Structured SP 800-30 threat and vulnerability identification, likelihood and impact scoring, inherent and residual risk calculation, and risk response planning — guided or freeform, in your browser.
Risk judgments made without a documented framework are difficult to justify, reproduce, or compare across time. SP 800-30 provides a structured vocabulary and process — threat sources, threat events, vulnerabilities, likelihood, impact — that transforms informal security intuition into auditable analysis.
Every risk entry in this tool maps to the SP 800-30 structure. When an auditor or Authorizing Official (AO) asks how you arrived at a risk level, you have both the methodology citation and the specific assessment data to back it up.
Work in Guided Mode for step-by-step prompts or freeform for direct entry. Every entry maps to SP 800-30 risk factor categories so your assessment is reproducible and methodology-traceable.
Start with system identification: name, boundary description, operational environment, and primary mission. Identify information types and categorization levels to anchor the risk assessment. Document the assessment purpose — initial assessment, periodic review, change-triggered — and the organizational tier (system, mission, or organizational level).
Select from SP 800-30 Appendix D/E threat source taxonomy: adversarial (nation-state, criminal, insider, competitor), accidental, structural (component failure), and environmental (natural disaster, infrastructure failure). Characterize adversarial sources by capability, intent, and targeting to link them to realistic threat events in the next step.
Document threat events — the specific attack scenarios or adverse events a threat source could initiate. For each threat event, identify the system vulnerabilities it could exploit: configuration weaknesses, missing controls, procedural gaps, architectural exposures. Guided Mode presents SP 800-30 Appendix E threat event examples organized by threat source type.
Rate Likelihood of Initiation (adversarial) or Likelihood of Occurrence (non-adversarial) on a qualitative scale aligned to SP 800-30 Table G-2/G-3. Rate adverse impact across Confidentiality, Integrity, and Availability per Table H-2. The tool calculates inherent risk level per SP 800-30 Table I-2 and plots each risk on an interactive heat matrix.
For each identified risk, document the planned response: Accept, Avoid, Transfer, or Mitigate. For mitigations, describe the planned countermeasure, responsible party, target completion date, and residual risk after control implementation. View a prioritized risk assessment sorted by inherent risk level to guide remediation sequencing.
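The five steps above, carried through end to end as an added worked example. This is illustrative code written for this page, not the tool's own implementation. It assumes: the likelihood x impact lookup is a transcription of SP 800-30 Rev. 1 Table I-2 as recalled here (verify it against the published table before relying on it); overall impact is taken as the highest of the C, I and A ratings, which is a modelling choice rather than something SP 800-30 mandates; residual risk is obtained by re-scoring likelihood (and optionally impact) after the planned countermeasure. The three risk entries are constructed sample data.

```python
"""SP 800-30 style risk scoring: inherent risk, residual risk, prioritisation, JSON round-trip.

Added example, not the tool's code. Assumptions:
- _RISK_TABLE is a transcription of SP 800-30 Rev. 1 Table I-2 (verify against the source).
- Overall impact = max(C, I, A)  (modelling choice, not mandated by SP 800-30).
- Residual risk = Table I-2 lookup on post-mitigation likelihood/impact.
"""
from dataclasses import dataclass, asdict
from enum import Enum
from typing import List, Optional
import json


class Level(Enum):
    """Qualitative scale shared by likelihood, impact and risk (Very Low .. Very High)."""
    VERY_LOW = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


RESPONSES = ("Accept", "Avoid", "Transfer", "Mitigate")

# Table I-2 (transcribed, verify): row = likelihood, column index = impact.value.
_RISK_TABLE = {
    Level.VERY_HIGH: [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.HIGH, Level.VERY_HIGH],
    Level.HIGH:      [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.HIGH, Level.VERY_HIGH],
    Level.MODERATE:  [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.MODERATE, Level.HIGH],
    Level.LOW:       [Level.VERY_LOW, Level.LOW, Level.LOW, Level.LOW, Level.MODERATE],
    Level.VERY_LOW:  [Level.VERY_LOW, Level.VERY_LOW, Level.VERY_LOW, Level.LOW, Level.LOW],
}


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Combine likelihood and impact into a risk level via the Table I-2 lookup."""
    return _RISK_TABLE[likelihood][impact.value]


@dataclass
class RiskEntry:
    threat_source: str                 # Appendix D category, e.g. "Adversarial/Insider"
    threat_event: str                  # Appendix E style scenario
    vulnerability: str                 # weakness the event would exploit
    likelihood: Level                  # Table G-2 (adversarial) or G-3 (non-adversarial)
    impact_c: Level                    # adverse impact on Confidentiality
    impact_i: Level                    # adverse impact on Integrity
    impact_a: Level                    # adverse impact on Availability
    response: str = "Mitigate"         # Accept | Avoid | Transfer | Mitigate
    countermeasure: str = ""           # planned control (Mitigate only)
    residual_likelihood: Optional[Level] = None   # likelihood after the control is in place
    residual_impact: Optional[Level] = None       # impact after the control, if it changes

    def __post_init__(self) -> None:
        # Reject responses outside the SP 800-30 vocabulary so entries stay auditable.
        if self.response not in RESPONSES:
            raise ValueError(f"response must be one of {RESPONSES}, got {self.response!r}")

    def overall_impact(self) -> Level:
        return max((self.impact_c, self.impact_i, self.impact_a), key=lambda lv: lv.value)

    def inherent_risk(self) -> Level:
        return risk_level(self.likelihood, self.overall_impact())

    def residual_risk(self) -> Level:
        # Only a mitigation with a re-scored likelihood changes the level; Accept/Avoid/Transfer
        # keep the inherent value in this model.
        if self.response != "Mitigate" or self.residual_likelihood is None:
            return self.inherent_risk()
        return risk_level(self.residual_likelihood, self.residual_impact or self.overall_impact())


def prioritize(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Highest inherent risk first; residual risk breaks ties (remediation sequencing)."""
    return sorted(entries, key=lambda e: (e.inherent_risk().value, e.residual_risk().value), reverse=True)


_LEVEL_FIELDS = ("likelihood", "impact_c", "impact_i", "impact_a", "residual_likelihood", "residual_impact")


def to_json(entries: List[RiskEntry]) -> str:
    """Serialise entries with Level members stored by name so the file is human-readable."""
    rows = [{k: (v.name if isinstance(v, Level) else v) for k, v in asdict(e).items()} for e in entries]
    return json.dumps(rows, indent=2)


def from_json(text: str) -> List[RiskEntry]:
    out = []
    for row in json.loads(text):
        for k in _LEVEL_FIELDS:
            if row.get(k) is not None:
                row[k] = Level[row[k]]
        out.append(RiskEntry(**row))
    return out


def sample_entries() -> List[RiskEntry]:
    """Constructed sample assessment for a hypothetical system (not real findings)."""
    return [
        RiskEntry("Adversarial/Insider", "Privileged user copies PII to removable media",
                  "No data-loss monitoring on endpoint egress", Level.HIGH,
                  Level.HIGH, Level.LOW, Level.LOW, "Mitigate",
                  "Deploy DLP agent and privileged-session recording", residual_likelihood=Level.LOW),
        RiskEntry("Environmental/Natural", "Flood disables primary data centre",
                  "No alternate processing site", Level.LOW,
                  Level.VERY_LOW, Level.VERY_LOW, Level.HIGH, "Accept"),
        RiskEntry("Adversarial/Nation-state", "Remote compromise of an unpatched edge appliance",
                  "Patch latency exceeds 90 days for perimeter devices", Level.MODERATE,
                  Level.HIGH, Level.MODERATE, Level.MODERATE, "Mitigate",
                  "Enforce 14-day patch SLA and enable vendor threat feed", residual_likelihood=Level.VERY_LOW),
    ]


if __name__ == "__main__":
    for e in prioritize(sample_entries()):
        print(f"{e.inherent_risk().name:9} -> {e.residual_risk().name:9} {e.threat_event}")
```

Running the block prints the prioritised list with inherent and residual levels side by side; the first entry ranks HIGH because its Confidentiality impact dominates the overall impact, and drops to LOW once the planned mitigation lowers likelihood. The `__post_init__` check is the kind of guard an auditor-facing tool wants: an entry with a response outside Accept/Avoid/Transfer/Mitigate cannot enter the assessment at all.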
A risk assessment is only useful if it can be shared, revisited, and updated. Pro adds the I/O layer so your work lives beyond the browser session.
Save your complete risk assessment as a JSON file and reload it in a future session. Share drafts with colleagues or maintain a version archive as the system evolves over time.
Generate an Excel workbook with all risk entries, likelihood/impact scores, risk levels, and response plans — ready for distribution to leadership, AOs, or system owners who work outside the browser tool.
Produce a print-ready SP 800-30 aligned report with the heat matrix, risk assessment table, and response plans formatted for inclusion in an ATO package or plan of action.
Compare snapshots across time to see how your risk posture evolves as controls are implemented. Track residual risk movement, remediation velocity, and closure rates over periodic assessments.
Start identifying threats and scoring risk levels immediately — no setup, no account required. Pro adds the export layer when you're ready to share your findings.