Getting started

Welcome to ShieldIQ. This guide walks you through your first hour on the platform — from your first assessment to a board-ready PDF report.

Tutorial: Your first compliance assessment

Tutorial: Setting up your GRC programme

Navigating the platform

• Dashboard Quick Access tiles — jump to any module in one click. Tiles are draggable so you can reorder them.
• Side drawer menu — click the hamburger icon for a full module list grouped by category (GRC, Tools, Privacy).
• Activity feed — the dashboard shows who changed what and when, with field-level diffs on every update.
• Compliance calendar — a single view of every deadline across your programme (evidence expiry, policy reviews, vendor contracts, incident deadlines, retest dates).

Assessments

What it is: structured questionnaires across 9 compliance frameworks, scored individually per category by AI.

The 9 frameworks:

• NIST CSF 2.0 — Govern / Identify / Protect / Detect / Respond / Recover
• NIS2 Directive — EU cybersecurity for essential and important entities
• GDPR — EU data protection
• ISO 27001 — Information security management standard
• DORA — Digital Operational Resilience Act for financial services
• SOC 2 — Trust Services Criteria
• Cyber Essentials — UK government 5 core technical controls
• EU AI Act — EU artificial intelligence regulation
• PCI DSS — Payment card industry data security

Key features:

• Target maturity levels — set goals per category, see them as an overlay on the spider graph
• Auto-save — your progress is saved on every answer change, in localStorage
• Conditional questions — some questions only appear based on prior answers
• Re-take any time — click "Duplicate" on the Previous Assessments page to start fresh with the same framework
• Schedule reassessments — set a cadence (quarterly, biannual, annual) and the calendar will remind you

Tip: low-scoring categories show a "Get expert support" CTA that links to the ShieldIQ Cyber consultancy.

Control library

What it is: the central source of truth for every control in your compliance programme. Each control can be linked to multiple frameworks via cross-mapping, so the same control can satisfy NIST CSF, ISO 27001 and Cyber Essentials simultaneously.

Key concepts:

• Control status — not started / in progress / implemented / not applicable. Updated automatically when you sync from an assessment.
• Framework mappings — one control can map to many frameworks (e.g. NIST PR.AC-1 = ISO A.5.15 = CE Access Control)
• Evidence attachment — click the paperclip icon to upload evidence files; the green count shows how many are attached
• Sync from assessment — on the Controls page, click "Sync from latest" to pull statuses from your most recent assessment scores
• AI evidence analyser — click the magic-wand icon next to any evidence file to have our AI judge whether it satisfies the linked control

Tip: the paperclip indicator on each control row turns green when evidence is attached. Click it to expand the evidence list inline.

Policy Manager

What it is: versioned policy documents with control mappings and employee acknowledgment tracking.

Key features:

• AI Policy Generator — pick a policy type (Acceptable Use, Information Security, Data Retention, etc.) plus your scope, framework hint and linked controls. Our AI drafts a tailored policy you can review, edit, and save as a draft.
• 20 pre-built policy types covering the standard SME policy library
• Versioning — every save creates a new version. Old versions stay accessible.
• Acknowledgments — track which employees have read and acknowledged the current version. Pending acknowledgments appear on each user's dashboard.
• Control mappings — link policies to controls so the audit ZIP export shows the policy that proves the control

Where to find it: Quick Access tile → Policies, or via the nav drawer.

Risk register

What it is: a structured register with both qualitative (5×5 grid) and quantitative (FAIR-lite monetary) risk scoring, treatment workflows, and budget tracking.

Tutorial: Creating and scoring a risk

Qualitative scoring

Standard 5×5 likelihood × impact grid. The live score card in the editor updates as you change either value. Risks are auto-bucketed:

• Low — score 1-5
• Medium — score 6-11
• High — score 12-19
• Critical — score 20-25

FAIR-lite quantitative

Open the collapsible "Quantitative loss expectancy" section in the risk editor:

• SLE (Single Loss Expectancy) — min / most-likely / max in your tenant currency
• ARO (Annual Rate of Occurrence) — events per year (decimals welcome, e.g. 0.5 = once every 2 years)
• ALE (Annualized Loss Expectancy) — auto-computed = SLE most-likely × ARO

The risks page shows a tenant-wide ALE rollup card with min/max confidence range and top categories by loss expectancy.

