About Us

Spartacus is a governed cybersecurity platform designed to help organisations and consultancies make defensible cybersecurity decisions over time. It brings assessment, evidence, analysis, reporting, improvement planning, and long-term visibility into one structured environment, so work stays connected rather than fragmenting across spreadsheets, documents, and disconnected tools.

Rather than operating as a narrow point solution, Spartacus supports multiple cybersecurity decision lenses within one platform model, including framework maturity, implementation progress, quantitative risk, control and investment decisions, third-party assurance, and bespoke methodologies.

Rather than operating as a narrow point solution, Spartacus supports multiple cybersecurity decision lenses within one platform model, including framework maturity, implementation progress, quantitative risk, control and investment decisions, third-party assurance, and bespoke methodologies.

Spartacus exists because many cybersecurity programmes struggle for structural rather than technical reasons. Work fragments across tools and teams, evidence becomes disconnected from the decisions it supports, reporting has to be rebuilt manually, and prior conclusions become difficult to revisit or defend when scope, stakeholders, or assurance expectations change.

Spartacus is designed to remove that structural fragility by preserving continuity, comparability, and governance across the full lifecycle. The result is not just more efficient delivery, but a more sustainable model in which insight compounds over time instead of decaying between assessments and reporting cycles.

Spartacus is different because it does not treat cybersecurity work as a series of isolated outputs. Many assessment tools can generate a score, a chart, or a report, but they often struggle to preserve context, maintain comparability, or support decision-making once work needs to be repeated, challenged, extended, or governed over time. Spartacus is designed as a platform operating model rather than a single-purpose utility.

That means it supports multiple decision lenses in one governed environment and keeps assessment, evidence, analysis, reporting, and improvement activity aligned. For organisations and consultancies, that creates a more durable basis for both immediate decisions and longer-term programmes.

Spartacus is not designed to be a checklist, questionnaire, reporting, or ticketing tool. Its role is to provide the governed structure within which assessment, evidence, analysis, reporting, and improvement planning remain connected, repeatable, and defensible over time.

It does not replace professional judgement, consultancy delivery, or organisational ownership of cybersecurity outcomes. Instead, Spartacus provides a more governed and connected foundation for those activities, supporting clearer oversight, stronger continuity, and better-informed strategic decisions as programmes scale and mature.

Spartacus is designed for cybersecurity consultancies, internal cybersecurity and GRC teams, programme and transformation leaders, and organisations that need a more structured and repeatable way to govern cybersecurity over time. It is especially well suited to environments where multiple contributors, frameworks, clients, business units, or repeated delivery cycles need to be coordinated without losing consistency or control.

It is also well suited to mixed-maturity delivery teams. Spartacus is designed so less experienced contributors can work within governed boundaries, while senior practitioners retain oversight, decision authority, and quality control across the wider programme.

Spartacus helps consultancies turn cybersecurity delivery into a more repeatable and commercially resilient service model. It reduces avoidable rework, improves consistency across teams, and supports stronger productisation by keeping delivery outputs, evidence, and reporting aligned within one governed workflow rather than relying on bespoke manual effort for every engagement.

That commercial value is reinforced by the way reporting is handled in the platform. Analysis outputs and charts are generated from the underlying assessment context, while scoring, findings & recommendations, and report structure remain connected to the same governed model. This helps teams produce more consistent outputs with less reconstruction and formatting effort, allowing consultants to spend more time on interpretation, advice, and client value, and less time rebuilding material manually.

Over time, this supports stronger margin confidence, safer use of mixed-seniority teams, lower delivery variance, and clearer routes into follow-on work such as remediation programmes, advisory retainers, and multi-year client engagements. It also helps consultancies protect and operationalise their methodology and IP more safely as delivery scales.

Yes. Spartacus is designed to support long-term cybersecurity governance and improvement rather than stopping at a single assessment event. Because evidence, outputs, findings, projects, and trends remain connected over time, organisations can revisit prior work more easily, compare results across cycles, and maintain continuity even when teams, stakeholders, or priorities change.

This makes Spartacus particularly useful where maturity tracking, portfolio oversight, reassessment, and sustained programme delivery matter. It helps organisations move from isolated exercises to a more durable operating model for cybersecurity decision-making.

Spartacus currentlysupports four approved Framework Products : NISTCSF 2.0, ISO 27001:2022, CIS Top 18, and CMMC 2.0. Each is delivered asa distinct governed framework product with its own structure, scoring logic,reporting alignment, and value model. 

These frameworks are separate from Spartacus productised capabilities such as Controls,Third-Party Risk Management, Custom Frameworks, Standard Risk, andComprehensive Risk. That distinction matters because Spartacus is designed tosupport multiple decision types, not just one framework view.

Yes. Spartacus includes Custom Frameworks, which enables organisations and consultancies to design, digitise, and govern proprietary, internal, hybrid, and sector-specific methodologies within the same structured platform used for recognised standards.

This is valuable because bespoke models often become inconsistent as delivery scales. Spartacus gives them the same discipline of structured assessment, evidence handling, reporting, projects, and trends, helping preserve the integrity of the methodology across teams, clients, regions, and repeated cycles.

Yes. Spartacus is designed to support more than maturity or compliance-style assessment. In addition to recognised framework packs, it supports complementary decision lenses such as quantitative risk, controls and investment, third-party assurance, and bespoke frameworks, all within one broader governed platform model.

That matters because organisations rarely need just one type of cybersecurity answer. They may need to understand posture, financial exposure, supplier risk, control investment, or internal methodology at different points, and Spartacus is built to support that wider picture.

