Getting started

If this is your first time on the platform, here's the fastest path to a useful first result:

1. Pick a framework from the App Home page. NIST CSF 2.0 is a great default if you're not sure.
2. (Optional) set targets via the "Targets" link on the framework card — this overlays your target maturity on the spider graph.
3. Answer the assessment questions. ~25-30 questions, takes about 15 minutes. Auto-saves as you go.
4. Watch the AI analyse each category individually. Each category gets a 0-100% score plus a 2-3 paragraph analysis with your business context.
5. Review the results page — spider graph, risk heatmap, executive summary, prioritised actions, benchmark comparison.
6. Download the PDF report for the board, or click "Generate Actions" to create a remediation plan in the Actions kanban.

Tip: the dashboard's Quick Access tiles let you jump straight into any module without going through the menu.

Assessments

What it is: structured questionnaires across 9 compliance frameworks, scored individually per category by AI.

The 9 frameworks:

• NIST CSF 2.0 — Govern / Identify / Protect / Detect / Respond / Recover
• NIS2 Directive — EU cybersecurity for essential and important entities
• GDPR — EU data protection
• ISO 27001 — Information security management standard
• DORA — Digital Operational Resilience Act for financial services
• SOC 2 — Trust Services Criteria
• Cyber Essentials — UK government 5 core technical controls
• EU AI Act — EU artificial intelligence regulation
• PCI DSS — Payment card industry data security

Key features:

• Target maturity levels — set goals per category, see them as an overlay on the spider graph
• Auto-save — your progress is saved on every answer change, in localStorage
• Conditional questions — some questions only appear based on prior answers
• Re-take any time — click "Duplicate" on the Previous Assessments page to start fresh with the same framework
• Schedule reassessments — set a cadence (quarterly, biannual, annual) and the calendar will remind you

Tip: low-scoring categories show a "Get expert support" CTA that links to the ShieldIQ Cyber consultancy.

Control library

What it is: the central source of truth for every control in your compliance programme. Each control can be linked to multiple frameworks via cross-mapping, so the same control can satisfy NIST CSF, ISO 27001 and Cyber Essentials simultaneously.

Key concepts:

• Control status — not started / in progress / implemented / not applicable. Updated automatically when you sync from an assessment.
• Framework mappings — one control can map to many frameworks (e.g. NIST PR.AC-1 = ISO A.5.15 = CE Access Control)
• Evidence attachment — click the paperclip icon to upload evidence files; the green count shows how many are attached
• Sync from assessment — on the Controls page, click "Sync from latest" to pull statuses from your most recent assessment scores
• AI evidence analyser — click the magic-wand icon next to any evidence file to have our AI judge whether it satisfies the linked control

Tip: the paperclip indicator on each control row turns green when evidence is attached. Click it to expand the evidence list inline.

Policy Manager

What it is: versioned policy documents with control mappings and employee acknowledgment tracking.

Key features:

• AI Policy Generator — pick a policy type (Acceptable Use, Information Security, Data Retention, etc.) plus your scope, framework hint and linked controls. Our AI drafts a tailored policy you can review, edit, and save as a draft.
• 20 pre-built policy types covering the standard SME policy library
• Versioning — every save creates a new version. Old versions stay accessible.
• Acknowledgments — track which employees have read and acknowledged the current version. Pending acknowledgments appear on each user's dashboard.
• Control mappings — link policies to controls so the audit ZIP export shows the policy that proves the control

Where to find it: Quick Access tile → Policies, or via the nav drawer.

Risk register

What it is: a structured register with both qualitative (5×5 grid) and quantitative (FAIR-lite monetary) risk scoring, treatment workflows, and budget tracking.

Qualitative scoring

Standard 5×5 likelihood × impact grid. Risks are auto-bucketed:

• Low — score 1-5
• Medium — score 6-11
• High — score 12-19
• Critical — score 20-25

FAIR-lite quantitative

Open the collapsible "Quantitative loss expectancy" section in the risk editor:

• SLE (Single Loss Expectancy) — min / most-likely / max in your tenant currency
• ARO (Annual Rate of Occurrence) — events per year (decimals welcome, e.g. 0.5 = once every 2 years)
• ALE (Annualized Loss Expectancy) — auto-computed = SLE most-likely × ARO

The risks page shows a tenant-wide ALE rollup card with min/max confidence range and top categories by loss expectancy.

