Report Template

Security posture report

Main agenda points - Q1 2026

Where do we stand?
Our financial exposure is $14.2M
That is −23% YoY.
Managed, improving position.
What has the team delivered?
Exploitable attack surface −40%.
All critical assets monitored.
Return on Investment: $1 → $7.20 (in avoided losses)
Discussion points
Updated target budget
Exposure: $11.6M → under $4M
3.4:1 minimum return in year one

Where do we stand, in Dollars

All figures quantified using FAIR methodology and grounded in actuarial claims data.

Value at Risk
$14.2M
-23% YoY
Annualised loss expectancy, all scenarios
Risk Reduction
23%
+8pp from Q3
YoY decrease in loss expectancy
Avg Incident Cost
$95K
-47% from $180K
Down from $180K — investment working
Return on Security Investment
7.2:1
Above 5:1 threshold
$1 in → $7.20 in avoided loss
Financial Exposure vs. Mitigated Risk — Quarterly
Exposure trending down, mitigated risk trending up. Gap = residual exposure.

Top three risks we need to know about

Finding, financial impact, what we're doing about it.

The Finding
847 critical vulnerabilities across external-facing systems
So What
Customer payment database at risk — 1.2M records, $8–14M exposure
Now What
$340K to patch top 50 in 30 days — eliminates 80% of exposure
Critical

Ransomware Affecting ERP

$12–18M

ERP encryption → 5–8 day halt. Revenue + recovery costs.

Probability reduced 72%. Backup isolation validated weekly.

Critical

Customer Data Breach

$8–14M

2.3M records. Fines, notification, litigation, brand damage.

Attack surface reduced 40% since Q3. All access points monitored.

High

Supply Chain Compromise

$5–9M

Payment processor = largest uncontrolled third-party exposure.

Vendor assessment complete. $1M warranty backstop in place.

How We Rank Against the Industry

Your performance vs. industry average across four key metrics.

Mean Time to Detect
You
4 hours
Industry Avg
197 days

4 hours vs 197 days. Difference between a $50K incident and a $4M breach.

Exploitable Vulnerability Rate
You
3.5%
Industry Avg
38%

3.5% vs 38%. Top quartile performance.

Coverage Ratio
You
94%
Industry Avg
67%

6% gap = legacy systems, scheduled for decommission by Q3.

Third-Party Risk Score
You
82nd %ile
Industry Avg
50th %ile

12 of 340 vendors high-risk. Active remediation plans for all.

Every Dollar Justified

8.2% of IT budget. Aligned with industry median.

Total Invested
$1.51M
Annual security spend, all products
Total Risk Avoided
$8.47M
Quantified loss avoidance
Insurance Premium Impact
-15%
91% of underwriter requirements met
ROSI by Category
Invested vs. risk avoided per product.
Evidence Scan
7.2:1
Surface (ASM)
6.0:1
Warranty
5.6:1
Incident Response
4.0:1
Employee Training
3.0:1

Three Options. Your Decision.

A business decision, not a budget request.

Scenario A — Minimum

Accept Current Risk

$0

Exposure stays at $11.6M.

  • Legacy systems unmonitored
  • Third-party gaps persist
  • Insurance premiums likely increase
Scenario C — Comprehensive

Full Remediation

$1.2M

Exposure under $500K. Tier 3 maturity across all NIST functions.

  • Scenario B + zero-trust architecture
  • Dedicated SOC, 24/7 monitoring
  • Evidence Warranty $1M coverage
Scenario A — Minimum
Accept Current Risk
$0
Exposure stays at $11.6M. No investment, no improvement.
Ongoing Exposure
Legacy Systems
847 unpatched assets
  • Payment processing on end-of-life OS
  • No vulnerability scanning in place
  • Average patch age: 14 months
Financial Risk
Insurance Impact
Premiums increasing
  • Expected 35% premium increase at renewal
  • Coverage likely to decrease
  • Exclusions for known vulnerabilities
Risk Trajectory
12-Month Outlook
Exposure growing
  • Projected exposure: $11.6M → $15M+
  • Regulatory scrutiny increasing
  • Board liability exposure unchanged
Projected Loss
$11.6M
Unchanged over 12 months
Insurance Premium
+35%
Expected increase at renewal
Scenario B — Targeted
Close the Critical Gaps
$340K
$11.6M → under $4M. 3.4:1 return year one.
Phase 1 · 30 Days
Evidence Scan
$120K · Day 1–30
  • Map all legacy systems and dependencies
  • Identify 50 critical exposure points
  • Prioritize by financial impact
Phase 2 · 45 Days
Evidence Surface
$140K · Day 31–75
  • Full vendor monitoring activated
  • Continuous external scanning
  • Alert triage and escalation setup
Phase 3 · 15 Days
Validation & Hardening
$80K · Day 76–90
  • Penetration testing on critical assets
  • Policy and procedure updates
  • Board signoff on remediation
Timeline: 90-Day Delivery
Phase 1 (Day 1–30) Phase 2 (Day 31–75) Phase 3 (Day 76–90)
Return on Investment
3.4:1
Year one
Risk Reduction
66%
$11.6M → under $4M
Scenario C — Comprehensive
Full Remediation
$1.2M
Exposure under $500K. Tier 3 maturity across all NIST functions.
Phase 1–3 · 90 Days
Everything in Scenario B
$340K · Day 1–90
  • Evidence Scan + Evidence Surface
  • Validation & Hardening
  • Critical gaps closed
Phase 4 · 6 Months
Zero-Trust Architecture
$560K · Day 91–270
  • Network segmentation and microsegmentation
  • Identity-first access controls
  • Full endpoint protection rollout
Phase 5 · 3 Months
Dedicated SOC
$300K · Day 271–365
  • 24/7 monitoring and response
  • Evidence Warranty: $1M coverage
  • Quarterly board reporting automated
Timeline: 12-Month Delivery
Phase 1–3 (Day 1–90) Phase 4 (Day 91–270) Phase 5 (Day 271–365)
Return on Investment
5.2:1
Over 3 years
Risk Reduction
96%
$11.6M → under $500K