Risk Assessment Methodology

Defining FindTheBreach's formal approach to identifying, scoring, classifying, and treating information security risks across all systems and services.

Effective Date: February 2026  |  Last Reviewed: February 2026

Owner: Chief Information Security Officer (CISO), Find The Breach LLC

Compliance: SOC 2 CC3  |  ISO 27001 6.1.2  |  NIST CSF ID.RA  |  CIS Control 3

1 Purpose & Scope

This document defines FindTheBreach's formal risk assessment methodology for identifying, evaluating, prioritizing, and treating information security risks. The methodology is aligned with SOC 2 CC3 (Risk Assessment), ISO 27001 clause 6.1.2 (Information Security Risk Assessment), NIST Cybersecurity Framework ID.RA (Risk Assessment), and CIS Control 3 (Data Protection).

Scope. This methodology applies to:

  • All information assets, systems, and services operated by FindTheBreach
  • All personnel responsible for risk identification, assessment, and remediation
  • All third-party integrations, vendor relationships, and supply chain dependencies
  • All computing environments including production, staging, development, and disaster recovery
  • Customer-facing scanning infrastructure and data processing pipelines

This methodology provides a consistent, repeatable, and auditable framework for making risk-based decisions that protect FindTheBreach's operations and customer data.

2 Risk Identification Process

Risks are identified through multiple complementary sources to ensure comprehensive coverage across technical, operational, and organizational domains.

Identification Sources:

  • Automated Scanning — 40+ integrated security tools continuously identify vulnerabilities across infrastructure, applications, and configurations
  • EASM Monitoring — External Attack Surface Management continuously discovers and monitors internet-facing assets for exposure and misconfiguration
  • Threat Intelligence Feeds — Curated threat intelligence provides context on emerging threats, active exploits, and threat actor campaigns
  • Manual Penetration Testing — Scheduled and ad-hoc penetration tests identify risks that automated tooling may miss
  • Vendor Risk Assessments — Third-party and supply chain risk evaluations identify risks introduced through external dependencies
  • Change Management Review — All significant changes to systems, configurations, and processes are evaluated for risk impact prior to implementation
  • Incident Post-Mortems — Lessons learned from security incidents and near-misses are fed back into the risk identification process
  • Employee Reports — All personnel are encouraged to report potential risks, suspicious activity, and security concerns through established channels

Identified risks are documented with sufficient detail to enable consistent scoring and are assigned to a risk owner for further evaluation.

3 Risk Scoring Criteria

Risks are scored using a 5×5 matrix that evaluates Likelihood (probability of occurrence) against Impact (severity of consequence). The Risk Score is calculated as:

Risk Score = Likelihood × Impact

Likelihood Scale:

  • 1 — Rare: Unlikely to occur; no historical precedent
  • 2 — Unlikely: Could occur but not expected; limited precedent
  • 3 — Possible: May occur at some point; some precedent exists
  • 4 — Likely: Expected to occur in most circumstances
  • 5 — Almost Certain: Expected to occur imminently or is already occurring

Impact Scale:

  • 1 — Negligible: Minimal effect on operations; no data exposure
  • 2 — Minor: Limited disruption; minor data or financial impact
  • 3 — Moderate: Noticeable operational impact; potential regulatory concern
  • 4 — Major: Significant disruption; data breach or major financial loss
  • 5 — Critical: Catastrophic impact; business continuity threat; large-scale data breach

Risk Matrix:

Likelihood \ Impact   1 Negligible   2 Minor   3 Moderate   4 Major   5 Critical
5 Almost Certain                 5        10           15        20           25
4 Likely                         4         8           12        16           20
3 Possible                       3         6            9        12           15
2 Unlikely                       2         4            6         8           10
1 Rare                           1         2            3         4            5

Rows = Likelihood  |  Columns = Impact  |  Cell values = Risk Score

4 Risk Classification

Based on the calculated risk score, each risk is classified into one of four levels with corresponding response timelines:

CRITICAL

Score 20–25 — Immediate action required within 24 hours

Mandatory executive escalation. Incident response may be triggered. Customer notification assessed.

HIGH

Score 12–19 — Action required within 7 days

Escalation to risk owner within 24 hours. Remediation plan documented and tracked.

MEDIUM

Score 6–11 — Action required within 30 days

Risk owner develops treatment plan. Progress reviewed in next quarterly cycle.

LOW

Score 1–5 — Accept or monitor

Document acceptance rationale. Review during quarterly assessment cycle.

5 Risk Treatment Options

For each identified and scored risk, one of the following treatment strategies must be selected and documented by the risk owner:

Accept

  • Document rationale for acceptance
  • Obtain sign-off from risk owner
  • Review quarterly to confirm acceptance remains valid

Mitigate

  • Implement compensating controls
  • Track remediation to completion
  • Re-score risk after mitigation is applied

Transfer

  • Transfer via cyber insurance coverage
  • Delegate to qualified third-party provider
  • Ensure contractual risk allocation is documented

Avoid

  • Eliminate the activity or system creating the risk
  • Document business impact of avoidance
  • Obtain approval from Risk Committee

6 Risk Register Management

All identified risks are maintained in the in-platform Risk Register, providing a centralized, auditable record of risk posture. Each entry contains the following fields:

Field          Description
Risk ID        Unique identifier (e.g., RISK-2026-001)
Title          Concise description of the risk
Category       Technical, operational, compliance, third-party, etc.
Likelihood     Score 1–5 per likelihood scale
Impact         Score 1–5 per impact scale
Risk Score     Likelihood × Impact (1–25)
Owner          Individual accountable for treatment
Treatment      Accept, Mitigate, Transfer, or Avoid
Status         Open, In Progress, Mitigated, Accepted, Closed
Review Date    Next scheduled review date

All entries are reviewed on a quarterly basis at minimum. Changes to risk scores, treatment plans, or ownership are logged with timestamps and attribution for audit purposes.
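The scoring scale (section 3), the classification bands with their response windows (section 4), re-scoring after mitigation (section 5) and the register fields with attributed change logging (section 6) can be modelled in a few dozen lines. The following is an added example, not FindTheBreach's platform code: it assumes "quarterly" can be approximated as 90 days, uses a simple RISK-YYYY-NNN identifier pattern derived from the example in the field table, and uses constructed sample entries.

```python
"""Model of the 5x5 risk scoring, classification and register rules (added example)."""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Scales from section 3.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}

# Classification bands from section 4: (low score, high score, level, response window in days).
# LOW has no fixed window: it is accepted or monitored and reviewed in the quarterly cycle.
BANDS = [
    (20, 25, "CRITICAL", 1),
    (12, 19, "HIGH", 7),
    (6, 11, "MEDIUM", 30),
    (1, 5, "LOW", None),
]
QUARTER_DAYS = 90  # assumption: the quarterly review cadence modelled as 90 days

TREATMENTS = {"Accept", "Mitigate", "Transfer", "Avoid"}
STATUSES = {"Open", "In Progress", "Mitigated", "Accepted", "Closed"}
RISK_ID = re.compile(r"^RISK-\d{4}-\d{3}$")  # assumed format, e.g. RISK-2026-001


def risk_score(likelihood: int, impact: int) -> int:
    """Risk Score = Likelihood x Impact, both on the 1..5 scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def classify(score: int) -> str:
    """Map a 1..25 score onto CRITICAL / HIGH / MEDIUM / LOW."""
    for low, high, level, _ in BANDS:
        if low <= score <= high:
            return level
    raise ValueError(f"score {score} is outside 1..25")


def response_window_days(level: str) -> Optional[int]:
    for _, _, lvl, days in BANDS:
        if lvl == level:
            return days
    raise ValueError(f"unknown level {level!r}")


def build_matrix() -> list[list[int]]:
    """The 5x5 matrix as printed in section 3: rows likelihood 5..1, columns impact 1..5."""
    return [[risk_score(lk, im) for im in range(1, 6)] for lk in range(5, 0, -1)]


@dataclass
class RiskEntry:
    """One Risk Register row; score, level and review date are derived, not stored."""
    risk_id: str
    title: str
    category: str
    likelihood: int
    impact: int
    owner: str
    treatment: str
    status: str
    assessed: date                                  # date of the latest scoring
    history: list = field(default_factory=list)     # (when, actor, field, old, new)

    def __post_init__(self) -> None:
        if not RISK_ID.match(self.risk_id):
            raise ValueError(f"bad Risk ID {self.risk_id!r}")
        if self.treatment not in TREATMENTS or self.status not in STATUSES:
            raise ValueError("treatment or status not in the allowed sets")
        risk_score(self.likelihood, self.impact)    # validates both scales

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return classify(self.score)

    @property
    def review_date(self) -> date:
        """Response deadline for CRITICAL/HIGH/MEDIUM; next quarterly review for LOW."""
        days = response_window_days(self.level)
        return self.assessed + timedelta(days=QUARTER_DAYS if days is None else days)

    def rescore(self, likelihood: int, impact: int, actor: str, when: date) -> None:
        """Re-score (e.g. after mitigation) and log the change with timestamp and attribution."""
        risk_score(likelihood, impact)
        old = (self.likelihood, self.impact, self.score, self.level)
        self.likelihood, self.impact, self.assessed = likelihood, impact, when
        self.history.append((when, actor, "score", old, (likelihood, impact, self.score, self.level)))


def triage(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Highest score first; earliest review date breaks ties."""
    return sorted(entries, key=lambda e: (-e.score, e.review_date))


def sample_register() -> list[RiskEntry]:
    """Constructed sample entries (not real findings)."""
    d = date(2026, 2, 1)
    return [
        RiskEntry("RISK-2026-001", "Expired TLS certificate on public endpoint", "technical", 4, 5, "ciso", "Mitigate", "Open", d),
        RiskEntry("RISK-2026-002", "Vendor SOC 2 report overdue", "third-party", 3, 3, "compliance", "Transfer", "In Progress", d),
        RiskEntry("RISK-2026-003", "Legacy staging host without MFA", "operational", 1, 4, "cto", "Accept", "Accepted", d),
    ]


if __name__ == "__main__":
    for row in build_matrix():
        print(" ".join(f"{v:3d}" for v in row))
    for e in triage(sample_register()):
        print(f"{e.risk_id} {e.level:8} score={e.score:2d} review by {e.review_date}")
```

Re-scoring through `rescore` rather than assigning the fields directly keeps the section 6 audit requirement (timestamp and attribution on every score change) enforced in one place, and because level and review date are derived properties they can never drift from the stored likelihood and impact.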

7 Review Cadence

The risk assessment program follows a structured review cadence to ensure risks remain current and treatment plans are effective:

  • Quarterly Full Review — Complete review of all entries in the Risk Register. Likelihood and impact scores are re-evaluated based on current threat landscape and control effectiveness.
  • Ad-Hoc Review — Triggered after significant incidents, major system changes, new threat intelligence, or material changes to the business environment.
  • Annual Methodology Review — The risk assessment methodology itself is reviewed and updated to reflect evolving standards, regulatory requirements, and lessons learned.

Risk Committee. Reviews are conducted by the Risk Committee, which includes:

  • Chief Information Security Officer (CISO) — Chair
  • Chief Technology Officer (CTO)
  • Compliance Lead

Minutes of each Risk Committee meeting are documented and retained for a minimum of three years.

8 Escalation Thresholds

Escalation ensures that risks above defined thresholds receive timely attention from appropriate decision-makers:

CRITICAL

Immediate escalation to executive team

CISO notifies CEO/CTO immediately. Incident response procedures may be activated. Customer notification is assessed for any risk that could affect data confidentiality or service availability.

HIGH

Escalation within 24 hours to risk owner

Risk owner develops and documents a remediation plan. Customer notification is evaluated if applicable to service-level commitments.

All escalation actions and decisions are logged in the Risk Register with timestamps and responsible parties for audit trail purposes.

9 Continuous Monitoring Integration

FindTheBreach's risk assessment is not a point-in-time exercise. The following automated systems feed directly into the risk management lifecycle:

  • Automated Vulnerability Scanning — Continuous scanning results are correlated with the Risk Register. New critical and high vulnerabilities automatically generate risk entries for triage.
  • EASM Change Detection — Changes to external attack surface (new subdomains, exposed services, certificate expirations) trigger automated risk reassessment workflows.
  • Anomaly Detection — The platform's anomaly detection engine (app/anomaly_detector.py) monitors for behavioral anomalies and triggers real-time risk alerts when deviations exceed configured thresholds.

These integrations ensure that the Risk Register reflects current conditions and that emerging threats are identified and assessed without manual intervention.

10 Document Control

Version: 1.0
Effective Date: February 2026
Next Review Date: May 2026
Approved By: Chief Information Security Officer (CISO)
Owner: Find The Breach LLC
Classification: Internal — Trust Center Publication

Policy Contact

Chief Information Security Officer (CISO), Find The Breach LLC

Email: security@findthebreach.com