ai · security · skills

Self-assessed · Quick Mythos Vulnerability Assessment · sample

Initech: Quick Mythos Vulnerability Assessment

The same Tier-1 instrument as the live assessment: 40 questions across five VM areas, indicative headline, and a gap register. Postures inherit the Initech GRA sample where AICM ids overlap.

Illustrative sample for a fictional organisation. Indicative Tier-1 read only — not the per-function diagnostic, not AI-CAIQ / STAR, and not a measured or verified result. Answers aligned to the Initech GRA sample where AICM ids overlap; otherwise absent.

Engagement IDSAMPLE-INITECH-QS-2026-07
Report date17 July 2026
PeriodPoint-in-time · illustrative sample
OrganisationInitech
InstrumentQuick Mythos Vulnerability Assessment (40 questions · 5 VM areas)
ClassificationSample · Illustrative · Not measured
ProvenanceSelf-assessed
0%

Early

indicative · Initial · 40/40

35 foundational controls are missing, so this can’t read “well-positioned” until closed.

1 · Executive summary

Indicative readout

Initech Quick Mythos Vulnerability Assessment: indicative 0% (Early, Initial). 1 implemented · 4 partial · 35 absent · 0 NA across 40 questions. 35 foundational controls absent — the gate caps this read below “well-positioned” until closed. Self-assessed sample; not a measured function diagnostic.

This is a fast indicative read for where to dig first. It does not place a function on AISMM, does not score Adopt (AI-CMM), and does not express an audit opinion.

Questions

40

Implemented

1

Partial

4

Absent

35

Foundational gaps

35

2 · Scope and methodology

What this scan covers

Full Quick Mythos Vulnerability Assessment instrument (40 questions) across five vulnerability-management areas. Each question maps to one AICM control id; answers carry forward into a function diagnostic by aicmId.

  1. Instrument: Quick Mythos Vulnerability Assessment (Tier-1 on-ramp to the function diagnostic).
  2. Answer lexicon: Implemented / Partially implemented / Not implemented / Not applicable — same ResponseValue spine as the function diagnostic.
  3. Headline: coverage credit (implemented = 1, partial = 0.5, absent = 0), mapped to an indicative 1–4 ladder; any absent keystone caps the ceiling at L3.
  4. Priority: Critical for absent high-tier (tier ≥ 4) questions; High for other absents; Medium for partial.
  5. No independent testing or evidence sampling for this sample pack.

3 · Domain dashboard

Five vulnerability-management areas

Credit = implemented + half partial, over answered non-NA items in the area.

VM areaQuestionsImpl.PartialAbsentCredit
Infrastructure & application security1100110%
Data sovereignty611425%
Threat intelligence702514%
Identity & access80080%
Operational resilience80176%

4 · Gap register

Where the foundation is missing

Absent and partial answers, ranked. Critical = absent high-tier (tier ≥ 4) keystones.

