Features & pricing

The full platform, priced by the size of the organisation it runs.

RateYourCyber

Single-organisation governance, risk and compliance. SME and Medium Enterprise.

RYCo Risk Management

Group, multi-org enterprise risk management with a multi-level hierarchy (Group, Division, Business Unit, Operational and deeper). Large Enterprise.

RateYourCyber

SME

For small and medium businesses starting on cybersecurity compliance.

£3,000/year
4 assessments/year
Get started
RateYourCyber

Medium Enterprise

For organisations building a compliance programme.

Contact MSP or consultant for pricing
14 assessments/year
Contact sales
RYCo Risk Management

Large Enterprise

For multi-entity organisations needing centralised oversight.

Custom pricing
50+ assessments/year
Contact sales
Capability SME Medium Large
Seven core scored assessmentsCybersecurity, business continuity, HR security, data privacy, physical security, third-party risk and AI security. All benchmarked to industry and size.
DPIA assessmentData protection impact assessment workflow.
AI security assessmentAssessment of AI tool usage, exposure and controls.
Full assessment libraryOver 30 scored assessments, each generating its own reporting and feeding the risk register.
Language toggleEnglish, Arabic and Spanish per framework.
Risk registerAuto-populated from assessment gaps, integration findings and monitoring.
FAIR quantitative engineNative annualised loss expectancy with loss and probability from the organisation profile.
Monte Carlo simulationThousands of iterations, with stress, reverse-stress and historical replay.
Breach-cost data sourcesIBM, Ponemon and Verizon DBIR with GCC and ME regional coefficients.
30+ risk visualisationsEisenhower, heat map, tornado, ALE curves, sensitivity and concentration.
Qualitative 5x5 matrixAvailable alongside the quantitative model.
ALE and VaR outputsQuantitative loss outputs.
Multi-level risk hierarchyGroup, division, business unit, operational and deeper, fully built with reporting.
PESTEL risk taxonomyAll six dimensions live. Political, Economic, Social, Technology, Environmental and Legal, each scored as a sign-normalised z-score composite against the country's own multi-year baseline.
Reputation dimensionFirm-level reputational stress per business unit, scored separately from the macro PESTEL environment. News volume, tone and severe negative spike days.
External risk signal ingestionWorld Bank, GDELT, USGS, NASA EONET, CISA KEV and NVD feeds resolved into signals and linked to register entries.
Departmental risk ownershipRisk domains assigned to departments, with scoped access per business unit.
Group stress and reverse-stress scenariosScenario levers applied across business units with reverse-stress solving.
Portfolio Monte CarloMulti-risk aggregation across business units.
Per-business-unit breakdownConcentration and composite scoring by unit.
RIMS Risk Maturity ModelMaturity assessment of the risk programme.
Bowtie analysisCauses, consequences and controls auto-derived from the register.
Expected Shortfall outputsTail-risk loss measure.
Cross-entity risk aggregationRoll up risk across subsidiaries.
Board-ready group risk dashboardHeadline narrative, historical ALE, top-risk bowtie, top-5 table, signals and governance.
Multi-subsidiary supportManage many entities under one group.
KPI trees with driver decompositionObjectives decomposed into measurable nodes, each linked to the risk drivers that move it.
848 statistical risk-driver conceptsEmpirical distributions sourced from regulators, national statistics offices and published consultancy research, with citation on every concept.
1,568 driver-to-KPI mappingsDirectional mappings with inversion handling, so a driver moving in its own terms resolves correctly against the KPI it depletes.
19 industry-calibrated templatesDriver distributions calibrated per industry, then scaled by organisation size and geography.
KPI forecasting and variance explanationPredicted values with variance attributed back to the drivers responsible.
KPI Monte Carlo and bowtieSimulation across the driver set, with bowtie causes, consequences and controls derived from the tree.
Automatic risk-driver classificationEvery risk raised is resolved to its underlying drivers and remediation tasks are generated from them.
KPI-sourced register entriesKPI breaches and forecast breaches raise register entries in their own right.
ISO 27001Information security management. Full ISMS, statement of applicability and internal audits.
SOC 2Service organization control. Self-service auditor portal, any external auditor, 90-day scoped.
DORADigital operational resilience. ICT third-party register, incident management and tabletops.
GDPRData protection regulation. RoPA, SAR, breach, DPA and LIA.
HIPAAHealth insurance portability. Security and privacy rules with breach notification letters.
NCA ECCEssential cybersecurity controls. 108 controls with SAMA automapping.
SACS-002Third-party cybersecurity. 92 controls, classification-aware, automated board reporting.
CMMC 2.0Cybersecurity maturity model. C3PAO questions, SPRS arc gauge, CUI data-flow builder.
SAMA CSFCyber security framework. 95 controls, 222 questions, EN/AR board PDF, tabletop runner.
