CYBEREEN MODULE · AI-NATIVE

Design security in. Don't audit it after.

Secure by Design is the module for the moment security is cheapest to get right — while a solution is still being designed. Upload your design docs and the AI derives the applicable controls, threats and scope. You review and commit; it assembles a living Security Architecture Document as you go.

In the platform → Stage · design-time, before & during build Frameworks · SCF catalogue + your mapped standards Output · living Security Architecture Document AI · derives controls from your docs Writes through · Controls · Risks · Evidence
WHAT IT IS

Where security architecture happens — not just where it's recorded.

Cybereen is strong at tracking compliance once a system exists. Secure by Design adds the missing piece: a guided, design-stage workflow for a new or changing solution, before it's built.

Today that design-stage work happens in documents and spreadsheets, outside the platform. Threats are reasoned about informally, controls are decided in meetings, exemptions are agreed verbally, and a Security Architecture Document is hand-written after the fact, if at all. The result is the pattern this module exists to end: security audited after build, rather than designed in.

You create a project for the solution and work six plain-language stages. As you go, decisions write through to your existing Applied Controls, Risks and Evidence — so design-stage work is captured once and never re-keyed. Secure by Design sits on the compliance spine you already run; it adds no new place to keep in sync.

The honest version: the hard part of designing security in isn't the policies — it's the threat model and keeping a live inventory of where controls actually land. That's exactly what the AI co-pilot does the heavy lifting on, with a human in the loop on every commit.
AI DOES THE HEAVY LIFTING

Upload your docs. The AI derives the controls.

AI isn't a bolt-on here — it's how the module works. Drop in a design document, an architecture diagram write-up or an intake brief, and the co-pilot reads it and proposes what applies.

  • Controls — the applicable SCF controls, drafted from your documentation and mapped to the parts of your solution.
  • Threats — what could go wrong at each component, each tied to a control and an owner.
  • Scope & classification — the in-scope domains, the moving parts, and a suggested data classification.
  • You stay in control — every suggestion is a draft. Nothing reaches an authoritative record until a human reviews and commits.
THE JOURNEY

Six plain-language stages. One living document.

Each stage answers one question and contributes to the Security Architecture Document. The journey is the spine; the document is its by-product.

Stage 1 · Describe

What are we building?

Name the solution, set a data classification and answer a short intake. The AI can suggest the classification straight from your description.

Produces · project overview & classification
IN THE PRODUCT

One project, the whole design stage in view.

Every project shows its journey, its live counts, its go-live readiness and who's accountable — assembled from the work, not typed into a status report. Illustrative project shown.

app.cybereen.com / secure-by-design / project
LIVE
Cybereen Secure by Design project detail — the six-stage journey, at-a-glance counts, go-live readiness, recent activity and members for a design-stage project
WHAT IT MANAGES

Threats, risks, exceptions and patterns. Nothing silent.

Every skipped control and every accepted risk is an explicit object with an owner, a reason, a compensating control and a review date. A gap is never invisible.

01
Threat modelling

Threats identified per architecture node, each tied to a control and an owner — drafted by AI from your docs, confirmed by you.

See threat modelling →
02
Project risks

Risks raised during design flow straight into Cybereen Risks. Residual risk is formally accepted by someone accountable before go-live.

Written through
03
Exceptions & exemptions

A documented decision not to apply a control or pattern — with a reason, a compensating control, an owner and an expiry. Logged for approval, never verbal.

Owned & dated
04
Security patterns

Pre-approved, reusable building blocks — SSO, central logging, and more — with baseline guardrails. Apply the pattern, assess only the delta.

See patterns →
THE HEADLINE OUTPUT

One Security Architecture Document. Assembled, not authored twice.

Doing the work is writing the document. Open it at any time and every chapter is assembled live from the project — its state derived from whether the underlying work exists.

  • Confirmed / Draft / Empty — each chapter's state is derived, never faked. If a number can't be re-derived from the records, it doesn't appear.
  • No second write-up — scope, threats, controls, exemptions and residual risk assemble themselves as you commit them.
  • Board- and auditor-ready — a single record of how the solution was designed to be secure, produced by design-stage work you were doing anyway.
  • See how the document assembles →
Security Architecture Document · Payments upliftLIVE
1Solution overview & classificationConfirmed
2Scope & architecture nodesConfirmed
3Threats & controlsConfirmed
4Exceptions & residual riskDraft
5Go-live readinessDraft
6HandoverEmpty
HOW IT KEEPS YOU HONEST

Three promises the module enforces.

Not slogans — each is built into how the data works.

Promise 01

The AI drafts, the human commits.

The co-pilot only ever writes suggestions. Nothing reaches an authoritative record — a control, a risk, the design document — without a deliberate human action.

So: AI speed, human accountability. No silent auto-writes.
Promise 02

Built is not the same as assured.

A control the project marks implemented is not yet assured. Assurance is a separate act by a different person — and you can't assure your own work.

So: "we built it" and "someone independent checked it" are different, tracked states.
Promise 03

Nothing silent.

Exemptions, blocked controls and gaps are explicit objects with an owner, a reason, a compensating control and a review or expiry date. A skipped control is never invisible.

So: the thing you deferred still has a name, an owner and a date.
SECURE BY DESIGN FAQ

Questions before you design your next solution.

If yours isn't here, the contact form has a free-text field — answers go in the next page revision.

How does the AI derive controls from my documents?
You upload a design document, architecture write-up or intake brief. The co-pilot reads it and drafts the applicable SCF controls, the threats at each component and a suggested scope and classification — mapped to your solution. Every draft is presented for you to accept or dismiss; nothing is committed to a control, risk or the design record until a human confirms it.
Is this a separate platform to learn?
No. Secure by Design is a module on the Cybereen platform you already run. It reuses your Applied Controls, Risks, Evidence, the SCF catalogue and your framework mapping — and writes design-stage decisions straight through to them. There's no second system to keep in sync.
What does "built is not assured" mean in practice?
A project team can mark a control implemented. That is not the same as it being assured. Assurance is a separate, recorded act by a different person on the Cyber side — and the platform stops anyone assuring a control they implemented themselves. Your go-live readiness reflects what is actually assured, not just what someone says is done.
What do we get out of it at go-live?
A living Security Architecture Document assembled from the work — solution overview, scope, threats and controls, exceptions and residual risk, and readiness — plus every control and risk already flowed into your platform. Board- and auditor-ready, produced by the design-stage work you were doing anyway rather than written up afterwards.
Do we have to use the AI co-pilot?
The guided journey and the living document work end to end whether or not you use the co-pilot — you can enter everything yourself. The AI is there to do the heavy lifting and get you to a first threat model far faster; it never removes the human decision.

Design your next solution secure from day one.

Bring a solution that's still on the drawing board. Upload the design, let the AI derive the controls, and walk out with a threat model and a Security Architecture Document that's already in your platform.

Explore Secure by Design →