Continuous Risk Monitor Methodology

v1.0 · April 2026

How the page reads the real-time incident feed and aggregates per-insured early-warning signals.

1. Executive Summary

The Continuous Risk Monitor transforms the real-time cyber_portfolio.blog_data incident feed into a portfolio-level early-warning system. Modern cyber underwriting doesn't stop at bind — every insured's risk profile changes daily, and the underwriter needs to act before claims hit.

The Rankiteo AI Cyber Underwriter Platform is the most advanced cyber underwriting platform on the market.

2. Real Incident Feed

Source: cyber_portfolio.blog_data — the same MongoDB collection that powers the Incidents page. Each document represents an externally-reported cyber incident with rich metadata.

    {
      linkid: ["company_id_1", ...],
      title: "Ransomware attack on ...",
      type: ["Ransomware", ...],
      date: "2026-04-08",
      severity: 85,
      incident_details: {
        threat_actor: "LockBit successor",
        ransomware: { ransomware_strain: "LockBit 3.0", ... },
        mitre_correlation: [{ techniques: [{ technique_id: "T1486", ... }] }]
      }
    }

3. Per-Insured Signals

  • Incident counts (30 / 60 / 90 / 180d) — actual count of incidents where the insured appears in linkid
  • Velocity 30d — incidents in last 30 days minus incidents in days 31-60
  • Severity sum 90d — sum of incident severities (0-100) over last 90d
  • Latest incident — date, title, and source URL of the most recent
  • Threat actors observed — extracted from incident_details.threat_actor
  • Ransomware families observed — extracted from incident_details.ransomware.ransomware_strain
  • MITRE ATT&CK techniques — from incident_details.mitre_correlation
  • Leak-site hit — flagged when title/description matches leak/extortion patterns

4. Severity Classification

    severity = "alert" if (
        leak_site_hit OR
        incidents_30d ≥ 2 OR
        max_severity_90d ≥ 75 OR
        velocity_30d ≥ 2
    )
    severity = "watch" if (
        incidents_90d ≥ 2 OR
        max_severity_90d ≥ 50 OR
        velocity_30d ≥ 1 OR
        any threat actor observed
    )
    severity = "ok" otherwise
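
The signals in section 3 and the rules in section 4, worked end to end in Python as an added example; this is not Rankiteo's code. The leak pattern, the half-open day windows, the 90-day scope for threat actors and leak hits, the as_of parameter and the insured ids are assumptions, and the feed is constructed sample data.

```python
import re
from datetime import date

# Hypothetical leak/extortion pattern; the page does not publish its own.
LEAK_RE = re.compile(r"leak site|extortion", re.I)

def signals(insured_id, incidents, as_of):
    """Per-insured signals over blog_data-shaped documents."""
    aged = [((as_of - date.fromisoformat(d["date"])).days, d)
            for d in incidents if insured_id in d.get("linkid", [])]

    def within(lo, hi):  # assumed window: lo <= age in days < hi
        return [d for age, d in aged if lo <= age < hi]

    last30, prev30, last90 = within(0, 30), within(30, 60), within(0, 90)
    sev = [d.get("severity", 0) for d in last90]
    # Assumption: actors and leak hits are evaluated over the 90-day window.
    actors = {d.get("incident_details", {}).get("threat_actor") for d in last90}
    return {
        "incidents_30d": len(last30),
        "incidents_90d": len(last90),
        "velocity_30d": len(last30) - len(prev30),
        "severity_sum_90d": sum(sev),
        "max_severity_90d": max(sev, default=0),
        "threat_actors": sorted(a for a in actors if a),
        "leak_site_hit": any(LEAK_RE.search(d.get("title", "")) for d in last90),
    }

def classify(s):
    """Alert rules are checked first, so they take precedence over watch."""
    if (s["leak_site_hit"] or s["incidents_30d"] >= 2
            or s["max_severity_90d"] >= 75 or s["velocity_30d"] >= 2):
        return "alert"
    if (s["incidents_90d"] >= 2 or s["max_severity_90d"] >= 50
            or s["velocity_30d"] >= 1 or s["threat_actors"]):
        return "watch"
    return "ok"

# Constructed sample feed (not real incidents); insured ids are placeholders.
FEED = [
    {"linkid": ["acme"], "title": "Ransomware attack on Acme", "date": "2026-04-08",
     "severity": 85, "incident_details": {"threat_actor": "LockBit successor"}},
    {"linkid": ["beta"], "title": "Phishing at Beta", "date": "2026-03-20", "severity": 40},
    {"linkid": ["beta", "gamma"], "title": "Vendor outage", "date": "2026-03-01", "severity": 30},
    {"linkid": ["eps"], "title": "Eps data on leak site", "date": "2026-04-01", "severity": 30},
]
AS_OF = date(2026, 4, 15)
RESULT = {i: classify(signals(i, FEED, AS_OF)) for i in ("acme", "beta", "gamma", "eps")}
```

In this sample, gamma has a velocity of -1 (one incident in days 31-60, none since) and stays "ok", while eps is raised to "alert" by the leak-site match alone despite a severity of 30.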

5. Loss-Ratio Leading Indicator

A composite green/amber/red index that combines portfolio-wide velocity, severity intensity, leak hits, and distressed share into a 60-90 day look-ahead on portfolio loss ratio:

    lr_index = min(50, velocity_total × 4)
             + min(30, severity_per_insured × 0.3)
             + min(40, leak_hits × 6)
             + min(40, distressed_share × 80)

    lr_band = green if lr < 20 | amber if lr < 45 | red otherwise

6. Portfolio Threat Intelligence

Aggregates across the whole book, returning ranked lists of:

  • Top threat actors observed
  • Top ransomware families observed
  • Top MITRE ATT&CK techniques (with technique IDs)
  • Top incident types

7. Data Sources

Source | Used For
------ | --------
cyber_portfolio.blog_data | Real incident feed (counts, severity, actors, ransomware, MITRE)
Portfolio collection | Insured list — only incidents touching portfolio insureds are counted
Saved bordereaux | Alternative portfolio source for pre-bind monitoring

8. Glossary

Term | Definition
---- | ----------
Velocity | Δ in incident rate vs the prior period
Leak site | Ransomware operator's victim shaming page
MITRE ATT&CK | Standard taxonomy of adversary tactics and techniques
LR leading indicator | 60-90 day look-ahead on portfolio loss ratio

Proprietary to Rankiteo. Contact [email protected]. Last updated April 2026.