Cyber Metrics Platform¶
Continuous Security Assurance Through Automated Data-Driven Metrics
The Cyber Metrics Platform transforms raw security tool data into actionable business intelligence for cybersecurity teams. By automatically collecting data from your existing security stack and processing it through standardized metric definitions, the platform provides real-time visibility into security posture, control effectiveness, and operational performance.
What Makes This Different¶
From Data to Decisions: Rather than manual spreadsheet-based reporting, this platform automatically ingests data from security tools like CrowdStrike, Tenable, Okta, and Snyk, then applies SQL-based metric definitions to generate consistent, comparable measurements.
Operational Focus: Metrics are designed around real security operations - vulnerability management prioritization, incident response effectiveness, access control hygiene, and compliance posture - not just checkbox compliance.
Framework Alignment: Every metric maps to established frameworks (ISO 27001, CIS Controls, NIST CSF, Essential 8) while maintaining practical utility for day-to-day security operations.
Multi-Tenant Architecture: Built for scale with support for multiple storage backends (local files, AWS S3, PostgreSQL, DuckDB) and configurable data retention policies.
Platform Architecture¶
Three-Stage Pipeline¶
- Collect (
01-collectors/): Automated data extraction from security tools via APIs - CrowdStrike Falcon (endpoints, vulnerabilities)
- Tenable.io (vulnerability scans, asset inventory)
- Okta (identity and access management)
- Snyk (application security, dependencies)
-
KnowBe4 (security awareness training)
-
Process (
02-metrics/): SQL-based metric calculation using YAML definitions - DuckDB query engine with Jinja2 templating
- Standardized output schema (resource, compliance, detail)
-
Configurable SLO thresholds and weighting
-
Publish (
03-publish/): Delivery to dashboards and reporting systems - Parquet data format for analytics
- REST API endpoints for integration
- Configurable notification thresholds
Example: Vulnerability Management¶
The platform includes comprehensive vulnerability management metrics that move beyond simple "count of critical vulnerabilities" to operationally useful measurements:
- Posture Metrics: "What percentage of systems have addressed patchable, exploitable OS vulnerabilities?"
- Performance Metrics: "Are we meeting our 7-day SLA for Patch Tuesday Priority vulnerabilities?"
- Categorization: Vulnerabilities classified by urgency matrix (Patchable+Exploitable = "Just bloody patch it")
How to use this guide¶
Types of Metrics¶
| KxI | Description | Example |
|---|---|---|
 |
A measure that tracks the implementation of actions, processes, or technologies designed to reduce or mitigate risks within the organization. | % of systems with MFA enforced |
 |
A measure that provides visibility into existing or potential risks within the organization, helping to assess areas of vulnerability. | % of endpoints with critical vulnerabilities |
 |
A measure that evaluates the efficiency and speed with which a team is executing and delivering on control implementations and operational tasks. | Time to deploy security patches |
Framework references¶
The following frameworks are used in the mapping of metrics
Getting Started¶
Quick Start¶
# 1. Collect data from your security tools
cd 01-collectors && python wrapper.py
# 2. Generate metrics from collected data
cd 02-metrics && python metrics.py
# 3. Publish results to your dashboard
cd 03-publish && python publish.py
Configuration¶
Set environment variables for your security tool APIs and storage preferences. The platform supports multiple simultaneous storage backends - local files, AWS S3, PostgreSQL, and DuckDB.
Creating Custom Metrics¶
Define new metrics using YAML files in 02-metrics/. Each metric specification includes:
- Metadata (title, description, compliance mapping)
- SQL query using {{ref('table_name')}} pattern
- SLO thresholds and performance targets
See schema.md for complete data source documentation.
Contribute¶
New Metrics: Define additional metrics using the YAML specification format
New Collectors: Add support for additional security tools via the collector framework
New Publishers: Integrate with additional dashboard and reporting platforms
Access Control¶
| Metric | Type |
|---|---|
| Access Control - Access Revoking Process | |
Asset Management¶
| Metric | Type |
|---|---|
| Assets known to Asset Management | |
Data Protection¶
| Metric | Type |
|---|---|
| Systems with their volumes encrypted | |
Disaster Recovery¶
| Metric | Type |
|---|---|
| Systems with backups configured per their SLO | |
| Systems that has had a successful backup per their SLO | |
Identity Management¶
| Metric | Type |
|---|---|
| Identities with MFA | |
| Identity - Credentials - Regular Password Rotation | |
| Identity - Inactive Identities | |
| Accounts without Admin privileges | |
Malware Protection¶
| Metric | Type |
|---|---|
| Systems with an up-to-date agent deployed | |
Network Security¶
Software Development¶
| Metric | Type |
|---|---|
| SDLC - Repositories with SAST / DAST scanning enabled | |
| SDLC - Repositories without exploitable vulnerabilities | |
| SDLC - Repositories without exploitable vulnerabilities remediated within SLO | |
User Security¶
| Metric | Type |
|---|---|
| Users completed awareness training in the last 12 months | |