Acceptance workflow

Setting a risk's treatment to accept kicks off a formal request flow:

1. Click "Request acceptance" in the editor
2. Provide justification (min 10 chars), business case, compensating controls, optional expiry date
3. Admin/DPO reviews and approves or rejects
4. Approved acceptances flip the risk to accepted; the request can be revoked at any time
5. Acceptances with an expiry date auto-reopen the risk when they expire (sweep via the "Expire stale" button)

Separation of duties: the requester can never self-approve, even if they're an admin.

Approval evidence: upload a supporting document (email screenshot, signed approval) directly on the acceptance card, and/or paste an external approval URL (Jira ticket, SharePoint link) for auditability.

Deferred risks

When a risk needs to be deferred rather than immediately treated, set the status to Deferred. This reveals two fields:

• Deferred until — the date the deferral expires (shown as a blue badge in the register: "deferred → 2026-06-30")
• Deferral justification — why the risk is being deferred (captured in the audit trail)

When the status changes away from Deferred, both fields are automatically cleared.

Treatment plans + budget

Each risk can have multiple treatment plans (iterations or alternatives). Each plan tracks:

• Currency, estimated cost, actual cost, budget variance (auto-coloured red over / green under)
• Start date, target date, completion date
• Owner
• Milestones with their own status (pending / in progress / complete / blocked)
• Progress bar driven by milestone completion

The Treatment portfolio endpoint rolls up budget vs actual across the entire tenant for the dashboard view.

Vendor-inherited risks

When a vendor scores poorly on its TPRM assessment (default threshold 70%), use the "Generate inherited risk" button on the vendor detail page. ShieldIQ creates a register entry tagged source=vendor with appropriate likelihood and impact, linked back to the vendor and its assessment. Inherited risks show a vendor icon in the register list.

Linked assets

Link assets to risks via the "Linked Assets" card in the risk editor. This creates a bidirectional M2M relationship — open an asset and you'll see the risk listed too. Useful for tracking which systems are affected by each risk.

Tip: the AI risk generator on the assessment results page automatically creates risks for any low-scoring categories.

Asset register

What it is: structured inventory of your information assets with classification, ownership, criticality and control linkage.

Per-asset fields:

• Type — database / server / SaaS / endpoint / network / data store / etc.
• Classification — public / internal / confidential / restricted
• Criticality — low / medium / high / critical
• Owner, location, vendor link, IP/hostname for technical assets
• Linked controls — which controls protect this asset
• Linked ROPA records — which processing activities use this asset

Bulk import: use the CSV import wizard to load 200+ assets at once. See Bulk CSV import.

Vendor risk management (TPRM)

What it is: third-party risk management module covering vendor inventory, questionnaires, scoring, and risk auto-generation.

Two pre-built questionnaire templates:

• Lite — 10 questions, ~5 minutes. Suitable for low-criticality vendors.
• Standard — 42 questions across data handling, security controls, SLA, and incident response. ~15-20 min.

How it works:

1. Add a vendor with criticality, contract dates, data exposure
2. Send (or fill on their behalf) one of the questionnaires
3. Each question has a risk-flag rule — high-risk answers auto-flag
4. Score = sum(positive answers) / sum(weights) × 100
5. Decision: approved / conditional / rejected
6. Reject or conditional auto-creates a risk in the register, linked back to the vendor

The vendor detail page has a "Generate inherited risk" button that creates a register entry whenever a vendor's score is below the threshold (default 70%). See Risk register → vendor-inherited risks.

Editable vendor detail: all vendor fields are editable directly on the detail page — name, website, contacts, criticality, status, type, region, data classification, contract dates, DPA status, and notes. Click "Save changes" to persist.

Linked items: link controls and risks to vendors via the modal multi-select. Useful for tracking which controls a vendor should comply with, and which risks they introduce. Links auto-save when you click Apply.

Where to find it: GRC → Vendors, or via the Quick Access tile.

Incident management

What it is: structured incident lifecycle management with automatic regulatory deadline calculation and AI-drafted notification templates.

Reporting an incident

Click the "Report Incident" button (always visible in the nav) and fill in:

• Title, description, severity (low / medium / high / critical)
• Category (data breach / phishing / malware / DDoS / insider threat / lost device / system outage / supplier incident / misconfiguration)
• "This is a personal data breach (GDPR Art. 33)" tick — triggers the 72h notification clock
• Approximate number of affected data subjects

ShieldIQ auto-generates a reference (INC-YYYY-NNNN) and computes the regulatory notification deadline based on the category and tenant country.

