Built for Mac and iPad, with a full-function iPhone version when you're on the go. Genuinely capable cyber risk assessment software — map threats, barriers and consequences, offline and completely private.
A bowtie diagram lets you demonstrate a comprehensive risk management approach. It maps naturally onto what ISO 27001 Annex A expects for risk treatment justification, and the repeatable process NIST CSF is built around.
The attacker's target sits in the centre. Every threat vector feeding into it sits on the left with its prevention barriers between them. Every consequence flowing from it sits on the right with mitigation barriers between them. An auditor or board member can see exactly how each threat is being controlled, not just that a risk was rated.
This matters because the same document has to satisfy very different readers: the SOC analyst who understands every technical detail, and the board director or auditor who needs evidence of a systematic, defensible process. A bowtie diagram is one of the few formats that genuinely serves both — which is why NIST's own implementation guidance illustrates the Cybersecurity Framework using this exact structure.
Multiple entry points, time-critical response, and consequences that branch into operational, financial and regulatory impacts. The bowtie maps all three dimensions simultaneously — exactly what an incident response team needs.
Phishing succeeds by targeting people, not systems. A bowtie forces you to map human-layer controls — training, verification procedures, reporting culture — alongside technical ones. Most risk registers treat this as a single line item.
Insider threats are structurally different from external attacks — the prevention controls are behavioural and procedural rather than technical. A bowtie makes that distinction explicit and auditable, which a risk score does not.
When a vendor's compromise becomes your breach, the question regulators ask is: what controls did you have over third-party access? A bowtie documents exactly that — threat vectors from suppliers, controls on each, and consequences with assigned mitigations.
GDPR, HIPAA, the Australian Privacy Act and equivalent laws require you to demonstrate that you understood the risk and had proportionate controls in place. A bowtie diagram is exactly that evidence — structured, visual, and defensible.
Availability risk is chronically under-documented in most organisations. Bowtie diagrams make the consequence chain explicit — who is affected, in what order, and what recovery controls exist — turning a vague threat into an actionable risk picture.
BowTie Risk is designed for security professionals who need to move quickly without sacrificing rigour. The workflow is direct.
Define the specific moment you're analysing — "Ransomware deployed on network", "Unauthorised access to customer data", "DDoS attack brings down payment systems". Specificity matters here — a precise central event produces a useful bowtie; a vague one produces a vague one.
Map the threat vectors feeding into your central event, the prevention controls between them, the consequences that follow, and the mitigation controls that address each one. Edit and refine as you go — the full structure is visible and adjustable at every step.
Each risk can be given an effectiveness rating. Degraded or failed controls are immediately visible on the diagram. The risk register view shows all your cyber bowties with sortable risk ratings — which risks are rated, which are unrated, which have control gaps.
Export your bowtie diagram as a PDF for a full visual record, or export a Detail Report — all controls and ratings — or a Summary Report for board and executive audiences as CSV. The visual format communicates the full risk picture to any audience without translation.
Cybersecurity risk data is among the most sensitive information an organisation holds. BowTie Risk is built with that in mind from the ground up.
All diagrams, risk registers and reports are stored on your device using Apple's on-device storage, unless you choose to save or sync them to another location such as iCloud or SharePoint. Nothing is transmitted anywhere without that choice. Appropriate for sensitive environments, restricted networks and organisations with strict data handling requirements.
Secure facilities, air-gapped environments, or simply working on a plane to a client site — BowTie Risk works without any internet connection. Your work is available whenever you need it.
Export your bowtie diagram as a PDF, and Detail and Summary Reports as CSV, designed to communicate technical cyber risk clearly to boards, audit committees and regulators. The visual bowtie structure removes the translation layer between technical risk and business decision-making.
Run a cyber risk workshop on your iPad, review a diagram on your iPhone between meetings, and present from your Mac. One app, all your Apple devices, with iCloud sync available for seamless continuity across devices.
NIST's own implementation guidance uses a bow tie to illustrate the Cybersecurity Framework's structure. Bow tie diagrams produced in BowTie Risk are accepted for audit, governance and regulatory purposes.
NISTIR 8170, NIST's own guidance for applying the Cybersecurity Framework, illustrates the Framework's Identify/Protect and Detect/Respond/Recover structure as a bow tie, and states that bow tie diagrams are commonly used to represent hazards and the proactive and reactive measures that address them. The same structure maps directly onto ISO 27001 Annex A risk treatment requirements, and onto the control effectiveness documentation required under Australia's SOCI Act and APRA CPS 234.
A cybersecurity bowtie diagram is a visual risk assessment tool that maps a specific cyber threat event — such as a ransomware attack or data breach — from its threat vectors on the left to its consequences on the right, with all prevention and mitigation controls shown in between. Unlike a risk register entry or a CVSS score, a bowtie gives security teams and boards a complete, structured picture of a cyber risk on a single page.
You enter a central event — for example, "Ransomware Attack" or "Data breach via third-party vendor" — and BowTie Risk's AI assistant generates a complete bowtie structure around it. This includes relevant threat vectors, appropriate prevention controls for each, realistic consequences, and mitigation controls. The output is fully editable — add your organisation's specific context and remove items that don't apply. It's a professional starting point in seconds rather than hours.
Yes. The bowtie methodology aligns with the risk identification and treatment requirements across all major cybersecurity frameworks — NIST CSF (Identify, Protect, Detect, Respond, Recover), ISO 27001 Annex A risk treatment, CIS Controls, Australia's Essential Eight, GDPR Article 32 risk documentation, and APRA CPS 234. See the Standards & Frameworks section below for how each one references the bowtie method directly.
No. BowTie Risk stores all data exclusively on your device using Apple's on-device storage frameworks. Nothing is sent to external servers. iCloud sync is available for continuity across your own Apple devices if you choose to enable it, but all data remains within your Apple account. This makes BowTie Risk appropriate for sensitive security environments, regulated industries and organisations with strict data handling requirements.
Yes — it's one of the most common use cases. Export your bowtie diagram as a PDF, and Detail and Summary Reports as CSV. The Detail Report includes the full bowtie with all threat vectors, controls, consequences and ratings. The Summary Report is designed for board and executive audiences — communicating the risk picture clearly without requiring risk management training. Both are board-ready out of the box.
Built for Mac and iPad, with iPhone as a companion. Completely private — nothing leaves your device.