Frequently Asked Questions

We're pioneering the future of cyber risk monitoring and testing, so there are bound to be questions along the way.

  • What is BreachRisk?
    BreachRisk™ is a series of services that measure cyber risk according to the perspective of cyber attackers. The services are highly automated and can be run without any technical experience.
  • What is "red teaming?"
    Red teaming is a term describing the most advanced type of assessment and testing. A red team plays the part of the "bad guy" and tests defenses just like the bad guy would, similar to a football scrimmage, where the team prepares for a match by having 11 players wear red pinnie jerseys. The job of the red team is to think and act like cyber attackers. A red team engagement is similar to a penetration test, but there are important differences. A penetration test is a list of specific items for a security analyst to check. Modern penetration tests do involve testing of security defenses, but in a very limited and specific way. Penetration testing is a good practice and is essential for compliance needs, but red teaming is much more advanced. In red teaming, the red team takes a more holistic and creative approach to attack testing and is much more rigorous than a penetration test. For example, a penetration tester might merely check for an open port on a host and attempt to interact with it, whereas a red team might also see whether those interactions enable follow-on attacks that move the attacker toward a malicious goal. Or, the red team might be more creative and look for ways to trick an employee into giving them access to the open port. While penetration testing, attack surface discovery, vulnerability scanning, dark web analysis, spearphishing, and cloud attacks can be done by a large number of security vendors, it is important to know that attackers don't do those things in a vacuum. Real attackers use these methods all together, and when combined with the creative attacker mindset, the whole of red teaming activity is far greater than the sum of these parts. BreachRisk is a continuous red teaming service which includes penetration testing as one of its activities.
  • Is BreachRisk pen testing or red teaming?
    BreachRisk is both red teaming and penetration testing. BreachRisk red teaming involves a number of security activities, including penetration testing, attack surface discovery, attack surface monitoring, vulnerability scanning, spearphishing, dark web analysis, and cloud testing.
  • How often does BreachRisk measure my risk?
    BreachRisk™ services conduct risk scoring at a frequency that depends on the subscription level, ranging from monthly, to weekly, to on demand for premium level service.
  • What is BreachRisk Score and what is it based on?
    BreachRisk™ Score is a 10-point risk rating that measures "can cyber attackers cause a breach?" The higher the score, the higher the risk. It includes the likelihood of a breach occurring and the nominal impact of such a breach. It is CVSS compatible and comparable across companies with a score. Sources of risk are primarily related to viable attack paths discovered by BreachRisk™. The easier the attacks are to succeed, and the more damage that can be done upon success, the higher the risk.
  • Is BreachRisk only for people that are cyber experts?
    No. In fact, BreachRisk™ was specifically designed from the ground up to neither require nor allow advanced configuration by users. Our AI and supervisors handle all configuration, including deciding exactly when to conduct analysis and testing activities. Non-technical users will appreciate how BreachRisk™ presents results in a way that focuses on risk management, i.e. the concepts of likelihood and impact. These concepts don't require that you fully understand why risk is created: they tell you what the risk is, where it is, and the potential impact to the organization if it is not addressed. Cyber experts will still appreciate the vast amount of technical detail that is provided in the BreachRisk™ dashboard. Well beyond BreachRisk™ Score and BreachRisk™ Report, we provide attack surface monitoring data and testing analysis and results. This allows cyber experts to spend less time actually conducting analysis and testing, and more time addressing the risks and aligning with company needs.
  • What information do I need to set up my BreachRisk dashboard?
    To establish a free BreachRisk dashboard, you'll need the following information to register your account:
      - Name
      - Company
      - Email
      - Company Website
      - SMS, Email, or Authenticator App access to set up multi-factor authentication
  • Can I use BreachRisk along with other risk rating and security services or products?
    Absolutely. BreachRisk will always quantify risk of breach based on what experienced attackers would believe to be true. Although we believe that the attackers are the true authority on cyber risk, there are definitely insights and data that BreachRisk does not aim to provide. Consider pairing BreachRisk with services that can provide these capabilities to round out your risk monitoring program:
      - Detect and test vulnerabilities behind your public firewall.