Regulatory deadlines (auto-computed)

• GDPR Art. 33 — 72 hours from awareness for personal data breaches
• NIS2 Art. 23 — 24 hours initial early warning + 72h notification + 1 month final report
• DORA Art. 19 — 4 hours classification + 24 hours initial notification

The incident card shows a countdown banner that pulses red when the deadline is <24h or overdue.

AI-drafted regulator notification

Click "AI Draft Notification" on the incident detail page. Our AI takes the incident facts (title, description, category, breach status, data subjects affected, your tenant country) and drafts a regulator-ready notification using the right legal template (Art. 33 / NIS2 / DORA). Edit and download as a PDF or copy to clipboard.

Lifecycle & closure

Incidents move through: detected → triaged → investigating → contained → eradicated → recovered → closed. Closure prompts you to enter lessons learned, which optionally auto-creates a risk register entry for follow-up.

Cross-links: incidents can have evidence attached (Evidence module) and remediation actions linked (Actions module). Incident timelines log every status change automatically.

Evidence + freshness

What it is: structured evidence storage that ties files to controls, assessments and incidents with expiry-date tracking and AI judging.

Upload pipeline

Every uploaded file goes through a layered validation:

1. Extension allow-list
2. Magic-bytes check (real file type, not just the extension)
3. Type-specific scans: PDF active content scan, DOCX/XLSX macro scan, text/CSV script scan, image metadata scan
4. Optional ClamAV scan

Files that fail any check are rejected with a specific reason.

Evidence reuse

One file can satisfy multiple controls. After uploading, click the "Link to additional controls" button and pick the additional controls. The file appears in all linked controls' evidence lists.

Freshness + expiry

When uploading, set a "Valid for" period (30 days / 3 months / 6 months / 1 year / 2 years / custom date). Evidence freshness badges show on the control modal:

• Fresh — expires >30 days away (or no expiry set)
• Soon — expires within 30 days
• Expired — past the expiry date

The dashboard "Calendar" widget surfaces all evidence expiring in the next 30 days.

AI evidence analyser

Click the magic-wand icon next to any evidence file. Our AI reads the file (PDF / DOCX / XLSX / TXT / CSV / image via vision) and judges whether it satisfies the linked control. You get a verdict (satisfies / partial / does_not_satisfy), confidence score, and gap analysis.

Download safety: evidence downloads are forced as application/octet-stream with X-Content-Type-Options: nosniff and a Content-Security-Policy: default-src 'none' header so the browser can't render anything inline.

ROPA register (GDPR Art. 30)

What it is: Records of Processing Activities — the structured Article 30(1) field set that controllers must maintain. Required for any organisation with 250+ employees, or any organisation processing high-risk / regular / special-category data (so basically: everyone).

What you record per activity

• Identification — activity name, status (draft / active / archived)
• Controller / DPO — controller name + contact, DPO contact, joint controllers, representative (for non-EU controllers)
• Purposes — what the processing is for
• Legal basis (Art. 6) — consent / contract / legal obligation / vital interests / public task / legitimate interests
• Data subjects — categories (customers, employees, prospects, minors, etc.)
• Personal data categories — types of data (contact details, financial, health, etc.)
• Special category data (Art. 9) — flag + Art. 9 condition dropdown
• Children's data (Art. 8) — flag for separate regulator focus
• Recipients — categories of who receives the data
• Third-country transfers — structured list of {country, mechanism} with mechanism dropdown (Adequacy / SCCs / BCRs / Code of conduct / Certification / Derogation)
• Retention — period, basis, deletion method
• TOMs — technical and organisational security measures
• Linked assets & vendors — which assets implement this and which processors are involved

Auto reference IDs

Records are numbered ROPA-YYYY-NNN per tenant per year.

Export

The "Export CSV" button on the ROPA register page streams a regulator-ready CSV in the format supervisory authorities expect.

Tip: the summary cards on the register page show counts of records with special category data, records involving children, and records with cross-border transfers — these are the ones the regulator will look at first.

DPIA workflow (GDPR Art. 35)

What it is: a structured 6-step Data Protection Impact Assessment workflow following the EDPB template. Mandatory under Art. 35 when processing is likely to result in a high risk to data subjects' rights and freedoms.

