2026 is the year cyber risk quantification stopped being niche
For most of the last decade, cyber risk quantification (CRQ) — putting a dollar figure on cyber risk instead of a red/amber/green heatmap — was a thing a handful of large banks and insurers did. In 2026 it became mainstream.
The numbers are striking. In the 2026 State of Cyber Risk Management Report, published in early June by GuidePoint Security and The FAIR Institute, organisations reported a clear shift toward financial risk management. The report's headline statistics (the figures themselves did not survive in this copy) cover:
- ... for cyber risk management over the next three years
- ... risk management programs already running
- ... most often for automated quantification & simulation
The vendor market has noticed. There is now a wave of "instant" CRQ products promising a board-ready financial risk number with minimal inputs — one launched this year offering results in as little as 24 hours. The category is consolidating around a single promise: faster, more automated, less manual effort.
That is genuine progress, and it is overdue. But it has quietly skipped past the oldest, hardest problem in the entire discipline. Speed and automation make a CRQ model faster. They do not make it right. And the same FAIR Institute report that shows all this momentum also shows the catch: 76% of organisations believe they're effective at turning risk assessments into business decisions, but only 35% say their governance groups are fully effective at it. Confidence is running well ahead of rigour.
So here's the question worth asking before you buy the fastest number on the market: where did the inputs come from?
Automation solved the wrong bottleneck
A CRQ engine is, underneath, an arithmetic machine. Most credible platforms — ours included — run a Monte Carlo simulation over a FAIR-style decomposition: how often a loss event happens (Loss Event Frequency), multiplied by how much it costs when it does (Loss Magnitude), simulated thousands of times to produce an Annual Loss Expectancy (ALE) with a distribution around it.
That maths is well understood and, frankly, commoditised. Automating it — pulling in scan data, wiring up live threat feeds, refreshing the model continuously — is the part the 2026 product wave has nailed. Kovrr's widely-read list of CRQ trends for the year is a good summary of where the energy is going: automated risk registers, integration with continuous threat-exposure management, real-time data feeds, AI-assisted scenario generation.
Useful, all of it. But notice what every one of those improvements has in common: they make the engine faster and the known data fresher. None of them touches the quality of the estimates the engine runs on.
A Monte Carlo simulation will perform flawless arithmetic on garbage and hand you back a beautifully formatted, precisely wrong number — in 24 hours instead of a fortnight.
This isn't a fringe concern. The FAIR community has been explicit about it for years: the answer to "garbage in, garbage out" is calibration — making estimates as a 90%-confidence range rather than a single confident point, by people trained and measured on how accurate their past estimates turned out to be. The problem is that calibration is exactly the part automation can't do for you. It's a property of the people and process feeding the model, not the software running it.
Confident is not the same as calibrated
Ask an uncalibrated expert how much a ransomware event would cost you and they'll often give you a single, confident figure: "About seven million." It sounds authoritative. It's also, statistically, almost certainly wrong — point estimates from unmeasured experts miss far more often than the experts believe.
A calibrated expert answers differently: "I'm 90% confident it's between six and fifteen million." That feels less satisfying to a board that wants one number. But it's far more likely to actually contain the truth — and it carries its own honesty about uncertainty, which is precisely what a risk decision needs.
The distinction matters because most CRQ inputs are not measured — they're estimated. Some factors you can pull from data. Many you can't, and a human has to make a judgement. If that human is confidently uncalibrated, automating the model around them just industrialises the error. You get wrong answers faster, more often, and with a more convincing dashboard wrapped around them.
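The engine described earlier (Loss Event Frequency times Loss Magnitude, simulated thousands of times to an ALE distribution) and the point-estimate-versus-calibrated-range contrast above can both be seen in a few dozen lines. The code below is an added example, not CyQuantiFi's or any vendor's product code: it fits a lognormal to each 90%-confidence range, draws a yearly event count from a Poisson around the sampled rate, and sums the per-event losses. The ranges, the lognormal fit and the Poisson event count are constructed modelling assumptions chosen for illustration.

```python
"""FAIR-style Monte Carlo over calibrated ranges.

Added example, not CyQuantiFi's or anyone else's product code. Inputs are
constructed 90%-confidence ranges; the lognormal fit and the Poisson event
count are modelling assumptions chosen for illustration.
"""
import math
import random
import statistics

Z90 = 1.6448536269514722  # standard-normal quantile bounding a two-sided 90% interval


def lognormal_from_90ci(low, high):
    """Fit a lognormal whose 5th and 95th percentiles are exactly (low, high)."""
    if not 0 < low < high:
        raise ValueError("range must satisfy 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z90)
    return mu, sigma


def ci_bounds(mu, sigma):
    """Inverse of lognormal_from_90ci: the fitted 5th and 95th percentiles."""
    return math.exp(mu - Z90 * sigma), math.exp(mu + Z90 * sigma)


def poisson(rng, rate):
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(sorted_values, q):
    """Nearest-rank percentile on an already-sorted list."""
    idx = min(len(sorted_values) - 1, max(0, math.ceil(q * len(sorted_values)) - 1))
    return sorted_values[idx]


def simulate_ale(lef_ci, lm_ci, trials=20000, seed=1):
    """Annualised loss distribution. Per trial: draw a yearly event rate from the
    LEF range, a Poisson event count from that rate, and a loss per event from
    the LM range; the yearly total is the sum of those per-event losses."""
    rng = random.Random(seed)
    lef_mu, lef_sigma = lognormal_from_90ci(*lef_ci)
    lm_mu, lm_sigma = lognormal_from_90ci(*lm_ci)
    yearly = []
    for _ in range(trials):
        rate = rng.lognormvariate(lef_mu, lef_sigma)
        events = poisson(rng, rate)
        yearly.append(sum(rng.lognormvariate(lm_mu, lm_sigma) for _ in range(events)))
    yearly.sort()
    return {
        "mean": statistics.fmean(yearly),
        "p50": percentile(yearly, 0.50),
        "p90": percentile(yearly, 0.90),
        "p95": percentile(yearly, 0.95),
        "p_any_loss": sum(1 for v in yearly if v > 0) / trials,
    }


def point_estimate_ale(lef, lm):
    """What a single confident answer ('about seven million, roughly once every
    three years') produces: one number, no tail, no statement of uncertainty."""
    return lef * lm


if __name__ == "__main__":
    # Constructed inputs: ransomware, 0.1 to 1.0 events per year, $2M to $15M per event.
    calibrated = simulate_ale((0.1, 1.0), (2e6, 15e6))
    single = point_estimate_ale(1 / 3, 7e6)
    print(f"point-estimate ALE: ${single:,.0f}")
    for key, value in calibrated.items():
        print(f"{key:>10}: {value:,.2f}")
```

Two things the output shows that the single number cannot: the median year carries no loss at all (most years see zero events), while the 95th percentile sits several times above the point-estimate ALE. That tail is what a board attestation is really about, and it only exists in the output because the inputs were ranges.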
This is the gap a fast-CRQ buyer should be probing. Not "how quickly does it produce a number?" but "how does it know whether the people supplying the estimates are any good — and does it get more accurate as it learns who is?"
And then there are the assets you can't scan at all
Calibration is the input problem for the data you have. There's a second, larger problem: the data you'll never have.
Automated CRQ depends on telemetry — scanners, agents, feeds. That works beautifully for IT: servers, endpoints, cloud workloads. It runs into a wall the moment you reach the systems that carry the highest consequence if they fail.
You cannot run an active scan against a live SCADA system controlling a water treatment plant — the scan itself can disrupt a safety-critical process. You cannot put an agent on an air-gapped defence network; that's the whole point of air-gapping it. You cannot install software on a third party's environment you don't administer, or on a legacy controller whose vendor went out of business in 2009.
These are the crown-jewel assets — the ones whose compromise makes the news and triggers the board attestation. And they are exactly the assets an automation-first CRQ tool is structurally blind to. Highest consequence, least data. A model that can only quantify what it can scan will hand a critical-infrastructure board a confident dollar figure that silently excludes the systems they most need to understand.
For Australian operators this is no longer abstract. The enhanced Critical Infrastructure Risk Management Program rules under the SOCI Act push towards more prescriptive obligations across cyber, supply chain, personnel and physical security, with maximum corporate penalties rising to $3.3 million. A board attestation that rests on a risk number which quietly omitted the OT estate is not a defensible position.
What "fixing the inputs" actually means
None of this is an argument against speed or automation. It's an argument that they're necessary, not sufficient. The CRQ tools worth buying in 2026 are the ones that automate the engine and take the input problem seriously. In practice that means looking past the headline pitch:
| The 2026 sales pitch | The question that actually matters |
|---|---|
| "Board-ready number in 24 hours" | Built from measured data, or from uncalibrated guesses run through fast maths? |
| "Fully automated, real-time" | Does it cover the OT/air-gapped/legacy assets that have no telemetry to automate? |
| "AI-assisted scenario generation" | Does the model get measurably more accurate as it learns whose estimates were right? |
CyQuantiFi was built around those three answers rather than around speed for its own sake. For scannable assets, we automate exactly like the rest of the field — telemetry in, attack graph out, Monte Carlo over a FAIR decomposition, ALE in dollars. For the unscannable assets, we use structured expert consensus: a market-based mechanism where security experts contribute probability estimates, their accuracy is tracked over time, and better-calibrated experts carry more weight. The same dollar output, on the assets a scanner can't touch. That second mode is the subject of our filed patent, and it's the difference between a number that covers your IT and a number that covers your business.
The honest framing is the one in our internal motto: Math over Vibes. A heatmap is vibes. A precise dollar figure built on uncalibrated inputs is vibes wearing a lab coat. The goal isn't a faster number — it's a number you'd actually stake a board attestation on.
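The structured expert consensus mechanism described above, and the "measure and weight estimators by their track record" answer a buyer should be looking for, can be made concrete with a toy scoring scheme. The code below is an added example and is not CyQuantiFi's patented mechanism or any vendor's code: it scores each expert's past probability forecasts with the Brier score, turns that into a weight (an assumed linear rule that gives zero weight at coin-flip skill or with too little history), pools a new set of estimates by those weights, and separately checks how often an estimator's past 90% ranges actually contained the truth. The expert names and their histories are constructed.

```python
"""Weighting expert estimates by track record.

Added example, not CyQuantiFi's patented consensus mechanism or any vendor's
code. The scoring rule (Brier score), the weight formula and the history are
constructed for illustration.
"""

MIN_HISTORY = 5  # assumption: no weight until an estimator has a scored track record

# Constructed history: (probability the expert gave, whether the event then happened).
HISTORY = {
    "alice": [(0.9, 1), (0.8, 1), (0.2, 0), (0.1, 0), (0.7, 1), (0.3, 0)],    # confident and right
    "bob":   [(0.95, 0), (0.9, 1), (0.05, 1), (0.9, 0), (0.95, 1), (0.1, 0)],  # confident and wrong
    "carol": [(0.6, 1), (0.5, 0), (0.4, 0), (0.6, 0), (0.5, 1), (0.7, 1)],    # hedged, weakly informative
}


def brier_score(forecasts):
    """Mean squared error of probability forecasts: 0 is perfect, 0.25 is coin-flip level."""
    if not forecasts:
        raise ValueError("no forecasts to score")
    return sum((p - outcome) ** 2 for p, outcome in forecasts) / len(forecasts)


def track_record_weight(forecasts):
    """Assumed weight rule: linear in Brier skill, zero at or below coin-flip
    level, and zero when there is too little history to judge."""
    if len(forecasts) < MIN_HISTORY:
        return 0.0
    return max(0.0, 1.0 - 4.0 * brier_score(forecasts))


def pooled_probability(estimates, history):
    """Weighted mean of the experts' new estimates; falls back to the plain mean
    when nobody has a usable track record."""
    weights = {name: track_record_weight(history.get(name, [])) for name in estimates}
    total = sum(weights.values())
    if total == 0.0:
        return sum(estimates.values()) / len(estimates)
    return sum(weights[name] * p for name, p in estimates.items()) / total


def interval_hit_rate(past_ranges):
    """Share of past 90%-confidence ranges that contained the realised value.
    A calibrated estimator lands near 0.9; an overconfident one lands well below."""
    hits = sum(1 for (low, high), actual in past_ranges if low <= actual <= high)
    return hits / len(past_ranges)


if __name__ == "__main__":
    # Constructed new question: probability of a loss event in the coming year.
    new_question = {"alice": 0.2, "bob": 0.9, "carol": 0.4}
    for name in new_question:
        print(f"{name}: weight {track_record_weight(HISTORY[name]):.3f}")
    print(f"equal-weight mean:   {sum(new_question.values()) / 3:.3f}")
    print(f"track-record pooled: {pooled_probability(new_question, HISTORY):.3f}")
    # Constructed past ranges with realised values; three of four contained the truth.
    print(interval_hit_rate([((2, 8), 5), ((10, 40), 45), ((1, 4), 2), ((50, 200), 120)]))
```

The design choice worth noticing is that the loud, confident estimator ends up with zero weight not because anyone judged their experience, but because their past forecasts were scored. That is the difference between "we use experienced practitioners" and "we measure and weight estimators by their track record"; the minimum-history rule is the part that keeps a newcomer's first confident guess from dominating the pool.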
What to do before you trust a CRQ number
1. Ask where every input came from: for each major factor in the model, is it measured or estimated? There's no shame in estimates (most of CRQ is estimates), but you need to know which is which.
2. Demand calibration, not confidence: ask the vendor how they account for the accuracy of the people supplying estimates. "We use experienced practitioners" is not an answer. "We measure and weight estimators by their track record" is.
3. Map your unscannable estate first: list the assets no agent or scanner can reach, such as OT, air-gapped, legacy and key third parties. If a CRQ tool can't quantify those, it can't quantify the risk that matters most.
4. Treat a 24-hour number as a hypothesis, not a verdict: fast time-to-value is genuinely useful for a first pass. Just don't confuse the speed of the output with the soundness of the inputs.
5. Make the output a range, then govern it: a single point estimate invites false precision. Insist on a distribution with confidence intervals, and remember the FAIR Institute's own finding: the gap isn't producing numbers, it's the governance to act on them.
6. Re-run it as the threat environment moves: a number is a snapshot. The value of automation is that you can refresh it, so use it to track change, not to file once and forget.
The bottom line
2026 made cyber risk quantification fast, automated, and mainstream. That's worth celebrating — for years the bottleneck on CRQ adoption was manual effort and expert time, and the industry has genuinely attacked it.
But the field has automated the part that was already easy and largely left alone the part that was always hard. The arithmetic was never the problem. The inputs were. A Monte Carlo engine is indifferent to whether you feed it calibrated estimates or confident guesses; it will produce a crisp dollar figure either way, and the fast ones will produce it before you've finished your coffee.
For most organisations, the practical test is simple. The next time someone hands you a quantified cyber risk number, don't ask how quickly it was produced. Ask two things: how do you know the inputs are any good, and does this include the systems we can't scan? If the answers are vague, you don't have a risk number. You have a heatmap with a dollar sign in front of it.
The organisations that win the CRQ era won't be the ones with the fastest number. They'll be the ones with the most trustworthy one.
Related reading
- 2026 State of Cyber Risk Management Report — GuidePoint Security & The FAIR Institute
- Avoiding "Garbage In, Garbage Out" in cyber risk measurement — FAIR Institute / RiskLens
- CyQuantiFi: Risk quantification for the assets you can't scan