      - Exhaustively map policy and security practices to important certification or regulator practice standards.
      - Allow you to make extensive internal notes for asset management, especially for assets behind your firewall.
      - Detect and test physical and hardware vulnerabilities that can only be accessed via physical access.
      - Other risk rating platforms, to allow for multiple assessments of third parties.
      - Other phishing services that focus on wide testing and follow-up, performance-based training.
      - A managed service provider that can deeply understand your IT and security needs to help you maintain business alignment and state-of-the-art security practices.
  • What information will I need to monitor the BreachRisk of a 3rd party?
    All you'll need is the name of the company and the official website. We'll do the rest. You'll get up to 10x better accuracy than other 3rd-party cyber risk monitoring services currently on the market. If you plan to seek the organization's participation in a monitoring or testing scheme in an effort to gain up to 100x better predictive accuracy, you'll just need a competent authority point of contact.
  • How long does it take to generate a BreachRisk score?
    Depending on the size of the entity being analyzed, and whether active penetration testing will be a part of the analysis, it can take anywhere from minutes to days to complete a risk analysis.
  • How do you provide 10x better accuracy?
    Our approach achieves up to 10x greater accuracy in quantifying cyber risk than legacy risk ratings because we are dedicated to the offensive security perspective. We are driven to maintain bleeding-edge discovery capability (to identify targets more precisely), significantly reduce false positives, and employ superior risk prioritization methods. Attackers are the true authority on risk. This multi-step process, compounded up to 100x by our ability to secure target participation for verification and testing, ensures unparalleled precision and reliability in our outcomes. Learn more by reading about the BreachRisk™ Method.
  • How is BreachBits different than other cyber risk rating platforms, like SecurityScorecard or BitSight?
    Key differences include methodology, capabilities, transparency, and the fundamental questions that our insights aim to answer. Many people ask "How is BreachBits different?" but they are really asking, "Should I use BreachRisk?" Here's the shortest answer. If:
      - You want to know, "How would experienced attackers quantify the risk of my/that company?"
      - You need the answer on a weekly or monthly basis.
      - You need a fully automated experience that non-technical people can understand.
    ...then BreachRisk is your best (and possibly only) option. Some ditch their other ratings or pen-testing service. Others add us to the risk perspectives they consider. Only you can decide what voices you want in the room.
    Here's a summary of key differences that we often discuss. There are trade-offs, and which option is "best" for you may depend on your use case. Here are some of the most relevant trade-offs:
      - We ask how attackers would quantify risk of breach. Others tend to ask what defenders consider risk to be.
      - We use both passive and (optionally) active testing means to measure. Others tend to only use passive methods.
      - Others tend to have incredible datasets spanning a long history of observation. Ours go no earlier than 2020, when we entered the market, and are based on continuous observation. If you need to know the rating of a company instantly and it's OK if that data is up to 6 months old, other ratings may satisfy your needs. But if you need fresh and continuous results, you may have to wait a few hours or days to get our results.
      - Others tend to be able to offer a variety of great services. We focus on the BreachRisk family of fully-automated products, which combines layers of attack surface monitoring, penetration testing, spearphishing, and dark web monitoring.
      - Others may have opaque scoring methods or rubrics. BreachRisk is basically a fork and tailoring of CVSS expanded to full-spectrum attack approaches, with enhanced risk quantification.
      - Others have proven track records of large enterprise use cases, but may not have the scalability to make the economics work for mid-size and small businesses. We are size-agnostic. BreachRisk works equally well in very large and very small paradigms.
      - Others have well-known reputations. We entered the market in 2020.
      - Others may not enable or allow cooperation, participation, or interaction with 3rd parties. We provide such tools to allow organizations to optionally include 3rd parties. This enhances mutual risk understanding in order to support organizational maturity according to the NIST Cybersecurity Framework maturity model. In other words, we help organizations communicate risk effectively with each other to create a risk information sharing ecosystem, which makes all participants more resilient against attackers worldwide.
