A Threat and Risk Assessment (TRA) is a formal cybersecurity document used to identify, evaluate, and mitigate the security risks to an organization's digital assets, infrastructure, and sensitive data. It names the realistic threats to your systems, rates each risk by likelihood and impact, and documents the mitigations you have in place. In Canada it is common vocabulary in government procurement, in regulated sectors, and in enterprise vendor reviews.
People rarely read about TRAs out of curiosity. The ask usually arrives in a Government of Canada solicitation or from a prime contractor in the defence supply chain, from an enterprise procurement or vendor-risk team, from a federally regulated financial institution flowing its third-party requirements down, or from an insurer assessing a cyber policy. If you are looking one up, something in a contract or a review has asked for it.
A TRA is not a pen test and not a vulnerability scan, and the three get used interchangeably in procurement emails. A scan is automated and flags known issues; a pen test is human-led and proves what an attacker could actually do; the TRA puts those facts in business terms, covering threats, likelihood, impact, and mitigations. A TRA with no testing behind it is a guess in a nice template, so the assessment should be backed by hands-on testing of your environment.
traztech delivers Threat and Risk Assessments backed by real testing for startups and growth-stage companies, led by a published CVE researcher.
Book a call