CyberIQ is the competency-evidence layer the audit conversation actually needs — built by Continuum Security, by a team that spent decades watching awareness programmes drift from outcome to completion.
Never stop playing.
Awareness training that ends after onboarding decays inside a quarter. The score moves because the playing never stops.
Cybersecurity awareness has been measured by completion for too long. Modules finished. Clicks counted. Phish-prone percentage tracked over a quarter. The dashboards were honest about what they measured — they just measured the wrong thing.
None of that is competency. Completion proves your team showed up to a training session. Competency proves your team can act on what it learned. The first is a logistics metric. The second is the one the auditor came for.
CyberIQ measures the second thing — and shows it to the CISO on one screen, layered on whatever you already run. That's the work.
Never stop playing.
Denis brings decades of combined cybersecurity industry experience to CyberIQ — the kind built by sitting on both sides of the audit table. Long enough to watch awareness programmes graduate from "we ran the training" into "we have an actual measurement", and long enough to notice that the measurement quietly slipped back to completion every time budgets tightened.
The founder principle is never stop playing. It started as a half-joke about not letting awareness training become rote — and stuck because it turned out to be the single most predictive thing about whether a programme actually compounds. Teams that keep playing keep getting better. The playful side keeps the learning loop alive when the urgency of the breach memo fades.
CyberIQ is the product of that principle, built under Continuum Security — the parent company — and shaped by every meeting where a CISO said "I have the training; I don't have the evidence." We built the evidence.
Continuum Security is the holding company. Proudly South African. The legal entity behind CyberIQ; the operational discipline behind every release; the name on the invoice when an enterprise procurement team needs one.
The team blends people who've sat inside enterprise security functions with people who've shipped games for large audiences. That mix is unusual — and it's why the product feels like both at once. The security side keeps the audit logic honest. The games side keeps the learner coming back. Neither alone would have built CyberIQ; both together is the only reason it works.
We are deliberately small. The competency-evidence layer is a focused product, not a platform play. We don't want to be the awareness platform you already have. We want to be the layer that finally proves it's working.
The regulatory environment changed first. NIS2 Article 20(1) made management-body training evidence a board-level requirement. ISO 27001 A.6.3 keeps tightening the bar for awareness-control evidence. The audit conversation has moved from "did the training run" to "can your people demonstrate competency." That is a different question, and most awareness platforms were built to answer the first one.
The buyer changed second. The CISOs we talked to had already paid for an awareness platform. They didn't want to replace it; they wanted to layer competency evidence on top of it — without ripping out the procurement they fought for last year. So that's what we built. A layer. The thing the audit conversation actually needs, sitting cleanly above the thing the procurement team already approved.
The doctrine sits underneath every product decision — including the decay model in the score. Three things follow from it.
The half-life of a one-and-done awareness module is shorter than the quarter you booked it in. CyberIQ assumes that as a baseline; the score reflects what your people can do now, not what they could do at the end of last year's drill.
A leaderboard, a wave you almost cleared, a domain you want to top — these are the things people come back to on a Tuesday morning. Compliance modules are not. The repetition is what compounds the competency.
Last year's gold-star wave shouldn't carry a Novice band into this quarter's audit. The model is reviewable under engagement — but the principle is public: the score reflects today, not the day you signed the contract.
The audit answer is one page. Per-employee. Per-domain. Per-quarter.
Keep the awareness platform you already have. Add the competency-evidence layer your CISO is being asked for. Twenty minutes is enough for the first call.
No credit card · Scoped to your environment · Cancel anytime