Overview
The Cye Platform Questionnaire for Private Equity is a structured mechanism for collecting organizational information from subsidiaries/portfolio companies, such as internal security policies, manual processes, and operational practices, that cannot be discovered automatically.
The questionnaire is sent through Panorays, which serves as the data-collection layer for this feature. Panorays is an external platform for distributing questionnaires and collecting responses. Respondents access and complete the questionnaire in Panorays, and the submitted answers and evidence flow into the Cye Platform, where they are converted into Findings, Processes, and Technologies — the core entities that power Exposure, Maturity, and Cost of Breach calculations.
By bridging the gap between automated scanning and human-driven assessment, the questionnaire allows platform owners to:
Execute repeatable, consistent security assessments across multiple portfolios.
Convert external responses directly into standardized platform entities.
Maintain a strict audit trail, with full lineage connecting every generated entity back to its originating question and supporting evidence.
Note: The Cye Platform Questionnaire is a distinct feature from the Cost of Breach Questionnaire, which collects financial data inside the platform to estimate breach impact. For financial input, refer to [Inputting Cost of Breach Data].
The Questionnaire Sequential Pipeline
The Questionnaire Sequential Pipeline
The questionnaire moves through four distinct stages. Each stage is a prerequisite for the next:
Stage | Who | Primary Action |
Setup & Issuance | Cye Delivery | Configure the questionnaire in Panorays and distribute it to relevant portfolio companies. |
Filling Out | Portfolio Companies | Receive the secure link, answer questions collaboratively, attach evidence, and submit. |
Tracking & Oversight | PE Administrators | Track response progress across the portfolio via the Panorays interface to ensure completion (e.g., "42 of 60 subsidiaries completed"). |
Entity Generation | Cye Platform (automated) | Once a questionnaire is submitted, Cye Platform automatically retrieves the answers and generates the corresponding entities. |
How It Works: From Answers to Risk Metrics
How It Works: From Answers to Risk Metrics
The core value of the questionnaire lies in how it transforms structured and free-text answers into standardized platform data automatically, and within minutes of submission:
1. Mapping Methods
The platform applies a mapping rule set that links specific answers to platform fields using two methods:
Deterministic Mapping: Used for structured questions (e.g., multiple-choice). Specific answers trigger pre-defined entity types and severities.
AI-Based Extraction: Used for free-text responses and uploaded evidence files. An AI model analyzes the text to identify and create relevant Findings, Processes, or Technologies.
2. Entity Generation (New and Existing)
When a questionnaire is submitted, the platform compares the answers against the current organizational inventory. This results in three types of Changes:
Creation: If an answer describes a Finding, Process, or Technology that does not exist in the platform, a new entity is created.
Update: If an answer corresponds to an existing entity, the system updates its fields or changes its status.
Skip: If an answer matches an entity that already exists in the same state, no change is made, and the action is logged as skipped.
3. Impact on Risk Metrics
Questionnaire-sourced entities participate in platform calculations immediately upon creation:
Exposure: Findings flow into Exposure calculations and the Org Attack Graph.
Maturity: Processes and Technologies populate the security inventory and influence Maturity scoring.
Likelihood: Impacted indirectly via Exposure—new findings and control gaps update attack paths and control posture, which adjust likelihood estimates.
Cost of Breach: Entity creation does not change cost assumptions directly; cost is driven by the Cost of Breach model. However, overall risk (Expected Loss) changes when likelihood shifts due to Exposure/Maturity updates.
How Questionnaire Data Behaves
How Questionnaire Data Behaves
Questionnaire-sourced entities follow specific platform logic that differs from manually created or scan-imported data:
Initial Status: New findings are created with Status = Open and assigned to the engagement Panorays Questionnaire.
Duplicate Prevention: Reimporting the same questionnaire does not create duplicate entities. The system recognizes existing matches and skips them.
Automatic Reopening: A finding previously marked as Fixed is transitioned to Reopen status when re-triggered by a new questionnaire response. This means a questionnaire can reverse a closure — something no other import source does automatically.
Unmapped Questions: Some questionnaire questions do not correspond to a specific entity type in the platform. These questions do not generate Findings, Processes, or Technologies, but the skip is recorded in the audit log.
No Remediation Assets: Questionnaire-sourced findings do not include remediation assets. To add them manually, see Adding a Remediation Asset to a Finding.
Visibility, Traceability, and Audit Trail
Visibility, Traceability, and Audit Trail
Every entity generated from a questionnaire is integrated directly into the Cye Platform with full traceability and standardized formatting.
1. Identifying and Filtering Entities
To isolate questionnaire data from automated scans, manual entries, or other integrations, every questionnaire-sourced entity carries two specific identifying markers:
Source Field: Set to Panorays Questionnaire. You can use the standard Source filter across the platform to view this data exclusively.
System Tag: Set to Questionnaire <template name> (for example, Questionnaire Maturity Assessment 2026). This tag identifies the specific questionnaire template that produced the entity.
2. Platform Integration and Traceability
Standardized Entities: Questionnaire-sourced entities populate their respective pages under the Operations module: Findings appear on the Findings page, while Processes and Technologies appear on the Assets page. All entities share the identical visual format as native platform data.
Justification Comments: To provide a clear chain of evidence, each created or updated entity includes an auto-generated comment detailing its origin. This includes the questionnaire template name, the source question ID, the respondent's answer, and the creation date.
AI-Extraction Reasoning: For Findings created through AI-based extraction, a second auto-generated comment captures the AI model's specific reasoning for the finding. Findings created through deterministic mapping do not receive this additional comment.
Audit Log: The platform records every questionnaire-triggered action, creations, updates, and skips, in the audit log at the per-question level. Each log entry captures the template name, question ID, respondent answer, resulting entity, and action taken.
Wrap-Up/Next Steps
Wrap-Up/Next Steps
The Cye Platform Questionnaire for Private Equity turns critical information that automated scanning cannot reach into trusted, standardized platform data.
Automated Integration: Submitted answers instantly become Findings, Processes, and Technologies within the platform—no manual data entry required.
Clear Traceability: Every generated item includes its specific source field, system tag, and a comment linking it directly back to the originating question and answer.
Complete Audit Trail: The platform logs every action at the per-question level for easy verification.
These questionnaire-sourced entities act as first-class inputs, feeding directly into the organization's core risk model.
Next Steps - Completing the Cye Platform Questionnaire for Private Equity: A step-by-step respondent guide for portfolio companies.