PriorityAICMVM areaPosturePrompt
CriticalA&A-03Operational resilienceAbsentDo leadership and the board see near-real-time metrics, including how many open findings could be weaponised by AI today?
CriticalCCC-07Data sovereigntyAbsentAre cloud data stores — buckets, databases, data lakes — continuously scanned for misconfiguration and exposure?
CriticalI&S-09Infrastructure & application securityAbsentIs your network blast radius documented and within policy, and does outbound filtering block command-and-control and data exfiltration?
CriticalIAM-08Identity & accessAbsentIs privileged access managed for the service accounts your security tools use, and do identity risks become prioritised findings automatically?
CriticalIAM-18Identity & accessAbsentIs there a formal framework deciding which automated identity actions can run on their own and which need a human to approve?
CriticalSEF-07Operational resilienceAbsentIs your mean time to detect critical incidents under a few hours, with automated playbooks containing and preserving evidence before an analyst is free?
CriticalTVM-07Infrastructure & application securityAbsentDo you continuously simulate attacks year-round, and have you run an AI-assisted penetration test on critical systems?
CriticalTVM-08Infrastructure & application securityAbsentHow much of your fix backlog remediates automatically, and can you deploy a compensating control within hours of a critical exploit going public?
CriticalTVM-08Operational resilienceAbsentDoes your critical patch target aim for within a day, with a tested emergency fast-track for zero-days and a mandatory re-scan before closing the ticket?
CriticalTVM-11Threat intelligenceAbsentHow fast do you detect a newly-exploitable vulnerability across every asset tier, including cloud and third-party?
HighA&A-05Operational resilienceAbsentHow well-defined and measured is your service-level target for assigning and tracking critical findings from detection to fix?
HighA&A-06Operational resilienceAbsentIs there a tracked AI-readiness improvement program with regular leadership reporting and a business case quantifying the cost of not being ready?
HighAIS-05Infrastructure & application securityAbsentDo you scan code with AI assistance at commit time, blocking critical findings before they reach production?
HighAIS-06Infrastructure & application securityAbsentAre containers and their orchestration scanned before deployment and watched at runtime as part of your program?
HighAIS-08Infrastructure & application securityAbsentAre all your interfaces — internal, external, and partner — inventoried and in scope for scanning, with controls for interface-specific attacks?
HighCCC-04Infrastructure & application securityAbsentIs there a tested process to deploy critical patches fast and roll them back safely without service disruption?
HighCCC-06Infrastructure & application securityAbsentAre infrastructure-as-code templates scanned for misconfiguration before deployment, so flaws are not provisioned into your environment?
HighCEK-12Identity & accessAbsentAre orphaned and service accounts and credential hygiene issues caught as findings with timelines, and are secrets centrally managed and rotated?
HighDCS-06Data sovereigntyAbsentCan you produce a complete, business-context inventory of every internet-facing asset — including anything stood up in the last day — within minutes?
HighDSP-04Data sovereigntyAbsentAre your most critical data assets formally identified and classified, with tighter fix timelines and continuous monitoring?
HighGRC-15Identity & accessAbsentIf you run defensive AI agents, is there a documented decision-authority matrix that includes identity context for what they may do on their own?
HighI&S-04Infrastructure & application securityAbsentAre systems hardened to a defined baseline, with compliance continuously monitored and enforced?
HighIAM-01Identity & accessAbsentDoes every finding, including identity issues, have a named owner and arrive in a form the owner can act on without security hand-holding?
HighIAM-07Identity & accessAbsentDo you catch joiner-mover-leaver risks, conflicting access combinations, and multi-step privilege-escalation paths?
HighIAM-13Identity & accessAbsentIs strong authentication enforced on every privileged and high-risk path, with sign-in logs watched for anomalies?
HighLOG-03Operational resilienceAbsentAre findings from identity, infrastructure, and applications all integrated into your operations and detection tooling with consistent risk scoring?
HighLOG-13Threat intelligenceAbsentAre identity risk signals — odd logins, privilege abuse, impossible travel — correlated with your vulnerability findings to re-rank fixes in near real time?
HighLOG-14Operational resilienceAbsentDo you have tested procedures and behavioural analytics for AI-powered attacks that leave no traditional malware signature?
HighMDS-06Identity & accessAbsentAre your defensive AI tools themselves patched and tested against adversarial manipulation and prompt injection?
HighSTA-13Data sovereigntyAbsentDoes your program watch the exposure and security posture of your key suppliers and partners, not just your own systems?
HighTVM-03Infrastructure & application securityAbsentCan your scanners find novel weaknesses beyond known-signature lists, including in your custom and legacy apps?
HighTVM-04Threat intelligenceAbsentDo you analyse how several smaller weaknesses could be chained together to reach critical access?
HighTVM-06Infrastructure & application securityAbsentDo you keep a bill of materials for critical apps and continuously watch third-party components for new vulnerabilities, with automatic alerts?
HighTVM-09Threat intelligenceAbsentDoes your prioritisation go beyond severity scores to use real-time exploit intelligence like exploit-prediction scores and the known-exploited catalogue?
HighTVM-10Threat intelligenceAbsentWhen new exploit intelligence emerges for a risk you previously accepted, does something automatically trigger a re-look?
MediumA&A-01Data sovereigntyPartialIs there a governance framework covering where your AI models come from, how identity data is protected, hardened run environments, and full auditability for AI making security decisions?
MediumGRC-02Threat intelligencePartialHow much of your backlog is over 90 days old, and is each aged item formally risk-accepted with a documented approver and expiry?
MediumHRS-15Operational resiliencePartialIs vulnerability management a dedicated function with named people, runbooks, escalation procedures, and active training on AI-era threats?
MediumTVM-01Threat intelligencePartialDo all your security tools feed one program view, with exploit intelligence and vendor advisories processed promptly into tracked findings?

5 · Recommendations

Where to dig next

  • Close Critical and High absents in the gap register before treating the indicative % as a planning target.
  • Carry these answers into a function diagnostic — matching AICM ids are not re-asked.
  • Pair with the Initech GRA function sample and the ISO / NIST / AI-CAIQ packs for board-altitude lenses on the same baseline.
  • Treat “Well-positioned” as unreachable while any foundational control remains absent (gate).

6 · Limitations

What this pack is not

  • Not a function diagnostic (no Govern × Adopt gate score).
  • Not CSA AI-CAIQ / STAR for AI.
  • Not measured or independently verified — self-assessed sample data.
  • Fictional organisation; overlapping AICM ids match the Initech GRA baseline.