Cyber IQ Score is an evidence model — calibrated against real player behaviour over 90 days, weighted by domain and recency, designed to be defensible under audit. Not a marketing metric. An audit-grade record of competency, per employee, per threat domain, per quarter.
The Cyber IQ Score runs on a familiar 300-to-850 scale. Five bands describe what an employee in each band can be trusted to do under pressure — not what they have read, not what they have completed, but what they can be expected to recognise and decide correctly today.
Band floors shown. Internal weights and calibration constants are reviewable under engagement.
Every Cyber IQ Score is a weighted aggregate across eight threat domains. A player who excels at phishing recognition but folds on credential hygiene reads differently from one who is steady across all eight. The composition is part of the evidence.
Recognising deceptive lures across email, SMS and adjacent channels under live time pressure.
Identifying malicious payload behaviour and the everyday delivery vectors employees actually encounter.
Password hygiene, MFA discipline and the social-engineering attempts that target both.
Classifying sensitive data correctly and choosing the right channel for transmission and storage.
Spotting pretext, urgency and authority-spoofing in voice, chat and in-person interactions.
Knowing the first three moves when something has gone wrong — report, contain, preserve.
Tailgating, device handling, clean-desk discipline and the analogue gaps that bypass the firewall.
Sharing controls, third-party app authorisation and the everyday SaaS decisions that change the blast radius.
A correct answer at the end of a thirty-second deliberation reads differently from a correct answer at four seconds. Three behavioural signals run alongside accuracy on every session — and they are what separate a player who has been taught from a player who has been trained.
How well decision quality holds up when the clock is running. The signal looks for the players whose answers don't deteriorate when the pressure rises — the ones you'd want on the call at 4am.
Time-to-correct-answer over the session, weighted to reward speed only when it arrives with accuracy. Faster is better — but only if the answer is still right.
Retention of correct decisions across a 90-day window. The signal flags the difference between someone who learned the answer in October and someone who still knows it in January.
Each signal is a directional indicator on the dashboard, not a published number on the public score. The signals compose into the Cyber IQ aggregate — the aggregate is what the auditor sees.
Three principles govern how raw session evidence becomes the score that lands on an audit page. None of them are clever. All of them are deliberate.
Weighted by domain. Decayed by recency. Reviewable under engagement. Each play is a stamped, timestamped record of a decision under pressure — not a completion log, not a quiz score, but a behavioural artefact that adds to the employee's competency record.
Not synthetic benchmarks. Not a theoretical curve. The score thresholds are anchored on the live distribution of player performance across the eight domains — and recalibrated as the population shifts so the bands stay honest as the cohort grows.
Today's score reflects today's competency — not last year's training session. Recent evidence carries more weight than legacy evidence; legacy evidence is not erased, but its contribution recedes on a calibrated schedule. The audit page never asks an employee to vouch for a decision they made eighteen months ago.
Exact weights, decay constants and threshold maps are reviewable under engagement.
The hand-to-auditor moment is the thing the whole model is designed for. When the external assessor asks "show me", the answer is a single export — readable in ninety seconds, defensible in ninety minutes.
The export folds the calibration model into a single, readable artefact. It is the document a control owner hands to an auditor and a manager hands to a board. Three frameworks, one page.
Management-body training evidence with auditable competency progression by individual and by domain.
Information security awareness, education and training — evidenced as competency outcomes, not enrolment counts.
Workforce-awareness alignment with quarterly trend lines to evidence ongoing competency, not point-in-time attestation.
Keep the awareness platform you already trust. Add the competency-evidence layer you can hand to an auditor. We'll walk you through the model, the calibration and the export — on a single call.