Methodology & Limitations
This page describes how Praevyn produces a cybersecurity maturity grade, what its outputs represent, and — importantly — what they do not represent. Reviewers, boards, insurers and auditors should read this page before relying on any Praevyn report.
What Praevyn is
An executive-ready cybersecurity maturity assessment grounded in recognized frameworks.
Praevyn is a decision-support platform. It structures a self-assessment across twelve control domains and produces a grade, a set of findings, and a prioritized roadmap referenced to recognized cybersecurity guidance.
What Praevyn is not
- It is not a certification, audit, or attestation.
- It is not legal, regulatory or insurance advice.
- It is not a penetration test, vulnerability scan or technical assessment of live systems.
- It does not guarantee compliance with any law, framework, contract or insurance policy.
- It does not guarantee insurance eligibility, coverage, pricing or acceptance of submitted evidence.
Scoring methodology
Deterministic scoring with framework-referenced recommendations.
Each question has a defined weight and, where applicable, a critical-finding penalty. Category scores are calculated from the weighted proportion of controls answered favorably, less any critical-finding penalties. The overall grade is a weighted average of category scores. Grades map as follows:
- A: 90–100 (Low risk)
- B: 80–89
- C: 70–79 (Moderate risk)
- D: 60–69 (High risk)
- F: below 60 (Critical risk)
Scoring is deterministic: the same answers always produce the same grade. The AI layer is used only to explain findings and draft narrative recommendations; it does not change the score.
Frameworks referenced
Findings and recommendations reference recognized cybersecurity guidance so reviewers can trace each item back to its source. Frameworks referenced include:
- NIST CSF 2.0
- NIST SP 800-53
- NIST SP 800-61
- NIST SP 800-171
- CISA Cross-Sector CPGs
- CIS Controls v8
- OWASP Top 10
- FTC Safeguards Rule
- Microsoft Security Baselines
- AWS Well-Architected (Security Pillar)
- Azure Security Benchmark
- Google Workspace security guidance
Referencing a framework is not the same as certifying compliance with it. Formal compliance requires an independent assessment by a qualified party.
Cyber-insurance readiness summary
Provides a directional view of commonly requested security controls. Coverage, pricing and evidence requirements are determined independently by each insurer and broker.
Praevyn does not guarantee insurance eligibility, coverage, pricing or acceptance of submitted evidence.
Data sources and reliance on inputs
Results are calculated from answers submitted by the organization being assessed. Accuracy depends on the reviewer's knowledge of the environment and the quality of the evidence available. Praevyn does not independently verify the answers provided.
Environments change. A grade reflects the state of controls at the point in time the assessment was completed and should be re-run when the environment, workforce or regulatory scope changes materially.
Role of AI in the platform
Language models are used to help draft explanations, remediation narratives and responses in the AI assistant. Model outputs may contain errors and should be reviewed by a qualified reviewer before acting on them. AI output does not alter the deterministic score.
Appropriate use
Praevyn is intended to help organizations understand their cybersecurity posture, prioritize remediation, and prepare materials for internal stakeholders, boards, brokers and insurers. It is not a substitute for qualified professional advice or an independent audit.
Platform disclaimer
Praevyn is a cybersecurity maturity decision-support platform. It does not provide certification, legal advice, a penetration test or a guarantee of compliance or insurance eligibility.