Security Delivery Orchestration Tool — SDOT
For the record.
You have already done the thinking. This tool makes sure the right people answer for it. Route questions to the people who own each area. Collect their evidence, accountability, and reasoning. Chase them when they do not respond. Present the status to the people who govern it.
Four responses to every question: yes, no, don't know, or skip. Supporting notes, files, and links on any answer. Deadlines and automated chasers on every delegation. Attribution and timestamps on everything. The complexity is in what gets asked, not how it gets answered.
What this is
Orchestrate the delivery, not the workshop.
This is not a threat modelling tool. It does not help you identify threats or draw diagrams. It takes the output of that thinking and orchestrates the collection of evidence, accountability, and decisions from the people who own each piece. Every answer is timestamped, attributed, and immutable. Every delegation has a deadline and a chaser. Every risk acceptance shows you the downstream impact before you commit.
Structured around NCSC CAF v4.0, NHS DSPT, UK GDPR, and Shostack's Four Question Framework. The methodology defines what to ask. The app orchestrates who answers, collects the evidence, and presents the statistics and status. For a PMO, status is observed, not collected.
How it works
Every question, four responses, then move on.
"?" sets a deadline and delegates to the person who has the answer. The chaser follows up every 48 hours. Silence is visible.
Full methodology
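The delegation and chaser loop described above, modelled as an added example (this is illustration code written for this page, not SDOT's own implementation). It assumes the four responses, a 48-hour chaser interval, an append-only record where a later answer supersedes rather than edits an earlier one, and that the practitioner owns a question until it is delegated; the class and function names are invented for the example.

```python
"""Added example: delegation, chasers and status visibility for one assessment."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

CHASER_INTERVAL = timedelta(hours=48)  # "follows up every 48 hours"


class Response(Enum):
    YES = "yes"
    NO = "no"
    DONT_KNOW = "don't know"
    SKIP = "skip"


@dataclass(frozen=True)  # frozen: an answer is never edited after it is recorded
class Answer:
    question_id: str
    response: Response
    answered_by: str
    answered_at: datetime
    note: str = ""


@dataclass(frozen=True)
class Delegation:
    question_id: str
    delegated_by: str
    delegated_to: str
    delegated_at: datetime
    deadline: datetime


def chaser_schedule(d: Delegation) -> list[datetime]:
    """Chaser send times: every 48h after delegation, up to and including the deadline."""
    times, t = [], d.delegated_at + CHASER_INTERVAL
    while t <= d.deadline:
        times.append(t)
        t += CHASER_INTERVAL
    return times


def chasers_sent(d: Delegation, now: datetime) -> int:
    return sum(1 for t in chaser_schedule(d) if t <= now)


class AssessmentLog:
    """Append-only log: nothing is removed, the latest entry for a question wins."""

    def __init__(self, owner: str):
        self.owner = owner  # practitioner who owns every question until handed off
        self._answers: list[Answer] = []
        self._delegations: list[Delegation] = []

    def record(self, a: Answer) -> None:
        self._answers.append(a)

    def delegate(self, d: Delegation) -> None:
        self._delegations.append(d)

    def current_answer(self, qid: str) -> Optional[Answer]:
        return next((a for a in reversed(self._answers) if a.question_id == qid), None)

    def latest_delegation(self, qid: str) -> Optional[Delegation]:
        return next((d for d in reversed(self._delegations) if d.question_id == qid), None)

    def status(self, qid: str, now: datetime) -> str:
        """Human-readable status; silence from a delegate is made explicit, not hidden."""
        a, d = self.current_answer(qid), self.latest_delegation(qid)
        delegate_answered = (
            a is not None and d is not None
            and a.answered_by == d.delegated_to and a.answered_at >= d.delegated_at
        )
        if d is not None and not delegate_answered:
            sent = chasers_sent(d, now)
            if now > d.deadline:
                return f"overdue: {d.delegated_to} has not responded ({sent} chaser(s) sent)"
            return f"awaiting {d.delegated_to} ({sent} chaser(s) sent)"
        if a is not None:
            return f"{a.response.value} by {a.answered_by}"
        return f"unanswered, owned by {self.owner}"


def demo() -> AssessmentLog:
    """Constructed sample data: one answered question, one delegated with a 7-day deadline."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    log = AssessmentLog(owner="alice")
    log.record(Answer("Q1", Response.YES, "alice", t0, note="see policy doc"))
    log.delegate(Delegation("Q2", "alice", "bob", t0, t0 + timedelta(days=7)))
    return log


if __name__ == "__main__":
    log = demo()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    for qid in ("Q1", "Q2", "Q3"):
        print(qid, "->", log.status(qid, t0 + timedelta(hours=73)))
```

The status view is what the PMO and auditor sections below rely on: it is derived from the log at read time rather than collected from people, and an overdue delegation stays visible with a count of chasers already sent.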
The phases
Data Declaration
What data do we hold? What obligations apply? Who is the data owner under GDPR?
Data Journey
How does it move? Seven stages: collect, transmit, process, store, share, retain, dispose.
Cyber Wrapper
What protects it? Components, access, identity, logging, permissions, suppliers, geography.
Operational Upkeep
Who keeps it running? SOC, DFIR, vulnerability management, patching, monitoring, BCP/DR.
Outcomes
39 CAF outcomes assessed. Governance, protection, detection, response. DSPT Objective E for NHS.
Evidence
Architecture diagrams, policy documents, test results, audit reports. Attached to outcomes. Proof, not claims.
Who uses this
Practitioners
You have done the thinking. Route the questions you cannot answer to the people who can. Own everything until you hand it off. The tool chases them so you do not have to.
Management and PMO
Portfolio-level status without a single status meeting. See which projects have gaps, which stakeholders are bottlenecks, what is overdue, and whose desk the problems are on. Revoke anything sent in error.
Auditors and compliance
Timestamped, attributed, versioned record of every decision, delegation, assumption, and assessment. Evidence attached to outcomes. Compliance reporting generated as a byproduct of the work.
Start now. No account needed.
Try the assessment flow in your browser. Session-only storage. Create an account to persist, delegate, upload evidence, and unlock the management backend.
Structured around
CAF v4.0
39 contributing outcomes across governance, protection, detection, and response.
DSPT
NHS England Objective E overlay for health and social care.
UK GDPR
Articles 5–49 mapped to journey stages and outcomes.
Shostack 4Q
What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job?
Identify yourself
Who are you?
You own every response until you explicitly delegate. Your name, role, and email are used for attribution.
Start now
No account needed. Run the assessment in your browser. Nothing sent to a server. Create an account later to persist, delegate, and generate receipts.
More with an account
Accounts unlock persistent storage, evidence uploads, contributor attribution, cross-system pattern detection, accountability mapping, and full audit history.