The 6 steps

1. Identify — name, processing description, link to a ROPA record
2. Necessity & proportionality (Art. 35(7)(b)) — why this processing is necessary, what less intrusive alternatives were considered
3. Consultation — DPO consulted on date + advice; data subjects consulted (or reason if not)
4. Risks to rights & freedoms — inline list with the same 1-5 likelihood/severity grid as the risk register, with separate residual scores
5. Mitigations — the measures you'll take to bring the risk down. Can link to existing risk treatment plans for traceability.
6. Sign-off — outcome (proceed / proceed with conditions / do not proceed) + DPO sign-off

Auto Art. 36 trigger

If any risk's residual likelihood × severity is ≥ 16, ShieldIQ flags "Prior consultation required". You can't sign off the DPIA until you've recorded evidence of consulting your supervisory authority (date + response).

Sign-off

Sign-off is admin/DPO-only. ShieldIQ requires all mandatory fields to be present (description, necessity, proportionality, risks, mitigations, outcome). Once signed off, the DPIA becomes immutable — further changes must go through "Duplicate (new version)", which bumps the version number and supersedes the previous record.

Re-reviews

Schedule re-reviews via the DPIA detail page. Required by Art. 35(11) when the risk profile changes. Reviews show on the compliance calendar.

Tip: DPIAs always link to a ROPA record, so the regulator can trace the full processing → assessment chain.

Pen test report repository

What it is: structured engagement records for every penetration test with findings counts, retest scheduling, file storage, and risk linkage.

Per-engagement fields:

• Auto reference ID (PT-YYYY-NNN per tenant per year)
• Title, vendor name + contact
• Methodology — black box / grey box / white box / OWASP / PTES / PCI ASV / custom
• Scope description, test start/end dates, report received date
• Findings counts per severity (critical / high / medium / low / info)
• Executive summary
• Status (draft / final / remediated / superseded)
• Next retest date (shows on the compliance calendar)
• Linked risks (M2M to the risk register)

File upload: the report file goes through the same validated-upload pipeline as evidence (magic bytes, active-content scan, ClamAV). The file icon in the list matches the file type (PDF = red, DOCX = blue, other = grey). Download is forced as binary.

Tags & external links: add custom tags (e.g. "Internal Network", "PCI Segmentation") for filtering and external tracking links (Jira, GitHub) for remediation tracking.

Filters: the list page has from-date / to-date / status filters above the table.

Validation rules:

• Status = "Final" requires a completed date
• Status = "Remediated" requires a retest date

Multi-file attachments: upload multiple report files per engagement (PDF, DOCX, XLSX, images). Each file gets its own download link and type-specific icon. Previous files are preserved, not replaced.

Linked items: link controls and risks to each pen test via the modal multi-select. Useful for mapping findings to specific controls and tracking which risks were identified.

Where to find it: GRC → Pen Tests, or via the Quick Access tile.

BCDR test tracking

What it is: a lightweight module to record Business Continuity and Disaster Recovery test exercises, their outcomes, and the remediation actions that arise from them.

Tutorial: Recording a BCDR test

Per-test fields:

• Auto reference ID (BCDR-YYYY-NNN per tenant per year)
• Test type (BCP / DR / Tabletop / Failover / Full Exercise)
• Scope, test date, next scheduled test date
• Outcome (Successful / Partial / Failed)
• Observations, gaps identified, remediation actions + owners
• Evidence file upload (same validated pipeline as pen tests)
• Tags, external links, linked risks, linked incidents
• Status (Draft / Completed / Reviewed)

Summary cards: the list page shows total tests, successful, partial, and failed counts.

Why it matters: BCDR testing is a common audit and compliance requirement (ISO 22301, NIST SP 800-34, DORA Art. 26). Having structured records with evidence makes audit preparation straightforward.

Compliance certificates & badges

What it is: generate a verifiable compliance certificate from any completed assessment, with an embeddable SVG badge for your website.

Tutorial: Generating and using a certificate

The badge shows: "CERTIFIED" banner, your company name, overall score (%), framework name, level (Basic / Intermediate / Advanced), year, and app.shieldiqcyber.com footer.

Verification page: the public verification URL shows a branded page with status (Verified / Expired / Revoked / Not Found), company name, framework, score, issue date, and expiry date. API clients can append ?format=json for machine-readable verification.

Validity: certificates are valid for 1 year from the assessment date. Expired certificates show as "Expired" on the verification page.

