Defensibility.ai opens pre-release of gap assessment tool

Defensibility.ai has opened a limited pre-release of its Defensibility Gap Assessment Tool for executives who want to see where their companies and officers may be personally exposed before an incident. The Seattle startup is pairing the tool with a broader governance platform as regulators increasingly pursue individual accountability in cybersecurity and privacy cases.

Why it matters: - Defensibility.ai is targeting a growing risk for CISOs, GCs, CCOs, CPOs and other executives: personal exposure when regulators review a company’s security or privacy failures. - The company’s tools are designed to help leadership document duties, authority, escalations and remediation before an incident, when records matter most. - The offering comes as enforcement actions have increasingly named individuals, not just companies.

What happened: - Defensibility.ai opened a pre-release of its Defensibility Gap Assessment Tool to a limited number of companies in exchange for feedback. - Executives can reserve access at defensibility.ai using a single role-based form. - The company includes a complimentary 30-minute founder briefing tailored to each executive’s industry. - The Seattle company built the tool on its Defensible Governance Framework. - The company also sells two annual-subscription products: the Defensible Governance application and the Minors Safety & Child Welfare application.

The details: - The Tool identifies three issues: the company’s top regulatory exposure gaps, each C-suite executive’s individual exposure, and the prosecutorial lens regulators may use to evaluate those gaps. - The company says the Tool highlights unmet obligations that could drive the most consequential fines if an enforcement matter arose. - The Tool maps where the CEO, CFO, CISO, TRO, GC, CPO and CRO carry personal risk and where leadership accountability is undocumented. - The Tool also shows how regulators such as the FTC, SEC, a state attorney general or an EU supervisory authority could build a case. - The Defensible Governance application handles remediation, including alternative safeguard review, CDAR risk thresholds, the remediation plan and the sealed evidence record. - The Tool is directional and does not close the gaps on its own.

The Personal Defensibility Review: - CISOs and TROs get an added in-product guided interview called the Personal Defensibility Review. - The Review generates a Job Record that captures the executive’s duties, responsibilities, accountability, mandate and authority as the official HR job description. - The Job Record is designed to be signed inside the platform and saved as an evidentiary record. - The Review also produces a personal protection plan that can include naming the role on the company’s D&O policy, securing personal indemnification and getting supervisor sign-off on the documented job description.

Between the lines: - The product reflects a legal strategy as much as a security workflow: document authority, escalate issues early and preserve proof of what leadership knew and did. - The focus on CISOs and TROs tracks with the SolarWinds case, where the SEC personally named former SolarWinds CISO Tim Brown in October 2023. - The SEC later voluntarily dismissed that case with prejudice in November 2025, after Brown had been named for more than two years. - Brown serves on Defensibility.ai’s strategic advisory board and helped shape the review around documentation gaps the case exposed. - The company’s broader pitch is that contemporaneous records may help executives show they did their jobs, even if they cannot eliminate enforcement risk.

The broader enforcement context: - Joe Sullivan, formerly chief security officer at Uber, was criminally convicted in October 2022 for obstruction of an FTC proceeding and misprision of felony tied to concealing Uber’s 2016 breach. - Sullivan was sentenced in May 2023 to three years of probation, 200 hours of community service and a $50,000 fine. - The Ninth Circuit affirmed the conviction in March 2025 and later denied rehearing en banc. - In January 2023, the FTC finalized a consent order against Drizly and its CEO, James Cory Rellas, after a 2020 breach exposed personal data of about 2.5 million consumers. - The order personally binds Rellas for 10 years if he is a majority owner, CEO or senior officer with information-security responsibility at a future qualifying business.

What’s next: - Reservations for the pre-release are open now at defensibility.ai. - Defensibility.ai says its two commercial applications are sold as annual subscriptions and are the subjects of pending U.S. provisional patent applications. - The company says the Minors Safety & Child Welfare application extends the same framework to gaming, social media, EdTech and consumer platforms subject to new psychological-welfare laws.

The bottom line: - Defensibility.ai is betting that the next wave of cybersecurity and privacy risk will be judged not only by what companies did, but by whether individual executives can prove they documented their decisions, authority and escalation trail before a regulator arrived.