Quoll transforms security metrics into the financial language your board demands — so every cyber investment decision is backed by evidence, not anxiety.
Our Mission
We believe every organisation deserves to know their true cyber exposure — not as a colour on a heatmap, but as a dollar figure their board can act on.
"Security teams speak in vulnerabilities. Boards speak in dollars.
Quoll is the translator."
The founding principle behind Quoll
Too many organisations spend millions on cybersecurity without knowing whether those investments actually reduce risk. CISOs present heatmaps and acronym-laden slides; boards nod politely and approve budgets based on fear rather than evidence. The result? Misallocated resources, unquantified exposure, and a widening gap between security operations and business strategy.
Quoll was built to close that gap. By combining graph-based threat modelling with the internationally recognised FAIR (Factor Analysis of Information Risk) methodology, Quoll produces what every CFO and board director actually needs: a dollar figure for cyber risk, backed by thousands of simulated scenarios, updated continuously.
The Platform
An end-to-end cyber risk quantification system — from threat model to board report in a single platform.
Financial Risk Quantification
Annual Loss Expectancy (ALE) with confidence intervals — the same probabilistic modelling your treasury team uses for market risk, applied to cyber.
Graph-Based Threat Modelling
Visualise how attackers move through your environment as interconnected pathways. See exactly where a control investment blocks the most attack routes.
MITRE ATT&CK Integration
Pre-built attack scenarios based on real-world threat intelligence — ransomware, APT, insider threat, data breach — mapped to your specific environment.
Continuous Validation
Ralph, our autonomous validation agent, continuously tests theoretical risk estimates against live infrastructure data — so your numbers stay grounded in reality.
Multi-Framework Compliance
ISO 27001, ISO 31000, IRAP, SOC 2, SOCI Act, CMMC 2.0, GDPR — generate audit evidence as a byproduct of doing risk management properly.
Executive Dashboards
Board-ready reporting: portfolio-level Value at Risk, risk appetite gauges, control ROI analysis, and trend tracking — all in financial terms.
Sovereign & Air-Gapped Deployment
Docker and Helm-based deployment for on-premises, classified, and air-gapped environments. Classification banners from UNCLASSIFIED through TOP SECRET.
The Founder
Sam Keogh
Founder & CEO
Sam Keogh built Quoll to solve a problem he saw repeatedly across enterprises: security teams couldn't speak the language of the boardroom, and boards couldn't evaluate cyber investment decisions with the same rigour they applied to every other business risk.
With a career spanning cybersecurity, risk management, and enterprise technology, Sam recognised that the gap between security operations and executive decision-making wasn't a people problem — it was a tooling problem. Existing platforms either produced qualitative heatmaps that couldn't answer financial questions, or required armies of consultants to operate.
Quoll was designed from the ground up to be different: an open-methodology platform built on the FAIR international standard, producing the same kind of probabilistic financial analysis that CFOs already trust in every other domain. Graph-based threat modelling makes the attack landscape tangible. Monte Carlo simulations make the numbers defensible. And executive dashboards make the conversation productive.
Based in Australia, Sam leads Quoll's development with a focus on serving organisations that operate in regulated, high-stakes environments — from critical infrastructure operators to defence contractors to financial institutions.
What We Stand For
Transparency
Open methodology. No black boxes. Every risk estimate in Quoll can be traced back to its inputs, assumptions, and evidence — because defensibility matters more than a dashboard score.
Financial Rigour
Cyber risk deserves the same analytical treatment as market risk, credit risk, and operational risk. If it can't be expressed in dollars, it can't drive a budget decision.
Sovereignty
Your risk data stays where you put it. Quoll deploys on-premises, in your cloud, or air-gapped. No SaaS lock-in. No data leaving your jurisdiction. Your infrastructure, your control.
Standards-Based
Built on FAIR, integrated with MITRE ATT&CK, aligned to ISO 27001/31000, IRAP, SOC 2, SOCI, and CMMC. We follow international standards so your auditors don't have to learn proprietary frameworks.
Continuous, Not Annual
Risk doesn't wait for your annual assessment cycle. Quoll continuously validates and updates risk estimates as your environment, threat landscape, and controls change.
Bridge-Building
We exist to bridge the gap between the people who understand security and the people who control budgets. When both sides share a common language, better decisions follow.
The Journey
From a frustration with heatmaps to a platform trusted in regulated environments.
The Problem Identified
After years of watching boards make multi-million dollar security decisions based on coloured squares, Sam began building a platform that could give them actual numbers.
FAIR + Graph Theory
Combined the internationally recognised FAIR methodology with graph-based threat modelling — creating a platform that models how attacks actually propagate, not just how they score on a checklist.
Ralph & Continuous Testing
Introduced the Ralph validation agent — an autonomous system that continuously tests risk estimates against live infrastructure data, keeping theoretical models grounded in operational reality.
Enterprise-Ready Platform
Full compliance coverage (ISO 27001, IRAP, SOC 2, SOCI, CMMC, GDPR), executive dashboards, sovereign deployment, and a growing community of organisations that finally know their cyber exposure in dollars.
Ready to Know Your Real Exposure?
See how Quoll turns your threat landscape into financial intelligence your board can act on.

