Essential
€700 / year
For organisations that need the security baseline — and not much else.
Just the baseline (Cybsis Baseline), single instance, Core ISMS stripped to essentials.
Start with Essential →/ˈkyp.sis/ (Cybersecurity & Standards Implementation Software)
A typical ISO 27001, BSI GS++, or E-ITS implementation takes six months and pulls 15–25 people into workshops, drafting, and review. With AI Assistant, AI Documents, and Ludwig doing the bulk of risk identification, policy drafting, evidence analysis, and gap detection, customers reach audit readiness in about two months with 3–5 reviewers — a fraction of the staff time.
Or assemble exactly what you need from the à la carte catalogue.
€700 / year
For organisations that need the security baseline — and not much else.
Just the baseline (Cybsis Baseline), single instance, Core ISMS stripped to essentials.
Start with Essential →€2,950 / year
The full ISMS suite, one standard of choice — same price as Cybsis 1.x.
Full Core ISMS, one standard of choice, one instance.
Start with Reasonable →€14,950 / year
Everything Cybsis 2.0 does today — and every paid module Cybsis ships tomorrow.
17 paid modules + 3 standards bundled + 3 sub-instances. Every future paid module folds in at no extra charge — that's the load-bearing part.
Start with Complete →A single Cybsis 2.0 installation can run any number of standards concurrently — assets, business processes, risks, and controls are shared across them, not duplicated per framework. The catalogue spans ISMS, privacy, financial regulation, AI governance, sector-specific operations, business continuity, and sustainability reporting, and any framework — in the catalogue or not — is mapped into your instance on request, typically in about two weeks. No upper limit on concurrent standards in one installation.
Most ISMS platforms ship in English regardless of locale and call that internationalisation. Cybsis treats UI strings and the standards catalogue as the same problem: an Estonian municipality reads E-ITS in Estonian, a German enterprise reads BSI Grundschutz auf Deutsch, a Spanish buyer reads ENS in Spanish. Translation is done by people with subject-matter context, not a generic translation API — which is why the catalogue grows in lockstep across locales rather than one language racing ahead with poor phrasing in the others.
Sparkle buttons across the product. Suggests risks from asset descriptions, surfaces next-best-actions on the dashboard, analyses uploaded policies for coverage gaps, walks you through implementing a single control. Never auto-applies — you confirm, edit, or reject every suggestion.
€400/yrbring your own provider
Drafts policies, procedures, risk assessments, and BCM plans from your instance data plus a structured questionnaire. Output flows through the same 5-stage document lifecycle as hand-written documents; on approval, the controls each document satisfies auto-link to it.
€600/yrbring your own provider
A seasoned information-security specialist in chat form. Reads your live instance data, answers questions about standards, controls, risks, audits, and the platform itself, and proposes actions you approve before they run. Refuses out-of-scope questions politely.
€1,500/yrbring your own provider
Three provider modes. (1) Bring your own key — Anthropic, OpenAI, Gemini, or Azure OpenAI. (2) A self-hosted OpenAI-compatible endpoint (Ollama, vLLM, or any in-house LLM) for air-gapped and high-security deployments where no prompt leaves the network. (3) Or let RaulWalter provide the AI key — we wire up the provider, you get everything from one place, inference billed alongside your annual subscription.
Most compliance tools are built for the implementation sprint — get to the first audit, pass it, declare victory. The next year is silent decay: assets get added without their risks recalculating, processes change without the policies catching up, control owners leave and nobody notices the gap until the next audit lands.
Cybsis is built for the year between audits. Every asset, business process, risk, control, and document is linked to the others — when one moves, the things that depend on it surface as work, not as silent drift. The dashboards track control status, evidence freshness, and overdue reviews — the living state of the ISMS, not just what existed at sign-off.
The next audit becomes a snapshot of a system you've been keeping running, not a project you have to rebuild.
Return on security investment
Every control you implement lowers expected loss; Cybsis puts a money figure on it. Using the ENISA ROSI method, it takes the annual loss expectancy before controls — how likely a risk is, multiplied by what it would cost — subtracts the loss that remains once controls are in place, and weighs the difference against what those controls cost to run. The cost side counts both licence spend and people-time, and the people-time is derived from real activity in the system, not self-reported hours. Figures surface on each risk, roll up across the register and the dashboard, and export as a board-ready PDF or spreadsheet. It's free in every installation and opt-in per instance — and it ships no invented numbers: you set the loss values for your own organisation, or it waits in configure to enable until you do.
Annual loss expectancy = how likely × how costly
ROSI = (loss avoided − annual control cost) ÷ annual control cost
Any framework runs side by side in a single installation — ISO 27001, GDPR, NIS2, DORA, NIST CSF, SOC 2, HIPAA, EU AI Act, TISAX, E-ITS, Cybsis Baseline, BSI GS++ and more — with no limit on how many. Assets, business processes, risks, and controls are shared across them, not duplicated per framework. We map each framework into your instance on request, typically in about two weeks. Compare with the typical pattern: a different tool per regulation, then a separate integration tool to keep them in sync.
Three deployment options: RW Hosting on AWS eu-north-1 (managed, with same-day updates and active support, flat €300/yr), your own cloud via Docker (no extra charge), or on-premise for high-security buyers. Pick the trade-off you want; nothing leaves your network on self-hosted, and even on RW Hosting only an AI feature with your provider key sends content outside your trust boundary.
Most ISMS platforms ship a username-and-password form and call it secure. Cybsis defaults to passkeys (WebAuthn) — hardware security keys like YubiKey included — and supports Active Directory / LDAP for enterprise SSO. Estonian public-sector buyers get TARA, the state SSO covering ID-card, Mobile-ID, and Smart-ID; private-sector buyers authenticate users with ID-card via Web eID. Commercial Mobile-ID and Smart-ID added on request — Estonia's two decades of digital-government authentication sets the floor, not the ceiling.
À-la-carte modules from €400/year, three combos at €700, €2,950, and €14,950, standards at €600 each beyond what's bundled. No per-user pricing, no per-asset pricing — adding the eleventh staff member costs the same as the first. Every list price sits on the website, the configurator does the maths in your browser, and the quote you receive matches the selections you made. No expansion path priced behind a sales call.
Cybsis quantifies return on security investment the ENISA way — expected loss avoided versus what controls cost to run, counting both licence spend and the people-time inferred from real activity. Every risk carries a money figure; the register, dashboard, and a board-ready report roll them up. Free in every installation, opt-in, and built on your own loss values, never invented ones.
Three opt-in AI features — Ludwig the chat advisor, AI Assistant in the workflow, and AI Documents for policy drafting — all off by default, and none of them auto-applies anything: every suggestion is confirm, edit, or reject. You choose the model, not us. Bring your own key (Anthropic, OpenAI, Gemini, Azure OpenAI), point at a self-hosted endpoint (Ollama, vLLM, or your in-house LLM) so no prompt ever leaves your network, or let RaulWalter supply the key on a single invoice. Most platforms bolt AI on and quietly route your compliance data through their own account; Cybsis treats the model as infrastructure you control.
Pick a combo, add the modules you need, request a quote. We respond with a draft licence — a 12-month term with fixed pricing and updates included. Sign, we invoice, we deploy where you want it. No phone calls, no demos required upfront.