Natural Language Processing for Cyber Security

Risk Ledger

In September 2019, we were approached by Risk Ledger, a cyber security risk and compliance startup. They were facing a problem common for startups: how can you grow your team and your product without compromising on quality?

There were three paths ahead:

  1. Hire quickly but run the risk of hiring the wrong person
  2. Wait for the right hire but make limited product development progress in the meantime
  3. Get help from a trusted partner

Risk Ledger were only a small team at the time. Hiring the wrong person at this early stage could have had catastrophic consequences. Delaying product development to find the right hire would have been equally catastrophic.

Option 3 was a no-brainer. By working with us Risk Ledger made serious progress on their software without rushing to hire.

Old Reliable came on board to increase our development capacity at a critical time for Risk Ledger. They rapidly developed a proof-of-concept natural language processing tool, then developed it into a cloud micro-service which integrated easily into our existing system. Our clients have been screaming for this tool - now we're using it to make their lives easier. A massive value-add for them and us!

Haydn Brooks
CEO, Risk Ledger


If you're a supplier to a large company, chances are you have to fill out a cyber security compliance questionnaire to meet your client's standards. If you're also a supplier to another large company, chances are they have their own - slightly different - compliance questionnaire for you. For suppliers with lots of clients, filling in these questionnaires can be the equivalent of a full-time job.

This is an absurd waste of effort. Can we use software to automate it?

We can.


The trick to innovation is trying out ideas quickly and cheaply. This lets you get a feel for whether an idea will work without using all of your company's resources to do it.

We suggested a three-phase project to let Risk Ledger experiment without over-committing:

  1. We sat down with Risk Ledger staff to understand the problem they wanted to solve and the best way to solve it.
  2. We built a rapid proof-of-concept (PoC) aiming to apply natural language processing techniques to automatically answer cyber security questionnaires.
  3. Conditional on the success of the PoC phase, we developed the PoC into a more robust web service which integrated into Risk Ledger's wider existing system.

We took ownership of the development process so that Risk Ledger's team could focus on their own work.

To ensure that the solution aligned with Risk Ledger's vision and would integrate easily with their existing system, we used agile development techniques and communicated regularly with Haydn (Risk Ledger's CEO), Dan (Risk Ledger's CTO), and Bruno (one of Risk Ledger's Fullstack Software Engineers).

The project execution from R&D to the final service implementation has been exemplary. The hand-off was smooth and has allowed for an easy integration into our cloud infrastructure!

Bruno Calogero
Fullstack Software Engineer, Risk Ledger


Proof of Concept

The goal was to explore ways to use existing answers to cyber security compliance questions to answer other previously-unseen questions. We kept our code as lightweight as possible to focus on quickly discovering the most effective solution.

The end result was a Python library which used natural language processing techniques for automatic question answering.
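
The page does not say which NLP technique the PoC used. The sketch below is an added illustration, not Old Reliable's or Risk Ledger's code: it assumes TF-IDF cosine similarity against a bank of already-answered questions and abstains below a threshold, so a weak match goes to a human instead of into a compliance response. The names AnswerBank, suggest and threshold, and all sample questions and answers, are constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed sample data: previously answered questionnaire items.
ANSWERED = [
    ("Do you encrypt customer data at rest?",
     "Yes, AES-256 on all production databases."),
    ("Is multi-factor authentication enforced for staff accounts?",
     "Yes, MFA is mandatory for all staff."),
    ("How often do you perform penetration testing?",
     "Annually, by an external provider."),
]
STOPWORDS = {"do", "you", "is", "for", "how", "often", "at", "a", "the", "have"}


def tokens(text):
    """Lowercase word tokens with stopwords removed (no stemming)."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


class AnswerBank:
    """Hypothetical helper: suggests a stored answer for an unseen question."""

    def __init__(self, answered):
        self.answered = answered
        docs = [Counter(tokens(q)) for q, _ in answered]
        n = len(docs)
        df = Counter(term for d in docs for term in d)
        self.idf = {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}
        # Unseen terms get the highest weight, so they lower the match score.
        self.unseen_idf = math.log(1 + n) + 1
        self.vectors = [self._unit(d) for d in docs]

    def _unit(self, counts):
        vec = {t: c * self.idf.get(t, self.unseen_idf) for t, c in counts.items()}
        norm = math.sqrt(sum(w * w for w in vec.values()))
        return {t: w / norm for t, w in vec.items()} if norm else {}

    def suggest(self, question, threshold=0.5):
        """Return (answer or None, cosine score); None means human review."""
        q = self._unit(Counter(tokens(question)))
        scores = [sum(w * v.get(t, 0.0) for t, w in q.items()) for v in self.vectors]
        best = max(range(len(scores)), key=scores.__getitem__)
        answer = self.answered[best][1] if scores[best] >= threshold else None
        return answer, scores[best]
```

A reworded question such as "Is customer data encrypted at rest?" clears the threshold, while "Is MFA enforced for staff?" scores about 0.41 and is left for a person to answer.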

We used Black, mypy, and automated testing as standard to speed development and improve the maintainability of our code.


Once we had established the PoC, we focused on three areas. We improved:

  • The accuracy of the question-answering system using statistical analysis
  • Robustness and error handling
  • Maintainability by adding more tests

As an extra value-add, we also made it possible for Risk Ledger to include their own branding in the filled-in questionnaire.


We turned our PoC into a micro-service by wrapping our Python library in a lightweight server process. The server consumes jobs from AWS SQS and communicates with Risk Ledger's existing system over gRPC. Results are sent back to AWS SQS so that Risk Ledger's existing system can take further action - for example, by sending the filled-in questionnaire back to the client.


The result is a web service which Risk Ledger's clients can use to automate completion of their cyber security compliance questionnaires, saving them huge amounts of time and money.

Looking Forward

Risk Ledger continues to jump from strength to strength. In January 2020 they claimed a place on the highly competitive 2020 LORA Cyber accelerator program - a move which positions them as a global competitor in cyber security.

We had a blast working alongside Haydn, Dan, Bruno, and the rest of the Risk Ledger team. These are smart people, working hard on an important mission. We're proud to have been able to help realise their vision and look forward to working together again in the future.

You can follow Risk Ledger's journey on Twitter or LinkedIn.