User Guide

CyberCore — Multi-Framework Cyber Assurance

How to run a cyber assurance assessment from zero: create an organisation, score controls against 12 frameworks, gather evidence, apply scoring rules, cross-map frameworks, and export an audit-ready report.

12 Frameworks
~1,130 Controls
105 Cross-mappings

1 What CyberCore does

CyberCore is V/ergent's cyber-assurance module. You pick a framework (ISO 27001, NIST CSF, PCI DSS, and more), walk through each control, attach evidence, and record a verdict. CyberCore calculates coverage, flags gaps, and produces a defensible report. It supports 12 frameworks out of the box:

  • NIST CSF 2.0
  • ISO/IEC 27001:2022
  • CIS Controls v8
  • SOC 2 TSC
  • PCI DSS v4.0
  • NCSC CAF
  • NCAF
  • Cyber Essentials
  • DORA
  • NIS2
  • COBIT 2019
  • HITRUST CSF v11

2 Signing in

  1. Open cyber.vergent.co.ke. You land on the CyberCore landing page.
  2. Click Sign in. If you already have V/ergent credentials, use those — CyberCore shares identity with V/ergent.
  3. First login drops you on the Dashboard, listing every organisation you belong to and any active assessments.

3 Exploring frameworks

  1. Click Frameworks in the nav. You'll see all 12 supported frameworks with their control counts.
  2. Click any framework to drill into its full control hierarchy (categories → subcategories → individual controls, with titles, descriptions, and guidance references).

You don't have to pick a single framework. CyberCore supports running multiple assessments against the same organisation — one per framework you're being audited on.

4 Creating a new assessment

  1. Click + New Assessment in the top nav.
  2. Pick the Organisation (or create one if it's a new client).
  3. Pick the Framework and give the assessment a name (e.g. Q2 2026 SOC 2 readiness).
  4. Click Create. The assessment opens in draft state.
  5. Click Initialize Scoring. CyberCore creates a row for every control in the framework, each starting at Inconclusive.

5 Uploading evidence

Every verdict must be backed by artefacts — screenshots, policy documents, config exports, tickets, signed attestations. CyberCore stores them against the control they support so an auditor can retrace your reasoning.

  1. Click Upload Evidence in the top nav, or click into a specific control and use its per-control upload button.
  2. Drag files in or click to browse. Supported: pdf, docx, xlsx, png, jpg, json, yaml, log.
  3. Tag each file with the control(s) it supports. A single artefact can back multiple controls.
  4. CyberCore computes a quality score per control: completeness (are all expected artefact types present?) × freshness (how old is the evidence?) × coverage (does it actually demonstrate the control?).

Evidence older than 12 months starts to decay the quality score automatically. Re-upload refreshed artefacts before audit windows.

6 Setting verdicts

Every control needs a verdict before the assessment can be marked complete. CyberCore uses a 5-level scale compatible with NCSC CAF / DORA / NIS2:

  • Achieved: Control is fully in place and operating effectively. Evidence proves it.
  • Largely Achieved: In place but minor gaps remain (non-critical). Evidence mostly complete.
  • Partially Achieved: Some elements in place; material gaps prevent full achievement.
  • Not Achieved: Control is absent, fundamentally broken, or unreviewable.
  • Inconclusive: Not yet scored or evidence insufficient to decide. Default for new assessments.

  1. Open the assessment from the Dashboard.
  2. Expand any control row to see its evidence, proposed verdict (auto-calculated from evidence quality), and Set Verdict widget.
  3. Pick a verdict and, optionally, type a reviewer rationale. Click Save Verdict.
  4. An immutable audit log entry captures the reviewer, original verdict, chosen verdict, and rationale — you can't edit history, only add new verdicts that supersede.

7 Automated scoring with rules

Hand-reviewing 200+ controls is slow. CyberCore lets you define scoring rules that auto-apply verdicts based on evidence metrics (completeness, quality, freshness, implementation strength). Five rule types are supported:

  • weighted_criteria — verdict from a weighted sum of metrics vs thresholds.
  • evidence_gates — require minimum completeness + quality before considering any verdict.
  • time_decay — reduce confidence as evidence ages.
  • confidence_ranges — gate the verdict on confidence level.
  • custom_formula — constrained expression language for one-off business logic.

  1. From the Dashboard, click into an assessment, then click Auto-score with rules.
  2. Confirm — CyberCore applies every active rule attached to the assessment. The highest-confidence rule wins per control.
  3. Changed verdicts get a rationale like "Auto-scored by rule: weighted_criteria (confidence 0.87)" and an OverrideLog entry with action="auto_score".
  4. Reviewers can still override any auto-scored verdict manually. Automation never silently stamps over a human judgement — nodes with a reviewer_verdict already set are left alone.

Rules are defined at the organisation level — create them once, re-use across every assessment. See the Settings → Scoring Rules panel.
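
The resolution behaviour described in the steps above, sketched as an added example (not CyberCore's own code): the highest-confidence rule wins, controls with a reviewer verdict are skipped, and only changed verdicts are logged. The field names, weights, thresholds, the way the evidence gate reports a failure, and the `CTRL-*` references are all assumptions made for illustration.

```python
# Illustrative model only: names, weights and thresholds are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Control:
    ref: str
    completeness: float                    # evidence metrics, each 0.0-1.0
    quality: float
    freshness: float
    verdict: str = "Inconclusive"
    reviewer_verdict: Optional[str] = None
    rationale: str = ""

def weighted_criteria(c):
    """Weighted sum of metrics vs thresholds (weights and thresholds assumed)."""
    score = 0.5 * c.completeness + 0.3 * c.quality + 0.2 * c.freshness
    for floor, verdict in ((0.85, "Achieved"), (0.65, "Largely Achieved"),
                           (0.40, "Partially Achieved")):
        if score >= floor:
            return verdict, round(score, 2)
    return "Not Achieved", round(1 - score, 2)

def evidence_gates(c):
    """Thin evidence holds the control at Inconclusive with high confidence."""
    if c.completeness < 0.5 or c.quality < 0.5:
        return "Inconclusive", 0.95
    return None                            # gate passed: no opinion

RULES = {"weighted_criteria": weighted_criteria, "evidence_gates": evidence_gates}
def auto_score(controls, rules=RULES):
    """Highest-confidence rule wins per control; human verdicts are skipped."""
    log = []
    for c in controls:
        if c.reviewer_verdict is not None:
            continue                       # reviewer already decided
        results = [(name, *out) for name, fn in rules.items() if (out := fn(c))]
        if not results:
            continue
        name, verdict, conf = max(results, key=lambda r: r[2])
        if verdict != c.verdict:           # only changed verdicts are logged
            log.append({"control": c.ref, "action": "auto_score",
                        "original": c.verdict, "chosen": verdict})
            c.verdict = verdict
            c.rationale = f"Auto-scored by rule: {name} (confidence {conf:.2f})"
    return log

def sample_controls():                     # constructed sample data
    return [Control("CTRL-A", 0.9, 0.9, 0.8),
            Control("CTRL-B", 0.3, 0.9, 1.0),
            Control("CTRL-C", 0.9, 0.9, 0.9, "Partially Achieved", "Partially Achieved")]
```

In the sample, CTRL-B has fresh, high-quality evidence but low completeness, so the gate outranks the weighted score and the control stays Inconclusive with no log entry.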

8 Framework mapping graph

If you already run ISO 27001 and need to answer a NIST CSF questionnaire, the mapping graph shows which ISO controls cover which NIST subcategories — so you can reuse evidence instead of repeating work.

  1. Click Graph in the nav.
  2. Pick From Framework (the one you already have evidence for) and To Framework (the one you need to answer).
  3. Leave Mapping Type on "All types" and Min Strength on 0% for your first look. Click Load Graph.
  4. A force-directed graph renders — each node is a control, each edge is a mapping with a strength percentage.
  5. Filter to Equivalence + Min Strength 80% when you only want high-confidence mappings you can trust for audit evidence reuse.

"No mappings found" is not always a bug — not every framework pair has been mapped yet. Coverage is published in the admin guide; currently 105 mappings across 6 directions (NIST CSF ↔ ISO 27001, ↔ CIS, NCSC CAF ↔ NIST, NIST ↔ SOC 2, ISO ↔ PCI, NCSC ↔ ISO).

9 Exporting a report

  1. Open the assessment, click Report (appears once the assessment is marked complete).
  2. The generated report includes: cover page, executive summary, framework coverage heatmap, per-control verdict table, evidence inventory, reviewer override log, and remediation recommendations.
  3. Download as PDF (audit committee), DOCX (for editing), or XLSX (for tracking).

10 V/ergent integration

CyberCore is part of the V/ergent product family. Findings from V/ergent's ERP/cloud audits push into CyberCore so your technical findings and cyber-assurance posture live in the same place.

  1. Click CyberCore in V/ergent's nav — you see every CyberCore organisation you have access to.
  2. Click an organisation to view its CyberCore assessments inline within V/ergent.
  3. V/ergent can push ERP/SoD findings into CyberCore as supporting evidence for specific controls (e.g. an ISO 27001 A.5.15 Access Control finding from an SAP S/4HANA audit).

11 Troubleshooting

Verdict won't save? The rationale field is mandatory if you're overriding the proposed verdict. An empty rationale will be rejected by validation.
Can't see an organisation you expect? Organisation membership is controlled in Settings → Team. Ask the organisation admin to add you; V/ergent and CyberCore share the same identity so V/ergent admins can invite you too.
Report export fails? The assessment must be in "complete" state — every control must have a verdict other than Inconclusive. A partial report is available via the Preview button during the draft phase.
Questions or gaps in this guide? Email support@vergent.co.ke.