Acceptance workflow

Setting a risk's treatment to accept kicks off a formal request flow:

1. Click "Request acceptance" in the editor
2. Provide justification (min 10 chars), business case, compensating controls, optional expiry date
3. Admin/DPO reviews and approves or rejects
4. Approved acceptances flip the risk to accepted; the request can be revoked at any time
5. Acceptances with an expiry date auto-reopen the risk when they expire (sweep via the "Expire stale" button)

Separation of duties: the requester can never self-approve, even if they're an admin.

Treatment plans + budget

Each risk can have multiple treatment plans (iterations or alternatives). Each plan tracks:

• Currency, estimated cost, actual cost, budget variance (auto-coloured red over / green under)
• Start date, target date, completion date
• Owner
• Milestones with their own status (pending / in progress / complete / blocked)
• Progress bar driven by milestone completion

The Treatment portfolio endpoint rolls up budget vs actual across the entire tenant for the dashboard view.

Vendor-inherited risks

When a vendor scores poorly on its TPRM assessment (default threshold 70%), use the "Generate inherited risk" button on the vendor detail page. ShieldIQ creates a register entry tagged source=vendor with appropriate likelihood and impact, linked back to the vendor and its assessment. Inherited risks show a vendor icon in the register list.

Tip: the AI risk generator on the assessment results page automatically creates risks for any low-scoring categories.

Asset register

What it is: structured inventory of your information assets with classification, ownership, criticality and control linkage.

Per-asset fields:

• Type — database / server / SaaS / endpoint / network / data store / etc.
• Classification — public / internal / confidential / restricted
• Criticality — low / medium / high / critical
• Owner, location, vendor link, IP/hostname for technical assets
• Linked controls — which controls protect this asset
• Linked ROPA records — which processing activities use this asset

Bulk import: use the CSV import wizard to load 200+ assets at once. See Bulk CSV import.

Vendor risk management (TPRM)

What it is: third-party risk management module covering vendor inventory, questionnaires, scoring, and risk auto-generation.

Two pre-built questionnaire templates:

• Lite — 10 questions, ~5 minutes. Suitable for low-criticality vendors.
• Standard — 42 questions across data handling, security controls, SLA, and incident response. ~15-20 min.

How it works:

1. Add a vendor with criticality, contract dates, data exposure
2. Send (or fill on their behalf) one of the questionnaires
3. Each question has a risk-flag rule — high-risk answers auto-flag
4. Score = sum(positive answers) / sum(weights) × 100
5. Decision: approved / conditional / rejected
6. Reject or conditional auto-creates a risk in the register, linked back to the vendor

The vendor detail page has a "Generate inherited risk" button that creates a register entry whenever a vendor's score is below the threshold (default 70%). See Risk register → vendor-inherited risks.

Audit trail: every vendor change is logged in the audit log.

Incident management

What it is: structured incident lifecycle management with automatic regulatory deadline calculation and AI-drafted notification templates.

Reporting an incident

Click the "Report Incident" button (always visible in the nav) and fill in:

• Title, description, severity (low / medium / high / critical)
• Category (data breach / phishing / malware / DDoS / insider threat / lost device / system outage / supplier incident / misconfiguration)
• "This is a personal data breach (GDPR Art. 33)" tick — triggers the 72h notification clock
• Approximate number of affected data subjects

ShieldIQ auto-generates a reference (INC-YYYY-NNNN) and computes the regulatory notification deadline based on the category and tenant country.

Regulatory deadlines (auto-computed)

• GDPR Art. 33 — 72 hours from awareness for personal data breaches
• NIS2 Art. 23 — 24 hours initial early warning + 72h notification + 1 month final report
• DORA Art. 19 — 4 hours classification + 24 hours initial notification

The incident card shows a countdown banner that pulses red when the deadline is <24h or overdue.

AI-drafted regulator notification

Click "AI Draft Notification" on the incident detail page. Our AI takes the incident facts (title, description, category, breach status, data subjects affected, your tenant country) and drafts a regulator-ready notification using the right legal template (Art. 33 / NIS2 / DORA). Edit and download as a PDF or copy to clipboard.

Lifecycle & closure

Incidents move through: detected → triaged → investigating → contained → eradicated → recovered → closed. Closure prompts you to enter lessons learned, which optionally auto-creates a risk register entry for follow-up.

Cross-links: incidents can have evidence attached (Evidence module) and remediation actions linked (Actions module). Incident timelines log every status change automatically.

Evidence + freshness

What it is: structured evidence storage that ties files to controls, assessments and incidents with expiry-date tracking and AI judging.

Upload pipeline

Every uploaded file goes through a layered validation:

1. Extension allow-list
2. Magic-bytes check (real file type, not just the extension)
3. Type-specific scans: PDF active content scan, DOCX/XLSX macro scan, text/CSV script scan, image metadata scan
4. Optional ClamAV scan

Files that fail any check are rejected with a specific reason.