Tags & external links

What it is: custom labels and tracking links that you can attach to any risk, pen test, BCDR test, control, asset, vendor, incident, or policy.

Tags

• Create tags by typing a name in the tag picker on any editor and pressing Enter or clicking +. Tags that already exist in your tenant auto-complete via the dropdown.
• Remove tags by clicking the × on the tag chip.
• Tags save immediately — no need to click Save on the parent record.
• Tags show in list tables as coloured badges under the category/title column for quick visual scanning.
• Use cases: "Internal Network Pentest", "PCI Scope", "Q2 Sprint", "High Priority", "Outsourced", "Decommissioned".

External links

• Attach links to external systems (Jira tickets, GitHub issues, SharePoint docs, Confluence pages) on risks and pen tests.
• Each link has a label (e.g. "Jira") and a URL. Click the open icon to jump to it in a new tab.
• Add/remove rows with the + Add link / × buttons. Links are saved when you save the parent record.

Where they appear: the Tags and External Links sections are in the editor for Risks, Pen Tests, and BCDR Tests. Tags are supported on 8 resource types; external links on risks and pen tests.

Compliance calendar

What it is: a unified view of every date that matters across your compliance programme.

What it pulls in (automatically):

• Control review due dates (from review_frequency_days on each control)
• Evidence expiry dates (from expires_at)
• Policy next-review dates
• Risk review dates
• Remediation action due dates
• Reassessment schedules
• Vendor contract end dates + assessment due dates
• Incident regulatory notification deadlines
• DPIA scheduled re-reviews
• Pen test next retest dates

Two views:

• Month grid — calendar layout with colour-coded events per type
• List view — chronological list grouped by date

The dashboard widget shows the next 7-14 days. The page also shows a 6-card stat strip (total / regulatory / evidence / reviews / contracts / actions).

Tip: click any event to jump straight to the underlying record.

Comments + activity feed

What it is: threaded comments with @mentions and a tenant-wide activity feed driven by the audit log.

Comments are available on:

• Controls (in the control detail modal)
• Vendors (on the vendor detail page)
• Incidents (on the incident detail page)

@mentions — type @username in any comment. ShieldIQ resolves the mention against your tenant members (no cross-tenant exposure) and creates a Mention record. Mentioned users see them in their account drawer.

Activity feed on the dashboard shows the last N events from the audit log: who created/updated/deleted what, when, with action-coloured icons and relative timestamps. Update events show field-level diffs (e.g. "status: open → mitigated · likelihood: 3 → 4") so you can see exactly what changed at a glance.

Editing: comments can be edited within 15 minutes of posting. After that, edits leave an "edited" timestamp visible. Soft-delete only — the audit log keeps the original.

Bulk CSV import + export

What it is: a 3-step wizard for importing risks, assets and vendors from CSV. No more hand-entering 200 assets.

The flow:

1. File picker — pick your CSV. UTF-8-sig accepted.
2. Preview & validate — ShieldIQ parses up to 500 rows and shows them in a table with red highlighting on rows that have errors. Common errors: missing required fields, invalid enum values, malformed dates.
3. Confirm — click confirm and ShieldIQ creates the rows. Errored rows are skipped (you fix them and re-upload).

Exports are available from the same buttons on each register page. CSVs are generated via defusedcsv to prevent formula injection attacks.

Where to find it: the "Import" and "Export" buttons in the page header on the Risks, Assets, and Vendors pages.

Remediation actions

What it is: a kanban board for tracking remediation tasks generated from assessments, risks, vendor reviews, and incidents.

Columns: Backlog → In Progress → Blocked → Done

Per-action fields: title, description, owner, due date, source (assessment / risk / vendor / incident / manual), effort (low / medium / high), impact (low / medium / high), priority bucket (low effort + high impact = "fix first")

Auto-generation: the assessment results page has a "Generate Actions" button that creates one action per low-scoring category, prefilled with the AI's recommendations.

Tip: drag actions between columns to update their status. The dashboard widget shows the top 5 "fix first" actions.

Network scanner

What it is: NMAP-based vulnerability scanner with AI analysis of the results.

Three scan profiles:

• Quick — top 1000 TCP ports, ~30 sec, available on Starter
• Standard — full port range, OS fingerprint, service detection, ~5 min, Business+
• Deep — standard + NSE vulnerability scripts, ~15 min, Enterprise

After the scan completes, our AI analyses the open ports, identified services, and any version banners, then writes a plain-English summary of the risks and what to do about them.

