Skip to main content
EFROS

Interactive tools

Interactive tools.

Tools built from the numbers we see inside real engagements. Run them in your browser (nothing leaves your device unless you request the emailed report on the security scan). Use them to sanity-check a vendor quote, a readiness claim, a scoping decision, or your own external security posture before you commit budget.

By Stefan Efros, CEO & Founder, EFROS
Updated ยท

Assessment

Free AI Risk Score

Five-minute self-assessment for US organizations classifying your AI usage against NIST AI RMF governance maturity, NYC LL144, CA AB 2013, and Colorado SB 26-189 (amended AI law). Branded report with citation-anchored recommendations, sector-specific compliance overlays (HIPAA, SR 11-7, CMMC), and a 90-day execution roadmap.

NIST AI RMFISO/IEC 42001Colorado SB 26-189AI Governance

Scorecard

AI Vendor Risk Scorecard

Fifteen-question scorecard that scores any AI vendor (OpenAI, Anthropic, Microsoft Copilot, custom GPT, embedded SaaS AI) across five categories: Data Handling, Model Governance, Security Controls, Vendor Maturity, and Legal/Contract. /45 score with per-category breakdown and a risk tier mapped to NIST AI RMF, SOC 2, and US procurement baselines.

AI vendorsNIST AI RMFSOC 2Procurement

Tracker

AI Inventory Mapper

Living inventory of every AI tool, model, and use case in your org. Add a row per tool with vendor, use case, department, PHI/PII handling, and approver. Auto-calculates risk tier from NIST AI RMF GOVERN-1.4, with Colorado SB 26-189 (amended AI law) transparency/disclosure context. Browser-resident, CSV export, no signup. Start tracking shadow AI in five minutes.

AI inventoryNIST AI RMFColorado SB 26-189HIPAA

Calculator

Cost of Getting Hit

Cyber incident calculator for US owners and operators. Estimates the total exposure range, out-of-pocket cost after insurance, and recovery time for a ransomware or BEC incident in your industry. Calibrated against IBM Cost of a Data Breach, Verizon DBIR, and Sophos State of Ransomware benchmarks.

Cyber riskInsuranceRansomwareBEC

Assessment

Are You Ready?

Honest cyber readiness self-assessment for US owners. Answer a short series of questions about your controls, response posture, and recovery plan. Produces a readiness verdict, a personalized 5-step playbook, and question-by-question coaching you can re-run as a baseline.

ReadinessOwnersCyber playbook

Calculator

MSSP TCO Calculator

Build vs. buy for security operations. 3-year TCO comparing in-house SOC against managed MDR with analyst loaded cost, tooling, training, and turnover math most spreadsheets skip.

SOCMDRBuild vs buy

Assessment

CMMC Level 2 Readiness Quiz

Twenty-question self-assessment across the 14 NIST SP 800-171 control families. Produces a score, a gap list, and a next-step recommendation tied to where you land.

CMMCNIST 800-171DoD

Analyzer

PCI Scope Reduction Analyzer

Map your payment architecture to the scope reduction techniques that actually move the needle: tokenization, P2PE, iframe redirection, segmentation, outsourced processing.

PCI-DSSScopeTokenization

Calculator

Cyber Insurance Premium Reducer

Quantify the dollar gap between today's posture and a renewal-ready control stack. Industry + revenue + 20-control checklist returns estimated current premium, hardened-posture target, dollar savings opportunity, and a ranked gap list. Built for CFOs and risk managers 30-90 days from renewal.

Cyber InsuranceRenewalControlsPremium

Scanner

Free Security Scan

Enter your domain and we run a 60-second external audit: registrar, DNSSEC, SPF/DKIM/DMARC, BIMI, MTA-STS, subdomains, TLS, security headers, cookie flags, and IP reputation. Full report lands in your inbox.

DNSEmail authTLSSubdomains

Scanner

Prompt Injection Test

Free static analyzer for LLM system prompts. Paste your system or developer-role prompt, get an A-F vulnerability grade against 25 known prompt-injection attack patterns (5 free + 20 email-gated extended), plus copy-paste remediation snippets for every detected gap. Runs entirely in your browser. Your prompt never leaves the page.

LLM securityPrompt injectionOWASP LLM Top 10AI Governance

Why we publish these

Most vendor calculators are marketing dressed as math. The numbers are set to make the vendor look cheaper, the assumptions are hidden two layers deep, and the output is a PDF that lands in procurement with no audit trail. That is not useful. The tools on this page run entirely in your browser, show their work, and use default cost ranges drawn from engagements we actually priced and delivered. You can change every input. Nothing is sent to us unless you decide to start a conversation about the output.

The other reason these exist is that we get asked the same three questions every week: in-house SOC vs.ย MDR, CMMC and AI governance readiness, and PCI scope. Writing the answer once in a tool that anyone can run is more honest than charging a retainer to answer it again in a slide deck.

How to use the output

Treat every number as directional. A TCO calculator cannot see your specific contract terms, your specific ramp curve, or the political cost of a failed in-house build. A readiness quiz cannot substitute for a gap assessment against documented evidence. A scope analyzer cannot replace a QSA review of your actual network diagram. What these tools do is get you to a shared starting point with whoever signs the check. The next conversation is then about the gap between the estimate and reality rather than starting from scratch.

If you want to pressure-test the output against your environment, the button at the bottom of every tool routes to a 30-minute working session with one of our engineers. No deck, no discovery call template (the tool output is the discovery). Indicative managed-services pricing is published if you want to translate tool output to a budget conversation before the call.

What the tools do not do

None of these produce a procurement-grade number on their own. The TCO model does not price in-kind contributions (office space, shared IT overhead, benefits load variance by geography). The CMMC quiz does not produce an SSP or POA&M. The PCI analyzer does not substitute for a QSA ROC or a SAQ-D self-assessment. They are decision aids for the first conversation, not the last one. If a vendor hands you a single-page calculator output and tells you the procurement decision is done, that is the signal to ask a harder question. For real engagements see our case studies and the US AI Vendor Governance Index.

Where to take this further

From estimate to engagement

Services overview

Managed IT + 24/7 SOC + AI Governance

Three core disciplines plus a specialized AI program, under one SLA. Browse the catalog or jump straight to MDR, vCISO, SIEM, or AI Governance.

Open

Pricing

Indicative managed-services bands

Per-user and flat-fee bands for Core IT, Secure Operations, Fortress SOC, AI Risk Audit, and AI Governance tiers. Published before you book.

Open

Case studies

Real engagements, real outcomes

Manufacturing CMMC Level 2, financial services SOC 2 audit, healthcare HIPAA + SOC migration, retail 140-location uptime, BEC fraud recovery.

Open

Research

US AI Vendor Governance Index

Quarterly public scorecard of 30+ AI vendors against NIST AI RMF, ISO/IEC 42001, HHS-OCR Section 1557, FRB SR 11-7, and CMMC criteria.

Open

Why EFROS

Cybersecurity-first MSP vs the typical MSP

What "we run your risk, not your tickets" actually looks like in the operating model, the runbooks, and the quarterly business review.

Open

Book a call

30-min working session

Bring your tool output. A senior engineer walks through it with you, pressure-tests the assumptions, and tells you what the next step actually is.

Open
Get a detailed assessment