Evidence reuse

One file can satisfy multiple controls. After uploading, click the "Link to additional controls" button and pick the additional controls. The file appears in all linked controls' evidence lists.

Freshness + expiry

When uploading, set a "Valid for" period (30 days / 3 months / 6 months / 1 year / 2 years / custom date). Evidence freshness badges show on the control modal:

• Fresh — expires >30 days away (or no expiry set)
• Soon — expires within 30 days
• Expired — past the expiry date

The dashboard "Calendar" widget surfaces all evidence expiring in the next 30 days.

AI evidence analyser

Click the magic-wand icon next to any evidence file. Our AI reads the file (PDF / DOCX / XLSX / TXT / CSV / image via vision) and judges whether it satisfies the linked control. You get a verdict (satisfies / partial / does_not_satisfy), confidence score, and gap analysis.

Download safety: evidence downloads are forced as application/octet-stream with X-Content-Type-Options: nosniff and a Content-Security-Policy: default-src 'none' header so the browser can't render anything inline.

ROPA register (GDPR Art. 30)

What it is: Records of Processing Activities — the structured Article 30(1) field set that controllers must maintain. Required for any organisation with 250+ employees, or any organisation processing high-risk / regular / special-category data (so basically: everyone).

What you record per activity

• Identification — activity name, status (draft / active / archived)
• Controller / DPO — controller name + contact, DPO contact, joint controllers, representative (for non-EU controllers)
• Purposes — what the processing is for
• Legal basis (Art. 6) — consent / contract / legal obligation / vital interests / public task / legitimate interests
• Data subjects — categories (customers, employees, prospects, minors, etc.)
• Personal data categories — types of data (contact details, financial, health, etc.)
• Special category data (Art. 9) — flag + Art. 9 condition dropdown
• Children's data (Art. 8) — flag for separate regulator focus
• Recipients — categories of who receives the data
• Third-country transfers — structured list of {country, mechanism} with mechanism dropdown (Adequacy / SCCs / BCRs / Code of conduct / Certification / Derogation)
• Retention — period, basis, deletion method
• TOMs — technical and organisational security measures
• Linked assets & vendors — which assets implement this and which processors are involved

Auto reference IDs

Records are numbered ROPA-YYYY-NNN per tenant per year.

Export

The "Export CSV" button on the ROPA register page streams a regulator-ready CSV in the format supervisory authorities expect.

Tip: the summary cards on the register page show counts of records with special category data, records involving children, and records with cross-border transfers — these are the ones the regulator will look at first.

DPIA workflow (GDPR Art. 35)

What it is: a structured 6-step Data Protection Impact Assessment workflow following the EDPB template. Mandatory under Art. 35 when processing is likely to result in a high risk to data subjects' rights and freedoms.

The 6 steps

1. Identify — name, processing description, link to a ROPA record
2. Necessity & proportionality (Art. 35(7)(b)) — why this processing is necessary, what less intrusive alternatives were considered
3. Consultation — DPO consulted on date + advice; data subjects consulted (or reason if not)
4. Risks to rights & freedoms — inline list with the same 1-5 likelihood/severity grid as the risk register, with separate residual scores
5. Mitigations — the measures you'll take to bring the risk down. Can link to existing risk treatment plans for traceability.
6. Sign-off — outcome (proceed / proceed with conditions / do not proceed) + DPO sign-off

Auto Art. 36 trigger

If any risk's residual likelihood × severity is ≥ 16, ShieldIQ flags "Prior consultation required". You can't sign off the DPIA until you've recorded evidence of consulting your supervisory authority (date + response).

Sign-off

Sign-off is admin/DPO-only. ShieldIQ requires all mandatory fields to be present (description, necessity, proportionality, risks, mitigations, outcome). Once signed off, the DPIA becomes immutable — further changes must go through "Duplicate (new version)", which bumps the version number and supersedes the previous record.

Re-reviews

Schedule re-reviews via the DPIA detail page. Required by Art. 35(11) when the risk profile changes. Reviews show on the compliance calendar.

Tip: DPIAs always link to a ROPA record, so the regulator can trace the full processing → assessment chain.

Pen test report repository

What it is: structured engagement records for every penetration test with findings counts, retest scheduling, file storage, and risk linkage.

