Design security in. Don't audit it after.
Secure by Design is the module for the moment security is cheapest to get right — while a solution is still being designed. Upload your design docs and the AI derives the applicable controls, threats and scope. You review and commit; it assembles a living Security Architecture Document as you go.
Where security architecture happens — not just where it's recorded.
Cybereen is strong at tracking compliance once a system exists. Secure by Design adds the missing piece: a guided, design-stage workflow for a new or changing solution, before it's built.
Today that design-stage work happens in documents and spreadsheets, outside the platform. Threats are reasoned about informally, controls are decided in meetings, exemptions are agreed verbally, and a Security Architecture Document is hand-written after the fact, if at all. The result is the pattern this module exists to end: security audited after build, rather than designed in.
You create a project for the solution and work six plain-language stages. As you go, decisions write through to your existing Applied Controls, Risks and Evidence — so design-stage work is captured once and never re-keyed. Secure by Design sits on the compliance spine you already run; it adds no new place to keep in sync.
Upload your docs. The AI derives the controls.
AI isn't a bolt-on here — it's how the module works. Drop in a design document, an architecture diagram write-up or an intake brief, and the co-pilot reads it and proposes what applies.
- Controls — the applicable SCF controls, drafted from your documentation and mapped to the parts of your solution.
- Threats — what could go wrong at each component, each tied to a control and an owner.
- Scope & classification — the in-scope domains, the moving parts, and a suggested data classification.
- You stay in control — every suggestion is a draft. Nothing reaches an authoritative record until a human reviews and commits.
Six plain-language stages. One living document.
Each stage answers one question and contributes to the Security Architecture Document. The journey is the spine; the document is its by-product.
What are we building?
Name the solution, set a data classification and answer a short intake. The AI can suggest the classification straight from your description.
Which areas matter, and what are the moving parts?
Confirm the in-scope domains and list your architecture nodes. The AI drafts both from your documentation for you to edit.
What could go wrong, and what stops it?
Review the threats at each node, confirm the controls that answer them, and record any exemptions and risks. Committed straight to your platform.
Who is doing what, and is it assured?
Track each control through implementation by owner and date. Cyber independently assures what's implemented — and no one assures their own work.
Are we ready to operate this safely?
Work the pre go-live checklist. Readiness is derived from what's assured and done — and one hard gate holds the project until every item is cleared.
Who owns it now that it's live?
Review a closure summary derived from the project — scope, controls, exemptions and residual risk — then mark it handed over to the accountable owner.
One project, the whole design stage in view.
Every project shows its journey, its live counts, its go-live readiness and who's accountable — assembled from the work, not typed into a status report. Illustrative project shown.
Threats, risks, exceptions and patterns. Nothing silent.
Every skipped control and every accepted risk is an explicit object with an owner, a reason, a compensating control and a review date. A gap is never invisible.
Threats identified per architecture node, each tied to a control and an owner — drafted by AI from your docs, confirmed by you.
Risks raised during design flow straight into Cybereen Risks. Residual risk is formally accepted by someone accountable before go-live.
A documented decision not to apply a control or pattern — with a reason, a compensating control, an owner and an expiry. Logged for approval, never verbal.
Pre-approved, reusable building blocks — SSO, central logging, and more — with baseline guardrails. Apply the pattern, assess only the delta.
One Security Architecture Document. Assembled, not authored twice.
Doing the work is writing the document. Open it at any time and every chapter is assembled live from the project — its state derived from whether the underlying work exists.
- Confirmed / Draft / Empty — each chapter's state is derived, never faked. If a number can't be re-derived from the records, it doesn't appear.
- No second write-up — scope, threats, controls, exemptions and residual risk assemble themselves as you commit them.
- Board- and auditor-ready — a single record of how the solution was designed to be secure, produced by design-stage work you were doing anyway.
- See how the document assembles →
Three promises the module enforces.
Not slogans — each is built into how the data works.
The AI drafts, the human commits.
The co-pilot only ever writes suggestions. Nothing reaches an authoritative record — a control, a risk, the design document — without a deliberate human action.
Built is not the same as assured.
A control the project marks implemented is not yet assured. Assurance is a separate act by a different person — and you can't assure your own work.
Nothing silent.
Exemptions, blocked controls and gaps are explicit objects with an owner, a reason, a compensating control and a review or expiry date. A skipped control is never invisible.
Questions before you design your next solution.
If yours isn't here, the contact form has a free-text field — answers go in the next page revision.
How does the AI derive controls from my documents?
Is this a separate platform to learn?
What does "built is not assured" mean in practice?
What do we get out of it at go-live?
Do we have to use the AI co-pilot?
Design your next solution secure from day one.
Bring a solution that's still on the drawing board. Upload the design, let the AI derive the controls, and walk out with a threat model and a Security Architecture Document that's already in your platform.