CyberScore is an automated testing service that provides visibility of security posture, peer rating and third party risks across large organisations and their supply chains. CyberScore generates consistent, easy-to-understand Get Well Plans, and incorporates workflow features at an affordable price, making it a cost-effective alternative to penetration testing.


  • Automated technical testing service
  • Identifies technical vulnerabilities and offers a security score
  • Offers an easy to understand dashboard of potential impacts
  • Shows peer rating, performance trends and mitigation options
  • Creates get well plans and identifies local service providers
  • Offers a view of risk across thousands of partners
  • Identifies top / bottom performers, most improved etc
  • Provides guidance when new threats emerge
  • View suppliers by type, performance, location, criticality
  • PASS / FAIL advisory for Cyber Essentials Plus


  • Make security performance accessible to both tech and business users
  • Dramatically lower your compliance penetration testing costs
  • Receive consistent results based upon empirical evidence
  • Share results and get well plans via a workflow platform
  • Track mitigation and identify uplift in security posture
  • Gain a view of risk across large diverse organisations
  • Extend your view of risk across suppliers and partners
  • Embed cyber security within procurement processes
  • View suppliers' performance versus Cyber Essentials Plus controls
  • Release technical testing resources for strategic (red team) projects


£1 per unit

Service documents

G-Cloud 9



David Carroll



Service scope

Service constraints: CyberScore requires a minimum hardware configuration as follows:

4GB RAM, 2GB free disk space, Windows 8.1, Windows 10 Pro or similar server operating systems, an Internet connection.

Planned maintenance is carried out subject to appropriate customer notice.
System requirements:
  • Windows 8.1, Windows 10 Pro or similar server operating system
  • 4GB RAM
  • 2GB free disk space
  • Internet connectivity

User support

Email or online ticketing support: Email or online ticketing
Support response times: XQ's support hours are Monday to Friday 0900 - 1730.

All questions are responded to within 4 hours.

XQ aims to resolve all issues within 24 hours.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: No
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: End users require email support only.

Larger clients with large numbers of third parties (suppliers, partners) can request on site support from XQ. A daily consultancy fee may apply in such cases at standard XQ consultancy rates.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: After initial registration, a series of explanatory screens guide users through the process of CyberScore installation and use. Users are shown the process via a series of screens explaining how the software works, what happens during scanning, where and how their data is stored, how to view performance, and how to create and share get well plans.

Users can create a scan for free, and are only required to pay for CyberScore if they require access to detailed technical information such as Get Well Plans.

CyberScore does not require onsite training, online training or user documentation. XQ is in the process of creating online tutorials to support customers and to enable them to get the most from CyberScore.

Larger customers wishing to implement CyberScore across their supply chain may request onsite support.
Service documentation: Yes
Documentation formats: HTML
End-of-contract data extraction: Users can view and download reports at any point during the contract.

Users can contact support@xqcybercore.com and can elect to have their data destroyed when the contract ends.
End-of-contract process: Customers are charged for what they consume. There are no additional costs at the end of the contract. There are no charges for the removal of data.

Using the service

Web browser interface: Yes
Using the web interface: All operations are conducted via a web interface.

New users are invited to join the service via a series of easy to understand screens, explaining their options and associated procedures for conducting their first CyberScore.
Web interface accessibility standard: None or don’t know
How the web interface is accessible: The CyberScore interface does not rely exclusively on colour to convey meaning. Colour contrast is considered and buttons and text are readable for forms of colour blindness. Images have alt tags. All data tables have headers (important for screen readers). The interface employs aria tags and roles in HTML for screen readers. Heading tags and semantic HTML are also employed.
Web interface accessibility testing: In-house testing only.
Command line interface: No


Scaling available: Yes
Scaling type: Automatic
Independence of resources: Service isolation and constraints, virtualisation with autoscaling, flexible provisioning.
Usage notifications: Yes
Usage reporting: Email