Per-engagement fields:

• Auto reference ID (PT-YYYY-NNN per tenant per year)
• Title, vendor name + contact
• Methodology — black box / grey box / white box / OWASP / PTES / PCI ASV / custom
• Scope description, test start/end dates, report received date
• Findings counts per severity (critical / high / medium / low / info)
• Executive summary
• Status (draft / final / remediated / superseded)
• Next retest date (shows on the compliance calendar)
• Linked risks (M2M to the risk register)

File upload: the report file goes through the same validated-upload pipeline as evidence (magic bytes, active-content scan, ClamAV). Download is forced as binary with a strict CSP.

Where to find it: Quick Access tile → Pen Tests, or via the nav drawer.

Compliance calendar

What it is: a unified view of every date that matters across your compliance programme.

What it pulls in (automatically):

• Control review due dates (from review_frequency_days on each control)
• Evidence expiry dates (from expires_at)
• Policy next-review dates
• Risk review dates
• Remediation action due dates
• Reassessment schedules
• Vendor contract end dates + assessment due dates
• Incident regulatory notification deadlines
• DPIA scheduled re-reviews
• Pen test next retest dates

Two views:

• Month grid — calendar layout with colour-coded events per type
• List view — chronological list grouped by date

The dashboard widget shows the next 7-14 days. The page also shows a 6-card stat strip (total / regulatory / evidence / reviews / contracts / actions).

Tip: click any event to jump straight to the underlying record.

Comments + activity feed

What it is: threaded comments with @mentions and a tenant-wide activity feed driven by the audit log.

Comments are available on:

• Controls (in the control detail modal)
• Vendors (on the vendor detail page)
• Incidents (on the incident detail page)

@mentions — type @username in any comment. ShieldIQ resolves the mention against your tenant members (no cross-tenant exposure) and creates a Mention record. Mentioned users see them in their account drawer.

Activity feed on the dashboard shows the last N events from the audit log: who created/updated/deleted what, when, with action-coloured icons and relative timestamps.

Editing: comments can be edited within 15 minutes of posting. After that, edits leave an "edited" timestamp visible. Soft-delete only — the audit log keeps the original.

Bulk CSV import + export

What it is: a 3-step wizard for importing risks, assets and vendors from CSV. No more hand-entering 200 assets.

The flow:

1. File picker — pick your CSV. UTF-8-sig accepted.
2. Preview & validate — ShieldIQ parses up to 500 rows and shows them in a table with red highlighting on rows that have errors. Common errors: missing required fields, invalid enum values, malformed dates.
3. Confirm — click confirm and ShieldIQ creates the rows. Errored rows are skipped (you fix them and re-upload).

Exports are available from the same buttons on each register page. CSVs are generated via defusedcsv to prevent formula injection attacks.

Where to find it: the "Import" and "Export" buttons in the page header on the Risks, Assets, and Vendors pages.

Remediation actions

What it is: a kanban board for tracking remediation tasks generated from assessments, risks, vendor reviews, and incidents.

Columns: Backlog → In Progress → Blocked → Done

Per-action fields: title, description, owner, due date, source (assessment / risk / vendor / incident / manual), effort (low / medium / high), impact (low / medium / high), priority bucket (low effort + high impact = "fix first")

Auto-generation: the assessment results page has a "Generate Actions" button that creates one action per low-scoring category, prefilled with the AI's recommendations.

Tip: drag actions between columns to update their status. The dashboard widget shows the top 5 "fix first" actions.

Network scanner

What it is: NMAP-based vulnerability scanner with AI analysis of the results.

Three scan profiles:

• Quick — top 1000 TCP ports, ~30 sec, available on Starter
• Standard — full port range, OS fingerprint, service detection, ~5 min, Business+
• Deep — standard + NSE vulnerability scripts, ~15 min, Enterprise

After the scan completes, our AI analyses the open ports, identified services, and any version banners, then writes a plain-English summary of the risks and what to do about them.

Compliance use: link scan results to specific controls (e.g. NIST PR.AC-3 = "Remote access is managed") for evidence.

AI features (unified credit pool)

ShieldIQ has five AI features. They share a single monthly credit pool that drains by one credit on each successful call.

Tier credit allocations:

• Starter: 0 credits
• Individual: 10 credits/month
• Professional: 50 credits/month
• Business: 200 credits/month
• Enterprise: 1,000+ credits/month

Credits reset on the 1st of each month. Unused credits do not roll over. Top-up packs are available if you exhaust your quota mid-month.

What costs a credit:

• AI Policy Generator (1 credit per generated policy)
• AI Evidence Analyser (1 credit per evidence file analysed)
• AI Cross-Framework Gap Analysis (1 credit per analysis)
• AI Incident Notification Drafter (uses a separate incident_ai_drafts_per_month pool)

Free: per-category assessment scoring runs on every assessment submission and is bundled into the cost of the assessment.

