From the Lab
Products and tools
The workshop behind RiskByDesign. Some of this is released and in your hands today; some is still on the bench. Everything here follows the same rules: local-first, offline, no cloud, no telemetry. Here is the detail the front page doesn't have room for.
FORLAS CRQ
A local-first quantitative cyber risk platform built on the FAIR methodology. It turns loss scenarios into defensible numbers a board can act on, and it does it entirely on your own machine.
Monte Carlo simulation
Every scenario is run 100,000 times to produce a full loss distribution and an exceedance curve, with reproducible seeds.
Sensitivity analysis
Rank the FAIR inputs by how much they drive the result, so effort goes to the estimates that actually change the answer.
Tolerance measurement
Probability of breach, utilisation, headroom, and a within-tolerance verdict, all measured against the risk appetite you set.
Portfolio aggregation
Combine every scenario into one organisation-wide loss picture, ranked by contribution, with a portfolio exceedance curve.
Analysis & Evidence
Capture the reasoning beside each number: narrative, confidence, data relied upon, assumptions, gaps, and a rationale per input.
Executive reporting
PDF and Word reports with FORLAS-branded covers, written for boards and auditors, generated straight from your scenarios.
Governance built in
Role-based access, an audit log, review scheduling, and segregation of duties on approvals. On by default.
Yours, and offline
One desktop application, one SQLite database file that you own. No cloud, no accounts, no telemetry, no external services.
Read more: a full tour of FORLAS CRQ, why cyber risk needs numbers, and what shipped in v0.2.0.
Calibrated Course
A quantitative model is only as good as the humans feeding it. Calibrated Course trains subject matter experts to give probability estimates that match their real accuracy, before their inputs ever reach a risk model.
Practice trainer
90% confidence-interval rounds and true/false rounds with immediate feedback, hit-rate tracking, and Brier scoring.
Live calibration curve
An SVG calibration curve shows, at a glance, where stated confidence is drifting from measured accuracy.
Nine-module course
A self-paced course that teaches the method, verifies your practice rounds, and issues a printable completion certificate.
Verified question bank
240 general-knowledge questions with a published answer key, so the training data can be independently checked.
Runs from disk
Single HTML files with all CSS and JavaScript inline. No build step, no CDN, no network calls. Works on a locked-down laptop.
Nothing leaves the browser
Profiles and progress live in local storage, with JSON and CSV export for backup. No telemetry, no accounts.
Read more: why calibrated humans matter to a risk model.
BowCRQ
On the bench. BowCRQ is a local-first desktop application for quantified Bow Tie risk analysis with Cyber Risk Quantification, pairing the clarity of a bow tie diagram with data-backed numbers on both sides of the knot.
Bow tie, quantified
Threats, the top event, and consequences laid out visually, with quantified likelihood and loss driving the picture.
Local-first and offline-first
The same foundations as the rest of the Lab: everything runs on your machine, with nothing sent anywhere.
No external dependencies
No cloud, no SaaS, no telemetry, no external services, no API dependencies. Built to work in isolation.