Compliance use: link scan results to specific controls (e.g. NIST PR.AC-3 = "Remote access is managed") for evidence.

AI features (unified credit pool)

ShieldIQ has five AI features. They share a single monthly credit pool that drains by one credit on each successful call.

Tier credit allocations:

• Starter: 0 credits
• Individual: 10 credits/month
• Professional: 50 credits/month
• Business: 200 credits/month
• Enterprise: 1,000+ credits/month

Credits reset on the 1st of each month. Unused credits do not roll over. Top-up packs are available if you exhaust your quota mid-month.

What costs a credit:

• AI Policy Generator (1 credit per generated policy)
• AI Evidence Analyser (1 credit per evidence file analysed)
• AI Cross-Framework Gap Analysis (1 credit per analysis)
• AI Incident Notification Drafter (uses a separate incident_ai_drafts_per_month pool)

Free: per-category assessment scoring runs on every assessment submission and is bundled into the cost of the assessment.

Tenant security policy

What it is: tenant-wide controls for authentication, session lifetime, password rules and anomaly detection. Admin-only.

Where to find it: Organisation page → Security Policy card.

Settings:

• Require MFA — force all users to enable MFA. Comes with a configurable grace period (in days) so existing users have time to set it up before being locked out.
• Session timeouts — idle timeout in minutes + absolute max session in hours
• Password policy — minimum length (clamped 8-128) + complexity flag (upper, lower, digit, symbol)
• Anomaly detection — enable/disable, with options to email users on high-risk sign-ins and require step-up MFA

Effect: when MFA is required and a user past the grace period tries to sign in without MFA enabled, they get a 403 with a message directing them to set up MFA in Account Settings.

Login anomaly detection

What it is: ShieldIQ scores every login attempt for risk on five factors and alerts when something looks unusual.

The 5 factors (cumulative score):

• New country (+30) — flagged when the geolocated IP country is one you've never signed in from before
• New device (+15) — flagged when the User-Agent fingerprint is new. Suppressed if the device is on your trusted list.
• Impossible travel (+50) — flagged when the distance from your last login is >500 km AND would require >900 km/h (faster than a commercial aircraft)
• Unusual hour (+10) — flagged when the sign-in is >3 hours from any of your historical hours. Only kicks in once you have ≥10 prior successful logins.
• Known-bad IP (+20) — flagged when the IP is on a threat-intel block list

Risk levels:

• Low — score 0-24
• Medium — score 25-49
• High — score 50+

High-risk sign-ins fire an email alert (if your tenant has alerting enabled). With "Step-up on risk" enabled, high-risk sign-ins also force a re-auth before the user can do anything.

Trusted devices: on your Account page, click "Trust this device" to add the current browser to your trusted list. Trusted devices skip the new-device flag. Revoke trust at any time from the same page.

Where to view events: the Organisation page (admin view of all tenant events) and your Account page (your own last 50 events).

Organisation + auditor mode

What it is: team accounts with role-based permissions and a special read-only mode for external auditors.

Roles:

• Owner — created the org, can do everything including billing
• Admin — can manage members, security policy, controls, policies, risks, etc.
• Member — standard user
• Auditor — time-boxed read-only role for external auditors

Auditor mode

Use the "External Auditors" card on the Organisation page to invite an auditor with a specific expiry date (7 / 14 / 30 / 60 / 90 days). They sign in with normal credentials but every non-GET request is rejected by the API. The UI hides write controls and shows a yellow auditor banner. After their access expires, their sessions are terminated automatically.

Audit ZIP export: the Business+ tiers can generate a full audit-ready ZIP containing controls, risks, evidence, policies, ROPA records, DPIAs and the audit log. Use this to hand over to an auditor without giving them login access.