      - We believe the more false positives you output, the less "accurate" the risk rating is. We have extremely low tolerance for false positives, while other models may consider false positives to be a desired output. In other words, they provide indications (which might later be shown to be false positives) as a useful data point, which is genuinely useful for some cyber defenders to consider. Although we provide access to some of these raw indications, we tend to eliminate false positives by verifying that they don't exist and never reporting them in the first place. This means you may get more data with other rating services.
    Here's a longer answer that expands on some of those concepts: SecurityScorecard, BitSight, and other market-leading risk-rating services provide incredible products, but it might be more helpful to consider these services as alternative and complementary approaches to cyber risk quantification than simply as competing models. These services use passive measurement capabilities to answer specific data and risk-related questions. Those insights are important for technical defenders to consider. There are many use cases where multiple risk perspectives will yield the most comprehensive results.
    One major difference is in our BreachRisk methodology. We closely align with the offensive security model, which means we provide insights on what attackers think (as opposed to what defenders would think). This methodology, combined with a broader and deeper passive detection capability, yields up to 10x more accurate results in discovering viable breach pathways for typical use cases. We are hackers with military offensive cyberwarfare experience. The fact is, most attackers don't care about most theoretical vulnerabilities. Why? Because in practice they can't actually use them to cause a breach. Attackers also care about breach pathways that aren't based on CVEs, which are almost always forgotten by other rating models. Why do they care? Because these other pathways actually work, even if they are considered "solved" by defenders. This fact is the primary reason why the question we answer is: "How would attackers quantify the risk of breach?" or (more precisely, for those with a technical background) "How would attackers quantify the risk of an initial access breach based on continuous, passive monitoring of cloud and public-accessible attack surface and, optionally, after using actual active attacker methods to attempt a breach?" SecurityScorecard and BitSight may be asking more general or less-nuanced risk-related questions, and they may provide details in their literature.
    A major BreachRisk technology difference is that while other rating systems only use passive means to measure and characterize risk, we also have built-in capability to actively test suspected vulnerabilities. This has the potential to improve accuracy by more than 100x in typical use cases. As our customers have noted, we are very transparent about the methodology we use, and the exact data, observations, and test results that influence BreachRisk™ Score. This methodology is not fully described in this FAQ, but it might be helpful to think of our insights as a fork of the CVSS standard maintained by First.org, except that instead of merely scoring CVEs, we are also scoring non-CVE vulnerabilities, configuration, social, data exposure, and credential-based risks. The value of our insights relies less on keeping our methods proprietary in nature, and more on our proven capability to execute on an
    We hope this extremely long answer has been insightful. We understand there is a lot of development in the technology risk ratings space. If you think we've missed something here, please Contact Us.
    Disclaimer: We do not claim to speak for, nor do we fully understand, the capabilities or methodologies of SecurityScorecard or BitSight or other risk rating services. Their services and capabilities evolve over time, and the information herein may be outdated.
  • What do you mean when you say you can "Predict breaches" or provide "predictive insights?"
    It's a bold claim for sure, but we stand behind it. You're reading this question because you appreciate that "words have meaning" and that lots of companies claim to do lots of things that turn out to just not be so. We mean that if you were to line up 1,000 companies in a row and ask BreachRisk to predict who would be breached over the next 12-24 months, we can give you a more accurate answer than other risk rating platforms. We're using a common-sense approach here. Here's how we're thinking about this: "Predict" means some version of "to know or state what will happen in the future." Easy enough for simple cause-effect phenomena, like gravity or astrodynamics. But for complex things like driving a car, you've got multiple actors with different motives, capabilities, etc. "Choice plus randomness" is a tough situation for prediction. How can anybody predict what attackers will do? And yet, while we know we can never achieve perfect prediction, it is still extremely valuable to do the best we can. Consider this: if you know there are some things that are impossible to hack, then you know attackers won't be able to cause a breach there. Furthermore, if you know there are some things that are very easy for attackers to hack, then you know attackers are more likely to breach in those areas. By narrowing the range of possible outcomes, you are starting to form a prediction. And if you knew what an attacker could see, think, and do, and you could know that continuously, then you'd really start to have a good ability to predict their actions. Furthermore, if you could prove through active red teaming and pen testing whether certain login passwords could be cracked, vulnerabilities exploited, or configurations misused, then you're even more confident that experienced attackers would come to the same conclusions. Given enough time, attackers can breach anybody. Now add the fact that attackers have to breach someone. So in some ways a prediction includes a comparative likelihood among all possible attack options. Attackers aren't always right in their predictions, but the point is that knowing what attackers predict is a superpower that allows you to outsmart them before they breach. That's the general idea. BreachRisk is backed by a whole lot of science and quantitative math, which allows us to generate predictive analysis continuously, at scale, in a standardized way.