Yes. Spartacus includes two standalone quantitative risk products: Standard Risk and Comprehensive Risk. These allow organisations and consultancies to express defined cyber risk scenarios in financial terms, adding a different decision lens alongside maturity assessment, implementation review, assurance, and control-led work.

This is useful because not every cyber decision starts with the same question. Some organisations begin with posture or capability, while others need to understand material financial exposure first. Spartacus supports those different starting points without breaking the overall platform model.

No. Spartacus does not provide certification, audit sign-off, or formal attestation against cybersecurity frameworks. Its role is to support structured assessment, evidence-backed review, analysis, reporting, and improvement planning in a more governed and defensible way.

That means Spartacus can help organisations and consultancies improve audit readiness, strengthen traceability, and produce clearer outputs for internal review, external assurance, and stakeholder scrutiny. But responsibility for formal certification, audit judgement, or contractual sign-off remains outside the platform. This distinction is particularly important for standards and frameworks such as ISO 27001 and CMMC, where readiness and defensibility matter, but Spartacus is not positioned as the certifying or auditing authority.

Spartacus uses a governed lifecycle in which assessment, evidence, analysis, reporting, findings, recommendations, improvement planning, and trend visibility remain connected over time. That means work performed at one stage continues to support the next, rather than having to be manually reconstructed in separate files, presentations, or delivery threads.

This connected model is one of the main reasons Spartacus creates long-term value. It helps teams preserve context, reduce rework, and maintain confidence that conclusions, outputs, and next-step decisions are all grounded in the same underlying work.

Spartacus applies governance across framework configuration, scoring, reporting, and workflow through its core governance engines. That helps keep assessments, analysis, reports, projects, and trend views aligned, reducing interpretation drift and making outcomes more repeatable across teams, regions, and repeated engagements.

In practice, that consistency is reinforced through structured assessment models, governed reporting templates, consultant guidance, seeded report content, and workflow alignment across the wider platform. This means delivery confidence depends less on undocumented working habits or individual interpretation, and more on a governed and repeatable model.

Spartacus helps leadership teams and sponsors move beyond isolated reports or point-in-time dashboards. Because assessment, evidence, analysis, reporting, recommendations, projects, and trends remain connected, it becomes easier to understand where issues exist, what they mean, what should be prioritised, and how progress is changing over time.

This is especially valuable in larger or longer-running programmes, where executives need clear visibility without being drawn into draft work or internal delivery mechanics. Spartacus supports that through structured reporting, portfolio views, and longitudinal comparisons that make priorities and progress easier to review at the right level.

Yes. Spartacus supports controlled, read-only client access to approved outputs such as analysis, reports, projects, and trend views. This allows clients and stakeholders to review the outputs they need while keeping internal notes, draft content, review activity, and other protected working material out of view.

That balance matters because transparency is useful, but only when it does not undermine governance. Spartacus allows organisations and consultancies to give stakeholders a clearer and more professional view of progress while retaining control over interpretation, publication, and quality assurance.

Spartacus allows framework products and productised capabilities to be used in a more connected way without forcing them into one rigid sequence. For example, a framework assessment can sit alongside Quantitative Risk, Controls, or Third-Party Risk Management where those decision lenses are useful, allowing organisations and consultancies to expand from one starting point into adjacent services more naturally.

This is valuable commercially because it supports broader cybersecurity conversations without blurring product boundaries. Framework packs remain distinct from productised capabilities, but Spartacus makes it easier to use them in complementary ways when organisations need a wider decision picture.

Spartacus pricing is shaped primarily by the products deployed and the way the platform is used. That means pricing can vary depending on whether you are using Spartacus for framework delivery, quantitative risk, controls, third-party assurance, custom frameworks, or a broader combined deployment.

Where organisations or consultancies use multiple complementary products together, bundled usage can reduce overall cost compared with adopting those capabilities separately. This allows pricing to reflect both the breadth of deployment and the value of a more connected operating model.

TBC

Spartacus uses a strong tenant-isolation model in which each tenant operates as a fully isolated platform instance with its own users, clients, products, assessments, activity data, and configuration settings. Other tenants are not visible, and platform-level administration remains separate from tenant delivery. No data, configuration, or activity is shared across tenant boundaries unless explicitly exported. 

At platform administration level, each tenant is assigned a primary region. That region supports authentication, hosting, and regulatory alignment, while remaining separate from product behaviour and delivery workflows within the tenant. This gives organisations and consultancies clearer governance boundaries, stronger access control, and better alignment to the regional and regulatory context in which tenant data is hosted and accessed.

Yes. Spartacus supports tenant-level authentication configuration, including Microsoft identity and third-party identity providers. Authentication is configured at the tenant boundary, allowing organisations to align platform access with their wider identity approach while keeping internal role and permission models governed separately.

This is useful for organisations that need a more controlled and enterprise-ready access model without losing clarity over who can access specific products, clients, and assessments within the platform. Authentication controls entry to the tenant environment, while role and permission settings govern what users can view, manage, or contribute to once inside it.

Spartacus uses a governed role model with Platform Admins, Product Admins, and Standard Users, with permissions applied across tenant, product, and assessment level. Platform Admins have full administrative authority within the tenant, including managing users, clients, products, settings, and assessments. Product Admins have administrative control limited to the products they are assigned to. Standard Users work within more limited permission boundaries and can be granted read-only or read/write access at assessment level.

This gives organisations a clearer and more controlled way to manage access without relying on informal workarounds. It also means authority can be delegated where appropriate, while still keeping administrative boundaries explicit and auditable.

TBC

TBC

XX