Account, security & MFA

The Account page (top-right user menu) lets you manage:

• Profile — email and company name
• Password — change password (requires current password). Passwords are hashed with PBKDF2-SHA256 with a random per-user salt. They are never stored in plain text and cannot be recovered — only reset.
• MFA — enable TOTP (compatible with Google Authenticator, Microsoft Authenticator, Authy, 1Password, and any other TOTP app). Scan the QR code, verify a 6-digit code, done.
• Trusted devices — see and revoke devices that have been marked trusted
• Recent sign-in activity — your last 50 login events with risk scores and locations

Login & registration security

• Cloudflare Turnstile CAPTCHA — both the login and registration forms are protected by Cloudflare Turnstile to prevent automated credential stuffing and bot registrations. The challenge is invisible in most cases.
• Account lockout — after multiple failed login attempts, the account is temporarily locked. The lockout duration increases with each consecutive failure.
• Login anomaly detection — every sign-in is scored for risk (new country, new device, impossible travel, unusual hour). High-risk sign-ins trigger an alert. See the anomaly detection section for details.
• Forced MFA — your organisation admin can require all users to enable MFA, with a grace period for setup. See the security policy section.

Evidence storage

All uploaded evidence files and pen test reports are stored in Amazon S3 with server-side encryption (AES-256). Files are versioned, so accidental overwrites can be recovered. Downloads are served via time-limited presigned URLs that expire after 5 minutes.

Tip: if your organisation has "Require MFA" enabled, you'll see a banner counting down your grace period. Set up MFA before it expires or you'll be locked out.

Plans & limits

ShieldIQ offers five tiers. All paid plans save ~17% with annual billing (pay for 10 months, get 12).

Note: charity, education, and early-adopter discounts are available. Contact us for details.

Add-on packs

Need more of a specific resource without upgrading your full plan? Add-on packs extend individual limits on top of your current tier.

To purchase an add-on pack, email info@shieldiqcyber.com with your account email and the add-on you need. We'll apply it within 24 hours.

Dashboard

The dashboard is your operational command centre — a single-glance view of your entire compliance programme.

Metric cards

Two rows of clickable cards showing live counts with mini severity/status breakdowns:

• Open Risks — count + critical/high/medium breakdown. Click → Risks page.
• Active Incidents — count + severity. Card highlights red when incidents are active. Click → Incidents page.
• Open Actions — to-do + in-progress count. Click → Actions kanban.
• Policies / Assets — total counts. Click → respective pages.
• Vendors — count + active vendors. Click → Vendors page.
• Controls — total controls. Click → Control Library page.
• Pen Tests / BCDR Tests — count + critical findings or failed tests. Click → respective pages.
• Deadlines (7 days) — upcoming calendar events. Click → Compliance Calendar.

Compliance Posture

Horizontal progress bars showing your latest assessment score per framework, colour-coded (green ≥70%, amber ≥40%, red <40%). Click any bar to jump to that framework's results. Shows "Overall: X%" average across all assessed frameworks.

Onboarding checklist

New users see a checklist at the top of the dashboard with 5 steps: complete an assessment, sync controls, create a policy, register risks, add vendors. Each step auto-detects when complete (green checkmark). Dismiss with the × button once you're up and running.

Risk Severity Distribution

Coloured bar showing the proportion of risks at each severity level (Critical/High/Medium/Low). Click → Risks page.

Search & navigation

Global search

The search bar at the bottom of the navigation bar searches across all modules — risks, controls, policies, incidents, vendors, and assets — by keyword. Results appear in a grouped dropdown. Click a result to jump to that item's detail view.

Shortcut: press Ctrl+K (or ⌘+K on Mac) from anywhere to focus the search bar instantly.

Desktop navigation bar

When logged in on desktop, a full navigation bar replaces the top links with grouped dropdown menus:

• Dashboard — direct link
• Assess — New Assessment, Previous, Actions, Calendar
• GRC — Controls, Policies, Risks, Assets, Vendors, Incidents, BCDR Tests, Pen Tests
• Privacy — ROPA, DPIA
• Tools — Network Scanner, Activity Feed
• Team — Organisation, My Account, Admin, Super Admin

The right side shows: notification bell, Help, Blog, Trust, Login/Logout, Report Incident button, and dark mode toggle.

Breadcrumbs

When editing a risk, viewing a vendor, or working in any detail view, a breadcrumb trail appears below the navigation: Dashboard > Risks > Unpatched servers. Click any segment to navigate back to that level.

"What's next" prompts

After completing a key action (assessment, risk creation, policy creation, incident close, evidence upload), a floating card appears at the bottom-left suggesting natural next steps. Auto-dismisses after 15 seconds or click any button to navigate.

Linking items together

ShieldIQ uses a connected data model — risks link to controls, controls link to policies, assets link to risks, vendors link to controls. These relationships are central to how a GRC programme works.

