Fortis Arena
War-game your cyber risks. Quantify the impact.
FAIR-aligned Cyber Risk Quantification (CRQ) engine with Monte Carlo simulation. Model ransomware attacks, vendor breaches, supply chain disruptions, and insider threats with probabilistic loss distributions. Cascade dependency analysis shows how a single point of failure propagates through assets, vendors, and controls. Export simulation results as DORA resilience testing evidence (Art. 24-27) or NIS2 risk assessment documentation.
What you get
Monte Carlo Probabilistic Simulation
Run configurable Monte Carlo simulations (1,000 to 100,000 iterations) to generate probabilistic loss distributions for each risk scenario. Results show expected loss ranges at the 50th, 90th, 95th, and 99th percentiles, giving leadership a statistically grounded view of potential financial impact rather than single-point estimates.
Pre-Built Scenario Types
Eight pre-built scenario types cover the most common cyber risk events: ransomware attack, vendor/supply chain breach, data exfiltration, DDoS/availability disruption, insider threat, cloud misconfiguration, regulatory non-compliance penalty, and business email compromise. Each scenario type includes default parameters calibrated from industry incident data that can be customised to your organisation's profile.
Cascade Dependency Analysis with Visual Graph
Model how a single point of failure propagates through your asset inventory, vendor dependencies, and control framework. The cascade graph visualises failure paths — a vendor breach affecting your identity provider cascades through every application relying on SSO, impacting 85% of business operations. This analysis directly supports DORA Article 28 ICT concentration risk assessment.
Organisation Calibration
Calibrate simulation parameters to your organisation's specific profile including industry sector, annual revenue, employee count, geographic operating footprint, and regulatory exposure. Calibration adjusts loss magnitude distributions, threat frequency estimates, and control effectiveness assumptions to produce organisation-specific results rather than generic industry benchmarks.
MITRE ATT&CK Coverage Heatmap
Overlay your control framework against the MITRE ATT&CK matrix to visualise which tactics, techniques, and procedures (TTPs) are covered by existing controls and which represent gaps. The heatmap integrates with simulation scenarios to show how ATT&CK coverage gaps translate to increased risk exposure for specific attack types.
Evidence Export for DORA Art. 24-27 Resilience Testing
Export simulation results, scenario configurations, and analysis reports as structured evidence for DORA Articles 24-27 digital operational resilience testing requirements. Exports include methodology documentation, scenario parameters, result distributions, and remediation recommendations in a format aligned with ESA technical standards for resilience testing evidence.
How it works
Select Scenario
Choose from 8 pre-built scenario types or create a custom scenario. Pre-built scenarios include default parameters calibrated from industry incident data, which serve as a starting point for organisation-specific customisation.
Calibrate Parameters
Adjust scenario parameters to your organisation's profile — threat frequency, vulnerability window, asset exposure, control effectiveness, and loss magnitude distributions. Organisation calibration pre-populates reasonable defaults based on your industry, size, and regulatory exposure.
Run Simulation
Execute the Monte Carlo simulation with configurable iteration count. The engine processes each iteration through the FAIR-aligned loss model, accounting for threat event frequency, vulnerability, loss magnitude factors, and cascade dependencies. Results are available within seconds for standard configurations.
Analyse Results & Export Evidence
Review probabilistic loss distributions, cascade impact paths, and risk reduction opportunities. Compare scenarios to evaluate the risk reduction impact of proposed security investments. Export results as DORA resilience testing evidence or board-ready risk quantification reports.
Built for your team
Board-Level Risk Quantification
The CISO uses Fortis Arena to translate technical cyber risks into financial terms that board members understand. Instead of presenting a heatmap of red/yellow/green risks, the CISO demonstrates that the organisation faces a 15% annual probability of a ransomware event with a 90th-percentile loss of EUR 4.2M. This financial quantification enables informed investment decisions — the board can evaluate whether a EUR 500K security investment that reduces the 90th-percentile loss by EUR 2.1M delivers acceptable ROI.
Scenario Planning & Investment Prioritisation
The risk manager models multiple scenarios to compare the risk reduction impact of proposed security investments. By simulating current state versus post-investment state for each scenario, the risk manager builds a prioritised investment roadmap ranked by risk reduction per euro invested. Cascade analysis reveals which single investments reduce risk across multiple scenarios due to shared dependency paths.
DORA Resilience Testing Evidence
External auditors reviewing DORA Articles 24-27 compliance use Fortis Arena exports as evidence of digital operational resilience testing. Simulation documentation demonstrates that the organisation has systematically modelled relevant threat scenarios, quantified potential losses, analysed cascade dependencies, and identified risk reduction opportunities. The structured export format provides auditors with the methodology transparency required to validate testing rigour.
Common questions
How does Fortis Arena align with the FAIR methodology?
Fortis Arena implements the core FAIR (Factor Analysis of Information Risk) taxonomy for structuring risk scenarios. Loss Event Frequency is decomposed into Threat Event Frequency and Vulnerability, while Loss Magnitude is decomposed into Primary Loss (productivity, response, replacement) and Secondary Loss (fines, reputation, competitive advantage). The Monte Carlo engine samples from probability distributions for each FAIR factor, producing output distributions that represent the full range of possible outcomes. This alignment ensures results are methodologically defensible and comparable across organisations using FAIR.
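The FAIR decomposition described above, as an added Python example rather than Fortis Arena's own engine. The Poisson and lognormal distribution choices, the function names, and every parameter value are assumptions constructed for illustration.

```python
import math
import random

# Constructed scenario parameters (illustrative only, not product defaults).
SCENARIO = {
    "tef_per_year": 0.6,         # Threat Event Frequency: threat events per year
    "vulnerability": 0.25,       # P(a threat event becomes a loss event)
    "primary_median": 800_000,   # EUR, median Primary Loss per loss event
    "primary_sigma": 0.9,        # lognormal spread of Primary Loss
    "secondary_prob": 0.4,       # P(a loss event also causes Secondary Loss)
    "secondary_median": 500_000, # EUR, median Secondary Loss
    "secondary_sigma": 1.1,
}

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_year(rng, s):
    """One iteration: sample each FAIR factor and return the annual loss."""
    total = 0.0
    for _ in range(poisson(rng, s["tef_per_year"])):
        if rng.random() >= s["vulnerability"]:
            continue  # threat event did not become a loss event
        total += rng.lognormvariate(math.log(s["primary_median"]), s["primary_sigma"])
        if rng.random() < s["secondary_prob"]:
            total += rng.lognormvariate(math.log(s["secondary_median"]), s["secondary_sigma"])
    return total

def run(s, iterations=10_000, seed=1):
    """Return loss-year probability, mean, and 50/90/95/99th percentile losses."""
    rng = random.Random(seed)  # seeded so a run can be reproduced as evidence
    losses = sorted(simulate_year(rng, s) for _ in range(iterations))
    pct = {p: losses[min(iterations - 1, p * iterations // 100)] for p in (50, 90, 95, 99)}
    return {
        "p_loss_year": sum(1 for x in losses if x > 0) / iterations,
        "mean": sum(losses) / iterations,
        "percentiles": pct,
    }

if __name__ == "__main__":
    print(run(SCENARIO))
```

With these inputs the median year has no loss at all, which is why the upper percentiles, not the mean, carry the information leadership needs.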
How accurate are Monte Carlo simulation results?
Monte Carlo simulation accuracy depends on the quality of input parameter calibration. With well-calibrated inputs, simulations produce statistically valid probability distributions that reflect the range of possible outcomes. FortisEU improves calibration accuracy by pre-populating parameters from industry incident databases, your organisation's historical incident data, and threat intelligence feeds. Results should be interpreted as probabilistic ranges rather than precise predictions. At 10,000 iterations, results are stable to within 2-3% variance between runs for the same input parameters.
What is the relationship between Fortis Arena and DORA TLPT requirements?
DORA Articles 24-27 establish requirements for digital operational resilience testing, including threat-led penetration testing (TLPT) for significant financial entities per Article 26. Fortis Arena complements TLPT by providing scenario-based risk quantification that covers the broader resilience testing requirement under Articles 24-25. While TLPT tests technical defences through simulated attacks, Arena models financial impact and cascade dependencies. Arena exports provide structured evidence of scenario analysis that satisfies the Article 24 advanced testing requirement, while TLPT results can be imported to calibrate Arena's control effectiveness parameters.
Does Fortis Arena include a historical incident library?
Yes. Arena includes a curated library of historical cyber incidents with documented financial impacts, drawn from public breach disclosures, regulatory enforcement actions, and industry reports. Historical incidents are categorised by scenario type, industry sector, organisation size, and geographic region. You can use historical incidents as calibration references — selecting comparable incidents to validate that your simulation parameters produce realistic loss distributions. The library is updated quarterly with newly disclosed incidents and regulatory penalty decisions.
Can Fortis Arena be used for tabletop exercise facilitation?
Yes. Arena includes a tabletop exercise mode that presents scenario injects step-by-step, simulating an evolving incident for leadership teams to respond to. Each inject reveals new information — initial detection, scope expansion, cascade impacts, regulatory notification triggers — with decision points where participants choose response actions. Participant decisions affect the simulation path, demonstrating how different response strategies lead to different outcomes. Post-exercise reports compare participant decisions against optimal response paths and quantify the financial impact of decision delays or suboptimal choices.