Research | Cybantage
Published Research & Whitepapers

The research preceded
every product we built.

Every Cybantage advisory product has a published research antecedent. The research identifies the problem, defines the mechanism, and establishes the standard. No competitor can replicate this lineage by announcing a competing offering.

Primary Research · 2026

The foundational dataset.
1,478 organizations. Three years. Definitive findings.

Healthcare Breach Survivability · Whitepaper · 2026

Healthcare Breach Survivability Research Whitepaper

The intellectual foundation of the Cybantage Cyber Survivability Framework. 1,478 healthcare providers and business associates. Major breaches affecting 500+ individuals. January 2023–February 2026. HHS/OCR data. 73% logistic regression accuracy. The first published research to establish that survivability is determined by program infrastructure — not breach size.

31.3%of breached organizations closed or sold post-breach
194Kavg individuals affected at organizations that survived
40Kavg individuals affected at organizations that failed
73%logistic regression accuracy for predicting survival
Survivors were not larger organizations — they were survivable organizations with governance depth and insurance positioning built before the breach
Organizations that failed averaged 40,000 affected individuals — far smaller than survivors, disproving the "too large to absorb" narrative
Introduces the Healthcare Breach Survivability Index (HBSI) framework for predicting organizational survival probability
83.1% of breaches involved hacking; 65.5% network server + 22.2% email = 87.7% of breach locations
Download Research →
Published Works

Six additional publications.
Every one a research antecedent to a product.

CISI Methodology · 2026

Cyber Insurance and the Compliance Reality Gap

The foundational CISI Discussion Paper. 215-point scoring methodology for cyber insurance claim defensibility. Two-dimensional denial risk framework: claimant-side and insurer-side.

40% of cyber claims denied or only partially paid
Two independent denial dimensions — neither addresses the other
Domain 10 exclusion risks void coverage regardless of security posture
Download Discussion Paper →
CFO / Board · 2026

The Assumption Stack: Why Your Safety Net Has a 40% Failure Rate

The three assumptions that fail under forensic conditions. The accurate cyber risk register entry most CFOs don't have. The questions your board should be asking — including the critical insurer-side question most boards have never heard.

Compliance audit ≠ forensic defensibility — different tests, different verdicts
IT security delegation creates structural spending misalignment
56–60% actual claim payment probability — not the assumed near-certainty
Download Whitepaper →
Insurance Intelligence · 2026

The Compliance-Insurance Illusion

Four structural failures in SMB and mid-market cyber risk management. Same 1,478-organization dataset.

Governance misread as resilience — the most common structural failure
Identity neglect the highest-frequency correctable failure
Insurance denial rate 40–44% — not the assumed near-zero
Read the Research →
Framework Analysis · 2026

HITRUST: Certification Assurance and Its Limits

HITRUST confirms control maturity — not adversarial resilience. Change Healthcare held r2 certification when breached via Citrix and stolen credentials with no MFA.

HITRUST r2 certification does not prevent breach or guarantee claim payment
Control maturity ≠ operational validation ≠ strategic alignment
The 99.41% resilience marketing claim is not supported by breach data
Read the Analysis →
Framework Analysis · 2026

SOC 2: Governance Assurance and Its Limits

SOC 2 is governance assurance under AT-C 205 — not adversarial resilience. Mirrors the HITRUST analysis paper methodology.

SOC 2 tests design suitability — not operational effectiveness under attack
Semantic gap between auditor language and forensic investigator language
Identity-based threats exploit the conformance-vs-resilience gap
Read the Analysis →
Governance · 2025

The Accidental DQI

Governance framework for the Designated Qualified Individual role across healthcare, financial services, and small business. Covers governance, risk assessment, vendor oversight, regulatory frameworks, and personal liability.

DQI personal liability is real and frequently unrecognized by named individuals
Role applies across FTC Safeguards Rule, HIPAA, and state frameworks
Governance gaps create exposure that no insurance policy eliminates
Read the Book →
The Research Foundation

Original data. Not curated statistics.
Not vendor reports.

The Cybantage research dataset is sourced directly from HHS/OCR breach reporting data — the same data carriers and regulators use. It represents every major breach reported by healthcare providers and business associates from January 2023 through February 2026.

1,478Healthcare providers and business associates in the primary dataset
73%Logistic regression accuracy for predicting organizational survival
462Organizations confirmed closed or sold post-breach (31.3%)
3 yrsData span: January 2023 through February 2026
Source
HHS/OCR Breach Portal — official federal breach reporting database
Scope
Major breaches affecting 500+ individuals. Excludes health plans, government, and educational entities.
Period
January 2023 through February 2026
Model
73% accurate logistic regression model for survival probability. Introduces HBSI framework.

The CISI puts this research to work for your organization.

215 points. 10 domains. Two denial dimensions. The free assessment generates a scored picture of your organization's claim defensibility against the same forensic standard this research established.