Every "I don't know" is an open door.
Who can access your data, and from which devices? Is the email account tied to your most sensitive systems protected? When were backups last tested? Answer a short set of questions and see where your business may need a closer look.
No passwords, no system details, nothing an attacker could use.
Who this is for
Built for businesses where the honest answer to "are we secure?" is "I think so."
- Financial firms holding client tax and identity data
- Energy and oilfield companies managing vendors and remote access
- Government contractors handling CUI or facing CMMC requirements
- Any business where the owner suspects there are gaps but can't name them
You don't need technical knowledge to take it. If a question stumps you, that's not a failure — that's the finding.
What it covers
Email and identity
MFA coverage, admin access, dormant accounts: the first things an attacker checks, because a single unprotected or forgotten account is often all they need.
Devices
Whether the machines touching sensitive data are managed, updated, and accounted for, including the personal ones that staff use for work.
Data access
Who can reach what, whether files can be downloaded locally, and when permissions were last reviewed.
Vendors and remote access
Which outside parties can get in, and whether anyone's watching that list.
Backups and recovery
Whether backups exist, whether they're protected, and whether a restore has ever actually been rehearsed.
Compliance posture
Whether your documentation — WISP, security policies, insurance answers — describes the controls you actually have.
What happens after
Answer the questions
Plain-English, multiple choice. "I don't know" is always an option, and it's the most useful answer you can give.
See your exposure picture
Results group your risk by area (access, devices, email, vendors, backups, documentation) so you can see where attention should go first.
Decide the next step
Review the results with Droptine in a no-pressure consultation, or take them to whoever handles your IT. They're yours either way.
The assessment
Answer each category honestly. "I don't know" is a valid and useful answer.
What your results may look like
Results wording stays honest: every finding is qualified with "based on your answers" and "may", because a self-assessment can't see your configurations, and we don't pretend it can.
Your basics look stronger than most.
Based on your answers, core controls appear to be in place. The next question is whether they're configured and maintained the way you believe — which is what an exposure review confirms.
A few doors may be open.
Your answers point to possible gaps in the areas flagged most often. These gaps are common, and they're the kind attackers look for first. Worth a closer review before they're found for you.
Your answers suggest meaningful exposure.
Several areas came back uncertain or unprotected. No alarm bells — but this is the picture worth changing, and most of these gaps close faster than you'd expect once they're ranked and sequenced.
Frequently asked questions
Is this a technical audit?
No. It's a structured self-assessment — it shows where risk may be concentrated based on what you know about your own business. The gaps it can't see are exactly why exposure reviews exist.
Do I have to share passwords or system details?
No. Nothing in the assessment asks for credentials, IP addresses, vendor names, or anything sensitive. If a version of this tool ever asks for those, close the tab — and that advice applies to anyone's assessment, not just ours.
Will this tell me if I'm compliant?
No, and be wary of any free quiz that claims it can. It flags areas to review. Compliance depends on your contracts, frameworks, and implemented controls — a conversation, not a quiz score.
What do you do with my answers?
We use them to make the follow-up conversation useful, if you choose to have one.
Website content, self-assessment results, and consultation materials are for general informational purposes only. They are not legal advice, certification, audit findings, or a guarantee of compliance or security. Final requirements depend on your contracts, systems, data, and applicable laws and frameworks.
Ten minutes now beats a hard lesson later.
You don't need every technical answer. You need to know which questions your business can't answer yet.