Investment catalog
Every product, hire, and service CISO Game makes available, grouped by category. 99 vendor-neutral entries — each with posture contribution, team requirements, and the cybersecurity risks it helps mitigate.
How a CISO budget actually breaks down
A modern CISO budget runs across roughly fourteen capability layers. The biggest line items are usually Headcount (the team itself), SIEM (analyst tooling whose cost scales with log volume), IAM (the identity layer), and Compliance (audits plus attestations). Operational tooling (EDR, NDR, AppSec, Cloud) makes up the next tier. Architecture investments and Insurance round out the rest. The right mix depends on the company's stage, sector, and threat profile: a Series-B SaaS company won't budget like a regulated bank or a hospital network.
Best-of-Breed vs Platform — the consolidation question
Every CISO eventually faces the platform question: do you buy the best individual product in each category (best-of-breed) or commit to a platform that covers many categories at once (XDR, SASE, M365 E5, CNAPP, SSE)? Best-of-breed maximizes posture in each category but multiplies vendor-management and integration overhead. Platforms cap posture below the best-of-breed ceiling in exchange for a discount, less friction, and lower integration cost. CISO Game models this trade-off explicitly: events occasionally fire that punish a portfolio skewed too far toward either platforms or best-of-breed.
Why the catalog is vendor-neutral
The catalog uses category descriptors — Mid-Tier EDR, Continuous Control Monitoring, TPRM Platform, Customer Trust Center — instead of real vendor names. The mechanics reflect how each category of tool actually works in practice. This makes the game evergreen (vendor logos rotate, capabilities don't) and makes it useful as a thinking tool for real procurement: when you can't compare brand to brand, you compare capability to capability.
The full catalog
20 categories. Each product has a detail view with its posture contribution, team requirements, mitigated risks, and where it fits in a real CISO program. Entries are listed as "name [tier]", where the tier is one of Budget, Standard, Best-of-Breed, Platform, Compliance, Architecture, or Hire.
AI Security (11)
- AI Firewall (LLM I/O guardrails) [Best-of-Breed]
- AI Security Posture Management (AI-SPM) [Standard]
- AI Red Team engagement (annual) [Standard]
- AI usage & secure-prompting training [Standard]
- AI Governance & ISO 42001 program [Compliance]
- AI Prompt-DLP (LLM I/O classification) [Standard]
- Model SBOM + Provenance [Standard]
- AI Output Evals + HITL workflow [Standard]
- EU AI Act high-risk conformity program [Compliance]
- AI System Inventory & Classification [Standard]
- Third-Party Model Procurement DD Program [Standard]
AppSec (4)
- SAST (static code analysis) [Standard]
- DAST (dynamic app testing) [Standard]
- SCA (dependency scanning) [Standard]
- Runtime API Security (schema-aware API gateway) [Best-of-Breed]
Architecture (3)
- Zero Trust rollout (4 quarters) [Architecture]
- Network segmentation (3 quarters) [Architecture]
- Identity overhaul (4 quarters) [Architecture]
Awareness (3)
- Compliance training (annual) [Budget]
- Phishing simulation platform [Standard]
- Premium tailored awareness program [Best-of-Breed]
Backup (2)
Cloud Sec (3)
Compliance (17)
- SOC 2 Type II [Compliance]
- ISO 27001 [Compliance]
- PCI DSS [Compliance]
- HIPAA Security/Privacy Rule program [Compliance]
- FedRAMP Moderate ATO [Compliance]
- FedRAMP High ATO [Compliance]
- StateRAMP authorization [Compliance]
- CMMC Level 2 certification [Compliance]
- IEC 62443 OT-Security program [Compliance]
- DORA — ICT Risk + Operational Resilience program [Compliance]
- Privacy Program (DSAR / ROPA / DPIA / consent) [Standard]
- HITECH Breach Notification + 405(d) HICP [Compliance]
- FDA Medical Device Cybersecurity (pre-/post-market) [Compliance]
- FISMA Moderate / High [Compliance]
- CJIS — Criminal Justice Information Services Security Policy [Compliance]
- CMMC Level 3 (assessor-led) [Compliance]
- Data Residency & Cross-Border Transfer Program [Standard]
Data Sec (3)
- Basic DLP (email + endpoint) [Budget]
- Enterprise DLP with classification [Best-of-Breed]
- Insider Risk Management (UEBA / IRM) [Best-of-Breed]
EDR (3)
- Basic EDR (entry-level prevention) [Budget]
- Mid-Tier EDR (industry standard) [Best-of-Breed]
- Premium XDR (full endpoint + identity) [Best-of-Breed]
Email Sec (2)
Endpoint Mgmt (1)
Governance (9)
- Risk Appetite & Strategy Program [Standard]
- Policy & Standards Lifecycle program [Standard]
- Board Oversight & Reporting program [Best-of-Breed]
- Cybersecurity Supply Chain Risk Management program [Standard]
- SBOM-as-Procurement-Gate (CRA / EO 14028 / SLSA) [Standard]
- PQC Migration Roadmap + Crypto Inventory [Standard]
- Customer Trust Center / CAIQ Automation [Standard]
- Audit-Trail Integrity Attestation [Standard]
- Critical Vendor Mapping + Nth-Party Risk Program [Standard]
Headcount (8)
- Hire Junior Analyst [Hire]
- Hire Senior Analyst [Hire]
- Hire Detection Engineer [Hire]
- Hire IR Specialist [Hire]
- Hire GRC Specialist [Hire]
- Hire Deputy CISO [Hire]
- Hire Network Engineer [Hire]
- Hire Security Engineer [Hire]
IAM (4)
- Basic SSO + TOTP MFA (phishable) [Standard]
- Full IAM with PAM [Best-of-Breed]
- Phishing-resistant MFA (FIDO2 / passkeys) [Best-of-Breed]
- Identity Threat Detection & Response (ITDR) [Best-of-Breed]
Insurance (1)
Network (8)
- Next-Gen Firewall (NGFW) [Standard]
- Network Detection & Response (NDR) [Best-of-Breed]
- WAF + DDoS Protection [Standard]
- Secure Web Gateway (SWG) [Standard]
- Zero Trust Network Access (ZTNA) [Best-of-Breed]
- Cloud Access Security Broker (CASB) [Best-of-Breed]
- Remote Browser Isolation (RBI) [Standard]
- Intrusion Prevention System (IPS) [Standard]
Platform (4)
- XDR Platform Suite (enterprise class) [Platform]
- SASE Platform (enterprise cloud-edge class) [Platform]
- Productivity Suite — Security Tier [Platform]
- CNAPP Platform (enterprise cloud-security class) [Platform]
Services (8)
- MSSP — basic monitoring [Standard]
- MSSP — managed 24/7 [Best-of-Breed]
- Annual penetration test [Standard]
- Incident Response retainer [Standard]
- Threat intelligence feed [Standard]
- Bug Bounty Program [Standard]
- TPRM Platform (continuous vendor risk monitoring) [Standard]
- Continuous Control Monitoring [Standard]
SIEM (3)
- Open-Source SIEM (self-hosted) [Budget]
- Commercial SIEM (mid-market) [Best-of-Breed]
- Enterprise SIEM (heavy/full-featured) [Best-of-Breed]