Vulnerability Analysis

Security maturity interview plus technical scans, ending with a consultative video call summary.

The Vulnerability Analysis is designed to provide a snapshot of the state of security in your business and provide tailored immediate and mid-term guidance for practical risk reduction.

Figure 1 - Short Term Guidance
Figure 2 - Mid Term Guidance

We gather data through a series of technical scans, open-source intelligence (OSINT), interviews, and other discretionary techniques. The outputs of these processes are then collectively interpreted and used to produce a customized Executive Summary.

The project concludes with an interactive executive briefing with prioritized findings and guidance for security maturity. After the briefing, the written summary and any supporting documentation will be delivered electronically. These deliverables may be used either internally or with 3rd parties to guide risk reduction efforts.

How we do it

  1. Data Gathering: Conduct security interview(s), network scans, and open-source intelligence gathering
  2. Data Processing: Collectively analyze the data gathered and build an executive summary
  3. Consultative Briefing: Lead a video call to present findings and provide guidance for security maturity

Conclusion: Consultative Briefing

The Risk Analysis ends with a consultative executive briefing video call. During the call, we'll review findings in an Executive Summary report and have some discussion around our prioritized recommendations to provide direction for your growth in security maturity.

Prioritized Recommendations

Figure 3 - Remediation Guidance


Inputs

  • Security maturity interview
  • External vulnerability scan
  • Internal vulnerability scan
  • Open-source intelligence gathering (OSINT)

Outputs

  • Educational executive summary briefing with business-focused, prioritized findings
  • Consultative security maturity guidance
  • Technical remediation punch list
  • Technical vulnerability scanner reports (supporting documentation)
Figure 4 - Technical Punch List

In addition to your unique Executive Summary report, we provide a punch list which your technical team can use to start cleaning house and locking things down. This is an excellent tool for task-level technicians and provides for immediate and significant improvements to your cybersecurity posture.

Q&A

What’s the difference between a Vulnerability Analysis and a Vulnerability Assessment?

  • A Vulnerability Analysis is a process of combining objective technical scan findings with an understanding of your business priorities gained through a personal interview. It results in a customized executive summary and a consultative final briefing. It’s focused on collaborative planning for security maturity.
  • A Vulnerability Assessment is typically a set of technical scan reports. It may or may not come with a customized interpretation for your business, but briefings are generally technical in nature. In short, it is a list of technical things that are wrong and that you need to do something about. There is much variability in whether you’ll receive strategic or tactical business guidance related to technology.

Who should purchase THIS vulnerability analysis? / Who is this for?

  • This is most beneficial for organizations of any size with low-to-moderate security maturity
  • This assessment will give very practical, prioritized guidance to improve the overall security maturity of the organization

Is this a pentest / penetration test / hacking?

  • No, this consists of live interview(s), open-source research, and a review of technical settings on various devices
  • We believe that penetration tests are a waste of money until an organization reaches a moderate-to-high security maturity level; this vulnerability analysis can be used to determine if a penetration test will be cost-effective

Is this an audit? Will this make me compliant?

  • No, this is not an audit
  • Since this analysis produces security best-practice recommendations, it may assist with compliance, but it is not designed to be a compliance consultation; compliance is broad and you would need to pursue a "gap analysis" for the particular regulation/standard for which you're seeking compliance