Skip to content

Cyber Risk Quantification for SOCI & CIRMP Compliance

Your CIRMP attestation is a board-level obligation under Australian law. A colour-coded heatmap won't defend it. CyQuantiFi translates your critical-infrastructure cyber risk into a dollar-denominated Annual Loss Expectancy your board can attest to — and your regulator can follow.


The regulatory moment: SOCI has moved from education to enforcement

The Security of Critical Infrastructure Act (SOCI) now covers roughly 200 regulated operators across energy, water, ports, transport, aviation, healthcare and more. Since 2026 the posture has shifted from education to enforcement, with corporate penalties rising into the millions. The Enhanced CIRMP Rules require responsible entities to run an all-hazards Critical Infrastructure Risk Management Program, obtain board approval, and submit an annual report — with an explicit obligation to document consideration of foreign ownership, control or influence (FOCI) in the vendor stack.

The attestation problem. A director signing a CIRMP attestation is putting their name to a statement about material risk. "Amber" is not a defensible basis for that signature. Boards are increasingly asking a question heatmaps cannot answer: what is this risk worth in dollars, and how confident are we in that number?

What we do

CyQuantiFi is a cyber risk quantification (CRQ) platform built for Australian critical infrastructure. We replace subjective red/amber/green ratings with an engineering-grade Annual Loss Expectancy (ALE) in dollars, mapped to the hazards your CIRMP has to address. The output is a board-ready number with confidence intervals — defensible in front of your directors, your regulator and your insurer.

$ ALE
Dollars, not colours

Every hazard expressed as Annual Loss Expectancy with a confidence range.

CIRMP
Mapped to the rules

Evidence aligned to the all-hazards CIRMP framework and board reporting.

OT+IT
Scannable & not

We quantify OT/SCADA and legacy systems you can't scan, not just your IT.

How it works

1

Model your critical assets

We build attack graphs across your scannable IT and your unscannable OT/SCADA and legacy environments — the systems where a CIRMP hazard actually lands.

2

Quantify with FAIR + simulation

A FAIR-aligned Monte Carlo simulation turns loss event frequency and loss magnitude into an Annual Loss Expectancy — with an honest tail, not an artificially calm one.

3

Fill the gaps with expert consensus

Where there's no telemetry, we use structured expert consensus with calibration tracking to produce a defensible probability — not a guess in a coloured cell.

4

Report to the board

Out comes a board-ready pack: portfolio ALE, top scenarios, control ROI, and evidence mapped to your CIRMP obligations — ready for attestation.

What you get

Deliverable Why it matters for CIRMP
Portfolio ALE in dollars A single, defensible figure a director can attest to.
Hazard-by-hazard breakdown Shows the all-hazards program has been quantified, not just described.
Control ROI & what-if analysis Justifies where the next dollar of uplift budget should go.
Board pack (Word / PowerPoint / PDF) Annual reporting evidence in a format directors already read.

Why CyQuantiFi for SOCI

🔒 Sovereign and FOCI-clean

Australian-incorporated, Australian-hosted, Australian-founded. A clean answer to the CIRMP FOCI clause without a foreign parent in the way.

🛰️ We quantify the unscannable

OT/SCADA, air-gapped and legacy systems are your highest-consequence assets. We put a number on them when scanners can't.

🎖️ Defence-grade methodology

Built on risk-quantification methods proven in Australia's most demanding government environments.

📐 Math over vibes

Every number is traceable, ranged, and defensible. We show the working — no black boxes for your regulator to distrust.

Who it's for

CISOs, heads of security, risk officers and boards at SOCI-regulated operators — electricity, gas, water, ports, rail, aviation, healthcare and data-storage assets — who need to satisfy a CIRMP attestation with evidence, not colour.


Frequently asked questions

What is cyber risk quantification for SOCI?

It's the practice of expressing your critical-infrastructure cyber risk as a dollar figure — an Annual Loss Expectancy — rather than a colour on a heatmap, so a board can attest to it and a regulator can follow the reasoning. CyQuantiFi does this using a FAIR-aligned model across both your scannable and unscannable assets.

Does this satisfy the CIRMP annual reporting obligation?

CyQuantiFi produces board-ready evidence mapped to the all-hazards CIRMP framework, in a format designed for directors and annual reporting. It supports your obligation; your responsible entity and its board remain accountable for the attestation itself. We're the engine underneath, not a substitute for your governance.

Can you quantify OT and SCADA risk that can't be scanned?

Yes — this is our core differentiator. Active scanning is unsafe on many OT/SCADA and legacy systems, so we use structured expert consensus with calibration tracking to produce a defensible probability for assets with no automated telemetry, then feed it into the same simulation as your scannable IT.

How does the FOCI clause affect vendor choice?

The Enhanced CIRMP Rules require you to document consideration of foreign ownership, control or influence in your vendor stack. CyQuantiFi is Australian-incorporated, Australian-hosted and single-shareholder — a clean answer where a foreign-owned platform would need explaining.

Put a dollar figure on your CIRMP hazards

Book a scoping call and see your critical-infrastructure risk in dollars before your next board report.

Related services

This page describes CyQuantiFi's cyber risk quantification service. It is general information, not legal or compliance advice; responsible entities remain accountable for their own SOCI obligations and board attestations.