Antan IRM - Intelligent Risk Management
An AI-powered cyber risk platform I built and use in my own quantitative risk and decision analysis. It started as a simple replacement for the risk register in a spreadsheet, which I have always felt is a poor home for real risk management, and grew, function by function, into this. It turns scattered security data into quantified, board-ready decisions across your own register, third-party and product risk, and compliance, expressing risk in money and probability rather than gut-feel ratings.
A tool I built and use in my own engagements, not a supported product, and very much a work in progress: it already does real work, and it keeps getting better. There is no trial to sign up for; try the demo, and if you would like to know more about Antan IRM, get in touch. Feedback is welcome, and who knows, it may go public one day.

One platform, from your register to the board pack
Your own risk register, third-party and product risk, decision analysis, and compliance, brought into one place. A closer look at what the application does.
AI & knowledge
A conversational assistant grounded in your own risks, assessments, and documents, not the open internet.
- Conversational AI grounded in your risk data, with source citations
- RAG knowledge base over your own documents
- Specialist agents (threat intel, cybersecurity, compliance audit, incident response, cost-benefit, implementation planning) that show their reasoning
- Multi-provider LLMs (local Ollama, OpenAI, Google, Azure, Groq) with automatic fallback
- Built-in AI cost tracking and a spend ceiling
Quantitative risk analysis
Risk expressed in money and probability, not a colour on a heat map.
- Monte Carlo simulation
- FAIR-CAM loss modelling: annual loss expectancy and loss-exceedance curves
- Sensitivity analysis to find the factors that move the needle
- Portfolio-level risk aggregation and optimisation
Decision analysis
Compare and justify treatment options on evidence, not instinct.
- Multi-criteria decision analysis (MCDA), including AHP and value functions
- Cost-benefit and control-effectiveness modelling
- Reusable decision projects to compare and defend options
Third-party & product risk
Vendor and product risk managed alongside your own register, in one place.
- Vendor and product registers with tiered risk ratings
- Standardised questionnaires: IRQ, SIG Lite/Core, CAIQ, NIST CSF 2.0, ISO 27001:2022, SOC 2 Type I & II, NZISM
- AI-scored responses with automatic gap detection
- OSINT research: open-source, CVE/KEV, end-of-life, exploit, and dark-web intelligence
- Product CVE-exposure analytics across the fleet
Automation & monitoring
Scheduled work and integrations so the register keeps itself current.
- Scheduled reports and recurring vendor/product investigations
- Vulnerability-scanner integrations: Wazuh, OpenVAS/Greenbone, Trivy
- Real-time monitoring with a full observability stack
- Webhooks and an agent-to-agent (MCP) interface for the wider toolchain
Compliance
One assessment mapped to many obligations.
- Built on ISO 27005, ISO 31000, and NIST SP 800-39
- Control mappings across ISO 27001:2022, NIST CSF 2.0, SOC 2, PCI-DSS, GDPR, NIS2, DORA, CIS, and NZISM
Reporting
Board-ready output in minutes, not a weekend of slide-building.
- Board-ready reports with charts and narrative
- Versioned report library with scheduled delivery
- Export to PDF/Word, and publish to Confluence
Security & platform
Built to the standard I would expect of any system holding this data.
- Role-based access control across five roles
- Multi-factor authentication, passkeys (WebAuthn), and SSO
- Full audit logging and multi-tenant isolation
A secure agentic framework - AI that guards the AI
Antan IRM runs a team of specialist AI agents and a dedicated Security Agent, “Tony Synt”, that polices the others. Before any model runs, every request passes through a deterministic security interceptor: a pure-code gate that screens for prompt-injection and jailbreak attempts and routes attacks to a dead end. The Security Agent then watches the agent network from a tamper-evident audit trail, reports anomalies, maps findings to ISO 27001, NIST CSF, and NIST SP 800-53, and can pause or resume the fleet under strict admin control.
A deterministic guardrail, not a chatbot
Injection and jailbreak screening is pure code, run before any model. You cannot talk a regex out of blocking, so the usual route, jailbreaking the guard's own model, does not exist.
Separation of duties
The Security Agent reads the audit log but can never write to it. It cannot fabricate a clean record or suppress what it observed; the trail is owned by the interceptor alone.
Fails closed
A detected attack is blocked before any model executes. No specialist agent, no LLM, and no tool runs on a flagged request.
Privileged actions are gated
Pausing or resuming the agent fleet requires super-admin, is rate-limited, and is logged at critical severity before it runs.
Nothing is truly unhackable, and I will not claim otherwise. But because these protections live in deterministic, run-first, fail-closed code rather than an LLM you can argue with, the design is jailbreak-resistant and tamper-evident by construction. That is the active application security I have pioneered in the tool.
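The pattern described above (a deterministic, run-first, fail-closed gate; an audit trail only the interceptor can write; a Security Agent that reads and verifies but never appends; a privileged fleet pause/resume that is role-checked, rate-limited and logged at critical severity before it acts) can be shown in a few dozen lines. The code below is an added illustration written for this page, not Antan IRM's own implementation; the class names, the three screening patterns and the request strings are constructed for the example.

```python
import hashlib
import json
import re
import time

# Illustrative screening rules (constructed for this example; a real deployment
# carries a curated, versioned rule set). The gate is pure code: no model to argue with.
INJECTION_PATTERNS = [
    re.compile(r"\bignore\b.{0,40}\b(previous|prior|above) instructions\b", re.I),
    re.compile(r"\b(reveal|print|repeat)\b.{0,40}\bsystem prompt\b", re.I),
    re.compile(r"\byou are now\b.{0,40}\b(unrestricted|jailbroken)\b", re.I),
]


class AuditTrail:
    """Append-only, hash-chained trail. Only the interceptor holds a writer."""

    def __init__(self):
        self._entries = []

    def append(self, event):
        prev = self._entries[-1]["hash"] if self._entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self._entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for e in self._entries:
            body = json.dumps(e["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True

    def read_only(self):
        return ReadOnlyTrail(self)


class ReadOnlyTrail:
    """What the Security Agent is handed: it can read and verify, never write."""

    def __init__(self, trail):
        self._trail = trail

    def entries(self):
        return tuple(dict(e["event"]) for e in self._trail._entries)

    def verify(self):
        return self._trail.verify()


class Interceptor:
    """Screens every request before any model runs and owns the audit trail."""

    def __init__(self, trail):
        self._trail = trail
        self._seq = 0

    def log(self, severity, action, **detail):
        self._seq += 1
        self._trail.append({"seq": self._seq, "severity": severity, "action": action, **detail})

    def screen(self, request):
        for pat in INJECTION_PATTERNS:
            if pat.search(request):
                self.log("high", "blocked", rule=pat.pattern)
                return False
        self.log("info", "allowed")
        return True

    def run(self, request, model_fn):
        """Fail closed: a flagged request is routed to a dead end; model_fn is never called."""
        if not self.screen(request):
            return None
        return model_fn(request)


class SecurityAgent:
    """Watches the fleet through the read-only view; it cannot clean or suppress the record."""

    def __init__(self, view):
        self._view = view

    def report(self):
        blocked = [e for e in self._view.entries() if e["action"] == "blocked"]
        return {"trail_intact": self._view.verify(), "blocked": len(blocked)}


class FleetControl:
    """Pause/resume: super_admin only, rate-limited, logged at critical before the change."""

    def __init__(self, interceptor, min_interval_s=5.0):
        self._ic = interceptor
        self._min = min_interval_s
        self._last = -float("inf")
        self.paused = False

    def _privileged(self, role, action):
        if role != "super_admin":
            self._ic.log("high", "denied", requested=action, role=role)
            raise PermissionError(f"{action} requires super_admin")
        now = time.monotonic()
        if now - self._last < self._min:
            raise RuntimeError("rate limit: privileged action too soon after the last one")
        self._last = now
        self._ic.log("critical", action, role=role)  # written before the state changes
        self.paused = action == "pause"

    def pause(self, role):
        self._privileged(role, "pause")

    def resume(self, role):
        self._privileged(role, "resume")
```

The separation of duties is structural rather than procedural: the Security Agent's object simply has no append method, and any write outside the interceptor would have to forge a SHA-256 chain that `verify()` recomputes from the first entry.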
How Antan IRM reasons about risk
The same quantitative methods I use in advisory engagements, made tangible.
FAIR loss quantification
Factor Analysis of Information Risk decomposes a scenario into loss event frequency and loss magnitude, turning a vague worry into a defensible number.
Monte Carlo simulation
Thousands of simulated years produce a distribution of outcomes, not a single point estimate, so you can reason about the tail, not just the average.
Scenario modelling
Model the scenarios that actually threaten your organisation, then test how proposed controls move the expected loss before you spend a dollar.
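To make the three ideas above concrete, here is an added worked example (written for this page, not Antan IRM's own code) that takes a FAIR-style scenario expressed as calibrated min / most-likely / max ranges for loss event frequency and loss magnitude, runs a Monte Carlo simulation of thousands of years, reports annual loss expectancy, a tail percentile and a loss-exceedance curve, and then compares candidate controls by expected loss reduction per dollar. The scenario, the three treatment options and their costs and effects are constructed for illustration; PERT sampling and a Poisson event count are the modelling choices assumed here, not necessarily the tool's.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """FAIR inputs as calibrated ranges: (min, most likely, max)."""
    name: str
    lef: tuple  # loss event frequency, events per year
    lm: tuple   # loss magnitude per event, dollars


def pert(rng, lo, ml, hi, lam=4.0):
    """Modified-PERT sample: a Beta distribution shaped by the expert's min/most-likely/max."""
    if hi == lo:
        return lo
    a = 1 + lam * (ml - lo) / (hi - lo)
    b = 1 + lam * (hi - ml) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def poisson(rng, mean):
    """Number of loss events in one simulated year for a given frequency (Knuth's method)."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scn, years=10000, seed=7):
    """One annual loss total per simulated year: draw a frequency, then that many loss events."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        freq = pert(rng, *scn.lef)
        events = poisson(rng, freq)
        annual.append(sum(pert(rng, *scn.lm) for _ in range(events)))
    return annual


def ale(annual):
    """Annual loss expectancy: the mean of the simulated annual losses."""
    return sum(annual) / len(annual)


def percentile(annual, q):
    s = sorted(annual)
    return s[min(len(s) - 1, int(q * len(s)))]


def exceedance_curve(annual, thresholds):
    """Loss-exceedance curve: P(annual loss > x) for each threshold x."""
    n = len(annual)
    return [(x, sum(1 for loss in annual if loss > x) / n) for x in thresholds]


def apply_control(scn, lef_factor=1.0, lm_factor=1.0):
    """A treatment modelled as scaling the frequency and/or magnitude ranges."""
    return Scenario(scn.name,
                    tuple(v * lef_factor for v in scn.lef),
                    tuple(v * lm_factor for v in scn.lm))


def compare_controls(scn, options, years=10000, seed=7):
    """Rank treatments by expected loss reduction per dollar of annual cost."""
    base = ale(simulate(scn, years, seed))
    rows = []
    for name, cost, lef_f, lm_f in options:
        treated = ale(simulate(apply_control(scn, lef_f, lm_f), years, seed))
        reduction = base - treated
        rows.append({"option": name, "cost": cost, "ale_after": treated,
                     "reduction": reduction, "reduction_per_dollar": reduction / cost})
    return sorted(rows, key=lambda r: r["reduction_per_dollar"], reverse=True)


# Constructed scenario and options, not drawn from any real engagement.
RANSOMWARE = Scenario("Ransomware on the ERP estate",
                      lef=(0.2, 0.5, 1.0), lm=(50_000, 100_000, 300_000))
OPTIONS = [  # (name, annual cost, LEF factor, LM factor)
    ("EDR rollout", 60_000, 0.5, 1.0),
    ("Immutable backups", 40_000, 1.0, 0.6),
    ("Cyber insurance", 30_000, 1.0, 0.8),
]

if __name__ == "__main__":
    losses = simulate(RANSOMWARE)
    print(f"ALE ${ale(losses):,.0f}   P95 ${percentile(losses, 0.95):,.0f}")
    for x, p in exceedance_curve(losses, [0, 100_000, 250_000, 500_000]):
        print(f"P(annual loss > ${x:>9,}) = {p:.1%}")
    for r in compare_controls(RANSOMWARE, OPTIONS):
        print(f"{r['option']:18s} ${r['cost']:>7,}/yr -> ALE ${r['ale_after']:,.0f}, "
              f"${r['reduction_per_dollar']:.2f} of expected loss avoided per $ spent")
```

With these inputs the frequency range has a mean of about 0.53 events a year and the magnitude range a mean of about $125k, so ALE lands near $67k; the exceedance curve is the view that answers "what is the expected loss if we do nothing" at each tolerance level, and the last loop is the per-dollar comparison a board can actually act on. Using the same seed for the baseline and each treated run keeps the comparison on common random numbers, so the ranking reflects the controls rather than simulation noise.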
Heat maps don't survive a board meeting
A red square on a risk register tells a director nothing actionable. How much should we spend to make it amber? What is the expected loss if we do nothing? Which of three investments reduces exposure the most per dollar? Qualitative risk cannot answer these questions. Quantitative risk can.
Expressing risk in dollars and probabilities reframes the conversation from fear to finance. It lets you defend a security budget the way every other part of the business defends theirs: with numbers, ranges, and a clear line from spend to reduced loss. That is the conversation Antan IRM is built to start, and the one I help organisations have for real.
Want to know more about Antan IRM?
Try the demo, then get in touch. There is no trial to sign up for; if you would like to know more about how Antan IRM works, or whether it could fit your organisation, I would be glad to hear from you.