For IT, OT, cybersecurity teams, engineers, and cybersecurity consulting

Cybersecurity risk & compliance for IT and OT, engineered.

The Security Engineering Tool (SET) is a software tool for structured cyber risk assessment and explainable compliance.
It combines business and cyber contexts in a coherent methodology and creates a transparent decision-making framework—including verifiable documentation for NIS 2, CRA, ISMS, and all prevailing EU regulations at the touch of a button.

Contact an expert
A risk assessment without structure? Much too risky.

1. You have no common, systematic model to start from.
Relevant information about business, IT, and OT is spread across many departments. Without an explicitly modeled cyber system, there is no firm foundation for a structured risk assessment.

2. Risk assessments are inefficient and resource-hungry.
System experts are called on repeatedly; knowledge is exchanged manually; results are hard to replicate.
There is no structured process to consistently prioritize risks and draw logical conclusions for decision-making.

3. Decisions cannot be clearly justified.
There is no coherent and transparent line of argument between risks, measures, and regulatory requirements.
Security decisions cannot be justified convincingly to customers, suppliers, management, authorities, auditors, certification bodies, or conformity assessment bodies.

What happens when there’s no decision-making logic in cyber risk assessments?

The process eats into your time and budget, yet fails to yield a convincing, verifiable framework for decision-making.
This leads to audit discrepancies, rejected reports, and regulatory objections under NIS 2, KRITIS, CRA, or other EU requirements.
CE markings are delayed or expire—fines and personal liability risks become very real.

Cybersecurity with a clear decision-making and argumentation logic

SET uses intuitive diagrams to get business and cyber, IT and OT, engineers and users on the same page, so they can find the most streamlined security measures.

SET guides you swiftly and systematically through cybersecurity risk assessments that comply with common standards. Your security decisions are backed up by a crystal-clear rationale.

SET provides a transparent argumentation and decision-making logic that guides you through to compliance with international security regulations (NIS 2, CRA, etc.)—including legally watertight documentation at the touch of a button.

Clients about us

“I have seen Sarah and her team in action and I can confirm that these processes work wonders. Highly recommended.”

Mitchell Impey
Former ICS Security Manager, Norlys

“Until recently, our IT department didn't have the confidence to work on our devices and I didn't know how to explain the context to the admins in a way they could understand. Security aspects often went unnoticed as a result. With the support of the admeritia team, I finally found a clear language to connect IT and OT. Thanks to their comprehensible presentation of network models and functions, our IT is now actively involved. Collaboration is noticeably more efficient and we are implementing meaningful measures together - something I previously thought was impossible.”

Process Control Engineer
Chemical Company

“Risk analyses used to feel like endless, pointless spreadsheet work. I filled out Excel lists without understanding what use they had. With SET and the support of the team, this has changed. The risks are now clearly structured and prioritized, and every measure makes sense. Instead of filling tables, we work along the functions of our plant. I can finally see how the risk analyses really contribute to improving our plant safety - a real relief and time saver.”

OT Security Manager
Operator of Critical Infrastructures

“Previous consultants worked rigidly according to checklists without really understanding our plants. Their recommendations were mostly unrealistic and impossible to implement. With Sarah and her team, it was different: they took a close look at our systems and processes to develop realistic, reasonable security measures. The recommendations were clearly prioritized, so we knew where to start. For the first time, I felt like I was working with experts who really understood us and offered actionable solutions.”

Operation Manager
Operator of Critical Infrastructures and SEVESO-III

Visual language that allows management, IT, and OT to make joint decisions about security

SET’s intuitive diagrams create a shared understanding between business and cyber perspectives, IT and OT, engineers and users—the basis for well-founded decisions to make security as streamlined as possible.

A guided cyber risk assessment that clarifies your line of argumentation

SET guides you swiftly and systematically through cyber risk assessments, in compliance with all common standards (ISO/IEC 27001, IEC 62443, ISO/SAE 21434, etc.)—based on experience drawn from thousands of consulting workshops. SET turns complex security decisions into logical conclusions—a crystal-clear line of argumentation that you can explain at any time.

Legally watertight compliance

SET is a tool that guides you toward compliance with the European security regulations: NIS 2, CRA, GPSR, RED, Machinery Regulation, or Seveso III/Major Accidents Ordinance (KAS 51). At the touch of a button, you can generate legally watertight documentation and reports that auditors and authorities understand and accept.

The SET workflow

Six steps to transparent security decisions and explainable compliance

1. Business goals

We define which damage scenarios, cyber system functions, and regulatory requirements are really critical for your business.
The focus is not on abstract cyber risks, but on real impacts on your operations, customers, and organization.

2. Cyber model

Architecture, functions, dataflows, human interactions, and intended purpose are mapped in a common system model.
This creates a firm foundation for structured and transparent risk assessments.