Tenant security policy

What it is: tenant-wide controls for authentication, session lifetime, password rules and anomaly detection. Admin-only.

Where to find it: Organisation page → Security Policy card.

Settings:

• Require MFA — force all users to enable MFA. Comes with a configurable grace period (in days) so existing users have time to set it up before being locked out.
• Session timeouts — idle timeout in minutes + absolute max session in hours
• Password policy — minimum length (clamped 8-128) + complexity flag (upper, lower, digit, symbol)
• Anomaly detection — enable/disable, with options to email users on high-risk sign-ins and require step-up MFA

Effect: when MFA is required and a user past the grace period tries to sign in without MFA enabled, they get a 403 with a message directing them to set up MFA in Account Settings.

Login anomaly detection

What it is: ShieldIQ scores every login attempt for risk on five factors and alerts when something looks unusual.

The 5 factors (cumulative score):

• New country (+30) — flagged when the geolocated IP country is one you've never signed in from before
• New device (+15) — flagged when the User-Agent fingerprint is new. Suppressed if the device is on your trusted list.
• Impossible travel (+50) — flagged when the distance from your last login is >500 km AND would require >900 km/h (faster than a commercial aircraft)
• Unusual hour (+10) — flagged when the sign-in is >3 hours from any of your historical hours. Only kicks in once you have ≥10 prior successful logins.
• Known-bad IP (+20) — flagged when the IP is on a threat-intel block list

Risk levels:

• Low — score 0-24
• Medium — score 25-49
• High — score 50+

High-risk sign-ins fire an email alert (if your tenant has alerting enabled). With "Step-up on risk" enabled, high-risk sign-ins also force a re-auth before the user can do anything.

Trusted devices: on your Account page, click "Trust this device" to add the current browser to your trusted list. Trusted devices skip the new-device flag. Revoke trust at any time from the same page.

Where to view events: the Organisation page (admin view of all tenant events) and your Account page (your own last 50 events).

Organisation + auditor mode

What it is: team accounts with role-based permissions and a special read-only mode for external auditors.

Roles:

• Owner — created the org, can do everything including billing
• Admin — can manage members, security policy, controls, policies, risks, etc.
• Member — standard user
• Auditor — time-boxed read-only role for external auditors

Auditor mode

Use the "External Auditors" card on the Organisation page to invite an auditor with a specific expiry date (7 / 14 / 30 / 60 / 90 days). They sign in with normal credentials but every non-GET request is rejected by the API. The UI hides write controls and shows a yellow auditor banner. After their access expires, their sessions are terminated automatically.

Audit ZIP export: the Business+ tiers can generate a full audit-ready ZIP containing controls, risks, evidence, policies, ROPA records, DPIAs and the audit log. Use this to hand over to an auditor without giving them login access.

Account, security & MFA

The Account page (top-right user menu) lets you manage:

• Profile — email, company name, theme preference (light / dark / auto)
• Password — change password (requires current password). Passwords are hashed with PBKDF2-SHA256 with a random per-user salt. They are never stored in plain text and cannot be recovered — only reset.
• MFA — enable TOTP (compatible with Google Authenticator, Microsoft Authenticator, Authy, 1Password, and any other TOTP app). Scan the QR code, verify a 6-digit code, done.
• Trusted devices — see and revoke devices that have been marked trusted
• Recent sign-in activity — your last 50 login events with risk scores and locations

Login & registration security

• Cloudflare Turnstile CAPTCHA — both the login and registration forms are protected by Cloudflare Turnstile to prevent automated credential stuffing and bot registrations. The challenge is invisible in most cases.
• Account lockout — after multiple failed login attempts, the account is temporarily locked. The lockout duration increases with each consecutive failure.
• Login anomaly detection — every sign-in is scored for risk (new country, new device, impossible travel, unusual hour). High-risk sign-ins trigger an alert. See the anomaly detection section for details.
• Forced MFA — your organisation admin can require all users to enable MFA, with a grace period for setup. See the security policy section.

Evidence storage

All uploaded evidence files and pen test reports are stored in Amazon S3 with server-side encryption (AES-256). Files are versioned, so accidental overwrites can be recovered. Downloads are served via time-limited presigned URLs that expire after 5 minutes.

Tip: if your organisation has "Require MFA" enabled, you'll see a banner counting down your grace period. Set up MFA before it expires or you'll be locked out.

Keyboard shortcuts

A few global shortcuts to speed things up:

Frequently asked questions