The Framework | Cybantage Cyber Survivability Framework
The Cybantage Cyber Survivability Framework

Five stages. Universal forensic logic.
Built for regulated industries.

The CCSF is not derived from industry frameworks or vendor certifications. It is derived from original research on why organizations fail after breaches — research that preceded product development and establishes Cybantage's position independent of any product launch.

The Five Stages

Each stage's output is the next stage's input.
The framework writes its own statement of work.

No stage is optional if the full framework is engaged. The CCSF designation requires completion of all five stages. Individual stages may be engaged as standalone assessments.

1
Stage 1
CISI Assessment
Score

The entry point for the entire CCSF. The Cyber Insurance Survivability Index scores your organization's claim defensibility across 34 questions in 10 domains — measuring both claimant-side security control gaps and insurer-side policy exclusion risk. The CISI is the only assessment in the market that measures both dimensions simultaneously. Every subsequent stage is calibrated against this baseline.

CISI Assessment ReportAutomated PDF on completion. Domain scores, outcome band, financial exposure, priority recommendations.
Analysis DebriefStructured 60-minute session. Denial trigger analysis, Domain 10 findings, CCSF stage recommendation.
Stage 2A Engagement ProposalScoped from CISI findings. Domain 10 flags and critical failures inform the LDI instrument priority.
Domain 10 — The Independent Flag: A score of 0 on any Domain 10 sub-question is an immediate Stage 2A and 2B trigger regardless of Domains 1–9 performance. Insurer-side denial risk is evaluated independently of total score through three live flags: D10-NS, D10-TP, and D10-SY.
2A
Stage 2A
Leadership Defensibility Index
Expose

A dual-track assessment instrument administered under attorney-client privilege to both executive leadership (ELT) and IT/Security leadership simultaneously. The gap between the two tracks is a primary analysis data point. The Cybantage Analysis Engine applies seven-dimension analysis to produce the LDI Report — a forensic-grade leadership profile available in no other advisory product in the market. Names what leadership doesn't know they don't know.

LDI ReportFull report with seven-dimension CAE analysis, gap matrix, executive scorecard. Delivered under privilege.
Three Clarity TargetsThe three named governance gaps that define Stage 2B scope and the CyberRes governance work.
LDI ScorecardOne-page board-ready deliverable for the Risk Committee. Privilege-marked, not producible in discovery.
Privilege wrapper required: Qualified outside counsel must be retained before Stage 2A commences. The attorney retains Cybantage as a technical expert, establishing the attorney-client privilege that protects all findings. No Stage 2A engagement may begin without this structure.
2B
Stage 2B
Privileged Review
Protect

The formal legal protection instrument of the CCSF. Where Stage 2A exposes governance gaps, Stage 2B documents the organization's response to those gaps — creating a legally protected record of due diligence, producing the board-level survivability briefing, and formally reviewing Domain 10 policy exclusions with qualified insurance counsel. The Privileged Review Record is the evidentiary document that protects executives and the organization in any post-breach proceeding.

Privileged Review RecordLegally protected documentation of governance findings and organizational response. Not producible in discovery.
Domain 10 Policy ReviewExclusion scope confirmed with insurance counsel. Nation-state, third-party, and systemic event gaps addressed.
Board PackagePrivileged briefing for board and risk committee. Executive exposure documented. Legal due diligence record established.
What this protects against: Without a Privileged Review Record, post-breach forensic investigators and opposing counsel have no documented evidence that leadership identified, acknowledged, and addressed governance gaps. With it, the organization has a protected record of due diligence that no external party can compel in discovery.
3
Stage 3
CISI Forensic Deep Dive
Verify

LDI-informed forensic verification of all 10 CISI domains against production systems. Applies the same standard a carrier's forensic investigator will use — testing whether controls actually protect, not whether they are documented. Findings are cross-referenced against Stage 2B Domain 10 Policy Review findings, LDI-identified governance gaps, and the CISI baseline score. The output is the authoritative gap record that scopes Stage 4.

