Strategic cyber capability advisory

Clarity in a complex world.

Principia Ratio is a strategic cybersecurity advisory for organisations facing complex risks and delivery challenges.

We help leaders make risk- and cost-informed decisions, giving organisations the agility to move with urgency.

Alpha

Hopdox is in active alpha testing. It accelerates and structures compliance assessment, but a qualified assessor remains accountable for every result. During alpha, do not process classified or sensitive material, or enter real identifiers, credentials, or PII.

Documentation in.
Defensible assessment out.

Hopdox is built as a compiled Go application with an embedded React interface, REST API, live Server-Sent Events progress, assessment-local evidence indexing, checkpointed stage execution, and generated DOCX, PDF, and ZIP report outputs.

Six
Sequential stages from boundary analysis through generated reports
20
Controls per batch, with checkpointing for pause, retry, and resume
Review
Conflicts, overrides, evidence, and report readiness remain under human control

The six-stage pipeline.

01
Boundary
Identifies assets, scope, and system context from uploaded architecture and design evidence.
02
Applicability
Determines which ISM controls apply using retrieved evidence and trusted framework guidance.
03
Effectiveness
Assesses control evidence, gaps, recommendations, confidence, and cited source excerpts.
04
Maturity
Scores Essential Eight maturity levels with rationale against the available evidence.
05
Conflict
Detects competing directives and routes them to human-in-the-loop review before reports are used.
06
Reports
Builds ISM Control Assessment and E8 reports from the same structured document model.

Built as an assessment system,
not a prompt demo.

The alpha includes the application surfaces needed to run, inspect, pause, correct, and export an assessment, not just generate prose.

Evidence ingestion
Accepts common office, PDF, text, configuration, infrastructure, and policy formats, with document-type labelling at upload.
Evidence trace
Findings retain source references and excerpts so reviewers can inspect the evidence behind an assessment result.
Live progress
The running assessment view receives stage, validation, pause, resume, and completion events through a live stream.
Reviewer controls
Human reviewers can resolve conflicts, override selected control fields with reasons, retry stages, and check readiness.
Audit trail
System, sanitisation, validation, model, and human decision events are written to an append-only NDJSON audit log.
Report outputs
DOCX and PDF reports are generated from a shared model, with ZIP download support for complete assessment packages.

Security is the architecture —
not a feature.

Hopdox is designed to minimise exposure of sensitive material, separate uploaded evidence from trusted guidance, constrain external calls, and keep a human decision-maker in control.

Mandatory masking
Infrastructure identifiers and selected named entities are masked before model-assisted reasoning, with token mappings restored for reports.
Trusted guidance boundary
Uploaded files are treated as assessment evidence only; ISM, E8, PSPF, and guidance material stay in a separate trusted corpus.
Constrained runtime
Network allowlisting, redirect controls, strict file permissions, and signed cache files narrow the runtime surface.
A person decides
A qualified reviewer accepts, rejects, resolves, or overrides before results are relied on.

Join the Hopdox alpha.

We are inviting a small group of assessors and security leaders to test Hopdox during alpha.

Become an alpha tester