How to link

Every editor (Risk, Policy, Asset, Vendor, Pen Test, BCDR Test) has linked-item cards — uniform panels with a coloured icon and a "Link Controls..." (or Risks/Assets) button. Clicking the button opens a modal with a searchable checkbox list where you can select multiple items at once. Click Apply to save.

What can link to what

Viewing links

• Chips on list pages — linked controls show as green badges (e.g. AC-01) on policy rows, risk rows, and asset rows. Click a chip to open the control detail.
• Relationship chips on detail views — the Control detail modal, Risk editor, Incident detail, and Vendor detail show coloured count badges: "3 risks mitigated", "2 evidence files", etc.
• Bidirectional — link a risk from an asset, then open that risk — the asset appears in its Linked Assets section. Same in both directions.

Notifications

The bell icon in the navigation bar shows a red badge with the count of pending items that need attention. Click the bell to open the notification panel.

What triggers a notification:

• Evidence expiring — evidence files with an expiry date within 30 days
• Overdue risk reviews — risks with a review date in the past
• Incident regulatory deadlines — active incidents with an unsent regulatory notification approaching its deadline
• Unread @mentions — someone mentioned you in a comment
• Overdue remediation actions — actions past their due date
• Vendor contract expiry — vendor contracts ending within 30 days

Click any notification to navigate directly to the relevant record. The panel auto-refreshes every 5 minutes.

Threat intelligence

The Threat Intel page (Tools → Threat Intel, or the red shield icon in the top nav) aggregates live cyber threat data and regulatory signal in one place.

Known Exploited Vulnerabilities (KEV + EPSS)

Shows the 20 most recently added entries from the CISA Known Exploited Vulnerabilities catalog — every entry is confirmed exploited in the wild. Each vulnerability is enriched with an EPSS score (Exploit Prediction Scoring System) showing the probability of exploitation in the next 30 days.

• Sort toggle — switch between "Most Recent" (default) and "Exploit Likelihood" (EPSS percentile)
• EPSS badges — red (top 5%), amber (high 90%+), dim amber (elevated 70%+). Hover for the exact percentile.
• Ransomware flag — entries linked to known ransomware campaigns get a red "RANSOMWARE" badge and tinted row
• Overdue dates — remediation deadlines in the past show in red
• Click any row to see the full CVE detail modal with description, required action, EPSS data, and links to NVD and CISA
• Add to risks — the + icon creates a risk register entry pre-filled from the CVE data

Regulatory Enforcement

Recent enforcement actions from data protection and cybersecurity regulators: DPC (Ireland), ICO (UK), EDPB (EU), and CNIL (France). Data is scraped automatically every 6 hours from official regulator feeds and press releases.

• Each row shows the regulator badge, organisation name, and fine amount
• Click any row for a detail modal with full summary, legal basis / GDPR articles cited, and a link to the regulator's source page
• Fine amounts are auto-extracted from press releases where available

Ransomware Activity

Recent ransomware victim postings aggregated from ransomware.live. Two views:

• Victims view (default) — 10 most recent postings with organisation name, sector, country, threat group, and days since posting
• Sectors view — horizontal bar chart of victim counts by sector
• Click any row for a detail modal with full description, screenshot (where available), and links to ransomware.live
• TTPs button — shows the threat group's MITRE ATT&CK tactics and techniques
• Tools & IOCs button — shows known tools grouped by category (credential theft, exfiltration, RMM tools, etc.) plus reference links (CISA alerts, research posts)

Regulatory Horizon

A carousel of upcoming regulatory milestones relevant to EU/UK/Global compliance. Hand-curated and updated monthly. Covers DORA, NIS2, EU AI Act, GDPR, ISO 27001, Cyber Essentials, and PCI DSS. Click any card for a detail modal with the full description and source link.

Cyber Security News

Aggregated RSS from 5 reputable sources: Krebs on Security, BleepingComputer, The Record, SANS ISC, and NCSC UK. Shows the 10 most recent articles with source badge and relative timestamp. Click to open the article in a new tab.

Data freshness: KEV and news update every 15 minutes. Ransomware every 30 minutes. Enforcement every 6 hours. Regulatory horizon is static (hand-curated). All feeds cache server-side and serve stale data if the upstream is temporarily unreachable.

Keyboard shortcuts

A few global shortcuts to speed things up:

Frequently asked questions