Infrastructure or application metrics: Yes
Metrics types: Other
Other metrics: Service usage
Reporting types:
  • Real-time dashboards
  • Reports on request


Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2012
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least every 6 months
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process: Yes
Data sanitisation type:
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach: A third-party destruction service

Backup and recovery

Backup and recovery: Yes
What’s backed up: Not applicable
Backup controls: Not applicable.
Datacentre setup: Single datacentre with multiple copies
Scheduling backups: Supplier controls the whole backup schedule
Backup recovery: Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: XQ strives to achieve 99.99% availability outside of scheduled maintenance periods.
Approach to resilience: Available on request.
Outage reporting: Not applicable.

Identity and authentication

User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels: XQ stringently restricts administrative access to the CyberScore platform and utilises fully encrypted and authenticated remote access channels with independently issued user certificates. Support channels are accessible only with client certificates and from certain, specified locations.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through:
  • Dedicated device on a segregated network (provider's own provision)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security accreditations: Yes
Any other security accreditations: Cyber Essentials Scheme

Security governance

Named board-level person responsible for service security: Yes
Security governance accreditation: No
Security governance approach: XQ employs security governance to bind together the core elements of cyber security and effective risk management. Governance gives context to our controls, as defined in our ISO 27001 framework, based upon our business goals and our risk tolerance threshold. By adopting a holistic approach XQ aims to minimise the likelihood of a breach.

Governance is also the mechanism by which risk-related values are reflected in the direction and judgment of our business plans, information architecture, security policies and procedures and operational practices.

Security governance is part of our CISO’s remit and is discussed at every board meeting.
Information security policies and processes: XQ is currently preparing for ISO 27001 certification; accreditation bodies will visit XQ during summer 2017. As such our current policies are aligned with the ISO27001 framework.

We ensure that these policies are appropriate and are regularly reviewed with time dedicated in board meetings for such activity.

All policies are stored centrally and are available to all staff at any time; new starters are required to read them before they are given access to XQ systems. All staff are reminded of their responsibilities annually as part of our performance management system.

XQ's CISO has a place on the Board. His direct reports include the Head of Infrastructure and Head of Development.

XQ undertakes regular audits and ad-hoc spot checks to ensure that policies are being adhered to, using external consultants where appropriate, in particular for penetration testing of both CyberScore and our infrastructure, and for incident response.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: XQ has an asset register of all CyberScore platform components, and makes extensive use of data centre infrastructure management tools.

Each change is assessed by qualified security practitioners for potential security implications. All potentially service-impacting changes follow a strict 2-man authorisation rule.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: XQ conducts routine threat assessments. We have a standard weekly patching cycle with high profile patches implemented on a same-day basis. We subscribe to vendor security mailing lists and conduct our own in-house research. We are a member of the Cyber Security Information Sharing Partnership.
Protective monitoring type: Undisclosed
Protective monitoring approach: Undisclosed - available on request
Incident management type: Supplier-defined controls
Incident management approach: XQ adopts a Cyber Incident Response (CIR) approach to incident management. XQ retains pre-defined processes for common events within a playbook created in consultation with an external third party provider. XQ rehearses its management and technical response to common incidents via desktop and real world exercises on a bi-monthly basis. These exercises simulate:

Determining the extent of an incident;
Managing immediate impact;
Remediation of any compromise;
Incident reporting to describe the scope of the problem, the technical impact, mitigation activities and an assessment of business impact;
Impact Assessment – where the incident affects partners or customers; and
Crisis Communications.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
Who implements virtualisation: Supplier
Virtualisation technologies used: VMware
How shared infrastructure is kept separate: Other software controls, such as operating systems, web servers or other applications, provide separation between users of the service.

Energy efficiency

Energy-efficient datacentres: Yes


Price: £1 per unit
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: Users can initiate CyberScore scans free of charge. Users are only charged for CyberScore when they wish to gain access to detailed technical information and Get Well Plans, and/or to share information with other system users.
Link to free trial: Www.xqcyberscore.com

