
Frequently Asked Questions
We're pioneering the future of cyber risk monitoring and testing, so there are bound to be questions along the way.
-
What is BreachRisk?
BreachRisk™ is a series of services that measure cyber risk according to the perspective of cyber attackers. The services are highly automated and can be run without any technical experience.
-
What is "red teaming?"
Red teaming is a term describing the most advanced type of assessment and testing. A red team plays the part of the "bad guy" and tests defenses just like the bad guy. It is similar to a futbol scrimmage, where the team prepares for a match by having 11 players wear red pinnie jerseys. The job of the red team is to think and act like cyber attackers.

A red team is similar to a penetration test, but there are important differences. A penetration test is a list of specific items for a security analyst to check. Modern penetration tests do involve testing of security defenses, but in a very limited and specific way. Penetration testing is a good practice and is essential for compliance needs, but red teaming is much more advanced. In red teaming, the red team takes a more holistic and creative approach to attack testing and is much more rigorous than a penetration test. For example, a penetration tester might merely check for an open port on a host and attempt to interact with it, whereas a red team might also see if interactions can enable follow-on attacks that give the attacker progress towards a malicious goal. Or, the red team might be more creative and look for ways to trick an employee into giving them access to the open port.

While penetration testing, attack surface discovery, vulnerability scanning, dark web analysis, spearphishing, and cloud attacks can be done by a large number of security vendors, it is important to know that attackers don't do those things in a vacuum. Real attackers use these methods all together, and when combined with the creative attacker mindset, the whole of red teaming activity is far greater than the sum of these parts. BreachRisk is a continuous red teaming service which includes penetration testing as one of the activities.
-
Is BreachRisk pen testing or red teaming?
BreachRisk is both red teaming and penetration testing. BreachRisk red teaming involves a number of security activities, including penetration testing, attack surface discovery, attack surface monitoring, vulnerability scanning, spearphishing, dark web analysis, and cloud testing.
-
How often does BreachRisk measure my risk?
BreachRisk™ services conduct risk scoring at a frequency based on the subscription level, ranging from monthly to weekly, and on demand for premium-level service.
-
What is BreachRisk Score and what is it based on?
BreachRisk™ Score is a 10-point risk rating that measures "can cyber attackers cause a breach?" The higher the score, the higher the risk. It includes the likelihood of a breach occurring and the nominal impact of such a breach. It is CVSS compatible and comparable across companies with a score. Sources of risk are primarily related to viable attack paths discovered by BreachRisk™. The easier it is for attacks to succeed, and the more damage that can be done upon success, the higher the risk.
-
Is BreachRisk only for people that are cyber experts?
No, in fact BreachRisk™ was specifically designed from the ground up to neither require nor allow advanced configurations by users. Our AI and supervisors handle all configurations, including deciding exactly when to conduct analysis and testing activities.

Non-technical users will appreciate how BreachRisk™ provides results in a way that focuses on risk management, i.e. concepts of likelihood and impact. These concepts don't require that you fully understand why risk is created, because they help you know what the risk is, where it is, and the potential impact to the organization if not addressed.

Cyber experts will still appreciate the vast amount of technical detail that is provided in the BreachRisk™ dashboard. Well beyond BreachRisk™ Score and BreachRisk™ Report, we provide attack surface monitoring data and testing analysis and results. This allows cyber experts to spend less time actually conducting analysis and testing, and more time addressing the risks and aligning with company needs.
-
What information do I need to set up my BreachRisk dashboard?
To establish a free BreachRisk dashboard, you'll need the following information to register your account: Name Company Email Company Website SMS, Email, or Authenticator App access to set up multi-factor authentication
-
Can I use BreachRisk along with other risk rating and security services or products?
Absolutely. BreachRisk will always quantify risk of breach based on what experienced attackers would believe to be true. Although we believe that the attackers are the true authority on cyber risk, there are definitely insights and data that BreachRisk does not aim to provide. Consider pairing BreachRisk with services that can provide these capabilities to round out your risk monitoring program:

