Ward explains that “historically, if we’re looking at threat actors and tracking their tactics, techniques, and procedures (TTPs), ranking vulnerabilities by severity, or assessing controls around assets, all we’re doing is assessing one aspect of the risk equation.” Ward further states that “CRQ is about the entire picture – what we’re not doing is exposing and understanding what can happen in the outcome; the impact of an adversary acting against an asset, bypassing controls, and causing some harm.”