AI Threat Readiness Assessment

How ready is your organisation for AI-specific threats?

A structured 24-capability assessment built on NIST CSF 2.0, purpose-authored for organisations deploying, integrating, or being targeted by AI. Delivers a findings report, heatmap, and roadmap in days.

See a sample report

$4,995 one-time · No subscription · Full report delivered within your assessment

Standard frameworks were not designed for AI-era threats

Traditional NIST CSF assessments cover the controls that matter for conventional attacks. They do not specifically address adversary use of AI, exposure of your own AI systems, model-targeting attacks, AI-assisted social engineering, or supply-chain risk in AI components.

This assessment starts from NIST CSF 2.0 as its backbone, then applies AI-specific capability definitions, BARS anchors, and crosswalks to the frameworks that speak to AI threats directly: MITRE ATLAS, CSA MAESTRO, NIST AI RMF, and NIST SP 800-218.

The result is a credible, audit-defensible baseline that a board, regulator, or cyber insurer can read — and that your security team can action.

Adversary AI use
AI-assisted phishing, deepfake social engineering, AI-accelerated reconnaissance and exploitation
Your AI systems as attack surface
Model gateways, vector stores, inference endpoints, training pipelines, and MLOps tooling
AI supply-chain risk
Third-party model provenance, training data exposure, embedded AI in vendor SaaS
Governance gaps
Risk appetite not calibrated for AI-era threats; board visibility without measurable thresholds

24 capabilities across all six NIST CSF 2.0 functions

Each capability has BARS anchors (L1–L5) and a target maturity level calibrated to the buyer profile. Respondents are routed to the capabilities relevant to their role.

GV Govern 4 capabilities
  • Board AI threat awareness
  • Risk appetite recalibration for AI-era threats
  • Third-party AI risk policy and contracting
  • Security budget posture vs threat trajectory
ID Identify 4 capabilities
  • Asset inventory including AI assets and data flows
  • Vulnerability management coverage and SLA
  • External attack surface management
  • SBOM and software supply-chain transparency
PR Protect 5 capabilities
  • Patch and vulnerability remediation cadence
  • Configuration hardening automation
  • Phishing-resistant MFA coverage
  • Privileged access containment and segmentation
  • Secure-by-design SDLC, including AI-using systems
DE Detect 4 capabilities
  • Detection telemetry coverage
  • Behavioural and anomaly detection
  • AI-augmented triage and threat hunting
  • Detection time discipline and measurement
RS Respond 4 capabilities
  • SOAR and response automation maturity
  • Decision rights and escalation paths
  • Stakeholder and regulator communication playbooks
  • Tabletop exercise frequency and realism
RC Recover 3 capabilities
  • Immutable backup posture
  • Critical-service RTO realism
  • Business continuity tested vs AI-attack scenarios

Framework crosswalks included

Every capability is mapped to the frameworks that security teams, auditors, and regulators already reference — so findings slot directly into your existing risk and compliance vocabulary.

MITRE ATLAS v5.4

Adversarial threat landscape for AI systems — maps your capabilities to known AI attack techniques and tactics.

CSA MAESTRO

Cloud Security Alliance's 7-layer AI security model — covers the full stack from hardware to orchestration.

NIST AI RMF

AI Risk Management Framework — the emerging standard for AI governance, risk, and control obligations.

NIST SP 800-218

Secure Software Development Framework — covers secure-by-design practices for AI-using and AI-producing systems.

NIST SP 800-30

Risk assessment guide — underpins the risk-appetite and threat-modelling capabilities in the Govern and Identify domains.

OWASP LLM Top 10

Top 10 risks for LLM-integrated applications — relevant to protect and detect capabilities covering AI-using systems.

What you receive

The assessment produces a complete set of findings in the platform and a DOCX export you can rebrand and deliver directly to your board or client.

  • Capability heatmap — maturity scores across all 24 capabilities and 6 CSF functions, with gap-to-target overlaid
  • AI findings narrative — per-function findings written by the AI engine against your survey responses
  • Prioritised recommendations — ordered by impact and gap severity, not alphabetically
  • Phased roadmap — 30/60/90 day and 6-month horizon, editable in Word
  • DOCX export — full report in an editable Word document, ready to rebrand

Who runs this assessment

CISOs and security leadership

Establishing a credible baseline for board reporting, cyber insurance renewal, or regulatory engagement. The assessment produces findings in the language boards and auditors recognise.

Risk and legal teams

Building an evidence base for AI governance obligations, third-party AI risk reviews, or pre-contract due diligence on AI vendors.

Technology consultants

Running AI threat readiness engagements for clients without building a custom rubric. The assessment ships with all anchors, crosswalks, and scoring logic already authored.

Internal audit teams

Preparing for AI-related regulatory scrutiny or commissioning an independent view of the security team's self-assessment. Survey distribution to multiple stakeholders is included.
AI Threat Readiness Assessment
$4,995. One assessment. Full findings.

No subscription. Includes the full capability assessment, multi-stakeholder survey, AI findings report, and DOCX export.

See all plans →

Common questions

Who fills in the survey?
You choose. Each invite can be scoped to the role groups relevant to that person — executive sponsors see eight capabilities, security leaders see all 24, data and AI specialists see the capabilities most relevant to their work. The platform routes the right questions automatically.
How long does it take?
Survey collection typically takes 1–2 weeks depending on stakeholder availability. The platform generates findings immediately after the last response is submitted. No waiting for a consultant to write up notes.
Do I need a Meridant account first?
No. New customers complete checkout and receive a set-password email. Your assessment credit is waiting when you log in for the first time. Existing subscribers add the credit to their account.
Can I use this for a client engagement?
Yes. The DOCX export is editable and rebrandable. Professional subscribers can run this inside a named client workspace with team-member access. Consultants running multiple AI Threat Readiness engagements should consider Professional for unlimited credits.
What frameworks are the crosswalks mapped to?
MITRE ATLAS v5.4, CSA MAESTRO, NIST AI RMF, NIST SP 800-218, NIST SP 800-30, and OWASP LLM Top 10. Each capability includes the relevant framework references, so your findings report speaks the language your auditors and regulators already use.
What if I need multiple assessments?
Each purchase covers one assessment run. If you're running several AI threat readiness engagements — for multiple clients or re-assessing the same organisation annually — talk to us about volume pricing at info@meridant.io.