A method of cyber risk assessment includes receiving request for a quantitative cyber risk assessment from an entity associated with a domain name. Entity information is non-intrusively gathered from a plurality of data sources about the entity based on the domain name. A digital footprint of the entity is discovered based the associated domain name using non-intrusive information gathering. At least one characteristic of the entity is classified to determine an entity classification and at least one entity risk quantification parameter. At least one control item is fetched from the knowledge database. An entity technical finding is determined based on the fetched at least one control item and based on the discovered digital footprint. At least one industry-related quantification parameter is fetched based on the entity technical finding and based on the entity classification. A quantitative risk value is calculated from a determination of loss frequency and loss magnitude.