Cyber resilience, rated honestly

You have backups. You have a DR plan. But can you actually recover?

ResilienceScore is a structured cyber resilience assessment that gives your organisation a single, honest answer, rated AAA to D, across every dimension that matters when recovery is not optional.

Built by CRSE and Singularity Research. Validated across 118 questions, 7 pillars, and the real-world failure patterns that bring organisations to their knees.

118 · Validated questions
7 · Framework pillars
AAA to D · Board-ready rating
Hard caps · Deal-breaker enforcement

What the rating does

Gives boards, insurers, and executive teams a defensible view of recovery capability, not a checklist of documented intentions.

The problem

Most organisations are flying blind on recovery readiness.

Backup job success is not recovery capability. A DR plan that has never been tested is a theoretical DR plan. And when ransomware hits at 2am on a Sunday, 'we think we can recover' is not good enough.

The gap between what organisations believe about their resilience and what is actually true is one of the most expensive blind spots in enterprise cyber security. ResilienceScore closes it with a structured framework, a transparent scoring engine, and a rating your board, insurer, and regulator can act on.

How it works

A rating that means something. A framework that holds up.

ResilienceScore assesses your organisation across seven pillars of cyber resilience, from the integrity of your backups to whether your board has ever made a real decision in a ransomware tabletop. Every answer feeds a weighted scoring engine. Deal-breaker gaps impose hard ceilings. The result is a rating from AAA to D that reflects actual recovery capability, not checkbox compliance.

P1

Resilience Foundations

Resilience Foundations covers your core ability to recover when ransomware strikes. It tests whether backups are truly immutable, whether administrator access is isolated from production, and whether critical systems can be restored within documented targets without paying ransom.

P2

Cloud & SaaS Protection

Cloud and SaaS Protection examines whether resilience extends beyond the traditional data centre. It checks whether critical SaaS platforms are independently protected and whether cloud-native recovery exists for major workloads and control-plane dependencies.

P3

AI & Next-Gen Workloads

AI and Next-Gen Workloads tests whether your organisation has governance, incident response, and supply chain oversight for AI systems. It focuses on shadow AI adoption, third-party model dependencies, and what happens when AI services fail or behave unpredictably.

P4

Operational Readiness

Operational Readiness looks at whether teams can actually execute under pressure, not just whether plans exist on paper. It covers escalation authority, clean-room recovery thinking, and whether AI-specific incidents can be handled without improvisation.

P5

Executive & Board Preparedness

Executive and Board Preparedness tests whether leadership has formally defined acceptable downtime, approved recovery priorities, and participated in scenario-based decision making. It is the bridge between technical capability and governance accountability.

P6

Compliance & Risk Alignment

Compliance and Risk Alignment connects resilience to financial impact and regulatory obligations. It asks whether downtime costs are quantified, whether notification thresholds are clear, and whether legal and response support are ready before a crisis begins.

P7

Ecosystem & Dependency Resilience

Ecosystem and Dependency Resilience recognises that recovery depends on third parties too. It tests whether critical vendors, second-order dependencies, and identity-provider failure scenarios have been mapped and whether fallback access paths actually work.

Rating system

A rating your board recognises. A methodology your auditors respect.

ResilienceScore produces a single letter rating using a weighted maturity model across all seven pillars. Miss a deal-breaker, and your ceiling drops regardless of how well you score elsewhere.

AAA · 4.50 - 5.00

Exceptional. Documented, tested, continuously improved.

AA · 4.00 - 4.49

Strong. Well-governed with evidence across most pillars.

A · 3.50 - 3.99

Good. Core capabilities in place, not all consistently tested.

BBB · 3.00 - 3.49

Adequate. Documented but inconsistently executed.

BB · 2.50 - 2.99

Below average. Significant gaps in testing or coverage.

B · 2.00 - 2.49

Poor. Major gaps, minimal testing, limited governance.

CCC · 1.50 - 1.99

Critical deficiencies. Largely ad hoc.

D · 1.00 - 1.49

Non-existent. No structured recovery capability.

Deal-breakers enforce the rating. If recovery has never been tested, the rating cannot exceed BB. That is not arbitrary. It reflects what happens in real incidents.

Assessment options

Start where it makes sense. Go as deep as you need.

Each tier builds on the last and produces a real rating shaped by the same scoring engine.

Survey

13 questions · ~10 minutes · Any stakeholder

A rapid pulse check across all seven pillars. Right for prospect qualification, initial scoping, or a quick temperature check before a deeper engagement.

Output: Initial rating, pillar breakdown, deal-breaker flags, AI briefing.

Executive

25 questions · ~20 minutes · C-suite and board

Scenario-based questions written for executives. Every question tests whether the decisions that matter for recovery have actually been made.

Output: Structured rating, pillar dashboard, AI executive briefing.

Workshop

44 questions · ~60 minutes · Facilitated group

Designed for facilitated sessions with a mixed technical and leadership audience, with live group scoring and collaborative discussion.

Output: Full dashboard, workshop handout, AI briefing.

Deep

118 questions · ~90 minutes · Consulting engagement

The full framework. Every answer is probed for whether it exists, whether it has been tested, and whether it stands up under realistic conditions.

Output: Comprehensive report, remediation roadmap, deal-breaker analysis.

What makes it different

Not a checklist. Not a compliance tool. A resilience rating.

Most assessments tell you what controls you have documented. ResilienceScore tells you whether those controls will hold when ransomware encrypts your environment at 2am and the clock is ticking.

The framework is built by practitioners who have responded to real incidents, not constructed from framework requirements. The scoring is transparent, weighted, and enforces the things that cannot be faked: testing, evidence, and executive decision-making authority.

The output is something you can put in front of a board, a regulator, or an insurance underwriter and defend.

Who it is for

Built for the people who own recovery and the leaders who are accountable for it.

CISO / CTO

Stop presenting technical dashboards that executives cannot act on. Present a single AAA-to-D rating with a clear explanation of what is capping it and what it takes to improve.

VP of IT / Infrastructure

See exactly where your gaps are, which ones are deal-breakers, and what to prioritise, mapped to your actual technology environment, not generic best practice.

Board / Executive

Understand recovery risk in terms your governance framework requires. Know whether leadership has made the decisions that make recovery possible. Know what an independent assessment says about your actual posture.

Cyber Insurance / Audit

Produce evidence of tested recovery capability, deal-breaker status, and a structured improvement programme, without waiting for a breach to find out what the policy actually covers.

Closing

Your board will ask about ransomware recovery. Know the answer before they do.

ResilienceScore gives you a structured, defensible, board-ready view of your organisation's actual recovery capability, not the one you hope you have.