Forensic Findings ReportFull domain-by-domain verification results. Evidence quality assessment. Claim defensibility gaps identified.
Priority Gap MatrixRanked remediation priorities weighted by claim denial risk. Inputs the Stage 4 program scope directly.
Stage 4 Scope DocumentComplete scope, timeline, and program design for CyberRes based on Forensic Deep Dive findings.
The distinction that matters: This is not a penetration test or red team exercise. Stage 3 is forensic verification — it tests the same evidence a claims investigator will seek. The question is not whether an attacker can get in. The question is whether your controls can be proved to have been operating at the time of an incident.
4
Stage 4
CyberRes — Build & Sustain
Build & Sustain

CyberRes builds the program and keeps it built. The initial engagement addresses all Forensic Deep Dive findings across governance design, identity hardening, backup integrity, IR operationalization, policy alignment, and regulatory compliance mapping. The sustained program runs quarterly CISI re-scores, monthly advisory, annual LDI re-evaluation, and full insurance renewal support — creating a program that performs under real-world conditions and sustains through every policy renewal cycle.

Full Program BuildAll Priority Gap Matrix items addressed. Governance design, technical hardening, IR operationalization, compliance mapping.
Quarterly Re-ScoreCISI re-assessment against the 215-point baseline. Score trajectory tracked. Renewal preparation continuous.
Annual LDI CycleLeadership re-evaluation under privilege. Privileged Review Record updated. Board package refreshed annually.
The compounding effect: Organizations sustaining through Stage 4 are simultaneously building claim defensibility, maintaining the Privileged Review Record, and generating the continuous evidence chain that forensic investigators require. Every year of CyberRes is a year of demonstrable, sustained control operation — the most powerful defense against post-breach claim denial.
⚖️ Legal Architecture

The privilege wrapper is not a product feature. It is the infrastructure that makes the findings defensible.

All Stage 2A and 2B activities are conducted under attorney-client privilege. Cybantage is retained as a technical expert by outside counsel — not directly by the client. This structure means findings are protected. They cannot be compelled in discovery. They exist to protect the organization, not expose it.

Request a Consultation →
  • Qualified outside counsel retained before any Stage 2A activity begins
  • Industry-specific engagement letters for healthcare and financial services
  • All LDI instruments and 2B deliverables prepared at direction of legal counsel
  • No findings produced outside the privilege wrapper
  • Annual re-evaluation cycle covered under same privilege structure
  • Privilege extends to board package and insurance positioning letter
Industry Coverage

Universal forensic logic.
Industry-adaptive regulatory mapping.

The compliance-to-survivability gap exists in every regulated industry. The CCSF applies the same forensic standard across all four verticals while mapping to each vertical's specific regulatory cascade.

🏥
Primary Vertical

Healthcare + MedTech

31.3% of breached healthcare organizations ceased to exist independently. HIPAA attestation, HITRUST certification, and OCR compliance do not translate to forensic survivability. Nation-state exclusions, EHR clearinghouse dependencies, and systemic outage coverage gaps are primary Domain 10 risks.

HIPAA / HITECH HITRUST OCR Enforcement Change Healthcare Precedent EHR Dependency
🏦
Primary Vertical

Financial Services + FinTech

FTC Safeguards Rule enforcement, DORA compliance requirements, and state-backed exclusions define the regulatory landscape. Third-party API and payment processor dependencies create supply chain coverage gaps standard policies frequently exclude.

GLBA / FTC Safeguards DORA PCI DSS API Supply Chain State-Backed Exclusion
🏛️
Secondary Vertical

Government Contractors

Most attacks on cleared contractors are state-backed by definition. CMMC Level 2/3 certification does not address the nation-state exclusion paradox — the exclusion may void coverage for the most likely threat actor class in this sector.

CMMC Level 2/3 NIST 800-171 FAR / DFARS Nation-State Exclusion CUI Protection
⚙️
Secondary Vertical

Manufacturing

OT ransomware surge, CrowdStrike-type systemic events, and IT/OT convergence create coverage gaps that ISO 27001 certification does not address. Business interruption policies frequently exclude non-malicious correlated outages — the scenario most likely to impact production environments.

ICS / OT Security NIST CSF Systemic Event Gap ISO 27001 OT Ransomware
Engagement Lifecycle

From initial assessment to sustained program.
Every stage builds on the last.

Stage 1
CISI Assessment
1–2 days
Stage 2A
Leadership Defensibility Index
2–3 weeks
Stage 2B
Privileged Review
2–4 weeks
Stage 3
CISI Forensic Deep Dive
3–6 weeks
Stage 4
CyberRes — Build & Sustain
6–12 mo + ongoing

The CISI assessment is where every engagement begins.

Free assessment. Paid analysis debrief. Every completed assessment generates a full domain score profile, Domain 10 flag analysis, outcome band placement, and financial exposure estimate — the complete picture of where your organization stands.