
Risk Analysis


Cyber Security Expertise

[Figure: risk analysis pyramid, with layers Risk Analysis, Security Review, Security Architecture, Security Monitoring]

RiskTree puts you on the front foot. It is a unique piece of software that distils complex, evolving risks into clear components that can be analysed, understood and balanced.

It’s the brainchild of 2T Security. That means it is born out of decades of experience working at the highest level in cyber security and critical infrastructure. It is a unique way of cutting through the grey mist, anxiety and complexity of cyber threats.

Understanding is translated into clear visualisation that allows you to prioritise your efforts for maximum results. This clarity evolves alongside the risks you are monitoring, allowing you to keep ahead of cyber threats. And all this is possible through your browser. No data ever leaves your system.

RiskTree is quick. Most projects take days, not weeks. This speed of turnaround brings savings and means RiskTree works with projects that change and develop rapidly.

Risk Management with RiskTree

2T Security has developed RiskTree as a structured approach for risk management. Based around the well-established concept of attack trees, RiskTree provides a systematic way of capturing and prioritising the risks to your business and systems. It presents its results in an easy-to-understand format that integrates well with existing business processes. Attack trees are a well-known approach to risk assessment, looking at the risks from the perspective of an attacker and constructing tree structures that show the relationships between different risks. This allows the risk profile of the asset to be easily explored, even by people who haven't been involved in the assessment.

Key Benefits

There are a number of business benefits to using RiskTree:


  • Risks and reports are written in business language, and avoid putting off non-technical readers through the use of jargon.
  • It is much faster than other processes to create a risk assessment. A typical system can be assessed in a few days, and the assessment report will then take a couple more. This reduces the cost to the client and allows risks to be understood sooner.
  • Getting the technical architect and business owner into the same workshop to discuss risk is often the first time that this has happened. We typically find that many assumptions about how the system works and how the system is used are raised and challenged during these sessions, leading to a far better understanding of the system by the key business stakeholders.
  • Links to control frameworks, such as ISO27001 and NIST 800-53, allow statements of applicability to be quickly prepared.
  • The risk data are stored as data sets, allowing them to be aggregated for reports in different ways, or for creating risk assessments at departmental or organisational levels within an organisation.
  • Works well with agile project delivery, but supports other approaches (or assessment of existing systems) equally well.
  • It allows risk assessments to be quickly updated without needing to start from scratch.

Tried and Trusted

RiskTree has already been deployed by clients in both the public and private sectors. One client has replaced their previous information risk management processes completely, and is already seeing the benefits of the RiskTree approach from better business engagement, end-to-end lifecycle support for security from projects, and more comprehensive risk registers - all leading to better assurance.


A number of UK Government Departments are using RiskTree, and we have also created a bespoke version for one department that needed it as part of a major new programme of work.


The RiskTree software allows creation of the trees within the browser environment. This can be done during the workshops, or as a data-capture exercise afterwards. The tree is built quickly and efficiently, and can then be submitted to the on-line service for secure assessment. No sensitive data ever leave the client environment as part of this assessment.


RiskTree reports can be created using attack trees with and without controls applied, and so can be used to give a view of intrinsic risk (at the very start of a project), and residual risk (once controls have been planned); this allows the effect of the controls to be demonstrated. The Processor analyses the risk data and generates a prioritised table of risks. The default is that this is sorted on a traditional six-point scale (Very High - Very Low), but a configuration tool allows this to be modified to suit your own requirements.