NIS2EU network and information security directive.
ESG ReportingEDCI, SASB and GRI cyber disclosure.
ISO 42001AI management system.
ISO 22301Business continuity management.
LFPDPPPMexican federal data protection law. Full module.
Regulatory trackingTracks the position against legislation in real time across multiple jurisdictions.
Legal-requirement compliance checkAssesses whether what the organisation has in place meets the legal requirements.
Policy-presence checkChecks whether the required policies exist in the organisation.
Regulation readinessAssesses whether the organisation is ready to comply with a specific regulation.
Policy libraryBrowse the policy catalogue.
Assessment-driven policy generationPolicies generated from real results, not templates. Patent pending.
Localised policiesLocalised where applicable, including a dedicated data privacy policy for each core geography.
Policy-adherence checksVerifies whether the organisation's policies are actually being adhered to.
Auto-verified complianceCompliance verification with cross-policy conflict detection.
Distribution and acknowledgementTracked per policy.
AML / FCC moduleTen control areas, business-wide risk assessment and obligations register.
Jurisdiction-aware AML policy generatorUnited Kingdom, European Union, Spain, Saudi Arabia and Mexico variants.
MLRO governance and SARWith suspicious activity reporting.
KYC / CDD and sanctions screeningPlus transaction-monitoring posture.
AML trainingAwareness training with evidence to the regulator.
Vulnerability scannerNative, CVSS-based deep checks.
Threat and supplier monitoringVulnerability, supplier and SSL and domain monitoring.
Attack surface scoringRatio-based seven-category, NIST SP 800-30 and CVSS v4.0.
Dark web credential monitoringSurfaces exposed credentials.
Domain impersonation detectionDetects look-alike domains.
Credential breach monitoringContinuous breach exposure checks.
Executive summary and recommendationsWith a PDF report generator.
Framework mappingMaps results to frameworks.
ESG disclosure reportsEDCI, SASB and GRI.
150+ reportsAcross thousands of permutations.
Per-framework and per-assessment reportingEvery framework module and every assessment generates its own reports.
Board and enterprise language registersReporting tuned for board and for operational enterprise audiences.
Three languagesEnglish, Spanish and Arabic.
Industry benchmarkingNCSI regional maturity data, size and geography adjusted.
Investor and 3-year-plan reportsBuilt in.
No external LLM exposureClient data is never sent to any external large language model.
AI cyber advisorGuidance from results. Enhanced from Medium Enterprise up.
AI security assessmentDedicated assessment of AI tool usage, exposure and controls.
AI governanceAligned to ISO 42001 for AI management systems.
AI vendor due diligence and portfolio riskWith executive briefings.
Business continuityISO 22301 aligned assessment.
Third-party risk assessmentVendor risk questionnaires and scoring.
HR personnel securityJoiner-mover-leaver, insider threat and board liability.
LMS and awareness trainingEmployee training portal with completion certificates.
Enterprise vendor managementFull vendor lifecycle, not just questionnaires.
ICT third-party registerDORA ICT register.
Trust CentreBasic from SME, full from Medium Enterprise.
Share with MSPGrant managed-service-provider access.
Hardened authAuth0, httpOnly cookies, no local-storage auth.
Verifiable code gatesPHPStan Level 9 and Semgrep on all production code.
Team, task and calendar managementWith the cyber maturity journey.
75 integrations and data sources29 platform connectors, 17 native scanners, device agent, 11 AI observability integrations, 6 external risk feeds, 6 regulatory jurisdictions, 3 sanctions lists and 2 FX sources. All with verified security posture, multi-tenant support and partner API.
Enterprise vaultEncrypted, isolated tenant database with split-key recovery.
Custom integrations and API accessWith a dedicated account manager.

Every framework module and every assessment generates its own reporting. Feature availability is curated for this page and kept in step with the licence configuration.

Frequently asked questions

Each completed assessment across any of the available assessment types counts towards your annual limit. You can reassess the same area multiple times to track progress.

Yes, you can upgrade at any time. We will pro-rate the difference for the remainder of your subscription period.

RateYourCyber maps to ISO 27001, SOC 2, GDPR, NIS2, DORA, HIPAA, CMMC 2.0, NCA ECC, SACS-002, SAMA CSF, LFPDPPP, ISO 42001, ISO 22301, ESG reporting, and financial crime compliance with AML programme management. Medium Enterprise includes one framework as a full ISMS, Large Enterprise includes all of them.

The Medium Enterprise plan is available through our MSP and consultant partner network. Partners can customise features and pricing based on your requirements.

We offer a one-time assessment at £799 for organisations wanting to evaluate the platform before committing to an annual subscription.

Ready to strengthen your security posture?

Join organisations using RateYourCyber to manage compliance and reduce cyber risk.