A cybersecurity gap analysis,
explained from the ground up.
A gap analysis compares what your security program does today against a recognized framework and shows where the distance is. This page covers what that means, how it is traditionally done, what it usually costs, and where a guided first pass fits in.
What a cybersecurity gap analysis measures
A cybersecurity gap analysis is a structured comparison between your current security posture and the controls a chosen framework expects you to have. Each gap is the difference between where a control stands today and where the framework says it should be, and the result is an ordered list of what to close first.
THE GAP
The gap is the distance between the two, ranked by what to close first.
How the analysis works, step by step
The method is a repeatable workflow, not a one-off report.
Framework selection
Choose the standard you measure against. NIST CSF 2.0 sets the structure here.
Guided assessment
Answer focused questions about your controls, with guidance on what each one asks for.
Scoring
Your answers map to framework categories and produce a maturity score per area.
Gap identification
Each area is compared to the expected control level, surfacing where you fall short.
Remediation roadmap
Gaps become prioritized actions, ordered by severity and tagged to the relevant CSF categories.
Expert review
A practitioner checks the findings and helps plan the work where the stakes justify it.
How a gap analysis is traditionally run
Run the classic way, it is a consulting engagement across four phases over roughly four to eight weeks. The work is largely manual, which is what drives both the timeline and the price.
Understand your obligations
1–2 weeksMap the regulations and frameworks that apply to you.
Assess current state
2–4 weeksInventory assets, policies, and systems as they exist today.
Map requirements to measures
1–2 weeksCompare each requirement against what is actually in place.
Document and categorize gaps
1 weekRecord each gap and rank it by severity and business impact.
What the traditional approach costs
A manual gap analysis is expensive in two currencies, money and time. These are typical ranges for a consulting engagement, not fixed prices.
Typical engagement
for a mid-size organization, before internal hours.
The tradeoffs of the manual method
It produces a thorough report, but the cost shows up in three dimensions. Because it captures a single point in time, the picture also begins aging once the engagement ends.
High costs
- Mid-size org
- $15K–$40K
- Large enterprise
- $40K–$100K+
- Internal time
- 40–80 hrs
Plus the staff hours pulled off other work.
Long timelines
- Scheduling
- 1–2 wks
- Manual assessment
- 2–4 wks
- Roadmap prep
- 1 wk
Roughly one to two months end to end.
Quality issues
- Consultant variability
- inconsistent
- Manual errors
- possible
- Scope
- budget-bound
A single point-in-time snapshot.
Traditional consulting vs a guided first pass
A common pattern: run the guided pass first for a consistent baseline, then bring in experts for the areas that warrant it.
Traditional consulting
- Timeframe
- 4–8 weeks
- Cost
- $15,000–$40,000
- Method
- Manual, varies by consultant
- Outcome
- Static, point-in-time
CyberGapAudit first pass
- Timeframe
- 10–15 minutes
- Cost
- Free
- Method
- Consistent, repeatable
- Outcome
- Prioritized, with evidence
What the guided pass produces
A guided first pass turns your answers into a concrete deliverable: a maturity score, coverage by NIST function, and a prioritized list of what to fix, each item tagged to a CSF category with the evidence you would be expected to show. The numbers below are a sample output, shown to illustrate the format. They are not your results.
Sample output · illustrative. Not your results.
Maturity score
sample figure
Coverage by NIST function
Prioritized remediation
Evidence · IdP configuration export
Evidence · SIEM ingestion config
Evidence · RACI matrix
Frameworks you can measure against
The guided assessment is built on NIST CSF 2.0 and its six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Others are being added over time.
How different sectors map to frameworks
The same method applies across regulated industries. Each maps its obligations to one or more cybersecurity frameworks.
Questions people ask
How long does the free assessment take?
About 10–15 minutes for a first pass. It covers the foundations of your posture and returns a maturity score mapped to NIST CSF categories.
Which framework does it use?
It is aligned to NIST CSF 2.0. ISO 27001, CIS Controls, SOC 2, PCI DSS, HIPAA, and GDPR are on the roadmap.
Does this replace a formal audit?
No. A gap analysis identifies and prioritizes gaps. A formal certification audit still requires a qualified auditor.
Are my answers stored?
Yes, in your encrypted account, so you can revisit them and track progress over time. You can delete your account at any time.
What do the paid tiers add?
A deeper assessment, per-control breakdowns, remediation planning, evidence guidance, scheduled reruns, and a framework-aligned action plan with status tracking.
Run your first pass
Begin with a free, NIST-aligned assessment. You will end with a maturity score and a prioritized starting point. No credit card required.