QFX Assessment Framework

QFX ASSESSMENT FRAMEWORK™

100% automated vendor questionnaire scoring with zero subjectivity. AI-assisted completion, maturity-based scoring, and multi-framework compliance — all without a security analyst.

Try 5 Vendors for Free →
85% Auto-Fill Rate
Hours vs. Weeks
100% Automated Scoring
0 Chase Emails
// KEY INNOVATIONS

WHAT MAKES QFX DIFFERENT

Zero Binary Questions

Eliminates guessable yes/no formats. Every question uses maturity-based options that capture the full spectrum of security implementation.

Maturity-Based Scoring

Security controls exist on a continuum. QFX recognizes partial implementation — 0% (none) through 100% (industry-leading) with meaningful thresholds at every stage.

Smart Documentation

Attachments are required when a vendor claims implementation (score ≥70%). Justifications are required when a control is lacking (score <50%). No documentation is required for partial implementation (50–69%).

Framework Agnostic

Adaptable to any framework — NIST CSF, ISO 27001, SOC 2, PCI DSS, HIPAA. Map a single question to multiple frameworks simultaneously.

100% Auto-Scorable

All expert judgment encoded into question design, option sets, and weighted scoring algorithms. Zero human interpretation required.

AI-Assisted Completion

QFX reads vendor SOC 2 reports, security documentation, and public filings to auto-fill responses with source citations.

// HOW IT WORKS

FOUR STEPS TO AUTOMATED ASSESSMENT

01 Document Ingestion

QFX reads vendor SOC 2 reports, security docs, ISO certs, and public filings.

02 Intelligent Mapping

AI maps documentation to questionnaire requirements across compliance frameworks.

03 Auto-Completion

Responses are pre-filled with verified answers and source citations. 85% average auto-fill rate.

04 Review & Score

Verify AI suggestions and approve. Scores are calculated automatically via maturity-based partial scoring.

THE QFX SCORING MODEL

QFX uses a two-dimensional risk model. Every question carries a Risk Weight (1–4) and Risk Impact (1–4), producing a combined criticality score from 1 to 16. Individual question scores are weighted by this criticality to produce the overall assessment score.

Maturity Levels

90–100%  Optimized:  Industry-leading, automated, continuously improved
75–89%   Managed:    Comprehensive, measured, regularly improved
60–74%   Defined:    Documented, consistent, periodically reviewed
40–59%   Developing: Partially implemented, improvement planned
20–39%   Initial:    Basic implementation, ad-hoc processes
0–19%    Ad-hoc:     Minimal or no implementation

Partial Scoring Patterns

QFX supports multiple scoring patterns for real-world complexity. Linear Progression awards incremental credit based on how many correct options are selected (ALL7=100, ANY4=55, NONE=0). Critical Combinations prioritize specific high-value selections — for example, MFA for privileged accounts scores 50% even without broader rollout. Maturity Stages map to review frequency — continuously (100%), quarterly (90%), annually (60%), ad-hoc (30%), never (0%).

Multi-Framework Compliance

Every QFX question maps to multiple frameworks through ControlIDs (NIST PR.AC-01, ISO A.9.4.2, SOC2 CC6.1, PCI 8.3.1) and Control Measures (business-friendly names like "Multi-Factor Authentication" or "Data Loss Prevention"). A single assessment generates compliance scores across all mapped frameworks simultaneously.
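The scoring model above (criticality weighting, maturity levels, the three partial scoring patterns, the Smart Documentation rule, and per-framework roll-up via ControlIDs) can be reproduced end to end in a few dozen lines. The following is an added worked example, not LiveThreat's code: it assumes criticality is Risk Weight × Risk Impact (the natural combination giving the stated 1–16 range), interpolates linearly between the page's Linear Progression anchors (NONE=0, ANY4=55, ALL7=100), splits the non-critical half of a Critical Combination evenly, and treats the first token of a ControlID as its framework. The four sample questions and their ControlID mapping are constructed for illustration.

```python
from dataclasses import dataclass

# Maturity levels from the page's table: (lower bound, label), checked top-down.
MATURITY_LEVELS = [(90, "Optimized"), (75, "Managed"), (60, "Defined"),
                   (40, "Developing"), (20, "Initial"), (0, "Ad-hoc")]

# Maturity Stages pattern: review frequency -> score, as listed on the page.
MATURITY_STAGE_SCORES = {"continuously": 100, "quarterly": 90, "annually": 60,
                         "ad-hoc": 30, "never": 0}


@dataclass(frozen=True)
class Question:
    qid: str
    risk_weight: int      # 1-4
    risk_impact: int      # 1-4
    control_ids: tuple    # e.g. ("NIST PR.AC-01", "ISO A.9.4.2")

    def criticality(self) -> int:
        """Combined criticality 1..16. ASSUMPTION: weight x impact."""
        if not (1 <= self.risk_weight <= 4 and 1 <= self.risk_impact <= 4):
            raise ValueError(f"{self.qid}: weight and impact must be 1-4")
        return self.risk_weight * self.risk_impact


def linear_progression(selected: int, anchors=((0, 0), (4, 55), (7, 100))) -> float:
    """Linear Progression: anchors are the page's examples; the straight-line
    interpolation between anchor points is an assumption."""
    pts = sorted(anchors)
    if selected <= pts[0][0]:
        return float(pts[0][1])
    if selected >= pts[-1][0]:
        return float(pts[-1][1])
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        if x0 <= selected <= x1:
            return y0 + (y1 - y0) * (selected - x0) / (x1 - x0)
    return float(pts[-1][1])  # not reached: selected lies inside the anchor range


def critical_combination(selected, critical, options, critical_credit=50.0) -> float:
    """Critical Combinations: the critical option alone earns critical_credit
    (page example: MFA for privileged accounts = 50%). ASSUMPTION: the other
    options share the remaining credit evenly."""
    score = critical_credit if critical in selected else 0.0
    others = [o for o in options if o != critical]
    if others:
        score += (100.0 - critical_credit) * sum(o in selected for o in others) / len(others)
    return score


def maturity_stage(frequency: str) -> float:
    return float(MATURITY_STAGE_SCORES[frequency.lower()])


def documentation_requirement(score: float):
    """Smart Documentation: attachment at >=70%, justification below 50%, else None."""
    if score >= 70:
        return "attachment"
    if score < 50:
        return "justification"
    return None


def maturity_level(score: float) -> str:
    return next(label for floor, label in MATURITY_LEVELS if score >= floor)


def weighted_score(items) -> float:
    """Criticality-weighted mean of (criticality, score) pairs."""
    total = sum(c for c, _ in items)
    return sum(c * s for c, s in items) / total if total else 0.0


def assess(questions, scores):
    """Overall score, maturity level, per-framework scores and documentation
    needs. Framework = first token of the ControlID (an assumption)."""
    by_fw = {}
    for q in questions:
        for cid in q.control_ids:
            by_fw.setdefault(cid.split()[0], []).append((q.criticality(), scores[q.qid]))
    overall = weighted_score([(q.criticality(), scores[q.qid]) for q in questions])
    return {"overall": overall, "level": maturity_level(overall),
            "frameworks": {fw: weighted_score(v) for fw, v in by_fw.items()},
            "documentation": {q.qid: documentation_requirement(scores[q.qid]) for q in questions}}


# Constructed sample assessment; ControlIDs reused from the page, mapping is illustrative.
QUESTIONS = (
    Question("Q1-mfa",        4, 4, ("NIST PR.AC-01", "ISO A.9.4.2", "SOC2 CC6.1", "PCI 8.3.1")),
    Question("Q2-access-rev", 3, 2, ("NIST PR.AC-01", "SOC2 CC6.1")),
    Question("Q3-encryption", 2, 4, ("ISO A.9.4.2", "PCI 8.3.1")),
    Question("Q4-log-review", 1, 1, ("SOC2 CC6.1",)),
)
SAMPLE_SCORES = {
    "Q1-mfa": critical_combination({"privileged"}, "privileged",
                                   ("privileged", "workforce", "customers")),  # 50.0
    "Q2-access-rev": maturity_stage("quarterly"),                              # 90.0
    "Q3-encryption": linear_progression(4),   # 4 of 7 options selected        # 55.0
    "Q4-log-review": maturity_stage("never"),                                  # 0.0
}


def sample_assessment():
    return assess(QUESTIONS, SAMPLE_SCORES)


if __name__ == "__main__":
    r = sample_assessment()
    print(f"overall {r['overall']:.1f}% ({r['level']})")
    for fw, s in sorted(r["frameworks"].items()):
        print(f"  {fw:5s} {s:.1f}%")
    print("documentation:", r["documentation"])
```

Note how the criticality weighting changes the picture: the partially rolled-out MFA control (50%) dominates the overall score because its criticality is 16, while the never-reviewed logs (0%) barely move it at criticality 1. That is exactly the property a vendor-risk scoring model needs if a reviewer is to prioritize remediation from the score alone.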

EXECUTIVE REPORTING

QFX produces hierarchical dashboards translating technical compliance into executive language. The overall enterprise security score breaks down into functional areas (Governance, Protection, Detection & Response), each with business-understandable control measures. This enables board-ready reporting, multi-framework compliance tracking, risk-based remediation prioritization, and maturity progression tracking.

// TEMPLATE LIBRARY

PRE-BUILT TEMPLATES

NIST CSF

Full Cybersecurity Framework mapped to Govern, Identify, Protect, Detect, Respond, and Recover functions.

ISO 27001

Annex A controls mapped and scored with certification-specific questions and organizational context adjustments.

SOC 2

Trust Services Criteria alignment with continuous monitoring emphasis and period coverage options.

PCI DSS

Specific requirement numbers, network segmentation validation, and compensating control workflows.

HIPAA

Security Rule safeguards with required vs. addressable distinctions and workforce training specifics.

Custom Templates

Build your own using the 20-column QFX template specification. Full control over question types, scoring, and documentation.

DON'T BE A LARRY. TRY LIVETHREAT FREE.

Assess your first vendors free — no credit card, no contract, no gym membership required.
