Self-assessed · Quick Mythos Vulnerability Assessment · sample
Initech: Quick Mythos Vulnerability Assessment
The same Tier-1 instrument as the live assessment: 40 questions across five VM areas, indicative headline, and a gap register. Postures inherit the Initech GRA sample where AICM ids overlap.
Illustrative sample for a fictional organisation. Indicative Tier-1 read only — not the per-function diagnostic, not AI-CAIQ / STAR, and not a measured or verified result. Answers aligned to the Initech GRA sample where AICM ids overlap; otherwise absent.
| Engagement ID | SAMPLE-INITECH-QS-2026-07 |
|---|---|
| Report date | 17 July 2026 |
| Period | Point-in-time · illustrative sample |
| Organisation | Initech |
| Instrument | Quick Mythos Vulnerability Assessment (40 questions · 5 VM areas) |
| Classification | Sample · Illustrative · Not measured |
| Provenance | Self-assessed |
Early
indicative · Initial · 40/40
35 foundational controls are missing, so this can’t read “well-positioned” until closed.
1 · Executive summary
Indicative readout
Initech Quick Mythos Vulnerability Assessment: indicative 0% (Early, Initial). 1 implemented · 4 partial · 35 absent · 0 NA across 40 questions. 35 foundational controls absent — the gate caps this read below “well-positioned” until closed. Self-assessed sample; not a measured function diagnostic.
This is a fast indicative read for where to dig first. It does not place a function on AISMM, does not score Adopt (AI-CMM), and does not express an audit opinion.
Questions
40
Implemented
1
Partial
4
Absent
35
Foundational gaps
35
2 · Scope and methodology
What this scan covers
Full Quick Mythos Vulnerability Assessment instrument (40 questions) across five vulnerability-management areas. Each question maps to one AICM control id; answers carry forward into a function diagnostic by aicmId.
- Instrument: Quick Mythos Vulnerability Assessment (Tier-1 on-ramp to the function diagnostic).
- Answer lexicon: Implemented / Partially implemented / Not implemented / Not applicable — same ResponseValue spine as the function diagnostic.
- Headline: coverage credit (implemented = 1, partial = 0.5, absent = 0), mapped to an indicative 1–4 ladder; any absent keystone caps the ceiling at L3.
- Priority: Critical for absent high-tier (tier ≥ 4) questions; High for other absents; Medium for partial.
- No independent testing or evidence sampling for this sample pack.
3 · Domain dashboard
Five vulnerability-management areas
Credit = implemented + half partial, over answered non-NA items in the area.
| VM area | Questions | Impl. | Partial | Absent | Credit |
|---|---|---|---|---|---|
| Infrastructure & application security | 11 | 0 | 0 | 11 | 0% |
| Data sovereignty | 6 | 1 | 1 | 4 | 25% |
| Threat intelligence | 7 | 0 | 2 | 5 | 14% |
| Identity & access | 8 | 0 | 0 | 8 | 0% |
| Operational resilience | 8 | 0 | 1 | 7 | 6% |
4 · Gap register
Where the foundation is missing
Absent and partial answers, ranked. Critical = absent high-tier (tier ≥ 4) keystones.
| Priority | AICM | VM area | Posture | Prompt |
|---|---|---|---|---|
| Critical | A&A-03 | Operational resilience | Absent | Do leadership and the board see near-real-time metrics, including how many open findings could be weaponised by AI today? |
| Critical | CCC-07 | Data sovereignty | Absent | Are cloud data stores — buckets, databases, data lakes — continuously scanned for misconfiguration and exposure? |
| Critical | I&S-09 | Infrastructure & application security | Absent | Is your network blast radius documented and within policy, and does outbound filtering block command-and-control and data exfiltration? |
| Critical | IAM-08 | Identity & access | Absent | Is privileged access managed for the service accounts your security tools use, and do identity risks become prioritised findings automatically? |
| Critical | IAM-18 | Identity & access | Absent | Is there a formal framework deciding which automated identity actions can run on their own and which need a human to approve? |
| Critical | SEF-07 | Operational resilience | Absent | Is your mean time to detect critical incidents under a few hours, with automated playbooks containing and preserving evidence before an analyst is free? |
| Critical | TVM-07 | Infrastructure & application security | Absent | Do you continuously simulate attacks year-round, and have you run an AI-assisted penetration test on critical systems? |
| Critical | TVM-08 | Infrastructure & application security | Absent | How much of your fix backlog remediates automatically, and can you deploy a compensating control within hours of a critical exploit going public? |
| Critical | TVM-08 | Operational resilience | Absent | Does your critical patch target aim for within a day, with a tested emergency fast-track for zero-days and a mandatory re-scan before closing the ticket? |
| Critical | TVM-11 | Threat intelligence | Absent | How fast do you detect a newly-exploitable vulnerability across every asset tier, including cloud and third-party? |
| High | A&A-05 | Operational resilience | Absent | How well-defined and measured is your service-level target for assigning and tracking critical findings from detection to fix? |
| High | A&A-06 | Operational resilience | Absent | Is there a tracked AI-readiness improvement program with regular leadership reporting and a business case quantifying the cost of not being ready? |
| High | AIS-05 | Infrastructure & application security | Absent | Do you scan code with AI assistance at commit time, blocking critical findings before they reach production? |
