From the Lab

Products and tools

The workshop behind RiskByDesign. Some of this is released and in your hands today; some is still on the bench. Everything here follows the same rules: local-first, offline, no cloud, no telemetry. Here is the detail the front page doesn't have room for.

FORLAS CRQ

Flagship Beta · v0.2.0

A local-first quantitative cyber risk platform built on the FAIR methodology. It turns loss scenarios into defensible numbers a board can act on, and it does it entirely on your own machine.

FORLAS CRQ portfolio dashboard showing a A$16.1M portfolio ALE, tail metrics, a ranked top loss drivers table, and a portfolio loss exceedance curve

Monte Carlo simulation

Every scenario is run 100,000 times to produce a full loss distribution and an exceedance curve, with reproducible seeds.

Sensitivity analysis

Rank the FAIR inputs by how much they drive the result, so effort goes to the estimates that actually change the answer.

Tolerance measurement

Probability of breach, utilisation, headroom, and a within-tolerance verdict, all measured against the risk appetite you set.

Portfolio aggregation

Combine every scenario into one organisation-wide loss picture, ranked by contribution, with a portfolio exceedance curve.

Analysis & Evidence

Capture the reasoning beside each number: narrative, confidence, data relied upon, assumptions, gaps, and a rationale per input.

Executive reporting

PDF and Word reports with FORLAS-branded covers, written for boards and auditors, generated straight from your scenarios.

Governance built in

Role-based access, an audit log, review scheduling, and segregation of duties on approvals. On by default.

Yours, and offline

One desktop application, one SQLite database file that you own. No cloud, no accounts, no telemetry, no external services.

  • Python
  • FastAPI
  • React
  • TypeScript
  • Tauri
  • SQLite
View on GitHub Changelog Free and open source

Read more: a full tour of FORLAS CRQ, why cyber risk needs numbers, and what shipped in v0.2.0.

Calibrated Course

Open source

A quantitative model is only as good as the humans feeding it. Calibrated Course trains subject matter experts to give probability estimates that match their real accuracy, before their inputs ever reach a risk model.

Practice trainer

90% confidence-interval rounds and true/false rounds with immediate feedback, hit-rate tracking, and Brier scoring.

Live calibration curve

An SVG calibration curve shows, at a glance, where stated confidence is drifting from measured accuracy.

Nine-module course

A self-paced course that teaches the method, verifies your practice rounds, and issues a printable completion certificate.

Verified question bank

240 general-knowledge questions with a published answer key, so the training data can be independently checked.

Runs from disk

Single HTML files with all CSS and JavaScript inline. No build step, no CDN, no network calls. Works on a locked-down laptop.

Nothing leaves the browser

Profiles and progress live in local storage, with JSON and CSV export for backup. No telemetry, no accounts.

  • Vanilla JS
  • Single-file HTML
  • Offline
View on GitHub Free and open source

Read more: why calibrated humans matter to a risk model.

BowCRQ

In development

On the bench. BowCRQ is a local-first desktop application for quantified Bow Tie risk analysis with Cyber Risk Quantification, pairing the clarity of a bow tie diagram with data-backed numbers on both sides of the knot.

Bow tie, quantified

Threats, the top event, and consequences laid out visually, with quantified likelihood and loss driving the picture.

Local-first and offline-first

The same foundations as the rest of the Lab: everything runs on your machine, with nothing sent anywhere.

No external dependencies

No cloud, no SaaS, no telemetry, no external services, no API dependencies. Built to work in isolation.

Register interest In development. Watch this space.