  • I'm a customer and I have a problem, what should I do?
    If the FAQs, knowledge base, or dashboard materials don't help, or if you'd just prefer to talk with our team, you can contact support@breachbits.com. We act quickly on these emails and it is the fastest way to get our attention.
  • I'm not getting alert emails, what's wrong?
    The most common problem is that our emails are being stopped by your spam filters. You can also check to ensure that we have your correct email by logging in to your dashboard. You can also contact support@breachbits.com and we can determine the issue.
  • How much does BreachRisk cost?
    Our pricing for non-enterprise (small and midsize organizations) is transparent and affordable:
      - BreachRisk™ Pro: $1000/mo
      - BreachRisk™ Premium: $3000/mo
    We offer annual discounts and occasionally offer other discounts. If you are interested in partnerships, enterprise pricing, or corporate discounts, please Contact Sales.
  • I need a pen test report. What service level should I buy?
    BreachRisk™ provides Certified Penetration Test reports at the BreachRisk™ Pro and BreachRisk™ Premium service levels. BreachRisk™ Pro gives you 2 reports per year, with the option to purchase additional tests and reports. BreachRisk™ Premium allows you an unlimited number of Certified Penetration Test reports, which can be downloaded from your dashboard or obtained by contacting support@breachbits.com.
  • I need to assess the risk of other companies, what do I buy?
    To assess other companies, you need BreachRisk™ Portfolio, which is our 3rd-party risk management solution. There are a few ways to get a portfolio:
      - Directly purchase a BreachRisk™ Portfolio subscription.
      - Purchase a BreachRisk™ Premium subscription, which includes a BreachRisk™ Portfolio of 100 companies with an option to add additional companies.
      - Purchase a BreachRisk™ Pro subscription, which includes a complimentary allotment of 5 third parties.
      - Contact Sales and we can tailor a service for you that includes everything you need.
  • I need to assess my risk of a spearphishing attack. What service level should I buy?
    BreachRisk™ Pro and BreachRisk™ Premium both offer active spearphishing testing built-in.
  • I need to know how Dark Web information could affect my risk. What service level do I need?
    BreachRisk™ Pro and BreachRisk™ Premium both include Dark Web intel analysis built-in. Not only do we provide dark web intel, we put it to use in our testing. A common usage of dark web intel is where we discover compromised usernames and passwords, and we attempt to use those credentials to breach authentication interfaces that we detect.
  • When do I need Enterprise level pricing for BreachRisk?
    BreachRisk™ 1st-party services require enterprise pricing in any of the following situations:
      - You have more than 200 public-facing hosts
      - The annual revenue of your organization exceeds $1B
      - You need tailored Terms & Conditions
    BreachRisk™ 3rd-party services require enterprise pricing in the following situations:
      - You want to tailor your pricing package in a way that is different than the standard 100 entity groups
      - You need a hyper-scaled deployment
      - You need heavy professional services or other contractual requirements
      - You need API access
  • Do you offer monthly or annual subscriptions?
    For non-enterprise subscriptions, there are monthly and annual options. Annual options provide a discount and may also provide access to better prices for add-on services, such as Certified Penetration Test reports. Subscription levels can generally be changed at any time if there is not a contract or annual obligation.
  • Do I have to pay per user?
    No. Currently our subscriptions allow for an unlimited number of users. They are priced per company.