systemic issues
  • Identify follow-up items requiring documentation or technical validation

Performing Security Scans

The Lens Platform integrates with multiple security scanning tools and supports importing results from 19+ scanner formats.

Supported Scanner Formats

Category               | Scanners
Vulnerability Scanners | Nessus, Qualys, Rapid7 InsightVM, OpenVAS, Tenable.io
SAST/DAST              | Snyk, Checkmarx, Veracode, Fortify, SonarQube
Cloud Security         | Wiz, Orca, Prisma Cloud, AWS Inspector, Azure Defender
Container Security     | Trivy, Anchore, Aqua Security
Generic                | CSV import with custom field mapping

Scan Coordination Best Practices

  1. Coordinate Timing with Client
    Schedule scans during low-traffic periods. Avoid change freeze windows and critical business operations.
  2. Document Scan Configuration
    Record scan policies, credentials used, and excluded targets so that the scan is reproducible and leaves an audit trail.
  3. Run Authenticated Scans
    Credentialed scans provide deeper visibility. Coordinate with IT to obtain appropriate service accounts.
  4. Export Results Promptly
    Export scan results in supported formats (JSON, CSV, native) immediately after completion for import.

Production Environment Caution
Always confirm authorization before scanning production systems. Some scan types can impact system performance or trigger security alerts.

API Connector Setup

Connect directly to client security tools to automatically pull findings into your assessment.

Adding a Connector

  1. Navigate to Assessment Settings
    Open the assessment and click the Settings icon or navigate to the Connectors tab.
  2. Select Connector Type
    Choose from available integrations: Snyk, Wiz, or custom API connectors.
  3. Enter API Credentials
    Provide the API key, organization ID, and any required configuration. Credentials are encrypted at rest.
  4. Test Connection
    Click "Test Connection" to verify the credentials work before saving.
  5. Configure Sync Settings
    Set filters for which projects/resources to sync and the sync frequency.

Credential Security
All API credentials are encrypted using Fernet symmetric encryption before storage. Credentials are never logged or exposed in the UI after initial entry.

Snyk Integration

Pull application security findings directly from the client's Snyk organization.

Obtaining Snyk API Credentials

The client needs to provide:

  • API Token: Found in Snyk Account Settings > General > Auth Token
  • Organization ID: Found in Organization Settings > General (UUID format)

What Gets Imported

Data Type                     | Description
Open Source Vulnerabilities   | Dependency vulnerabilities with CVSS scores, fix availability
Code Security Issues          | SAST findings from Snyk Code analysis
Container Vulnerabilities     | Image vulnerabilities from Snyk Container
IaC Misconfigurations         | Infrastructure as Code issues from Snyk IaC

Example Snyk API configuration (severity_threshold accepts low, medium, high, or critical):

    {
      "connector_type": "snyk",
      "api_token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "org_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "severity_threshold": "medium"
    }
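The checks a connector should run on a configuration like the one above, as an added example that is not the platform's own code: it validates the field names shown on this page, masks the api_token before anything is logged or displayed (the Credential Security note above), and applies severity_threshold to a constructed set of findings. The UUID-format rule for api_token and org_id follows the shape of the page's example values and is this example's assumption, as are the sample findings.

```python
import re
from typing import Any

# Valid severity_threshold values, lowest to highest, as listed on this page.
SEVERITY_ORDER = ("low", "medium", "high", "critical")

# The page's example shows api_token and org_id in UUID form; treating a
# non-UUID value as a configuration error is this example's assumption.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)
SECRET_KEYS = ("api_token",)


def validate_snyk_config(cfg: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the config is usable."""
    problems: list[str] = []
    if cfg.get("connector_type") != "snyk":
        problems.append("connector_type must be 'snyk'")
    for key in ("api_token", "org_id"):
        value = cfg.get(key)
        if not isinstance(value, str) or not UUID_RE.match(value):
            problems.append(f"{key} must be a UUID-formatted string")
    threshold = cfg.get("severity_threshold", "low")
    if threshold not in SEVERITY_ORDER:
        problems.append(
            f"severity_threshold must be one of {', '.join(SEVERITY_ORDER)}"
        )
    return problems


def redact_config(cfg: dict[str, Any]) -> dict[str, Any]:
    """Copy of the config that is safe to log or display: secrets are masked."""
    return {k: ("[REDACTED]" if k in SECRET_KEYS else v) for k, v in cfg.items()}


def filter_by_threshold(
    findings: list[dict[str, Any]], threshold: str
) -> list[dict[str, Any]]:
    """Keep findings whose severity is at or above the configured threshold.

    Findings with an unknown severity are dropped rather than silently kept,
    so they surface during import review instead of vanishing.
    """
    min_rank = SEVERITY_ORDER.index(threshold)
    return [
        f
        for f in findings
        if f.get("severity") in SEVERITY_ORDER
        and SEVERITY_ORDER.index(f["severity"]) >= min_rank
    ]


# Constructed sample: a config with placeholder (all-zero) UUIDs and a handful
# of findings shaped like Snyk results, made up for this example only.
SAMPLE_CONFIG = {
    "connector_type": "snyk",
    "api_token": "00000000-0000-0000-0000-000000000000",
    "org_id": "00000000-0000-0000-0000-000000000000",
    "severity_threshold": "medium",
}
SAMPLE_FINDINGS = [
    {"title": "Prototype pollution in a dependency", "severity": "high"},
    {"title": "Outdated base image", "severity": "medium"},
    {"title": "License issue", "severity": "low"},
    {"title": "Malformed record", "severity": "unknown"},
]


def run_sample() -> list[dict[str, Any]]:
    """Validate the sample config, then apply its threshold to the findings."""
    problems = validate_snyk_config(SAMPLE_CONFIG)
    if problems:
        raise ValueError("; ".join(problems))
    # Only the redacted copy ever reaches a log line or the UI.
    print("Using connector config:", redact_config(SAMPLE_CONFIG))
    return filter_by_threshold(SAMPLE_FINDINGS, SAMPLE_CONFIG["severity_threshold"])


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["severity"], "-", finding["title"])
```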

Wiz Integration

Import cloud security findings from Wiz's Cloud Security Posture Management (CSPM) platform.

Obtaining Wiz API Credentials

The client needs to generate a Service Account:

  1. Create Service Account in Wiz
    Navigate to Settings > Service Accounts > Create Service Account. Assign "Read" permissions.
  2. Copy Client ID and Client Secret
    Save both values securely; the secret is only shown once during creation.
  3. Note the API Endpoint URL
    Wiz has regional endpoints. Confirm which endpoint the client's tenant uses.

What Gets Imported

Data Type               | Description
Cloud Misconfigurations | CSPM findings across AWS, Azure, GCP
Vulnerabilities         | Host and container vulnerabilities with context
Secrets Exposure        | Detected secrets in code and configurations
Network Exposure        | Internet-exposed resources and paths

Importing Scan Data

For tools without direct API integration, import scan results using file uploads.

Import Process

  1. Navigate to Import Page
    From the assessment, click "Import Scan" or navigate to import-scan.html.
  2. Select Scanner Type
    Choose the source scanner from the dropdown. This determines parsing logic.
  3. Upload File
    Drag and drop or click to select the export file. Supported formats: JSON, CSV, and XML (scanner-specific).
  4. Map Fields (CSV only)
    For generic CSV imports, map columns to vulnerability fields: title, severity, description, CVE, etc.
  5. Review and Confirm
    Preview imported findings, check for parsing issues, then confirm import.

Deduplication
The platform automatically deduplicates findings based on CVE, title, and affected asset. Duplicates are merged, not created as new entries.
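The generic CSV field mapping (step 4 above) and the deduplication rule just described, worked through on a constructed export, as an added example rather than the platform's import code. The column names, the placeholder CVE id, and the merge policy (keep the highest severity, combine descriptions, count occurrences) are this example's assumptions.

```python
import csv
import io
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    title: str
    severity: str
    description: str
    cve: str
    asset: str
    occurrences: int = 1  # how many imported rows were merged into this finding


def import_generic_csv(text: str, mapping: dict[str, str]) -> list[Finding]:
    """Parse a scanner CSV export using a column mapping.

    `mapping` goes from platform field name to the exporter's column header,
    e.g. {"title": "Issue", ...}. A mapped column that is absent from the file
    is an error, which is the kind of problem the import preview should catch.
    """
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    missing = [col for col in mapping.values() if col not in headers]
    if missing:
        raise ValueError(f"CSV is missing mapped columns: {missing}")
    findings = []
    for row in reader:
        findings.append(Finding(
            title=row[mapping["title"]].strip(),
            severity=row[mapping["severity"]].strip().lower(),
            description=row[mapping["description"]].strip(),
            cve=row[mapping["cve"]].strip().upper(),
            asset=row[mapping["asset"]].strip().lower(),
        ))
    return findings


def dedup_key(f: Finding) -> tuple[str, str, str]:
    """CVE, title and affected asset identify a finding, as described above."""
    return (f.cve, f.title.lower(), f.asset)


def merge_duplicates(findings: list[Finding]) -> list[Finding]:
    """Merge rows sharing a key instead of creating new entries: keep the
    highest severity, combine descriptions, and count occurrences."""
    merged: dict[tuple[str, str, str], Finding] = {}
    for f in findings:
        key = dedup_key(f)
        existing = merged.get(key)
        if existing is None:
            merged[key] = f
            continue
        existing.occurrences += 1
        if SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(existing.severity, 0):
            existing.severity = f.severity
        if f.description and f.description not in existing.description:
            existing.description = f"{existing.description}; {f.description}"
    return list(merged.values())


# Constructed sample export with a hypothetical scanner's column names and a
# placeholder CVE id; the first two rows describe the same issue on one host
# (note the differing host-name case), which the import must merge.
SAMPLE_CSV = """Issue,Risk,Details,Reference,Host
Outdated OpenSSL,High,End-of-life OpenSSL build detected,CVE-0000-00001,web-01
Outdated OpenSSL,Medium,Reported again by a second scan profile,CVE-0000-00001,WEB-01
Outdated OpenSSL,High,Same build on another host,CVE-0000-00001,web-02
Weak TLS cipher suite,Low,3DES cipher suites enabled,,web-01
"""
SAMPLE_MAPPING = {
    "title": "Issue", "severity": "Risk", "description": "Details",
    "cve": "Reference", "asset": "Host",
}


def run_sample() -> list[Finding]:
    return merge_duplicates(import_generic_csv(SAMPLE_CSV, SAMPLE_MAPPING))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:8} {f.cve or '-':15} {f.asset:8} x{f.occurrences}  {f.title}")
```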

Finding Review Workflow

The review workflow ensures every finding is validated, contextualized, and actionable before inclusion in deliverables.

Finding States

Status   | Description                                         | Action
Pending  | Newly imported, awaiting consultant review          | Review and classify
Accepted | Confirmed as valid finding, included in report      | Generate recommendation
Modified | Adjusted severity, description, or classification   | Document rationale
Rejected | False positive or out of scope                      | Document rejection reason

Review Process

  1. Open Review Page
    Navigate to review.html from the assessment. Findings are listed by severity.
  2. Select a Finding
    Click on a finding to view details, evidence, and scanner output in the right panel.
  3. Validate the Finding
    Confirm the vulnerability exists, assess actual severity in context, identify affected assets.
  4. Map to Lens Question
    Assign the finding to Q1-Q5 based on the systemic issue it represents. This enables pattern detection.
  5. Set Status
    Accept, modify, or reject the finding. Add comments explaining any modifications.
  6. Add Evidence
    Attach screenshots, logs, or documentation supporting the finding.

Review Before Deliverables
Only accepted and modified findings appear in generated reports. Ensure all findings are reviewed before generating deliverables.

Cybersecurist Lens™ Framework

The Lens framework identifies systemic security issues through five strategic questions. Mapping findings to these questions enables pattern detection and strategic recommendations.

Q1 What is this system optimizing for?

Signal Type: Investment Misalignment

Indicators: Security spend not aligned with risk, compliance-driven rather than risk-driven decisions, metrics that don't measure actual security outcomes.

Example Finding: Organization has expensive SIEM but no one reviews alerts; budget for endpoint protection but no vulnerability management program.

Q2 Where does it rely on perfect human behavior?

Signal Type: Process Dependency

Indicators: Manual processes for critical security functions, policies that assume 100% compliance, no technical enforcement of procedures.

Example Finding: Code review policy exists but no branch protection; phishing training without technical email filtering; manual key rotation.

Q3 Which assumptions are no longer true?

Signal Type: Assumption Decay

Indicators: Outdated network diagrams, legacy trust relationships, controls designed for previous architecture, "we've always done it this way" thinking.

Example Finding: Firewall rules from 2018 that reference decommissioned systems; VPN as primary access when most apps are now SaaS.

Q4 How does failure emerge quietly over time?

Signal Type: Silent Accumulation

Indicators: Deferred patching, growing exception lists, ignored alerts, accumulating technical debt, "temporary" solutions that became permanent.

Example Finding: 500+ systems with critical patches pending for >90 days; 200 firewall exception rules that "we'll clean up later."

Q5 Where does clarity reduce risk more than control?

Signal Type: Visibility Gaps

Indicators: Unknown assets, shadow IT, lack of data classification, complex processes no one understands, missing documentation.

Example Finding: No complete asset inventory; developers don't know which data is sensitive; incident response plan exists but untested.

AI-Powered Recommendations

The platform uses Claude AI to generate comprehensive, context-aware recommendations for each finding.

Recommendation Dimensions

Technical
Specific tools, configurations, patches, and technical controls to implement
Organizational
Team structures, role changes, training needs, and process improvements
Operational
Day-to-day procedures, monitoring activities, and routine tasks
Strategic
Long-term business alignment, executive decisions, and roadmap items

Generating Recommendations

  1. Accept the Finding
    Only accepted findings can have recommendations generated. Review and set status first.
  2. Click "Generate Recommendation"
    In the finding detail panel, click the generate button. The AI analyzes the finding with assessment context.
  3. Review Generated Content
    Review all four dimensions, implementation steps, success metrics, and effort estimate.
  4. Edit as Needed
    Modify any section to add client-specific context or adjust recommendations based on your expertise.
  5. Mark as Reviewed
    Set "Analyst Reviewed" flag to indicate human validation of the AI-generated content.

Context Improves Quality
Recommendations are better when the assessment has industry, organization size, and security maturity set. The AI uses this context to calibrate complexity.

Vulnerability Prioritization

The platform prioritizes vulnerabilities with a weighted score that combines the CVSS score with asset criticality, exploit availability, and Lens signals, rather than ranking on CVSS alone.

Prioritization Factors

Factor               | Weight | Description
CVSS Score           | 30%    | Base technical severity from the CVE database
Asset Criticality    | 25%    | Business importance of affected systems (critical, high, medium, low)
Exploit Availability | 20%    | Known exploits in the wild, Metasploit modules, PoC code
Lens Signals         | 25%    | Systemic risk indicators from Lens framework mapping
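The weighting above carried through on two constructed vulnerabilities, as an added example that is not the platform's own algorithm: the table gives only the weights, so how each factor is normalized to a 0-1 scale (CVSS divided by 10, the criticality and exploit-status ladders, and a 0-1 Lens signal strength) is this example's assumption. It shows why a mid-CVSS issue on a critical, actively exploited asset with a strong Q4 signal outranks a CVSS 9.8 on a low-value host.

```python
# Weights from the prioritization table above (they sum to 100%).
WEIGHTS = {
    "cvss": 0.30,
    "asset_criticality": 0.25,
    "exploit_availability": 0.20,
    "lens_signals": 0.25,
}

# How each factor maps onto 0.0-1.0 is an assumption of this example; the page
# gives the weights and factor descriptions only.
CRITICALITY = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}
EXPLOIT_STATUS = {"in_the_wild": 1.0, "metasploit": 0.8, "poc": 0.5, "none": 0.0}


def priority_score(cvss: float, asset_criticality: str,
                   exploit_status: str, lens_signal: float) -> float:
    """Weighted 0-100 priority score.

    cvss: CVSS base score 0-10; asset_criticality: a CRITICALITY key;
    exploit_status: an EXPLOIT_STATUS key; lens_signal: strength of the
    mapped Lens signal on a 0.0-1.0 scale (assumed).
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("cvss must be between 0 and 10")
    if not 0.0 <= lens_signal <= 1.0:
        raise ValueError("lens_signal must be between 0 and 1")
    factors = {
        "cvss": cvss / 10.0,
        "asset_criticality": CRITICALITY[asset_criticality],
        "exploit_availability": EXPLOIT_STATUS[exploit_status],
        "lens_signals": lens_signal,
    }
    return 100.0 * sum(WEIGHTS[name] * value for name, value in factors.items())


def rank_vulnerabilities(vulns: list[dict]) -> list[tuple[float, dict]]:
    """Return (score, vuln) pairs, highest priority first."""
    scored = [
        (priority_score(v["cvss"], v["asset_criticality"],
                        v["exploit_status"], v["lens_signal"]), v)
        for v in vulns
    ]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# Constructed sample: a high-CVSS issue on a low-value host with no known
# exploit, against a mid-CVSS issue on a critical host that is exploited in
# the wild and maps to a strong Q4 (Silent Accumulation) signal.
SAMPLE_VULNS = [
    {"id": "A", "cvss": 9.8, "asset_criticality": "low",
     "exploit_status": "none", "lens_signal": 0.2},
    {"id": "B", "cvss": 6.5, "asset_criticality": "critical",
     "exploit_status": "in_the_wild", "lens_signal": 0.9},
]


if __name__ == "__main__":
    # Expected: B scores 87.0 and A scores 40.65, so B is remediated first.
    for score, v in rank_vulnerabilities(SAMPLE_VULNS):
        print(f"{v['id']}: {score:.2f}")
```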

Using the Vulnerabilities Page

Navigate to vulnerabilities.html to access the prioritized vulnerability view:

  • Filter by severity: Focus on Critical/High first
  • Sort by priority score: Combined algorithm score
  • Group by asset: See which systems need most attention
  • Track remediation status: Open, In Progress, Resolved, Risk Accepted

Assessment Reports

Generate comprehensive Word document reports containing all findings, recommendations, and remediation guidance.

Report Contents

  • Executive Summary with key metrics and risk overview
  • Findings organized by Lens question with systemic analysis
  • Detailed recommendations with implementation steps
  • Vulnerability inventory with prioritization scores
  • Remediation roadmap with effort estimates
  • Appendices with technical details and evidence

Generating Reports

  1. Complete Finding Review
    Ensure all findings have been reviewed and have status set. Generate recommendations for accepted findings.
  2. Navigate to Assessment
    Open the assessment from the Dashboard and click "Generate Report" in the actions menu.
  3. Select Report Options
    Choose which sections to include, level of detail, and any custom branding requirements.
  4. Generate and Download
    Click Generate. The report is created as a .docx file and downloaded automatically.

Executive Briefings

Create board-ready presentations summarizing assessment findings for executive audiences.

Briefing Format

Executive briefings are designed for 15-20 minute presentations covering:

  • Overall security posture assessment (risk rating)
  • Top 3-5 systemic risks requiring attention
  • Business impact analysis in financial terms
  • Recommended immediate actions
  • 90-day remediation priorities

Using the Briefing Generator

  1. Navigate to Briefings
    From the assessment, click "Executive Briefing" or go to briefing/index.html.
  2. Select Findings to Highlight
    Choose 3-5 critical findings that represent systemic issues for executive attention.
  3. Customize Messaging
    Adjust the business context, industry comparisons, and recommended actions.
  4. Generate Briefing
    The AI generates executive-appropriate language and talking points.
  5. Export
    Download as PDF or copy to your presentation tool of choice.

Security Roadmaps

Generate comprehensive multi-year security roadmaps with phased execution plans, NIST CSF and CIS Controls alignment, and four-dimensional action items.

Roadmap Phases

Phase        | Timeframe    | Focus
Quick Wins   | 0-3 months   | High-impact, low-effort improvements that build momentum
Foundation   | 3-12 months  | Core security program elements, policy development, tool deployment
Maturity     | 12-24 months | Process optimization, advanced controls, team development
Optimization | 24-36 months | Continuous improvement, automation, advanced threat detection
Continuous   | 36+ months   | Ongoing monitoring, adaptation, and maturity advancement

How to Use

  1. Navigate to Roadmap Tool
    Open roadmap.html from the dashboard deliverables section.
  2. Generate Roadmap
    Select a client and assessment. The generator uses organization size, industry, maturity level, and Lens signals to create a tailored multi-year plan.
  3. Review Phases and Actions
    Each phase contains categorized actions (Technical, Organizational, Operational, Strategic) with effort estimates, NIST/CIS mappings, and Lens alignment.
  4. Track Execution
    Update action status (Not Started, In Progress, Completed, Blocked, Deferred) to track progress. Use bulk status update for efficiency.
  5. Analyst Review
    Mark the roadmap as analyst-reviewed to indicate human validation of the AI-generated plan.

Action Categories

Technical
Tool deployments, configurations, patches, and infrastructure changes
Organizational
Team structures, roles, training, and hiring needs
Operational
Processes, procedures, monitoring, and day-to-day tasks
Strategic
Long-term initiatives, executive decisions, and business alignment

Framework Alignment

Each action is mapped to relevant frameworks:

  • NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, Recover
  • CIS Controls v8.1: Mapped to specific control numbers
  • Lens Framework: Q1-Q5 alignment and signal addressed

Progress Tracking
Use the progress endpoint to get completion percentages by phase and category. This data feeds into executive dashboard reporting.

GRC Documents

Generate, manage, and export governance, risk, and compliance documents from a library of templates covering 7+ compliance frameworks.

Document Types

Type Description Examples
Policy High-level organizational directives Information Security Policy, Access Control Policy
Procedure Step-by-step operational instructions Incident Response Procedure, Change Management
Standard Technical requirements and configurations Password Standard, Encryption Standard
Guideline Recommended practices and guidance Secure Development Guidelines
Charter Committee and program mandates Security Steering Committee Charter

Supported Frameworks

SOC 2
Trust Service Criteria mapping
ISO 27001
Annex A controls coverage
HIPAA
Security and Privacy Rule requirements
PCI-DSS
Payment card data protection
GDPR
EU data protection regulation
NIST CSF / CIS / CMMC
US government and industry frameworks

How to Use

  1. Navigate to GRC Documents
    Open grc-documents.html from the dashboard. The page has four tabs: Documents, Templates, Packages, and Compliance Matrix.
  2. Browse Templates
    Filter templates by document type, category, or framework. Each template shows applicable frameworks, estimated pages, and review frequency.
  3. Generate Single Document
    Select a template and generate a document for a client. The generator uses client context (industry, maturity, applicable frameworks) to customize content.
  4. Generate Document Package
    Use pre-defined packages (e.g., "SOC 2 Essential", "ISO 27001 Core") to generate multiple related documents at once.
  5. Edit Sections
    Each generated document has editable sections. Update content to reflect client-specific details and requirements.
  6. Approve and Export
    Route through the approval workflow (Draft, Review, Approved, Active, Archived). Export as PDF or Markdown.

Compliance Tools

  • Compliance Matrix: View framework coverage across all documents for a client, identifying which controls are addressed
  • Gap Analysis: Identify missing documents and unaddressed framework requirements
  • Version History: Track all changes to documents with version snapshots and change summaries
  • Recommended Packages: AI-driven package recommendations based on client context and compliance gaps

Document Workflow

Generate
Edit
Review
Approve
Export
Industry Variants
Templates include industry-specific variants. A healthcare client gets HIPAA-aligned content by default, while a financial client gets SOC 2 and PCI-DSS language. The generator automatically selects the appropriate variant based on the client's industry.

SLA Management

Define and enforce remediation deadlines with policy-based SLA tracking and automated escalation alerts.

Creating SLA Policies

SLA policies define remediation timeframes based on vulnerability severity and asset criticality:

Severity Default Response Default Remediation
Critical 4 hours 24 hours
High 24 hours 7 days
Medium 72 hours 30 days
Low 1 week 90 days

Escalation Workflow

  1. Warning Alert (75% of SLA)
    Notification sent to assigned owner when 75% of remediation time has elapsed.
  2. Breach Alert (100% of SLA)
    SLA violation recorded, escalation notification sent to management channels.
  3. Critical Escalation (125% of SLA)
    Executive notification triggered for unresolved critical/high severity items.
Custom Policies
Create custom SLA policies per client based on their compliance requirements and risk tolerance. Navigate to Client Settings > SLA Policies.
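The escalation ladder above is easy to get subtly wrong (the 125% step applies only to critical/high items, and a per-client override must fall back to the defaults for severities it does not name). The following is an added example, not the platform's own code: it encodes the default table, lets a custom client policy override individual severities, and computes both the current alert level for an open item and the absolute times at which each escalation becomes due. The `SlaPolicy` class, function names and the choice to measure escalation against the remediation window (rather than the response window) are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Default remediation windows from the SLA policy table above. The escalation ladder
# (75% / 100% / 125%) is measured here against the remediation window, not the response
# window; that choice is an assumption of the example.
DEFAULT_REMEDIATION = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=90),
}

# (elapsed fraction of the window, alert level), checked highest first. The 125% executive
# escalation is raised only for critical/high items, as the workflow above states.
ESCALATION_STEPS = ((1.25, "critical"), (1.0, "breach"), (0.75, "warning"))
EXEC_ESCALATION_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class SlaPolicy:
    """Remediation windows keyed by severity. A custom per-client policy overrides only
    the severities it names; everything else keeps the platform default."""
    remediation: dict

    @classmethod
    def default(cls) -> "SlaPolicy":
        return cls(dict(DEFAULT_REMEDIATION))

    def with_overrides(self, **overrides: timedelta) -> "SlaPolicy":
        merged = dict(self.remediation)
        for severity, window in overrides.items():
            merged[severity.lower()] = window
        return SlaPolicy(merged)

    def window(self, severity: str) -> timedelta:
        return self.remediation[severity.lower()]


def sla_state(policy: SlaPolicy, severity: str, detected_at: datetime, now: datetime):
    """Return (elapsed_fraction, alert_level, due_at) for one open vulnerability.
    alert_level is None until 75% of the remediation window has elapsed."""
    sev = severity.lower()
    window = policy.window(sev)
    elapsed = (now - detected_at) / window          # timedelta / timedelta -> float
    level = None
    for threshold, name in ESCALATION_STEPS:
        if elapsed < threshold:
            continue
        if name == "critical" and sev not in EXEC_ESCALATION_SEVERITIES:
            continue                                  # medium/low items stop at "breach"
        level = name
        break
    return round(elapsed, 3), level, detected_at + window


def escalation_schedule(policy: SlaPolicy, severity: str, detected_at: datetime) -> dict:
    """Absolute times at which each escalation alert becomes due, so a scheduler can
    enqueue them once at intake instead of polling every open item."""
    window = policy.window(severity)
    schedule = {"warning": detected_at + window * 0.75, "breach": detected_at + window}
    if severity.lower() in EXEC_ESCALATION_SEVERITIES:
        schedule["critical"] = detected_at + window * 1.25
    return schedule


if __name__ == "__main__":
    # Constructed example: a critical finding opened at midnight UTC, checked 30 hours later.
    opened = datetime(2025, 3, 1, tzinfo=timezone.utc)
    print(sla_state(SlaPolicy.default(), "critical", opened, opened + timedelta(hours=30)))
    # A client whose custom policy tightens High to 3 days escalates the same finding sooner.
    tight = SlaPolicy.default().with_overrides(high=timedelta(days=3))
    print(escalation_schedule(tight, "high", opened))
```

Because `escalation_schedule` returns absolute timestamps, a missed scheduler run does not lose an escalation: on restart, anything whose time has passed is simply overdue, which is the behaviour you want for a breach alert.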

Ticket Integration

Automatically create and synchronize remediation tickets with Jira and ServiceNow for streamlined vulnerability management.

Supported Platforms

Jira Cloud & Server
Create issues, sync status, add comments, and reopen tickets on verification failure
ServiceNow
Create incidents, track remediation, integrate with ITSM workflows

Configuration

  1. Navigate to Ticket Integrations
    Go to Client Settings > Integrations > Ticket Systems.
  2. Add Integration
    Select Jira or ServiceNow, enter the base URL, and provide API credentials. Use a dedicated integration account limited to creating, commenting on and transitioning issues in the target project or queue, rather than a consultant's personal token, so that a leaked credential cannot reach other client data.
  3. Configure Mapping
    Map Lens priority scores to ticket priorities and select default project/queue.
  4. Enable Auto-Create (Optional)
    Automatically create tickets for new vulnerabilities above a severity threshold.

Bidirectional Sync

Ticket status changes are synchronized back to Lens via webhooks sent by the ticket system. A webhook is an inbound HTTP call that anyone who knows the URL can send, so configure the ticket system's webhook signing secret (or restrict the source addresses) where it is supported; otherwise a forged "closed" event can start verification for a finding nobody fixed:

  • Ticket closed → Triggers patch verification
  • Verification passes → Vulnerability marked remediated
  • Verification fails → Ticket reopened with comment

Threat Intelligence

Enrich vulnerability data with real-time threat intelligence from CISA KEV and EPSS for improved prioritization.

Intelligence Sources

Source Data Provided Update Frequency
CISA KEV Known exploited vulnerabilities, required action date Daily (auto-cached 24h)
EPSS Exploitation probability score (0-1), percentile ranking Daily (auto-cached 24h)

Enrichment Process

  1. Automatic Enrichment
    New vulnerabilities are automatically enriched with KEV/EPSS data on import.
  2. Manual Bulk Enrichment
    Re-enrich existing vulnerabilities via Assessment Actions > Enrich Threat Intel.
  3. Priority Score Update
    Priority scores are recalculated incorporating KEV (+10 boost) and EPSS factors.
KEV Priority
Vulnerabilities in the CISA KEV catalog have known active exploitation. These should be treated as highest priority regardless of CVSS score.

Notification Channels

Configure multi-channel notifications for SLA alerts, verification results, and security updates.

Supported Channels

Slack
Send alerts to Slack channels via incoming webhooks
Email
SMTP or SendGrid integration for email notifications
Webhook
Custom HTTP webhooks for integration with any system

Alert Levels

Level Use Cases
Info Status updates, completed actions, informational messages
Warning SLA approaching, verification needed, attention required
Breach SLA violated, verification failed, escalation triggered
Critical KEV alert, critical vulnerability detected, immediate action required

Channel Configuration

  1. Navigate to Notifications
    Go to Client Settings > Notification Channels.
  2. Add Channel
    Select channel type and provide configuration (webhook URL, SMTP settings, etc.). Slack incoming-webhook URLs, SMTP passwords and SendGrid API keys are credentials: whoever holds them can post as the platform, so keep them in the credential store rather than in notes or tickets, and rotate them if they are exposed.
  3. Set Minimum Alert Level
    Configure which alert levels trigger notifications on this channel.
  4. Test Channel
    Send a test notification to verify configuration is correct.

Executive Dashboard

Real-time strategic visibility into security posture with Lens scores, remediation velocity, and compliance metrics.

Dashboard Components

Lens Score Overview
Spider chart showing scores across all five Lens questions (Q1-Q5)
Score Trend
Historical score progression over 6-12 months
Remediation Velocity
Average days to remediate by severity, trend indicators
SLA Compliance
Compliance percentage, active violations, breach count

Top Risks View

Prioritized list of the most critical vulnerabilities based on:

  • CISA KEV status (known exploited)
  • EPSS score (exploitation probability)
  • Asset criticality and business context
  • Dwell time (days since detection)
  • SLA violation status
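The "Priority Score Update" step and the Top Risks view both combine the same inputs: KEV membership, EPSS, asset criticality, dwell time and SLA state. The block below is an added example of that ranking, not the platform's scoring code. The only weight taken from the page is the KEV +10 boost; the CVSS scaling, the EPSS, criticality, dwell and SLA-breach weights, the `Vuln`/`RankedRisk` types and the placeholder CVE and asset identifiers in the sample data are all assumptions. It also enforces the KEV Priority note above literally: a KEV entry sorts above every non-KEV item regardless of its numeric score, and each result carries a breakdown so the ranking can be explained to a client.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Vuln:
    cve: str
    asset: str
    cvss: float
    asset_criticality: str          # "high" | "medium" | "low"
    detected: date
    sla_breached: bool = False


@dataclass
class RankedRisk:
    vuln: Vuln
    in_kev: bool
    epss: float
    dwell_days: int
    score: float
    breakdown: dict = field(default_factory=dict)


# Weights other than the KEV +10 are assumptions for this example; the page does not
# publish the platform's formula.
CRITICALITY_WEIGHT = {"high": 10.0, "medium": 5.0, "low": 0.0}
KEV_BOOST = 10.0           # from the page
EPSS_WEIGHT = 20.0         # assumed: up to +20 at EPSS 1.0
DWELL_CAP_DAYS = 90        # assumed: dwell contributes up to +10, saturating at 90 days
SLA_BREACH_BOOST = 10.0    # assumed


def score_vuln(vuln: Vuln, kev_catalog, epss_scores, today: date) -> RankedRisk:
    in_kev = vuln.cve in kev_catalog
    epss = epss_scores.get(vuln.cve, 0.0)           # no EPSS record scores 0, it is not "safe"
    dwell = (today - vuln.detected).days
    breakdown = {
        "cvss": round(vuln.cvss * 10, 2),            # assumed: CVSS scaled to 0-100 as the base
        "kev": KEV_BOOST if in_kev else 0.0,
        "epss": round(epss * EPSS_WEIGHT, 2),
        "criticality": CRITICALITY_WEIGHT[vuln.asset_criticality],
        "dwell": round(min(dwell, DWELL_CAP_DAYS) / DWELL_CAP_DAYS * 10, 2),
        "sla": SLA_BREACH_BOOST if vuln.sla_breached else 0.0,
    }
    return RankedRisk(vuln, in_kev, epss, dwell, round(sum(breakdown.values()), 2), breakdown)


def top_risks(vulns, kev_catalog, epss_scores, today: date, limit: int = 10):
    ranked = [score_vuln(v, kev_catalog, epss_scores, today) for v in vulns]
    # KEV membership is a hard tier, not just a +10 nudge: a CVE exploited in the wild sorts
    # above every non-KEV item regardless of CVSS, matching the KEV Priority note above.
    ranked.sort(key=lambda r: (r.in_kev, r.score), reverse=True)
    return ranked[:limit]


# Constructed sample data with placeholder identifiers (not real CVEs or assets).
TODAY = date(2025, 3, 1)
KEV_CATALOG = {"CVE-0000-0001"}
EPSS_SCORES = {"CVE-0000-0001": 0.94, "CVE-0000-0002": 0.12, "CVE-0000-0003": 0.003}
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", "web-01", 6.5, "medium", TODAY - timedelta(days=30)),
    Vuln("CVE-0000-0002", "db-01", 9.8, "high", TODAY - timedelta(days=60), sla_breached=True),
    Vuln("CVE-0000-0003", "app-02", 4.3, "low", TODAY - timedelta(days=5)),
]

if __name__ == "__main__":
    for r in top_risks(SAMPLE_VULNS, KEV_CATALOG, EPSS_SCORES, TODAY):
        print(f"{r.vuln.cve} on {r.vuln.asset}: {r.score} kev={r.in_kev} {r.breakdown}")
```

In the sample, the CVSS 6.5 KEV entry outranks the CVSS 9.8 finding even though its numeric score is lower; if you would rather have KEV as a pure score boost, drop `r.in_kev` from the sort key, but then document that choice in the client report.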

Snapshot History

Daily snapshots capture metrics for historical trend analysis. Snapshots are automatically captured at midnight UTC and include all dashboard metrics for point-in-time comparison.

Early Warning System

Proactive detection of security posture degradation through pattern analysis and anomaly detection.

Detection Patterns

Pattern Threshold Severity
Signal Increase 25% increase in Lens signals week-over-week Medium/High
Dwell Time Alert Critical/High vulnerabilities open >45 days High/Critical
Recurrence Pattern Same vulnerability detected 3+ times Medium
Trend Degradation Lens score dropped 5+ points in 30 days High
KEV Alert New CVE added to CISA KEV matching asset Critical
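One detection pass over the five patterns in the table, as an added example rather than the platform's scheduler code. The thresholds (25%, 45 days, 3 detections, 5 points, new KEV entry) come from the table; the medium/high and high/critical splits, the snapshot and vulnerability record shapes, the `detections` counter (how many scans have reported the same CVE on the same asset) and the placeholder identifiers in the constructed sample data are assumptions. "New CVE added to CISA KEV" is implemented as a diff against the catalog seen on the previous pass, so a CVE that was already listed does not re-alert every four hours.

```python
from datetime import date, timedelta

# Thresholds from the Detection Patterns table. The medium/high and high/critical splits are
# not specified on the page; the splits used here are assumptions.
SIGNAL_INCREASE_MIN = 0.25      # week-over-week growth in Lens signals
SIGNAL_INCREASE_HIGH = 0.50     # assumed: at or above this the alert is "high", else "medium"
DWELL_DAYS_MAX = 45             # critical/high items open longer than this
RECURRENCE_MIN = 3              # same vulnerability detected this many times or more
SCORE_DROP_MIN = 5              # Lens score drop over 30 days


def _snapshot_on_or_before(snapshots, day):
    """Most recent snapshot taken on or before `day`; snapshots are daily and date-sorted."""
    latest = None
    for snap in snapshots:
        if snap["date"] <= day:
            latest = snap
    return latest


def detect_patterns(snapshots, open_vulns, kev_prev, kev_now, today):
    """One scheduled detection pass. Returns alert dicts with pattern, severity and a
    human-readable detail; the caller turns these into early warning records."""
    alerts = []
    current = _snapshot_on_or_before(snapshots, today)
    week_ago = _snapshot_on_or_before(snapshots, today - timedelta(days=7))
    month_ago = _snapshot_on_or_before(snapshots, today - timedelta(days=30))

    if current and week_ago and week_ago["signals"] > 0:
        growth = (current["signals"] - week_ago["signals"]) / week_ago["signals"]
        if growth >= SIGNAL_INCREASE_MIN:
            alerts.append({"pattern": "signal_increase",
                           "severity": "high" if growth >= SIGNAL_INCREASE_HIGH else "medium",
                           "detail": f"Lens signals {week_ago['signals']} -> {current['signals']} "
                                     f"({growth:.0%} week-over-week)"})

    if current and month_ago and month_ago["lens_score"] - current["lens_score"] >= SCORE_DROP_MIN:
        alerts.append({"pattern": "trend_degradation", "severity": "high",
                       "detail": f"Lens score {month_ago['lens_score']} -> {current['lens_score']} in 30 days"})

    newly_listed = set(kev_now) - set(kev_prev)    # only CVEs added since the previous pass
    for v in open_vulns:
        dwell = (today - v["detected"]).days
        if v["severity"] in ("critical", "high") and dwell > DWELL_DAYS_MAX:
            alerts.append({"pattern": "dwell_time",
                           "severity": "critical" if v["severity"] == "critical" else "high",
                           "detail": f"{v['cve']} on {v['asset']} open {dwell} days"})
        if v["detections"] >= RECURRENCE_MIN:
            alerts.append({"pattern": "recurrence", "severity": "medium",
                           "detail": f"{v['cve']} on {v['asset']} detected {v['detections']} times"})
        if v["cve"] in newly_listed:
            alerts.append({"pattern": "kev_alert", "severity": "critical",
                           "detail": f"{v['cve']} added to CISA KEV and present on {v['asset']}"})
    return alerts


# Constructed sample data with placeholder identifiers.
TODAY = date(2025, 3, 1)
SNAPSHOTS = [
    {"date": date(2025, 1, 30), "lens_score": 72, "signals": 8},
    {"date": date(2025, 2, 22), "lens_score": 70, "signals": 8},
    {"date": date(2025, 3, 1), "lens_score": 66, "signals": 11},
]
OPEN_VULNS = [
    {"cve": "CVE-0000-0001", "asset": "web-01", "severity": "critical", "detected": date(2025, 1, 1), "detections": 1},
    {"cve": "CVE-0000-0002", "asset": "db-01", "severity": "medium", "detected": date(2025, 2, 20), "detections": 3},
    {"cve": "CVE-0000-0003", "asset": "app-02", "severity": "high", "detected": date(2025, 2, 1), "detections": 1},
]
KEV_PREV, KEV_NOW = set(), {"CVE-0000-0001"}

if __name__ == "__main__":
    for alert in detect_patterns(SNAPSHOTS, OPEN_VULNS, KEV_PREV, KEV_NOW, TODAY):
        print(alert["severity"].upper(), alert["pattern"], "-", alert["detail"])
```

The sample produces five alerts: a medium signal increase (8 to 11 is 37.5%), a high trend degradation (72 to 66), a critical dwell-time alert and a critical KEV alert for the same CVE, and a medium recurrence. Two alerts for one CVE is intentional; they have different owners (the remediation team and the executive channel) and clear on different conditions.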

Alert Workflow

  1. Detection
    Scheduled analysis runs every 4 hours scanning for patterns across all active assessments.
  2. Alert Creation
    Detected patterns create early warning alerts with severity, details, and recommendations.
  3. Notification
    Alerts trigger notifications via configured channels based on severity.
  4. Resolution
    Alerts can be dismissed with reason or automatically resolve when condition clears.
Proactive Security
Early warnings identify systemic issues before they become incidents. Review and act on warnings to maintain security posture.

Patch Verification

Validate that remediation actions are effective by comparing scan results before and after patching.

Verification Triggers

  • Ticket Webhook: Automatically triggered when Jira/ServiceNow ticket is closed
  • Manual: Consultant-initiated verification from vulnerability details
  • Scheduled: Periodic verification of recently remediated items

Verification Process

  1. Trigger Verification
    Verification is triggered via webhook, manual action, or schedule.
  2. Compare Scan Results
    System compares latest scan data against the vulnerability's original detection.
  3. Determine Outcome
    If vulnerability no longer detected → Remediated. If still present → Failed.
  4. Take Action
    Success: Mark as remediated. Failure: Reopen ticket, send notification.

Verification History

All verification attempts are logged for audit purposes with:

  • Timestamp and trigger source
  • Verification outcome (remediated/still present)
  • Scan source used for verification
  • Actions taken (ticket reopened, notification sent)
Best Practice
Run a fresh scan after remediation before closing tickets to ensure accurate verification results.
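The Bidirectional Sync section (ticket closed, verification, reopen on failure) and the Verification Process above describe one end-to-end path. The block below is an added example of that path, not the platform's code. It assumes the ticket system signs each webhook body with HMAC-SHA256 over the raw bytes and sends `sha256=<hex>` in a signature header (Jira Cloud webhooks with a configured secret use this format in an `X-Hub-Signature` header; ServiceNow needs its own check), and it assumes the event, finding and scan record shapes shown in the constructed sample data. It adds one outcome the page does not list: "inconclusive", for a scan that predates the fix or did not cover the asset, which is the case the Best Practice note above is guarding against.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """HMAC-SHA256 over the raw request body, compared in constant time.
    Assumed header format "sha256=<hex>"; adjust to what the ticket system sends."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value or "")


def sign(secret: bytes, body: bytes) -> str:
    """Producer side, used here only to build the constructed sample requests."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_remediation(finding: dict, latest_scan: dict, fixed_at: datetime) -> str:
    """Compare the original detection against the latest scan of the same asset.
    Returns "remediated", "still_present" or "inconclusive". The third outcome is an
    addition to the page's two: a scan that predates the fix, or that did not cover the
    asset, is not evidence either way and must not close the finding."""
    if latest_scan["completed_at"] <= fixed_at:
        return "inconclusive"                    # stale scan: run a fresh one first
    if finding["asset"] not in latest_scan["assets_scanned"]:
        return "inconclusive"                    # asset outside the scan's scope
    still_present = any(r["asset"] == finding["asset"] and r["cve"] == finding["cve"]
                        for r in latest_scan["results"])
    return "still_present" if still_present else "remediated"


def handle_ticket_webhook(secret, body, signature, findings_by_ticket, latest_scan):
    """Inbound "ticket closed" event -> verification -> follow-up actions.
    Returns (outcome, actions); actions are what the platform would then perform."""
    if not verify_signature(secret, body, signature):
        return "rejected", [("log", "webhook signature mismatch")]
    event = json.loads(body)
    if event.get("status") != "closed":
        return "ignored", []                     # only closures trigger verification
    finding = findings_by_ticket.get(event.get("ticket"))
    if finding is None:
        return "ignored", [("log", f"no finding linked to ticket {event.get('ticket')}")]
    closed_at = datetime.fromisoformat(event["closed_at"])
    outcome = verify_remediation(finding, latest_scan, closed_at)
    if outcome == "remediated":
        actions = [("mark_remediated", finding["cve"], finding["asset"])]
    elif outcome == "still_present":
        actions = [("reopen_ticket", event["ticket"], "still detected after closure"),
                   ("notify", "breach", f"{finding['cve']} still present on {finding['asset']}")]
    else:
        actions = [("notify", "warning", f"rescan {finding['asset']} before verifying {finding['cve']}")]
    return outcome, actions


# Constructed sample data with placeholder identifiers (ticket key, CVE, asset, secret).
SECRET = b"constructed-shared-secret"
FINDINGS = {"SEC-101": {"cve": "CVE-0000-0001", "asset": "web-01"}}
CLOSE_EVENT = json.dumps({"ticket": "SEC-101", "status": "closed",
                          "closed_at": "2025-03-01T10:00:00+00:00"}).encode()
UTC = timezone.utc
SCAN_CLEAN = {"completed_at": datetime(2025, 3, 1, 12, tzinfo=UTC),
              "assets_scanned": {"web-01"}, "results": []}
SCAN_STILL = {**SCAN_CLEAN, "results": [{"asset": "web-01", "cve": "CVE-0000-0001"}]}
SCAN_STALE = {**SCAN_CLEAN, "completed_at": datetime(2025, 2, 28, 12, tzinfo=UTC)}

if __name__ == "__main__":
    sig = sign(SECRET, CLOSE_EVENT)
    for scan in (SCAN_CLEAN, SCAN_STILL, SCAN_STALE):
        print(handle_ticket_webhook(SECRET, CLOSE_EVENT, sig, FINDINGS, scan))
    # One extra byte in the body invalidates the signature: the event is rejected, not verified.
    print(handle_ticket_webhook(SECRET, CLOSE_EVENT + b" ", sig, FINDINGS, SCAN_CLEAN))
```

Note that the signature is checked over the raw bytes before `json.loads`, and that the stale-scan branch sends a warning instead of closing the finding. Treating "not found in an old scan" as remediated is the most common way a verification step silently stops meaning anything.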

AI Security Platform

The AI Security Platform provides comprehensive AI/ML security assessment capabilities integrating 7 major frameworks for identifying and mitigating AI-specific risks.

Multi-Framework Integration
Combines OWASP LLM Top 10, OWASP Agentic Apps, MITRE ATLAS, Gartner CISO MCP 2026, NIST AI RMF, EU AI Act, and ISO 42001 into a unified assessment experience.

Tiered Offering

Tier Features Target Audience
Free AI Discovery - 15-question wizard with framework signal analysis Prospects exploring AI security needs
Standard AI Assessment - 50-question comprehensive evaluation with maturity scoring Clients needing detailed AI security assessment
Premium AI Dashboard - Trending, compliance timeline, red team results Enterprise clients with continuous monitoring needs

Integrated Frameworks

OWASP LLM Top 10 2025
10 critical vulnerabilities specific to large language model applications.
OWASP Agentic Apps 2026
Security risks specific to autonomous AI agent applications.
MITRE ATLAS
15 tactics and 66 techniques for adversarial threats to AI systems.
Gartner CISO MCP 2026
5-step AI security journey from reactive to optimizing maturity.
NIST AI RMF
Govern, Map, Measure, Manage framework for AI risk management.
EU AI Act
Compliance timeline and risk classification for European regulations.
ISO/IEC 42001
AI management system standard: requirements for establishing, operating and improving an AI management system.

AI Discovery (Free Tier)

The AI Discovery tool provides anonymous prospects with a quick AI security assessment, detecting framework signals and capturing leads for conversion.

Assessment Flow

Start Session
15 Questions
Signal Analysis
Lead Capture

Framework Signal Detection

Each answer triggers signal calculations for:

  • OWASP LLM Signals - Maps to specific LLM01-LLM10 vulnerabilities
  • MITRE ATLAS Signals - Identifies relevant tactics and techniques
  • EU AI Act Risk Level - Classifies as unacceptable, high, limited, or minimal
  • Governance Signals - Detects policy, oversight, and documentation gaps

API Endpoints

Method Endpoint Description
POST /api/ai-discovery/start Start anonymous session with AI maturity context
POST /api/ai-discovery/{session}/answer Submit answer with real-time signal calculation
GET /api/ai-discovery/{session}/results Get framework scores and risk analysis
POST /api/ai-discovery/{session}/complete Complete with lead capture (email, name, company)
POST /api/ai-discovery/{session}/convert Convert to authenticated AI Security Profile
Lead Conversion
Discovery sessions can be converted to full AI Security Profiles, preserving all answers and signal data for continued assessment.

AI Assessment (Standard Tier)

The AI Security Assessment provides comprehensive 50-question evaluation across all 7 frameworks, generating maturity scores and detailed compliance readiness metrics.

Assessment Sections

Section Questions Focus Area
AI Inventory Q1-Q10 AI system count, types, LLM providers, deployment models
Governance Q11-Q20 AI policy, oversight committee, model inventory, documentation
Risk Management Q21-Q30 NIST AI RMF alignment, risk assessment processes
Technical Controls Q31-Q40 Prompt injection, output filtering, supply chain vetting
Compliance Q41-Q45 EU AI Act readiness, ISO 42001 alignment
Monitoring Q46-Q50 Model behavior monitoring, incident response, red teaming

Maturity Scoring

The assessment calculates a 0-100 maturity score with four levels:

  • Nascent (0-25) - Ad-hoc AI usage with minimal security controls
  • Developing (26-50) - Basic governance and emerging technical controls
  • Established (51-75) - Formal AI security program with framework alignment
  • Optimized (76-100) - Continuous improvement with advanced threat detection

Framework Scores

Individual scores calculated for each framework:

  • OWASP LLM Score - Coverage against LLM Top 10 vulnerabilities
  • OWASP Agentic Score - Coverage for agentic AI risks
  • MITRE ATLAS Coverage - Percentage of tactics with controls
  • NIST AI RMF Alignment - Govern, Map, Measure, Manage scores
  • EU AI Act Readiness - Compliance percentage with deadline tracking
  • ISO 42001 Readiness - Management system alignment
  • Gartner MCP Score - Position on 5-step maturity journey

API Endpoints

Method Endpoint Description
POST /api/ai-security/start Start profile for authenticated client
POST /api/ai-security/{profile}/answer Submit answers with partial save support
GET /api/ai-security/{profile}/maturity Get maturity score and level
GET /api/ai-security/{profile}/owasp Get OWASP LLM coverage details
GET /api/ai-security/{profile}/atlas Get MITRE ATLAS coverage
GET /api/ai-security/{profile}/compliance Get EU AI Act and ISO 42001 readiness
POST /api/ai-security/{profile}/complete Complete and calculate all framework scores

AI Dashboard (Premium Tier)

The AI Security Dashboard provides continuous monitoring, historical trending, and red team result tracking for enterprise clients.

Dashboard Features

Framework Trending
6-12 month historical trends for all framework scores.
Compliance Timeline
EU AI Act deadline tracking with countdown to Aug 2026.
OWASP Radar
Visual coverage chart for LLM Top 10 vulnerabilities.
Red Team Results
Track AI-specific penetration test findings and remediation.

Metric Snapshots

Periodic snapshots capture point-in-time metrics for trending analysis:

  • Overall maturity score and level
  • Framework scores (OWASP, ATLAS, NIST, EU AI Act)
  • Control implementation count and coverage percentage
  • Days remaining to EU AI Act compliance deadline

Red Team Integration

Track AI-specific security testing results:

Test Type ATLAS Mapping OWASP Mapping
Prompt Injection AML.T0051 (LLM Prompt Injection) LLM01
Jailbreak Attempts AML.T0054 (LLM Jailbreak) LLM01, LLM09
Data Extraction AML.T0024 (Exfiltration via ML Inference API) LLM06
Model Inversion AML.T0024 (Exfiltration via ML Inference API, Invert ML Model sub-technique) LLM06
Supply Chain AML.T0010 (ML Supply Chain Compromise) LLM05
Mapping note: the OWASP IDs here use the 2023 numbering (LLM05 Supply Chain, LLM06 Sensitive Information Disclosure, LLM09 Overreliance); in the 2025 list the same risks are LLM03, LLM02 and LLM09 Misinformation, so state the edition in any deliverable. Model inversion is a sub-technique of AML.T0024, not of AML.T0025 (Exfiltration via Cyber Means), which covers moving data out by conventional means once access exists. ATLAS IDs change between releases, so check mappings against the current matrix before they reach a report.

API Endpoints

Method Endpoint Description
GET /api/ai-dashboard/{profile}/overview Full dashboard metrics and scores
GET /api/ai-dashboard/{profile}/trend Historical trend data (6-12 months)
GET /api/ai-dashboard/{profile}/owasp-coverage OWASP radar chart data
GET /api/ai-dashboard/{profile}/compliance-timeline EU AI Act deadline tracking
POST /api/ai-dashboard/{profile}/snapshot Capture metrics snapshot
GET /api/ai-dashboard/{profile}/red-team-results List red team test results
POST /api/ai-dashboard/{profile}/red-team Submit red team test result

Framework Reference

Quick reference for the 7 AI security frameworks integrated into the platform.

OWASP LLM Top 10 2025

ID Vulnerability Description
LLM01 Prompt Injection: Manipulating LLM behavior through crafted inputs
LLM02 Insecure Output Handling: Failing to validate or sanitize LLM outputs before downstream use
LLM03 Training Data Poisoning: Corrupting training data to influence model behavior
LLM04 Model Denial of Service: Resource exhaustion attacks against LLM systems
LLM05 Supply Chain Vulnerabilities: Risks from third-party models, datasets and components
LLM06 Sensitive Information Disclosure: Exposing confidential data through model outputs
LLM07 Insecure Plugin Design: Vulnerabilities in LLM plugin/extension systems
LLM08 Excessive Agency: Granting LLMs too much autonomy or capability
LLM09 Overreliance: Trusting LLM outputs without verification
LLM10 Model Theft: Unauthorized access to or extraction of model weights
Numbering note: the IDs in this table are those of the 2023 edition of the OWASP Top 10 for LLM Applications, and the red team mappings above use the same numbering. The 2025 edition renumbered and replaced several entries: Sensitive Information Disclosure became LLM02, Supply Chain LLM03, Data and Model Poisoning LLM04, Improper Output Handling LLM05 and Excessive Agency LLM06, while System Prompt Leakage (LLM07), Vector and Embedding Weaknesses (LLM08), Misinformation (LLM09) and Unbounded Consumption (LLM10) replaced Insecure Plugin Design, Overreliance, Model Theft and Model Denial of Service. Confirm which edition a finding references before quoting an ID to a client.

Gartner CISO MCP 2026 Journey

  1. Step 1: Reactive
    Ad-hoc AI usage with no formal security controls or governance.
  2. Step 2: Aware
    Recognition of AI risks with initial policy development.
  3. Step 3: Proactive
    Formal AI security program with defined controls and processes.
  4. Step 4: Managed
    Comprehensive governance with continuous monitoring and metrics.
  5. Step 5: Optimizing
    Continuous improvement with advanced threat detection and response.

EU AI Act Risk Classification

Risk Level Requirements Examples
Unacceptable Prohibited - cannot be deployed in EU Social scoring, real-time remote biometric identification in public spaces (with narrow law-enforcement exceptions)
High Strict requirements: conformity assessment, documentation, human oversight Hiring AI, credit scoring, medical devices
Limited Transparency obligations Chatbots that must disclose they are AI; AI-generated or manipulated content (deepfakes) that must be labelled as such
Minimal No specific requirements AI-enabled games, spam filters
EU AI Act Compliance Deadline
The Act entered into force on 1 August 2024 and applies in stages: prohibitions on unacceptable-risk practices from 2 February 2025, general-purpose AI model obligations from 2 August 2025, most high-risk obligations from 2 August 2026, and high-risk systems that are safety components of products covered by existing EU product legislation (for example medical devices) from 2 August 2027. The platform's countdown tracks the 2 August 2026 milestone; confirm which date applies to the client's systems.

NIST AI RMF Functions

Govern
AI governance structure, policies, accountability, and culture.
Map
Context, stakeholders, and potential impacts of AI systems.
Measure
Methods and metrics for assessing AI risks and impacts.
Manage
Risk treatment, monitoring, and continuous improvement.

Client Portal

The Client Portal provides a self-service interface for clients to view their engagement status, deliverables, findings, and remediation progress. Clients access the portal via invite-only authentication with their own dedicated login.

Data Isolation
Client portal users can only see data related to their own organization. Internal notes, reviewer comments, and consultant identities are never exposed. Advisor names appear as "Your Crownstone Consultant."

Portal Pages

Page URL Purpose
Client Login /client/login.html Dedicated client authentication portal
Accept Invite /client/accept-invite.html New client onboarding — set password and activate account
Client Portal /client/portal.html Main 5-tab self-service hub
Password Reset /client/reset-password.html Client password recovery

Client Invite Flow

Consultants generate invite links from the Pipeline or Client detail views. Clients receive the link (shared manually), accept the invitation, set their password, and are automatically logged into the portal.

  1. Generate Invite
    From Pipeline or Dashboard, click "Invite to Portal" on a converted lead/client. Enter the client's email address.
  2. Share Link
    Copy the generated invite URL and share it with the client via email or secure messaging. Links expire after 7 days.
  3. Client Accepts
    Client opens the link, sees the invitation details (client name, email), enters their full name, and sets a password meeting the security policy.
  4. Portal Access
    On acceptance, the client is automatically logged into the portal. The Executive tab loads by default showing their security posture.
Invite Guardrails
Staff emails (admin/advisor/viewer) cannot be invited as clients. Only one active invite per email per client. Maximum 10 portal users per client organization.
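The invite flow and guardrails above amount to a small token-issuance protocol, and the details that matter are the ones the page does not spell out: the invite token should be unguessable, only its hash should be stored, and expiry, revocation and "already accepted" should all fail with the same message so the accept page cannot be used as an oracle. The block below is an added example of that logic, not the platform's own implementation. The 7-day expiry, the 10-user limit, the staff-role exclusion and the one-active-invite rule are from the page; the `InviteService` in-memory store, the 12-character minimum password policy, the PBKDF2 parameters and the placeholder client and email values are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INVITE_TTL = timedelta(days=7)          # links expire after 7 days (from the page)
MAX_PORTAL_USERS = 10                   # per client organization (from the page)
STAFF_ROLES = {"admin", "advisor", "viewer"}
MIN_PASSWORD_LEN = 12                   # assumed policy; the page does not state one


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a database read does not yield usable invite links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Invite:
    client_id: str
    email: str
    token_hash: str
    expires_at: datetime
    revoked: bool = False
    accepted: bool = False

    def is_active(self, now: datetime) -> bool:
        return not (self.revoked or self.accepted) and now < self.expires_at


class InviteService:
    """In-memory stand-in for the platform's store (assumption); the rules are the page's."""

    def __init__(self, staff_roles_by_email: dict, portal_users: dict):
        self.staff = {e.lower(): r for e, r in staff_roles_by_email.items()}
        self.portal_users = portal_users          # client_id -> set of portal user emails
        self.invites: list[Invite] = []

    def create_invite(self, client_id: str, email: str, now: datetime) -> str:
        email = email.strip().lower()
        if self.staff.get(email) in STAFF_ROLES:
            raise ValueError("staff accounts cannot be invited as clients")
        if email in self.portal_users.get(client_id, set()):
            raise ValueError("this email already has portal access for the client")
        if any(i.client_id == client_id and i.email == email and i.is_active(now) for i in self.invites):
            raise ValueError("an active invite already exists for this email")
        seats_used = len(self.portal_users.get(client_id, set()))
        seats_pending = sum(1 for i in self.invites if i.client_id == client_id and i.is_active(now))
        if seats_used + seats_pending >= MAX_PORTAL_USERS:
            raise ValueError("portal user limit reached for this client")
        token = secrets.token_urlsafe(32)         # 256 bits; the raw token lives only in the link
        self.invites.append(Invite(client_id, email, _hash_token(token), now + INVITE_TTL))
        return token                              # caller embeds it in the accept-invite URL

    def revoke(self, client_id: str, email: str, now: datetime) -> None:
        for i in self.invites:
            if i.client_id == client_id and i.email == email.lower() and i.is_active(now):
                i.revoked = True

    def accept_invite(self, token: str, full_name: str, password: str, now: datetime) -> dict:
        wanted = _hash_token(token)
        invite = next((i for i in self.invites if hmac.compare_digest(i.token_hash, wanted)), None)
        if invite is None or not invite.is_active(now):
            raise ValueError("invalid or expired invite")   # one message for every failure
        if len(password) < MIN_PASSWORD_LEN or invite.email in password.lower():
            raise ValueError("password does not meet policy")
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
        invite.accepted = True
        self.portal_users.setdefault(invite.client_id, set()).add(invite.email)
        return {"client_id": invite.client_id, "email": invite.email, "name": full_name,
                "password_hash": salt.hex() + "$" + pw_hash.hex()}


if __name__ == "__main__":
    # Constructed walk-through: consultant invites a client contact, who accepts a day later.
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    svc = InviteService({"advisor@crownstone.example": "advisor"}, {})
    link_token = svc.create_invite("acme", "Alice@acme.example", now)
    print("share:", "/client/accept-invite.html?token=" + link_token)
    print(svc.accept_invite(link_token, "Alice Example", "correct horse battery staple", now + timedelta(days=1)))
```

Two details are worth carrying into a real implementation: the limit counts pending invites as well as activated users, otherwise ten invites sent in one sitting would all succeed, and `accept_invite` marks the invite used before returning, so a link forwarded to a second person after acceptance is dead.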

Portal Tabs

The portal provides five tabs, each lazy-loaded on first access for performance. The Executive tab is the default view.

Tab Content Key Features
Executive (default) Lens score radar, trend charts, top risks, early warnings Real-time security posture overview
Overview Engagement status, assessment summaries, active SOW, recent activity Engagement health at a glance
Deliverables SOWs, roadmaps, GRC documents, assessment reports View, download, approve/reject
Findings Security findings filtered by assessment, severity, Lens question Expandable detail with recommendations and comments
Remediation Vulnerability counts by status, roadmap progress, SLA compliance Track remediation progress over time

Consultant Actions

Consultants can interact with the client portal from the main platform:

  • View client comments on findings and deliverables from the Review and SOW pages
  • Reply to comments via the consultant reply endpoint (can mark as internal-only)
  • Monitor approvals — see when clients approve or request revisions on deliverables
  • Manage invitations — view, resend, or revoke portal invitations from the client detail view

User Management

Manage consultant and administrator access to the platform.

User Roles

Role Permissions
Administrator Full access: user management, all assessments, system settings
Consultant Create/edit assessments, manage findings, generate reports
Viewer Read-only access to assigned assessments
Client Portal-only access: own engagement data, deliverables, findings, comments

Adding Users

  1. Navigate to Admin Panel
    Click on your user avatar and select "Admin" or navigate to the administration section.
  2. Click "Add User"
    Enter email, name, and select the appropriate role.
  3. Set Initial Password
    The system generates a temporary password that must be changed on first login. Deliver it to the user separately from the login URL rather than in the same message.

Platform Settings

Configure global platform settings and integration defaults.

Available Settings

  • AI Provider Configuration: Anthropic API key used to generate recommendations. Generating a recommendation sends assessment content to the provider's API, so confirm this is covered by the client's data-handling terms before enabling it for a sensitive engagement.
  • Default Connector Settings: Pre-configured integration parameters
  • Report Templates: Customizable report headers, footers, branding
  • Notification Preferences: Email alerts for assessment milestones
Administrator Only
Platform settings can only be modified by users with Administrator role.