EBIOS RM · MITRE ATT&CK® · Monte Carlo Simulation
Know which cyber risks matter — and prove it.
A guided, five-step workflow that turns scattered policies, systems, and expert knowledge into a clear picture of the risks that actually matter, and a prioritised plan to act on them. A structured, repeatable method does the reasoning and AI does the heavy lifting, with real-world attack modelling and Monte Carlo quantification underneath. Every figure traces back to its source.
Unify three frameworks
One knowledge graph joins methodology, threat intelligence, and quantified risk.
Single shared entity model
Model real attack chains
Strategic scenarios map to concrete ATT&CK® kill-chains, not tactic labels.
Enterprise · ICS · Mobile
Quantify what's at stake
Event-driven simulation puts monetary loss curves on every scenario.
Loss exceedance · treatment ROI
Deliver defensible output
Traceable reporting your auditors can follow, from threat model to residual risk.
NIS2 / DORA · ISO 27001 reference
The challenge
Complexity is outpacing protection
The gap between what organizations need to analyze and what they can assess manually is widening across systems, threats, and regulatory requirements.
Complexity and fragmentation
Cloud services, supply chains, and hybrid infrastructure multiply the systems that need assessment. At the same time, risk methodology, threat intelligence, and quantification live in separate tools and spreadsheets, so context is lost at every handoff.
Escalating threat sophistication
State-sponsored groups, ransomware operators, and supply chain attacks combine known techniques in novel ways. Effective risk analysis requires mapping specific threats to your infrastructure, not applying generic checklists.
Compliance under time pressure
NIS2, DORA, and sector-specific regulations demand documented, repeatable risk analysis. A traditional EBIOS RM cycle takes weeks of expert workshops. Regulatory timelines don't wait.
Aurelian Risk Manager addresses all three.
The approach
From real-world threats to business impact
Aurelian Risk Manager connects what used to live in separate tools. Real-world threat intelligence, expert analysis driven by agentic workflows, and risk quantification share one knowledge graph, so the line from the threats you face to what they mean for the business stays unbroken.
Real-world threat intelligence
Model against the threats your sector actually faces, not a generic checklist. Adversary techniques, tooling, and group profiles flow in from threat intelligence feeds and the ATT&CK® knowledge base, so every scenario is grounded in observed behaviour.
Expert analysis, powered by agentic workflows
AI agents handle the collection, mapping, and drafting, while the analyst stays in control and makes the calls. The agentic workflow does the heavy lifting of a full risk analysis, and every output stays reviewable and traceable.
Risk quantified in business terms
Monte Carlo quantification turns technical risk into financial impact, so leadership sees what cyber exposure means in money and business value. Comparable figures replace heatmaps and gut feel.
How it works
Three steps from context to countermeasure
Import your existing documentation or start from scratch. The platform handles the methodology, the mapping, and the computation, so you focus on the decisions that matter.
Define your scope
AI-powered extraction
Upload existing documentation: security policies, architecture diagrams, audit reports. The Document Analysis Agent extracts entities and builds the initial knowledge graph. Or start from scratch with the Interview Agent guiding you through structured dialogue.
Run the analysis
3 frameworks, 1 workflow
Six specialized AI agents guide you through a five-workshop analysis modelled on EBIOS RM. MITRE ATT&CK® techniques are mapped automatically. Kill-chains are built visually. Monte Carlo simulation quantifies each risk. All outputs converge in a single knowledge graph.
Generate deliverables
Audit-ready output
Export audit-ready risk reports, quantitative risk assessments, MITRE ATT&CK® coverage dashboards, and prioritized action plans. Every finding is traceable from business value to countermeasure, ready for management review or regulatory audit.
Core capabilities
From data to insight in one platform
Guided analysis, step by step
AI agents guide you through the risk-analysis workshops as a structured, step-by-step dialogue. Each step presents reviewable proposals (selectable tables, editable rows, choice buttons) that the analyst confirms, modifies, or rejects. Reasoning traces and source references stay visible inline. Every decision is recorded in the knowledge graph, traceable end-to-end.
- Reviewable agent proposals at every step
- Selectable, editable tables with multi-select
- Reasoning traces and source citations inline
Regional Hospital · Baseline
EBIOS RM study · 5 workshops · 38 entities
Security Baseline
Identify business assets, supporting assets, and feared events.
Searched the uploaded inventory and audit
EHR · PACS · IAM · clinical core
Drafted the asset baseline
4 business assets · 4 supporting systems · 4 feared events
Scored severity on a 1 – 4 scale
criticality, recovery time, regulatory impact
Key findings
Patient Identity & Access
All clinical systems authenticate against the same directory. A compromise here cascades into EHR, PACS, and lab portal at once.
Source: 📄 hospital-inventory.pdf §2.1
Clinical Operations
Direct in-patient impact when EHR, imaging, or the lab portal is unavailable. Recovery target stated by the BSI audit: 4 hours.
Source: 📄 bsi-audit-2026.pdf §4.3
Patient identity compromise
Plausible attacker path: phished credentials → directory takeover → silent privilege escalation across clinical systems.
Source: ✦ inferred from 3 documents
Cascading dependency identified
Active Directory failure simultaneously disables EHR access, PACS authentication, and the lab portal. Beyond a 4-hour recovery window the hospital must divert incoming patients. Treat identity compromise as Severity 4.
Inside the platform
AI agents and analytical capabilities
Six specialized AI agents operate on a shared knowledge graph. Each handles a specific analytical task, from data collection through threat mapping to report generation. Their outputs are immediately available to all others.
Interview Agent
Conducts structured data collection through guided dialogue. Identifies business values, supporting assets, and feared events.
Research Agent
Searches MITRE ATT&CK® for matching techniques, groups, and tactics, delivering real-time threat intelligence relevant to your context.
Scenario Agent
Generates attack scenarios and operative kill-chains. Maps each step to ATT&CK® techniques, integrating threat data directly into the analysis.
Risk Assessment Agent
Performs quantitative risk assessment using Monte Carlo simulation. Identifies MITRE coverage gaps and proposes countermeasures, closing the loop between threat modeling and risk treatment.
Document Analysis Agent
Extracts entities from uploaded documents (PDF, DOCX). Integrates existing documentation (security policies, architecture diagrams, audit reports) into the knowledge graph.
Report Agent
Generates audit-ready risk reports, executive summaries, and documentation that supports NIS2 / DORA reporting obligations. Every finding is traceable to its source in the knowledge graph.
* MITRE ATT&CK® is a registered trademark of The MITRE Corporation. Aurelian Risk Manager is an independent product, not affiliated with, certified by, or endorsed by MITRE. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Methodology
Five questions every risk assessment has to answer
Underneath the jargon, a sound risk assessment answers five questions in order: what matters, what could go wrong, who would attack, how, and how bad. Each answer builds on the one before. This question chain follows EBIOS RM, a recognised European risk method aligned with ISO/IEC 27001, so the result is structured, repeatable, and something an auditor can follow.
Why a method? Without one, a risk assessment is an opinion. With one, it is repeatable, comparable, and auditable.
What matters, and what could go wrong?
Starting point
Define what matters and what could go wrong. The Interview Agent collects critical business values through structured dialogue. The Document Analysis Agent extracts entities from existing policies, architecture diagrams, and audit reports. Both sources converge in the knowledge graph, creating the analytical foundation for all subsequent workshops.
Key outputs
- What the organisation needs to protect
- IT systems, networks, applications
- Impact scenarios tied to each business value
These outputs define the scope and impact model. Every downstream analysis traces back to the business values and feared events established here.
Why our suite
Three frameworks, one knowledge graph
Most tools digitise a single framework end-to-end. Aurelian Risk Manager joins three (methodology, threat intelligence, and quantitative risk) on a shared entity model, so analysis crosses framework boundaries without manual stitching.
EBIOS RM
ANSSI method · ISO 27001-aligned
structures the analytical reasoning
- Business values · feared events
- Risk sources · risk objectives
- Strategic & operational scenarios
- Security measures · residual risk
MITRE ATT&CK®
Adversary technique catalog
supplies the technical threat model
- Tactics · techniques · sub-techniques
- Enterprise · ICS · Mobile coverage
- Data sources · detections
- Group & software attribution
Risk Quantification
Event-driven Monte Carlo
puts numbers on the scenarios
- Frequency × magnitude distributions
- Loss exceedance curves per scenario
- Sensitivity & driver analysis
- Treatment cost-benefit ROI
What integration produces: artifacts no single framework can produce on its own
Strategic scenarios at technique level
EBIOS strategic scenarios mapped to specific ATT&CK kill-chains, not just tactic categories.
Per-scenario monetary loss curves
Loss exceedance curves traced back to the feared event and risk source that drive them.
Coverage gaps across the graph
Techniques present in your threat model that have no security measure, surfaced automatically.
Treatment ROI in €
Residual risk reduction per security-measure spend, derived from the same simulation.
Dialogue over forms
Agents collect data through structured conversation, not checkbox lists. You describe your context, the system maps it to the graph.
Closed-loop coverage
Technique gaps from kill-chains flow directly into countermeasure recommendations. The pipeline from threat model to risk treatment is continuous.
Full analyst control
Every AI-generated output is auditable and traceable. A human-in-the-loop process: the analyst validates, adjusts, and approves before anything enters the analysis.
Integrations & sources
Works with the data you already have
Aurelian Risk Manager reads from the sources your analysis depends on (threat intelligence, your own documents, and the control frameworks you already maintain) and unifies them in one knowledge graph.
Threat intelligence
Pull adversary techniques and group profiles directly into your scenarios.
Documents & evidence
Existing documentation is parsed into structured graph entities.
Control frameworks
Map the controls you already maintain to techniques, so coverage gaps surface on their own.
Expert knowledge
Capture analyst and subject-matter context through guided dialogue.
Deliverables
What you deliver
Every output is traceable, auditable, and formatted for your audience, whether that is the management board, the regulator, or the security operations team.
Risk Analysis Reports
Complete reports structured along the five milestones of the risk analysis (Milestones 1 to 5). Generated from the knowledge graph, every finding links back to its source.
Risk Assessments
Quantified risk values with transparent factor breakdowns. Loss event frequency, vulnerability, and magnitude, comparable across all scenarios.
MITRE Coverage Dashboards
Visual coverage analysis showing which ATT&CK® techniques are addressed and where gaps remain. Export as PDF or interactive HTML.
Prioritized Action Plans
Implementation roadmaps ordered by risk reduction impact. Each recommendation traces from countermeasure to technique to kill-chain to business value.
Event-driven Monte Carlo Simulation
Regional Hospital · Baseline
EBIOS RM study · 5 workshops · 38 entities
Risk Treatment
FAIR-based risk quantification across operational scenarios.
Annual loss distribution · 10 000 Monte Carlo runs · converged
- Expected loss: €0K (mean ALE)
- P90: €0K (1-in-10 tail)
- VaR (95%): €0K (regulatory metric)
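As an added worked example, not code from Aurelian Risk Manager, the following implements the FAIR-style event-driven Monte Carlo that the Risk Quantification section and the simulation panel above describe: a Poisson loss-event frequency times a lognormal per-event magnitude for each scenario, yielding the mean ALE, P90 and VaR (95%) figures, a loss exceedance curve, and a treatment ROI computed from the same simulation. The scenario name echoes the hospital demo, but the event rate, the magnitude interval, the hypothetical MFA treatment and its annual cost are constructed assumptions, as is the lognormal calibration from a 90% confidence interval.

```python
# Added example, not Aurelian Risk Manager code: a FAIR-style event-driven
# Monte Carlo loss model. Assumptions: loss event frequency is Poisson,
# per-event magnitude is lognormal calibrated from an expert 90% confidence
# interval, and a treatment changes frequency and/or magnitude at an annual
# cost. Every number below is constructed for illustration.
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # Poisson rate of loss events
    magnitude_low: float    # 5th percentile of loss per event (EUR)
    magnitude_high: float   # 95th percentile of loss per event (EUR)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler; adequate for the small rates typical of cyber loss events."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, runs: int = 10_000, seed: int = 7) -> list:
    """One simulated year per run: draw the event count, then a lognormal loss per event."""
    rng = random.Random(seed)
    # Calibrate lognormal parameters so that [low, high] is the 90% interval.
    mu = (math.log(s.magnitude_low) + math.log(s.magnitude_high)) / 2
    sigma = (math.log(s.magnitude_high) - math.log(s.magnitude_low)) / (2 * 1.645)
    losses = []
    for _ in range(runs):
        n_events = _poisson(rng, s.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def percentile(values, p: float) -> float:
    """Nearest-rank percentile: smallest value with at least p% of samples at or below it."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p / 100 * len(ordered)) - 1)
    return ordered[idx]


def loss_exceedance_curve(losses, thresholds) -> list:
    """P(annual loss >= t) for each threshold t; plotted, this is the LEC."""
    return [(t, sum(1 for x in losses if x >= t) / len(losses)) for t in thresholds]


def summarise(losses) -> dict:
    """The three headline figures shown on the simulation panel."""
    return {
        "mean_ale": sum(losses) / len(losses),
        "p90": percentile(losses, 90),
        "var95": percentile(losses, 95),
    }


def treatment_roi(baseline_losses, treated_losses, annual_cost: float) -> dict:
    """Risk reduction bought per euro of control spend, from the same simulation outputs."""
    reduction = summarise(baseline_losses)["mean_ale"] - summarise(treated_losses)["mean_ale"]
    roi = (reduction - annual_cost) / annual_cost if annual_cost > 0 else math.inf
    return {"ale_reduction": reduction, "net_benefit": reduction - annual_cost, "roi": roi}


# Constructed inputs: the scenario name echoes the hospital demo, the figures do not.
BASELINE = Scenario("Patient identity compromise", 0.5, 200_000, 3_000_000)
# Hypothetical treatment: phishing-resistant MFA on the directory lowers the event rate.
TREATED = Scenario("Patient identity compromise + MFA", 0.15, 200_000, 3_000_000)
TREATMENT_COST_PER_YEAR = 60_000


def run_demo() -> dict:
    """Baseline vs. treated scenario: headline figures, LEC points and treatment ROI."""
    base = simulate_annual_losses(BASELINE)
    treated = simulate_annual_losses(TREATED)
    return {
        "baseline": summarise(base),
        "treated": summarise(treated),
        "lec": loss_exceedance_curve(base, [0, 500_000, 1_000_000, 5_000_000]),
        "treatment": treatment_roi(base, treated, TREATMENT_COST_PER_YEAR),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Because treated and baseline losses come from the same model, the ROI figure is comparable across scenarios in the way the page describes; swapping the hypothetical MFA treatment for one that shrinks magnitude instead of frequency (lower `magnitude_high`) exercises the other lever of the same calculation.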
Ready to see it in action?
See how Aurelian Risk Manager turns weeks of manual analysis into a structured, AI-assisted workflow.
Contact
Interested in a demo?
Whether you are evaluating tools for NIS2 compliance, looking to streamline risk analysis engagements, or exploring structured threat modeling for research, describe your use case and we will get back to you.
- Walkthrough tailored to your infrastructure and threat context
- Discussion of deployment and integration options
- Information on early access availability