Cyber Metrics Platform

Continuous Security Assurance Through Automated Data-Driven Metrics

The Cyber Metrics Platform transforms raw security tool data into actionable business intelligence for cybersecurity teams. By automatically collecting data from your existing security stack and processing it through standardized metric definitions, the platform provides real-time visibility into security posture, control effectiveness, and operational performance.

What Makes This Different

From Data to Decisions: Rather than manual spreadsheet-based reporting, this platform automatically ingests data from security tools like CrowdStrike, Tenable, Okta, and Snyk, then applies SQL-based metric definitions to generate consistent, comparable measurements.

Operational Focus: Metrics are designed around real security operations - vulnerability management prioritization, incident response effectiveness, access control hygiene, and compliance posture - not just checkbox compliance.

Framework Alignment: Every metric maps to established frameworks (ISO 27001, CIS Controls, NIST CSF, Essential 8) while maintaining practical utility for day-to-day security operations.

Multi-Tenant Architecture: Built for scale with support for multiple storage backends (local files, AWS S3, PostgreSQL, DuckDB) and configurable data retention policies.

Platform Architecture

Three-Stage Pipeline

  1. Collect (01-collectors/): Automated data extraction from security tools via APIs
     • CrowdStrike Falcon (endpoints, vulnerabilities)
     • Tenable.io (vulnerability scans, asset inventory)
     • Okta (identity and access management)
     • Snyk (application security, dependencies)
     • KnowBe4 (security awareness training)

  2. Process (02-metrics/): SQL-based metric calculation using YAML definitions
     • DuckDB query engine with Jinja2 templating
     • Standardized output schema (resource, compliance, detail)
     • Configurable SLO thresholds and weighting

  3. Publish (03-publish/): Delivery to dashboards and reporting systems
     • Parquet data format for analytics
     • REST API endpoints for integration
     • Configurable notification thresholds

Example: Vulnerability Management

The platform includes comprehensive vulnerability management metrics that move beyond simple "count of critical vulnerabilities" to operationally useful measurements:

  • Posture Metrics: "What percentage of systems have addressed patchable, exploitable OS vulnerabilities?"
  • Performance Metrics: "Are we meeting our 7-day SLA for Patch Tuesday Priority vulnerabilities?"
  • Categorization: Vulnerabilities classified by urgency matrix (Patchable+Exploitable = "Just bloody patch it")
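The urgency matrix and the two metric styles above, worked through in code. This is an added example and not code from the Cyber Metrics Platform: the finding record fields, the 7-day SLO default, the quadrant names and the sample findings (with placeholder identifiers, not real CVEs) are all constructed here to show how a posture metric ("systems without patchable exploitable OS vulnerabilities") and a performance metric ("remediated within SLO") are derived from the same classified findings.

```python
"""Classify findings by the patchable/exploitable urgency matrix and derive
posture and performance metrics from them.

Added example, not platform code. Record fields, the SLO value and all
sample findings are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

SLO_DAYS = 7  # constructed default matching the 7-day SLA described above


@dataclass(frozen=True)
class Finding:
    system: str
    finding_id: str         # constructed placeholder, not a real CVE
    scope: str              # "os" or "application"
    patchable: bool         # a vendor fix exists
    exploitable: bool       # known exploit available
    first_seen: date
    remediated: Optional[date]  # None while still open


def urgency_class(f: Finding) -> str:
    """Quadrant of the urgency matrix the finding falls into."""
    if f.patchable and f.exploitable:
        return "patchable-exploitable"     # the "just patch it" quadrant
    if f.patchable:
        return "patchable-non-exploitable"
    if f.exploitable:
        return "non-patchable-exploitable"
    return "non-patchable-non-exploitable"


def systems_without(findings: Iterable[Finding], scope: str, quadrant: str, as_of: date) -> float:
    """Posture metric: % of systems with no finding of this scope/quadrant still open at as_of."""
    findings = list(findings)
    systems = {f.system for f in findings}
    if not systems:
        return 100.0
    affected = {
        f.system for f in findings
        if f.scope == scope and urgency_class(f) == quadrant
        and (f.remediated is None or f.remediated > as_of)
    }
    return round(100.0 * (len(systems) - len(affected)) / len(systems), 2)


def remediated_within_slo(findings: Iterable[Finding], quadrant: str, as_of: date,
                          slo_days: int = SLO_DAYS) -> float:
    """Performance metric: % of findings in the quadrant closed within slo_days.

    Only findings whose SLO clock has expired, or which are already closed,
    are counted; an open finding younger than slo_days is neither a success
    nor a breach yet and would otherwise bias the number.
    """
    population = []
    for f in findings:
        if urgency_class(f) != quadrant:
            continue
        due = f.first_seen + timedelta(days=slo_days)
        closed = f.remediated is not None and f.remediated <= as_of
        if closed or due <= as_of:
            population.append((f, closed))
    if not population:
        return 100.0
    on_time = sum(1 for f, closed in population
                  if closed and (f.remediated - f.first_seen).days <= slo_days)
    return round(100.0 * on_time / len(population), 2)


# Constructed sample findings, evaluated as of 2024-06-30.
AS_OF = date(2024, 6, 30)
SAMPLE = [
    Finding("sys-a", "PLACEHOLDER-0001", "os", True, True, date(2024, 6, 1), date(2024, 6, 5)),    # closed in 4 days
    Finding("sys-b", "PLACEHOLDER-0002", "os", True, True, date(2024, 6, 10), None),               # open, overdue
    Finding("sys-c", "PLACEHOLDER-0003", "os", True, True, date(2024, 6, 27), None),               # open, not yet due
    Finding("sys-a", "PLACEHOLDER-0004", "application", False, True, date(2024, 6, 3), None),      # other quadrant
    Finding("sys-d", "PLACEHOLDER-0005", "os", True, True, date(2024, 6, 1), date(2024, 6, 20)),   # closed late (19 days)
]


def summarize(findings=SAMPLE, as_of=AS_OF) -> dict:
    return {
        "posture_os_patchable_exploitable":
            systems_without(findings, "os", "patchable-exploitable", as_of),
        "performance_patchable_exploitable_within_slo":
            remediated_within_slo(findings, "patchable-exploitable", as_of),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}%")
```

Two of four systems (sys-b, sys-c) still carry an open patchable, exploitable OS finding, so posture is 50%; of the three findings whose SLO clock has run out or which were closed, only one was fixed inside seven days, so performance is 33.33%. The still-open finding on sys-c counts against posture immediately but is deliberately left out of the performance figure until its clock expires.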

How to use this guide

Types of Metrics

| KxI | Description | Example |
| --- | --- | --- |
| control | A measure that tracks the implementation of actions, processes, or technologies designed to reduce or mitigate risks within the organization. | % of systems with MFA enforced |
| risk | A measure that provides visibility into existing or potential risks within the organization, helping to assess areas of vulnerability. | % of endpoints with critical vulnerabilities |
| performance | A measure that evaluates the efficiency and speed with which a team is executing and delivering on control implementations and operational tasks. | Time to deploy security patches |

Framework references

The following frameworks are used in the mapping of metrics

Getting Started

Quick Start

# 1. Collect data from your security tools
cd 01-collectors && python wrapper.py

# 2. Generate metrics from collected data  
cd 02-metrics && python metrics.py

# 3. Publish results to your dashboard
cd 03-publish && python publish.py

Configuration

Set environment variables for your security tool APIs and storage preferences. The platform supports multiple simultaneous storage backends - local files, AWS S3, PostgreSQL, and DuckDB.

Creating Custom Metrics

Define new metrics using YAML files in 02-metrics/. Each metric specification includes:

  • Metadata (title, description, compliance mapping)
  • SQL query using the {{ref('table_name')}} pattern
  • SLO thresholds and performance targets
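To make the Process stage and the metric specification above concrete, here is an added example of what a metric definition looks like when it is rendered and evaluated. It is not code from the Cyber Metrics Platform: the platform uses YAML files, Jinja2 templating and DuckDB, whereas this example represents the YAML as a Python dict, resolves {{ref('...')}} with a regular expression and runs the SQL in the standard-library sqlite3 so it works offline. The metric id, table names, columns, SLO value and sample Okta-style rows are all constructed; only the title, the `ref()` pattern and the resource/compliance/detail output shape come from the page.

```python
"""Render a metric definition's SQL, execute it, and reduce the rows to the
standardized resource/compliance/detail schema with an SLO verdict.

Added example, not platform code. Stand-ins: dict for YAML, regex for the
Jinja2 ref() call, sqlite3 for DuckDB. All names and data are constructed.
"""
import re
import sqlite3

# Constructed metric definition standing in for a YAML file in 02-metrics/.
METRIC = {
    "id": "identity_mfa_coverage",  # hypothetical id
    "title": "Identity Management - Multi-Factor Authentication Coverage",
    "type": "risk",
    "compliance": {"frameworks": ["ISO 27001", "CIS Controls"]},  # mapping details omitted
    "slo": 95.0,  # constructed: % of active users that must have MFA enforced
    "sql": """
        SELECT user_id AS resource,
               CASE WHEN mfa_enforced = 1 THEN 1 ELSE 0 END AS compliance,
               status || '; factors=' || factor_count AS detail
        FROM {{ref('okta_users')}}
        WHERE status = 'ACTIVE'
    """,
}

# Hypothetical registry mapping a ref() name to the physical table it resolves to.
TABLE_REGISTRY = {"okta_users": "raw_okta_users"}

REF_PATTERN = re.compile(r"\{\{\s*ref\(\s*['\"]([A-Za-z0-9_]+)['\"]\s*\)\s*\}\}")


def render_sql(sql: str, registry: dict) -> str:
    """Replace every {{ref('name')}} with its registered table name.

    An unknown ref raises rather than emitting SQL that silently queries a
    table that does not exist, which is the mistake a metric author most
    needs surfaced before the query runs.
    """
    def _resolve(match: "re.Match") -> str:
        name = match.group(1)
        if name not in registry:
            raise KeyError(f"unknown data source ref: {name}")
        return registry[name]
    return REF_PATTERN.sub(_resolve, sql)


def load_sample_data(conn: sqlite3.Connection) -> None:
    """Constructed collector output: a handful of Okta-style user rows."""
    conn.execute(
        "CREATE TABLE raw_okta_users "
        "(user_id TEXT, status TEXT, mfa_enforced INTEGER, factor_count INTEGER)"
    )
    conn.executemany(
        "INSERT INTO raw_okta_users VALUES (?, ?, ?, ?)",
        [
            ("u001", "ACTIVE", 1, 2),
            ("u002", "ACTIVE", 1, 1),
            ("u003", "ACTIVE", 0, 0),           # the one non-compliant active user
            ("u004", "ACTIVE", 1, 1),
            ("u005", "DEPROVISIONED", 0, 0),    # excluded by the WHERE clause
        ],
    )


def evaluate_metric(metric: dict, conn: sqlite3.Connection) -> dict:
    """Run the rendered SQL and compute the metric score against its SLO."""
    rows = conn.execute(render_sql(metric["sql"], TABLE_REGISTRY)).fetchall()
    results = [{"resource": r[0], "compliance": bool(r[1]), "detail": r[2]} for r in rows]
    compliant = sum(1 for r in results if r["compliance"])
    score = round(100.0 * compliant / len(results), 2) if results else 0.0
    return {
        "metric": metric["id"],
        "type": metric["type"],
        "score": score,
        "slo": metric["slo"],
        "slo_met": score >= metric["slo"],
        "results": results,
    }


def run() -> dict:
    conn = sqlite3.connect(":memory:")
    load_sample_data(conn)
    return evaluate_metric(METRIC, conn)


if __name__ == "__main__":
    out = run()
    print(f"{out['metric']}: {out['score']}% (SLO {out['slo']}%, met={out['slo_met']})")
    for r in out["results"]:
        if not r["compliance"]:
            print("  non-compliant:", r["resource"], r["detail"])
```

Keeping the per-resource rows alongside the aggregate score is what lets a dashboard drill from "75% coverage, SLO missed" down to the single account (u003) that needs attention, rather than reporting a number with nothing actionable behind it.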

See schema.md for complete data source documentation.

Contribute

New Metrics: Define additional metrics using the YAML specification format
New Collectors: Add support for additional security tools via the collector framework
New Publishers: Integrate with additional dashboard and reporting platforms

Submit contributions

Access Control

| Metric | Type |
| --- | --- |
| Access Control - Account Deactivation Timeliness | control |

Asset Management

| Metric | Type |
| --- | --- |
| Asset Management - Asset Discovery Coverage | control |

Data Protection

| Metric | Type |
| --- | --- |
| Data Protection - Volume Encryption Coverage | risk |

Disaster Recovery

| Metric | Type |
| --- | --- |
| Disaster Recovery - Backup Configuration Coverage | control |
| Disaster Recovery - Backup Success Rate | performance |

Identity Management

| Metric | Type |
| --- | --- |
| Identity Management - Multi-Factor Authentication Coverage | risk |
| Identity Management - Password Rotation Compliance | control |
| Identity Management - Inactive Account Detection | control |
| Identity Management - Privileged Account Control | risk |

Malware Protection

| Metric | Type |
| --- | --- |
| Malware Protection - Agent Deployment Coverage | control |

Network Security

| Metric | Type |
| --- | --- |
| Network Security - DNS Domains Expiring Within the Next Month | risk |
| Network Security - DNS Domains with SPF configured | risk |
| Network Security - DNS Domains with DMARC Configured | risk |
| Network Security - External endpoints with insecure ports exposed | risk |
| Network Security - External endpoints protected by a WAF | control |

Software Development

| Metric | Type |
| --- | --- |
| SDLC - Repositories with SAST / DAST scanning enabled | control |
| SDLC - Repositories without exploitable vulnerabilities | risk |
| SDLC - Repositories without exploitable vulnerabilities remediated within SLO | performance |

User Security

| Metric | Type |
| --- | --- |
| User Security - Awareness Training Completion | control |

Vulnerability Management

| Metric | Type |
| --- | --- |
| Vulnerability Management - Agent Deployment Coverage | control |
| Systems with an up-to-date vulnerability database deployed | control |
| End-of-life - Systems running vendor-supported software | risk |
| Vulnerabilities not remediated within SLO - exploitable patchable critical and high | performance |
| Application vulnerabilities not mitigated within SLO - non-patchable exploitable | performance |
| OS vulnerabilities not mitigated within SLO - non-patchable exploitable | performance |
| Vulnerabilities not remediated within SLO - patchable | performance |
| Application vulnerabilities not remediated within SLO - patchable exploitable | performance |
| OS vulnerabilities not remediated within SLO - patchable exploitable | performance |
| OS vulnerabilities not remediated within SLO - patchable non-exploitable | performance |
| Systems without non-patchable exploitable application vulnerabilities | risk |
| Systems without non-patchable exploitable OS vulnerabilities | risk |
| Systems without non-patchable non-exploitable application vulnerabilities | risk |
| Systems without non-patchable non-exploitable OS vulnerabilities | risk |
| Systems without patchable exploitable application vulnerabilities | risk |
| Systems without patchable exploitable OS vulnerabilities | risk |
| Systems without patchable non-exploitable application vulnerabilities | risk |
| Systems without patchable non-exploitable OS vulnerabilities | risk |