This is a cloud-based security testing service. It tests an organisation's website for SQL injection (SQLi) and Cross-Site Scripting (XSS) vulnerabilities and checks for defacement. The scan is fully automated.
- Automated test of website security (vulnerability scanning)
- Automated reporting and alerting
- Daily scheduled
- Ad-hoc re-test for no extra cost
- Fully automated test
- Reduces the need for manual security testing
- Scheduled testing, so you don't miss a test
- Build security testing into your organisation
- Free up your internal IT or Network Admin time
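To make concrete what the "test for defacement" part of a daily scheduled scan involves, here is an added illustration (not the supplier's code, and not a description of how this service is implemented): each monitored page is fingerprinted, compared against a stored baseline, and any change or fetch failure is turned into an alert line. The page bodies, URLs and the set of volatile tokens stripped before hashing are constructed assumptions.

```python
"""Baseline-and-compare defacement check (added example, not the supplier's code).

Hash a normalised copy of each page, compare today's fetch with the stored
baseline, and report 'ok', 'changed' or 'unreachable' per URL. A failed fetch
is reported separately so a scan that did not run is never mistaken for a
clean result.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Content that legitimately differs on every response would otherwise trip the
# check on each scheduled run. This list is an assumption; tune it per site.
VOLATILE = [
    re.compile(r'<meta name="csrf-token" content="[^"]*"', re.I),
    re.compile(r'\b(nonce|data-build)="[^"]*"', re.I),
    re.compile(r'<!--.*?-->', re.S),
]
WHITESPACE = re.compile(r'\s+')


def normalise(html: str) -> str:
    """Strip volatile tokens and collapse whitespace before hashing."""
    for pat in VOLATILE:
        html = pat.sub('', html)
    return WHITESPACE.sub(' ', html).strip()


def fingerprint(html: str) -> str:
    """SHA-256 of the normalised page, used as the stored baseline value."""
    return hashlib.sha256(normalise(html).encode('utf-8')).hexdigest()


def build_baseline(pages: Dict[str, str]) -> Dict[str, str]:
    """Fingerprint every known-good page; run once when a site is onboarded."""
    return {url: fingerprint(body) for url, body in pages.items()}


def check_snapshot(baseline: Dict[str, str],
                   snapshot: Dict[str, Optional[str]]) -> Dict[str, str]:
    """One status per baselined URL. A None body models a fetch failure."""
    statuses = {}
    for url, expected in baseline.items():
        body = snapshot.get(url)
        if body is None:
            statuses[url] = 'unreachable'
        elif fingerprint(body) != expected:
            statuses[url] = 'changed'
        else:
            statuses[url] = 'ok'
    return statuses


def alert_lines(statuses: Dict[str, str]) -> List[str]:
    """Lines for the email alert: only non-ok pages are reported."""
    return [f"{status.upper()}: {url}"
            for url, status in statuses.items() if status != 'ok']


# Constructed sample data standing in for yesterday's and today's fetches.
BASELINE_PAGES = {
    "https://www.example.org/":
        '<html><head><meta name="csrf-token" content="abc123"></head>'
        '<body><!-- build 1 --><h1>Welcome</h1></body></html>',
    "https://www.example.org/contact":
        '<html><body><p>Contact us</p></body></html>',
}
TODAYS_SNAPSHOT = {
    # Same page, new CSRF token and build comment: must not raise an alert.
    "https://www.example.org/":
        '<html><head><meta name="csrf-token" content="zzz999"></head>'
        '<body><!-- build 2 --><h1>Welcome</h1></body></html>',
    # Replaced content: must be reported as changed.
    "https://www.example.org/contact":
        '<html><body><h1>Site owned</h1></body></html>',
}

if __name__ == '__main__':
    statuses = check_snapshot(build_baseline(BASELINE_PAGES), TODAYS_SNAPSHOT)
    for line in alert_lines(statuses):
        print(line)
```

The normalisation step is where most of the tuning effort goes in practice: too little and every rotating token becomes a daily false alarm, too much and a small injected script block slips through unnoticed.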
£75 per unit per month
- Education pricing available
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|System requirements||List of website addresses to be tested|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Within 1 hour 9-5 Mon-Fri|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Basic support is Mon-Fri 9-5, excluding the usual UK public holidays. It is free and included in all services.
24/7 support can be provided at £50 per day. An out-of-hours call-out is charged at a minimum of 3 hours of our Level 5 rate card, and thereafter at the hourly rate. Engineers hand over to the next engineer after 3 hours, overlapping by one hour to ensure continuity of service.
A cloud support engineer or other technically qualified person will respond to the support call.
A dedicated support number exists. This is provided to the customer's team when a separate support contract has been established.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||We just need the details of the websites to be tested.|
|End-of-contract data extraction||No data is retained.|
|End-of-contract process||When the contract completes, the testing of the services will cease. There is no handover and no costs incurred.|
Using the service
|Web browser interface||No|
|Application to install||No|
|Designed for use on mobile devices||No|
|Accessibility standards||None or don’t know|
|Description of accessibility||
The software alerts the user by email when a potential security vulnerability is found.
Our team also sees the alert on the dashboard.
If accessibility standards are needed for a customer, then we will implement these and may charge for the changes made.
|Description of customisation||Users may request custom features and reports. These can be implemented on a day rate basis.|
|Independence of resources||Runs on Microsoft Azure.|
|Service usage metrics||Yes|
|Metrics types||A report can be created to support your CISO needs. This can be implemented at cost on a day rate basis.|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||In-house|
|Protecting data at rest||
|Data sanitisation process||No|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||On request|
|Data export formats||
|Other data export formats|
|Data import formats||Other|
|Other data import formats||No data import|
|Data protection between buyer and supplier networks||Other|
|Other protection between networks||No data flows from the buyer's network and the software hosted in the cloud.|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||We provide one scan per day. If this fails to run, a manual scan will be activated. A scan can be postponed or delayed to allow for customer service downtime and other factors that might mean a test is not possible at the scheduled time.|
|Approach to resilience||Available on request.|
Email alerts will be provided for short-term planned outages.
If a problem persists for longer than the scheduled test interval, the customer point of contact will be called.
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||We run the service for you.|
|Access restrictions in management interfaces and support channels||Not applicable.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||Other|
Audit information for users
|Access to user activity audit information||No audit information available|
|Access to supplier activity audit information||No audit information available|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||Other|
|Other security governance standards||Cyber Essentials Scheme|
|Information security policies and processes||
Information Assurance and Computer Security are championed at board level. Cyber risk is on our board-level agenda.
Quarterly IA meetings are held, where audits are reviewed and actions raised.
Weekly team meetings are opportunities to raise/manage/action internal and external cyber risks.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Available on request.
Exposing these on a public-facing website is perhaps not a good idea, as it may reveal weaknesses or vulnerabilities in our end-to-end development lifecycle.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||Available on request.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||Available on request.|
|Incident management type||Supplier-defined controls|
|Incident management approach||Available on request.|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£75 per unit per month|
|Discount for educational organisations||Yes|
|Free trial available||No|