Threat and Risk Assessment

Threat and Risk Assessment (TRA)

A TRA is a formal document that identifies the threats to your systems and data, rates the risk of each, and lays out how you are mitigating them. In Canada it is a common requirement in government procurement, in regulated sectors, and in enterprise vendor reviews. If a contract or a buyer has asked you for one, we produce a TRA that stands up to scrutiny, backed by real testing of your environment rather than a template with your logo on it.

Request a TRA

Nobody reads about TRAs for fun

If you are on this page, something asked for one. Usually a form, a clause, or a reviewer. These are the four ways it normally shows up.

What is actually in the document

A TRA is a comprehensive cybersecurity document covering your digital assets, infrastructure, and sensitive data. Ours is built on what we found in your environment, so every risk rating traces back to something real. Here is what you get.

01

Scope and assets

What is covered and what is not: the systems, the data, the users, the third parties. Reviewers read this section first, because a vague scope makes the rest of the document meaningless.

02

Threats identified

The realistic threats to your assets, infrastructure, and sensitive data, informed by real testing rather than guesswork. Named, specific, and relevant to how you actually operate.

03

Risk register, rated

Each risk scored by likelihood and impact, so leadership and buyers can see what matters and why. This is the part a procurement reviewer will scan for evidence you thought about it seriously.

04

Testing findings

What we actually found when we tested. This is what separates a TRA that holds up from a generic template: the assessment is backed by evidence from your environment.

05

Mitigations documented

What you already have in place, how well it covers each risk, and where the gaps are. Honest, because the reviewer will notice if it is not.

06

Prioritized remediation plan

An ordered list of what to fix and in what sequence, so the TRA is something you act on rather than a file you email once and forget.

A TRA is not a pen test, and not a scan

These three get used interchangeably in procurement emails and they are not the same thing. Asking for the wrong one wastes a month.

They are not substitutes. A TRA with no testing behind it is a guess in a nice template. A pen test on its own does not answer the question a procurement reviewer is asking. We do the testing and write the assessment, so the document is backed by what we actually found. Testing is delivered with our offensive-security partner and led by a published security researcher with 6 CVEs. See our security services for the testing side.

How we run a TRA

Scoped up front. You know the deliverable and the timeline before you commit.

01

Read the ask, then scope it

We start with the thing that triggered this: the solicitation, the contract clause, the questionnaire, the underwriter's form. What the reviewer expects shapes the scope, so we read it before we quote it.

02

Test the environment

Hands-on testing scoped to what the assessment needs: web app, network, servers, or cloud. Delivered with our offensive-security partner. This is the part most TRA vendors skip.

03

Assess and rate

We build the threat model and the risk register, rate each risk by likelihood and impact, and document your existing mitigations and where they fall short.

04

Deliver and defend it

You get the document, the prioritized remediation plan, and a walkthrough so you can speak to it. If the reviewer comes back with questions, we help you answer them.

Where a TRA fits with your other requirements

The risk work overlaps. If a TRA is not the only thing being asked of you, build it once and use it in more than one place.

One honest note on scope: we are the assessment and prep expert. We write your TRA and we get you audit-ready, but we do not sign a SOC 2 or ISO 27001 audit, because those require an independent firm. See Compliance for the full picture.

Works well with

Send us what asked for the TRA

Forward the clause, the questionnaire, or the email. We will tell you what scope actually satisfies it, and what it takes to get there.

Request a TRA

Frequently asked questions

What is a Threat and Risk Assessment (TRA)?

A TRA is a formal cybersecurity document used to identify, evaluate, and mitigate the security risks to an organization's digital assets, infrastructure, and sensitive data. It names the realistic threats to your systems, rates each risk by likelihood and impact, and documents what you are doing about them. In Canada it is common vocabulary in government procurement, in regulated sectors, and in enterprise vendor reviews.

Who asks for a TRA?

Usually a Government of Canada solicitation or a prime contractor in the defence supply chain, an enterprise procurement or vendor-risk team, a bank or federally regulated financial institution flowing its third-party requirements down to you, or an insurer assessing a cyber policy. People rarely read about TRAs out of curiosity. If you are looking for one, something in a contract or a review has asked for it.

What is the difference between a TRA and a penetration test?

A penetration test is a human-led attack that proves what someone could actually do to your systems. A TRA is the assessment that puts those facts in business terms: what the threats are, how likely each one is, how bad it would be, and what mitigations are in place. A pen test answers what is broken. A TRA answers whether you have assessed your risk and can show your work. They complement each other, which is why we test first and then write the assessment.

Is a TRA the same as a vulnerability scan?

No. A vulnerability scan is automated and continuous. It flags known issues across your cloud, containers, and dependencies at a point in time. A TRA is a structured document covering threats, risk ratings, and mitigations across your environment. A scan can feed a TRA, but scanner output on its own will not satisfy a reviewer asking for a Threat and Risk Assessment.

What do we get at the end of a TRA?

A defensible document you can hand to a government buyer, regulator, or enterprise reviewer: the scope and assets covered, the threats identified, a risk register rated by likelihood and impact, the findings from hands-on testing of your environment, your documented mitigations, and a prioritized remediation plan you can act on. We walk you through it, and we help you answer follow-up questions from whoever asked.

How does a TRA relate to CPCSC, NIST CSF, SOC 2, and ISO 27001?

The risk work overlaps heavily. ISO 27001 is a risk-based standard, so the threat and risk analysis feeds your risk assessment and Statement of Applicability. SOC 2 readiness expects you to document how you assess risk, and the testing behind a TRA also serves as pen-test evidence. NIST CSF is assessed as current versus target profiles, and a TRA gives you the risk picture those profiles reflect. For the Government of Canada defence supply chain we deliver CPCSC Level 1 only, the self-assessed entry tier against the 13 requirements under ITSP.10.171, and the TRA risk work feeds it directly.