| High | AIS-06 | Infrastructure & application security | Absent | Are containers and their orchestration scanned before deployment and watched at runtime as part of your program? |
| High | AIS-08 | Infrastructure & application security | Absent | Are all your interfaces — internal, external, and partner — inventoried and in scope for scanning, with controls for interface-specific attacks? |
| High | CCC-04 | Infrastructure & application security | Absent | Is there a tested process to deploy critical patches fast and roll them back safely without service disruption? |
| High | CCC-06 | Infrastructure & application security | Absent | Are infrastructure-as-code templates scanned for misconfiguration before deployment, so flaws are not provisioned into your environment? |
| High | CEK-12 | Identity & access | Absent | Are orphaned and service accounts and credential hygiene issues caught as findings with timelines, and are secrets centrally managed and rotated? |
| High | DCS-06 | Data sovereignty | Absent | Can you produce a complete, business-context inventory of every internet-facing asset — including anything stood up in the last day — within minutes? |
| High | DSP-04 | Data sovereignty | Absent | Are your most critical data assets formally identified and classified, with tighter fix timelines and continuous monitoring? |
| High | GRC-15 | Identity & access | Absent | If you run defensive AI agents, is there a documented decision-authority matrix that includes identity context for what they may do on their own? |
| High | I&S-04 | Infrastructure & application security | Absent | Are systems hardened to a defined baseline, with compliance continuously monitored and enforced? |
| High | IAM-01 | Identity & access | Absent | Does every finding, including identity issues, have a named owner and arrive in a form the owner can act on without security hand-holding? |
| High | IAM-07 | Identity & access | Absent | Do you catch joiner-mover-leaver risks, conflicting access combinations, and multi-step privilege-escalation paths? |
| High | IAM-13 | Identity & access | Absent | Is strong authentication enforced on every privileged and high-risk path, with sign-in logs watched for anomalies? |
| High | LOG-03 | Operational resilience | Absent | Are findings from identity, infrastructure, and applications all integrated into your operations and detection tooling with consistent risk scoring? |
| High | LOG-13 | Threat intelligence | Absent | Are identity risk signals — odd logins, privilege abuse, impossible travel — correlated with your vulnerability findings to re-rank fixes in near real time? |
| High | LOG-14 | Operational resilience | Absent | Do you have tested procedures and behavioural analytics for AI-powered attacks that leave no traditional malware signature? |
| High | MDS-06 | Identity & access | Absent | Are your defensive AI tools themselves patched and tested against adversarial manipulation and prompt injection? |
| High | STA-13 | Data sovereignty | Absent | Does your program watch the exposure and security posture of your key suppliers and partners, not just your own systems? |
| High | TVM-03 | Infrastructure & application security | Absent | Can your scanners find novel weaknesses beyond known-signature lists, including in your custom and legacy apps? |
| High | TVM-04 | Threat intelligence | Absent | Do you analyse how several smaller weaknesses could be chained together to reach critical access? |
| High | TVM-06 | Infrastructure & application security | Absent | Do you keep a bill of materials for critical apps and continuously watch third-party components for new vulnerabilities, with automatic alerts? |
| High | TVM-09 | Threat intelligence | Absent | Does your prioritisation go beyond severity scores to use real-time exploit intelligence like exploit-prediction scores and the known-exploited catalogue? |
| High | TVM-10 | Threat intelligence | Absent | When new exploit intelligence emerges for a risk you previously accepted, does something automatically trigger a re-look? |
| Medium | A&A-01 | Data sovereignty | Partial | Is there a governance framework covering where your AI models come from, how identity data is protected, hardened run environments, and full auditability for AI making security decisions? |
| Medium | GRC-02 | Threat intelligence | Partial | How much of your backlog is over 90 days old, and is each aged item formally risk-accepted with a documented approver and expiry? |
| Medium | HRS-15 | Operational resilience | Partial | Is vulnerability management a dedicated function with named people, runbooks, escalation procedures, and active training on AI-era threats? |
| Medium | TVM-01 | Threat intelligence | Partial | Do all your security tools feed one program view, with exploit intelligence and vendor advisories processed promptly into tracked findings? |
5 · Recommendations
Where to dig next
- Close Critical and High absents in the gap register before treating the indicative % as a planning target.
- Carry these answers into a function diagnostic — matching AICM ids are not re-asked.
- Pair with the Initech GRA function sample and the ISO / NIST / AI-CAIQ packs for board-altitude lenses on the same baseline.
- Treat “Well-positioned” as unreachable while any foundational control remains absent (gate).
6 · Limitations
What this pack is not
- Not a function diagnostic (no Govern × Adopt gate score).
- Not CSA AI-CAIQ / STAR for AI.
- Not measured or independently verified — self-assessed sample data.
- Fictional organisation; overlapping AICM ids match the Initech GRA baseline.