Detect and test vulnerabilities behind your public firewall.
Exhaustively map policy and security practices to important certification or regulator practice standards.
Allow you to make extensive internal notes for asset management, especially for assets behind your firewall.
Detect and test physical and hardware vulnerabilities that can only be accessed via physical access.
Other risk rating platforms to allow for multiple assessments of third parties.
Other phishing services that focus on wide testing and follow-up, performance-based training.
A managed service provider that can deeply understand your IT and security needs to help you maintain business alignment and state-of-the-art security practices.
-
What information will I need to monitor the BreachRisk of a 3rd party?
All you'll need is the name of the company and the official website. We'll do the rest. You'll get up to 10x better accuracy than other 3rd-party cyber risk monitoring services currently on the market. If you plan to seek the organization's participation in a monitoring or testing scheme in an effort to gain up to 100x better predictive accuracy, you'll just need a competent authority point of contact.
-
How long does it take to generate a BreachRisk score?
Depending on the size of the entity being analyzed, and whether active penetration testing will be a part of the analysis, it can take anywhere from minutes to days to complete a risk analysis.
-
How do you provide 10x better accuracy?
Our approach achieves up to 10x greater accuracy in quantifying cyber risk than legacy risk ratings because we are dedicated to the offensive security perspective. We are driven to maintain bleeding-edge discovery capability (to identify targets more precisely), significantly reduce false positives, and employ superior risk prioritization methods. Attackers are the true authority on risk. This multi-step process, compounded up to 100x by our ability to secure target participation for verification and testing, ensures unparalleled precision and reliability in our outcomes. Learn more by reading about the BreachRisk™ Method.
-
What do you mean when you say you can "Predict breaches" or provide "predictive insights?"
It's a bold claim for sure, but we stand behind it. You're reading this question because you appreciate that "words have meaning" and that lots of companies claim to do lots of things that turn out to just not be so. We mean that if you were to line up 1,000 companies in a row and ask BreachRisk to predict who would be breached over the next 12-24 months, we can give you a more accurate answer than other risk rating platforms. We're using a common-sense approach here.

Here's how we're thinking about this: "Predict" means some version of "to know or state what will happen in the future." Easy enough for simple cause-effect phenomena, like gravity or astrodynamics. But for complex things like driving a car, you've got multiple actors with different motives, capabilities, etc. "Choice plus randomness" is a tough situation for prediction. How can anybody predict what attackers will do? And yet, while we know we can never achieve perfect prediction, it is still extremely valuable to do the best we can.

Consider this: if you know there are some things that are impossible to hack, then you know attackers won't be able to cause a breach there. Furthermore, if you know there are some things that are very easy for attackers to hack, then you know attackers are more likely to breach in those areas. By narrowing the range of possible outcomes, you are starting to form a prediction. And if you knew what an attacker could see, think, and do, and you could know that continuously, then you'd really start to have a good ability to predict their actions. Furthermore, if you could prove through active red teaming and pen testing whether certain login passwords could be cracked, vulnerabilities exploited, or configurations misused, then you're even more confident that experienced attackers would come to the same conclusions. Given enough time, attackers can breach anybody.

Now add the fact that attackers have to breach someone. So in some ways a prediction includes a comparative likelihood among all possible attack options. Attackers aren't always right in their predictions, but the point is that to know what attackers predict is a superpower that allows you to outsmart them before they breach. That's the general idea. BreachRisk is backed by a whole lot of science and quantitative math, which allows us to generate predictive analysis continuously, at scale, in a standardized way.
-
I'm a customer and I have a problem, what should I do?
If the FAQs, knowledge base, or dashboard materials don't help, or if you'd just prefer to talk with our team, you can contact support@breachbits.com. We act quickly on these emails and it is the fastest way to get our attention.
-
I'm not getting alert emails, what's wrong?
The most common problem is that our emails are being stopped by your spam filters. You can also check to ensure that we have your correct email by logging in to your dashboard. You can also contact support@breachbits.com and we can determine the issue.