Mitigate Cyber Limited


Mitigate is an innovative internal risk mitigation solution, which has been certified by the UK’s Government Communications Headquarters (GCHQ). Mitigate calculates and presents the level of internal risk according to a range of metrics across Cyber, Compliance and GDPR. Mitigate reduces risk and strengthens resilience within organisations.


  • Real time risk reporting
  • Measure internal risk
  • Policy management
  • Employee and admin dashboard
  • Detailed user reporting
  • 16 GCHQ Certified training courses
  • Template cyber security policies
  • Policy enforcement & generator tool
  • Algorithm for assessing resilience
  • User assessments


  • Improve internal compliance
  • Build internal resilience
  • Reduce internal cyber liability
  • Employees receive a GCHQ certified training certificate
  • Policy management process is ISO 27001 & GDPR compliant
  • Improves HR efficiency
  • Presents audit trail for insurance, compliance and GDPR purposes
  • Counts towards CPD points
  • Saves time and cost
  • Updated annually and on regulatory changes


£2.50 per user per month

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

372035418031235


Mitigate Cyber Limited

Zain Javed

0333 323 3981

Service scope

Software add-on or extension
Cloud deployment model
Hybrid cloud
Service constraints
System requirements
  • Access to the Internet via browser
  • Valid email address

User support

Email or online ticketing support
Email or online ticketing
Support response times
Mon-Fri: Response time up to 24 hours.
Sat-Sun: Response time up to 48 hours.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Standard: Mon-Fri 9-5 - Response up to 24 hours. Support available by email and ticket.

Premium: Mon-Fri 9-5 - Response up to 8 hours. Support available by email, ticket and phone.

Bespoke: Mon-Fri 9-5 - Response up to 8 hours. Support available by email, ticket, phone and on-site. Additional Cost. Dedicated account manager.
Support available to third parties

Onboarding and offboarding

Getting started
End users have access to a user guide and a built-in walkthrough when logging into the solution for the first time. 'Get started' and 'Continue' buttons are built into the solution so that users can pick up where they left off when logging back in.

For client admins, remote and on-site training is provided. User documentation is also provided to assist with the roll-out of the Mitigate solution.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The client raises a support ticket; Mitigate support exports all requested data and provides it in a format suitable for the client.
End-of-contract process
The client goes through the renewal process. If the client decides not to renew, the data is retained in line with GDPR unless the client has requested permanent deletion.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Service interface
Customisation available
Description of customisation
e-Learning content can be customised at additional cost. This can include the following customisations: branding, text changes, translations, audio voice-overs and video embedding.
This customisation is controlled by Mitigate Support; no user can customise the e-learning content directly.

Client admins can also customise their own training, assessments and policies.

Resellers of the Mitigate solution can customise the logo, and the reseller web interface login can be hosted on the reseller's subdomain.


Independence of resources
As our services are hosted on AWS, we can in principle expand and contract our server pool to meet demand. Our development team is looking into ways of making this more efficient, moving more resources into the cloud.
The development team is also evaluating AWS Shield and AWS WAF (Web Application Firewall) to improve our capability in this area.


Service usage metrics
Metrics types
Real-time dashboard and risk scales.

Real-time report generation
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users cannot directly export their data.

If a user wishes to obtain an export of their data, they submit a request to the support team, who supply it directly.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
The Company shall provide at least a 99.5% uptime service availability level (Uptime Service Level). This availability refers to an access point on the Company hosting provider’s backbone network. It does not apply to the portion of the circuit that does not transit the hosting provider’s backbone network, as the Reseller is responsible for its own internet access. Availability does not include Maintenance Events as described in paragraph 2.1 of Schedule 6, Reseller-caused or third party-caused outages or disruptions (except to the extent that such outages or disruptions are caused by those duly authorised third parties sub-contracted by the Company to perform the Services), or outages or disruptions attributable in whole or in part to force majeure events within the meaning of Clause 18.

3.1 If availability falls below the Uptime Service Level (as defined in paragraph 1 of Schedule 7) in a given calendar month (Service Delivery Failure), the Company shall credit the Reseller’s account by an amount calculated as the product of the total cumulative downtime (expressed as a percentage of the total possible uptime minutes in the month concerned) and the total Monthly Hosting Fee and Monthly Software Licence Fee owed for that month (Service Credit).
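The SLA clause above defines the uptime threshold, the outage categories that are excluded from the availability figure, and the formula for the Service Credit. The following is an added example, not Mitigate's own code, showing how a buyer or reseller could check a month's availability and the credit owed from its own outage records. The outage category labels ("supplier", "maintenance", "reseller", "third_party", "force_majeure"), the sample outages and the fee amounts are constructed for the example. One point the clause leaves open is whether the credit multiplies the fees by the downtime fraction (0.8% downtime credits 0.8% of the fees) or by the bare percentage figure (0.8 times the fees); the code applies the pro-rata fraction and flags this as an assumption.

```python
from dataclasses import dataclass
from datetime import datetime

# Figures from the SLA text above.
UPTIME_SERVICE_LEVEL = 99.5  # percent, assessed per calendar month

# Outage causes that the SLA text excludes from the availability figure. The
# category labels are assumptions made for this example.
EXCLUDED_CAUSES = {"maintenance", "reseller", "third_party", "force_majeure"}


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    cause: str  # "supplier" counts against the SLA; EXCLUDED_CAUSES do not


def month_bounds(year, month):
    """[first instant of the month, first instant of the next month)."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    return start, end


def possible_uptime_minutes(year, month):
    start, end = month_bounds(year, month)
    return int((end - start).total_seconds() // 60)


def counted_downtime_minutes(outages, year, month):
    """Minutes of SLA-countable downtime inside the month. Excluded causes are
    skipped, and outages straddling a month boundary are clipped to the month."""
    start, end = month_bounds(year, month)
    total = 0.0
    for o in outages:
        if o.cause in EXCLUDED_CAUSES:
            continue
        overlap_start = max(o.start, start)
        overlap_end = min(o.end, end)
        if overlap_end > overlap_start:
            total += (overlap_end - overlap_start).total_seconds() / 60
    return total


def availability_percent(outages, year, month):
    downtime = counted_downtime_minutes(outages, year, month)
    return 100.0 * (1 - downtime / possible_uptime_minutes(year, month))


def service_credit(outages, year, month, monthly_hosting_fee, monthly_licence_fee):
    """Service Credit for a Service Delivery Failure, else 0.
    Assumption: 'downtime expressed as a percentage of possible uptime minutes'
    is applied pro rata (downtime / possible), so 0.8% downtime credits 0.8% of
    the fees; multiplying by the bare percentage figure would give 100x more."""
    if availability_percent(outages, year, month) >= UPTIME_SERVICE_LEVEL:
        return 0.0
    fraction = counted_downtime_minutes(outages, year, month) / possible_uptime_minutes(year, month)
    return fraction * (monthly_hosting_fee + monthly_licence_fee)


# Constructed sample: April 2019 (43,200 possible minutes).
CONSTRUCTED_OUTAGES = [
    Outage(datetime(2019, 4, 10, 2, 0), datetime(2019, 4, 10, 7, 0), "supplier"),     # 300 min, counted
    Outage(datetime(2019, 4, 14, 0, 0), datetime(2019, 4, 14, 4, 0), "maintenance"),  # 240 min, excluded
    Outage(datetime(2019, 4, 30, 23, 0), datetime(2019, 5, 1, 1, 0), "supplier"),     # 60 of 120 min fall in April
]
# A month with a single 200-minute supplier outage stays above 99.5%.
CONSTRUCTED_MINOR_OUTAGE = [Outage(datetime(2019, 4, 3, 1, 0), datetime(2019, 4, 3, 4, 20), "supplier")]

if __name__ == "__main__":
    print(f"availability: {availability_percent(CONSTRUCTED_OUTAGES, 2019, 4):.4f}%")
    print(f"credit: £{service_credit(CONSTRUCTED_OUTAGES, 2019, 4, 800, 200):.2f}")
```

With the constructed April 2019 outages, 360 minutes count against the SLA (the maintenance window is excluded and the month-end outage is clipped), giving 99.17% availability and, on fees of £800 plus £200, a credit of £8.33 under the pro-rata reading. A 200-minute outage alone leaves availability at 99.54% and earns no credit; the threshold for a 30-day month is 216 counted minutes.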
Approach to resilience
Information available upon request
Outage reporting
Email alerts are issued to company admins and users reporting any minor or major incidents.

Users are kept up to date at each stage of the incident, through to 'Fix Released'.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Different user roles have access to management interfaces and support channels.
The Mitigate support team has access to front-end support, at two levels:
Support Admin
Support SuperAdmin

Back-end access is limited to the development team, is restricted to the office IP address, and has two-factor authentication enabled.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Other
Description of management access authentication
Restricted to IP address

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • Cyber Essentials Plus
  • GCHQ Certified Training

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
We use our internal Mitigate software to train and test employees and to store the policies available to all employees in Xyone. New starters must complete the training and sign the relevant information security policies. The following policies are on the Mitigate portal:
Password policy; Communications Policy; Internet Usage Policy;
Information Classification Policy; Cryptographic Controls Policy; Back-Up Policy;
Social Engineering Policy; Disposal & Destruction Policy; Clean Desk Policy;
Remote Working Policy; Public Wi-Fi Policy; BYOD Policy;
Data Protection Policy;

The Mitigate portal tracks user compliance and logs when each user signs each policy. If a policy is updated on the portal, 'Compliance' status is revoked and users are alerted to re-sign the relevant policies.

All training, assessments and policies must be retaken or re-signed at least every 12 months.
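The two paragraphs above describe the rules the portal applies: a signature counts only against the version of the policy that was current when it was given, an update to the policy revokes compliance until the new version is signed, and everything must be re-signed within 12 months. The following is an added example, not Mitigate's own code, that implements that status logic over constructed sample data; the policy versions, users, dates and the 365-day reading of "12 months" are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# "At least every 12 months", from the listing; 365 days is this example's reading.
RESIGN_INTERVAL = timedelta(days=365)


@dataclass(frozen=True)
class Policy:
    name: str
    version: int        # bumped whenever the policy is updated on the portal
    published: date


@dataclass(frozen=True)
class Signature:
    user: str
    policy: str
    version: int        # the policy version the user actually signed
    signed_on: date


def policy_status(policy, user_signatures, today):
    """One user's standing against one policy: 'compliant' or the reason a
    re-sign is required. An updated policy (newer version than any signed)
    revokes compliance, as does a signature older than RESIGN_INTERVAL."""
    sigs = [s for s in user_signatures if s.policy == policy.name]
    if not sigs:
        return "not signed"
    latest = max(sigs, key=lambda s: (s.version, s.signed_on))
    if latest.version < policy.version:
        return "re-sign required: policy updated"
    if today - latest.signed_on > RESIGN_INTERVAL:
        return "re-sign required: signature older than 12 months"
    return "compliant"


def compliance_report(policies, signatures, users, today):
    """{user: {policy name: status}} for every user, including those who have
    signed nothing yet (new starters)."""
    return {
        user: {p.name: policy_status(p, [s for s in signatures if s.user == user], today)
               for p in policies}
        for user in users
    }


def users_to_alert(policies, signatures, users, today):
    """Users whose 'Compliance' status is revoked, with the policies to re-sign."""
    report = compliance_report(policies, signatures, users, today)
    return {
        user: sorted(name for name, status in statuses.items() if status != "compliant")
        for user, statuses in report.items()
        if any(status != "compliant" for status in statuses.values())
    }


# Constructed sample data (hypothetical users and dates).
POLICIES = [
    Policy("Password Policy", 2, date(2019, 3, 1)),    # updated: v1 signatures no longer count
    Policy("Clean Desk Policy", 1, date(2018, 1, 15)),
    Policy("BYOD Policy", 1, date(2018, 6, 1)),
]
SIGNATURES = [
    Signature("alice", "Password Policy", 1, date(2018, 7, 1)),
    Signature("alice", "Password Policy", 2, date(2019, 3, 5)),     # re-signed after the update
    Signature("alice", "Clean Desk Policy", 1, date(2018, 3, 20)),  # more than 12 months old
    Signature("alice", "BYOD Policy", 1, date(2019, 1, 10)),
    Signature("bob", "Password Policy", 1, date(2018, 9, 1)),       # signed v1 only
    Signature("bob", "Clean Desk Policy", 1, date(2018, 9, 1)),
    Signature("bob", "BYOD Policy", 1, date(2018, 9, 1)),
]
USERS = ["alice", "bob", "carol"]   # carol is a new starter with no signatures
TODAY = date(2019, 4, 15)

if __name__ == "__main__":
    for user, pending in users_to_alert(POLICIES, SIGNATURES, USERS, TODAY).items():
        print(f"{user}: re-sign {', '.join(pending)}")
```

Keeping the signed version on each signature record, rather than a bare "signed" flag, is what makes revocation on update an audit-trail fact rather than a mutable status: the old signature remains in the log as evidence for the period it covered, and the report derives the current state from the log on demand.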

Under our ISO 27001 and Cyber Essentials Plus accreditations, we must provide evidence that our information security policies are not only in place but up to date and understood by all employees.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The specification is put forward to management. A course of action and priority are decided by management together with the development team; this committee also factors in predicted development time and the number of users affected to decide project ordering.
Once development is complete and tests have been run, new features are deployed to a live-like staging area.

Deployment and user tests are carried out.

If these pass without incident, the new feature is merged into the main codebase and put live at the next available window.
After that, we rely on error-catching software and customers to identify future issues.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We carry out regular code reviews to make sure there are no glaring vulnerabilities. As part of ongoing project maintenance, we make sure that the underlying software our projects rely on is kept up to date.

The error-catching software used to find errors can also surface vulnerabilities; when one is discovered, a fix is written, tested and deployed at a higher priority. Critical and high-severity vulnerabilities are patched immediately. Threat alerts are gathered from university research.

Finally, we penetration test the portal at least quarterly and on every major release.
Protective monitoring type
Protective monitoring approach
As our resources are hosted on AWS, we use its monitoring tools to observe several different diagnostics. Should one of these diagnostics change dramatically, we investigate to find the cause and deploy any patches required.

Critical and high level issues are investigated on the same day.

We are currently investigating the use of additional AWS services to streamline this process.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our ISMS Section 16 (Incident Management) process is followed. Users can report incidents through our support functionality and built-in support ticketing system. In the case of major incidents, the CTO/ISM must be notified immediately in order to determine how best to contain and rectify the incident.

Incident reports are logged and stored internally in line with our ISMS, as part of our ISO 27001 certification. On request, users can obtain redacted incident reports.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£2.50 per user per month
Discount for educational organisations
Free trial available
Description of free trial
Free 14-day trial with access to 3 cyber security modules, 1 assessment and 1 policy.

No certificate of completion.