3. Business impact

Functions of the cyber system are assigned to specific damage scenarios.
Business and cyber perspectives are combined—priorities arise from a real impact, not from a gut feeling.

4. Risk assessment

Risks and threats, likelihoods and impacts are evaluated in a structured manner.
Security requirements are derived logically—streamlined, reasoned and always explainable.

5. Compliance check

Risks, security requirements, and regulatory requirements are consistently linked.
SET clearly indicates where requirements from NIS 2, CRA, RED, or other guidelines have been fulfilled—and what still needs to be added.

6. Compelling reports

A coherent decision-making logic leads to consistent documentation.
Legally watertight reports for auditors, authorities, and management are transparent, complete, and robust.

SET use cases: for manufacturers and operators of regulated systems

Manufacturers

SET is your one-stop shop for CRA-compliant risk evaluations and documentation:
Product models including intended purpose | Reusable for large product portfolios or tailored products | CRA showstopper management | Interpretation of essential requirements | Guided threat modeling and risk evaluation (TARA) | Technical documentation and user information | Compliance evaluations

Operators

SET is your impact-based cyber-risk-management and compliance tool for IT and OT:
Definition of events with severe consequences | System functions and architecture diagrams | Threat modeling and risk evaluation in line with industry standards (IEC 62443, ISO 27001, etc.) | Security requirements | Compliance check | Audit-ready reports for ISMS, NIS 2, etc.

Make your cyber risk assessment fit for decision-making and audits.

Request a live demo now

About admeritia

admeritia has specialized in cybersecurity for industrial systems and critical infrastructure since 2004. More than 760 companies trust in our expertise for the structured evaluation of cyber risks and the implementation of regulatory requirements in real IT and OT environments.

SET is the result of over 20 years of working in industrial cybersecurity, state-funded research, and active involvement in designing international standards such as ISO/IEC 27001 and IEC 62443. It consolidates this knowledge in a coherent methodology for traceable security decisions and explainable compliance.

The FAQ

SET is a cost-efficient tool for performing consistent cybersecurity risk assessments. It enables engineers to share critical system and process knowledge with cybersecurity teams, ensuring compliance with regulatory standards and focusing on real-world risks.

Absolutely. SET stays up-to-date with evolving standards and regulations, and we don’t just monitor them—we help shape them.

SET is designed for OT cybersecurity teams and engineers working together. It helps engineers contribute their operational expertise while ensuring cybersecurity teams manage compliance and risk effectively—all without overburdening anyone.

Yes, SET features a step-by-step guided workflow that simplifies the risk assessment process, making it faster, easier, and more consistent—even for those new to risk assessments.

SET saves engineers and cybersecurity teams time with automation and libraries, simplifying data entry and reducing repetitive tasks. This ensures assessments are efficient without adding unnecessary work to engineers' plates.

Yes, SET includes built-in compliance evidence capabilities, ensuring adherence to regulations like NIS-2, CRA, ISO 27001, and ISA/IEC 62443, while delivering reports that auditors and stakeholders can easily understand.

SET provides intuitive charts and graphs for comparing OT cyber risks across multiple sites. Drill-down capabilities offer detailed insights into individual site risks, empowering management with a clear overview.

SET offers a cost-effective, scalable alternative to external consultants. It empowers in-house teams to maintain control, ensures compliance, and delivers consistent results without ongoing dependency on outside expertise. That said, if you do prefer some consulting to get your risk assessments up to speed, admeritia, the consulting company that created SET, is happy to help.

SET focuses on engineer-driven assessments and actionable insights tailored to your specific sites. Unlike generic solutions that rely on high-level scoring, SET ensures real-world relevance and accuracy.

SET saves time and resources through automation, pre-built libraries, and a streamlined workflow. This efficiency enables faster, more accurate assessments while reducing costs associated with manual processes or external support.

Cyber-informed engineering is a great concept, but it implies that engineers shoulder the cybersecurity burden. With our small twist to “engineering-informed cyber”, the emphasis is on the core point: That engineers’ knowledge is used for cybersecurity assessments. No matter who actually does them.

SET is available both as Software as a Service (SaaS) and On-Premise. The functionality of both versions is identical. You can choose which option best suits your needs.

SET is a web application that runs in your browser—it does not need access to any of your critical systems. SET doesn’t scan any assets and doesn’t need any agents. All we do is scan your engineers’ brains ;)

The cyber decision diagrams, a core concept behind SET, have been developed in a three-year government-funded research project on security by design. Their benefits have been validated in real projects at two large companies (chemical sector, component manufacturer). Dive deeper into the results at https://openhsu.ub.hsu-hh.de/entities/publication/16760.

Get a guided demo
with one of our consultants