The risk intelligence platform

From mandatory to meaningful.

Speculo turns your compliance programme into risk intelligence your board can act on, defend, and fund. One platform for framework assessments, risk reporting, and strategic cyber planning.

Get a demoSee how it works
Assessment to board report, one platformDefensible reporting, every timeBuilt in New Zealand

Used by central government and regulated enterprises.

MCSS and NZISM built in.

0

Report types, built in

Pre-configured for every role: board, CISO, project manager, assessor, auditor, and more. Export to Word, PDF, or CSV.

0

Assessment workflow stages

One clear path from scoping to sign-off. Each stage captures the right information at the right time.

0

Risk assessment types

From a rapid control self-assessment through to a full maturity programme with audit-ready evidence. Choose the depth your situation calls for.

Your maturity score, your top risks, and what to prioritise next. All in one report you can re-run when the data moves.

Inside the platform

Four views your team will live in.

Speculo dashboard showing total assessments, certification and accreditation status, evidence progress and open remediations, a recertification countdown, an assessments-due-for-renewal donut, a recent activity feed, and current risk distribution by severity.

How it works

From compliance activity to risk intelligence your board can act on.

1

Set the brief

Pick your framework and your starting point: compliance-led, risk-led, or both. Speculo works from what your organisation already uses and is designed to convert that work into a risk picture your business can act on, not just a score your auditor accepts.

2

Run the assessment

Score your controls against your chosen framework. Evidence attaches at the control level, so your compliance record and your risk position build at the same time. Whether you're starting fresh or moving from another tool, the workflow is the same.

3

See where you're exposed

Every control gets a risk reduction score. Speculo calculates the exact impact each control has on your overall risk position, so you know before you start where assessment effort will produce the most reduction.

4

Plan what to fix first

Most cyber security audit approaches treat every control as equally important. Speculo focuses your team's effort on the controls that materially move your risk position. The capacity you save goes toward maturing those controls to their target, not working through a uniform list.

5

Take the funded case forward

The compliance work your team did becomes the risk language your board needs. Same data, no translation. Speculo surfaces the gap analysis, risk position, and prioritised roadmap your funding case requires. The case itself is yours to take forward.

Deterministic engine

Same inputs, same report, every time. Defensible to your auditor and your Audit and Risk Committee.

Prioritised by impact

Every control is scored by the exact risk reduction it delivers. Focus your team's effort on the controls that move the needle, then use freed capacity to mature them toward target.

Close to the work

Decades across public sector, banking, and consulting. We've done this work and we understand the environment you're operating in.

Hands-on support

Founder-reachable. A direct line to people who've done this work, not an offshore ticket queue.

By sector

Built for the cyber work your team already does.

Government

MCSS native, NZISM ready. The funding case your Chief Executive will sign.

Learn more

Healthcare

Cyber risk for clinical and corporate systems. HISF native, end of May 2026.

Learn more

Finance

Built for FMA- and RBNZ-regulated entities. NIST CSF and ISO 27001 coming soon.

Learn more

Critical Infrastructure

Built for utilities, telcos, transport, and three-waters operators. Ready for the CIPS regime as it lands.

Learn more

Education

From single-school to tertiary CISO. Risk assessments your whole team can run, evidence held in one place.

Learn more

Tech

Cyber risk, evidence, and ISO 27001 readiness in one platform. Used by tech companies selling into government to demonstrate security posture.

Learn more

From the team

Field notes from NZ cyber and compliance work.

Why the MCSS Spreadsheet is a Trap

13 May 2026 · 8 min read

Why the MCSS Spreadsheet is a Trap

Every NZ agency doing MCSS starts in a spreadsheet. It seems fine at first. Here's where it breaks down, and what it costs you when it does.

MCSS is the business case you haven't written yet

13 May 2026 · 8 min read

MCSS is the business case you haven't written yet

Most cyber vendors will sell you MCSS as a compliance headache. We think that's the wrong way round. The Minimum Cyber Security Standards are mandatory. The only question is whether you treat that work as a cost centre, or as the cheapest business case you'll ever write.

NZISM Explained: What NZ Government Agencies Need to Know

13 May 2026 · 1 min read

NZISM Explained: What NZ Government Agencies Need to Know

The New Zealand Information Security Manual is the government's security framework for agencies handling official information. Here's what it covers, who it applies to, and how it fits alongside MCSS.

All posts

Turn your compliance programme into a risk position your board can act on.

Get a demo. See how the platform works against your actual situation. No pitch, no procurement.

Get a demoSee how it works