Edgescan is a managed continuous technical security vulnerability assessment service that provides continuous security testing and system visibility, combining full-stack vulnerability management, asset profiling, alerting and risk metrics in one service. As official partners, Securestorm, an NCSC certified company, will assist customers with on-boarding the service and portal configuration.
- Continuous security technical vulnerability testing
- "Full-stack coverage" - Web applications/sites & hosting /cloud environments
- False positive-free results, managed service with vulnerability analysis
- Variable testing frequency: fortnightly, monthly, quarterly or on demand
- Incredibly detailed vulnerability reporting, including code injection & response
- Continuous system visibility via secure online portal
- Rich API for painless integration with JIRA and ServiceNow
- Customisable Alerting, via email, SMS or other channels
- Highly Customisable reporting, in PDF, CSV and EXCEL formats
- 24/7 Governance Risk and Compliance Metrics
- Provides continuous visibility on premise and cloud environments
- Helps free up security staff to focus on other issues
- Helps comply with auditing and compliance standards
- Suitable for OFFICIAL (including OFFICIAL-Sensitive) classified services
- Enables quick reaction to security threats by identifying issues early
- Value for money over traditional security for start-ups to corporates
- Helps manage critical assets freeing up resources & time
- Expert analysts ensure risk reported accurately and rated appropriately
- High flexibility with systems accessibility as and when required
- Monitor security rating to help track performance and improvements
£3647 per licence per year
- Free trial available
Falanx Cyber Ltd
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|Service constraints||No constraints.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Within 2 days, excluding weekends.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
The managed service provides detailed support by Securestorm for on-boarding and service management throughout the subscription period, via the technical account manager.
The non-managed service only provides email and telephone support directly with the service provider.
|Support available to third parties||No|
Onboarding and offboarding
|Getting started||Securestorm provides on-boarding assistance and initial demonstration and training on the use of the Edgescan service portal. User documentation and documentation on integration to other services such as JIRA and ServiceNow is available.|
|End-of-contract data extraction||
Assessment reports can be downloaded at any time in PDF format.
Vulnerability lists can be downloaded at any time in CSV or EXCEL formats.
At the end of the subscription period the Edgescan continuous vulnerability assessment service will stop conducting tests. Customers can then elect to renew the subscription.
Under the managed service, the customer will be provided with a final assessment report in a PDF format, and a final outstanding vulnerability list will be provided in a CSV file by Securestorm.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Output and operation is the same.|
|Accessibility standards||WCAG 2.0 A|
|Accessibility testing||Web accessibility checkers were run against the service.|
|What users can and can't do using the API||The API can be configured to integrate with JIRA, ServiceNow or other services. Full documentation can be provided.|
|API documentation formats|
|API sandbox or test environment||No|
|Description of customisation||
Alerts can be configured for various severity levels and via different channels, such as SMS, email or webhooks into Slack and similar tools.
You can download assessment reports, which can be configured for different levels of detail depending on the target audience, from management reports to finely detailed technical reports.
Configurations are made on initial on-boarding and can be updated at any point in the service period.
|Independence of resources||The Edgescan service is built on Amazon Web Services and is fully designed to scale on demand, so that other users' demand does not affect the service.|
|Service usage metrics||Yes|
|Metrics types||The service portal provides a dashboard detailing a range of metrics, including the number of vulnerabilities found, the systems under test and the frequency of the assessments.|
|Reporting types||Real-time dashboards|
|Supplier type||Reseller providing extra features and support|
|Organisation whose services are being resold||Edgescan|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||European Economic Area (EEA)|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||In-house|
|Protecting data at rest||
|Other data at rest protection approach||The data centre physical security has been assessed using the UK Government's Classified Materials Assessment Tool (CMAT) as suitable for UK OFFICIAL (including OFFICIAL-SENSITIVE).|
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
Downloadable assessment reports in PDF format at any time.
Downloadable vulnerability lists in CSV or EXCEL formats at any time.
|Data export formats||
|Other data export formats||
|Data import formats||Other|
|Other data import formats||No uploads are available|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
The Edgescan Service web portal for each web application under assessment shall be available to Customer not less than 95.5% of the time each calendar month.
Customer shall not receive any credits in connection with any failure or deficiency of Service Availability to the extent caused by or associated with: (i) a force majeure event; (ii) regularly scheduled or emergency maintenance and upgrades; (iii) any causes attributable to Customer or its contractors, (iv) software or hardware not provided or controlled by Securestorm; and (v) outages elsewhere on the Internet, including but not limited to interruptions at any Customer or third party data center or ISP, that hinder Customer’s access to the Service.
|Approach to resilience||The Edgescan service is built on Amazon Web Services cloud infrastructure, and has been built to be resilient by design. Further details can be provided on request.|
|Outage reporting||The Edgescan service runs at the frequency requested by the customer, as such, the testing is intermittent by design. However, the Edgescan reporting portal is always available. Email alerts will be provided for any scheduled or unscheduled down time.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||There are no remote administration interfaces exposed on the Edgescan service external infrastructure. Edgescan have scanning and profiling services that run 24/7 against all infrastructure. Alerts are set up for the exposure of any restricted services. Access to AWS and into the VPC is organised through AWS and their security controls. Access to the Edgescan AWS infrastructure is restricted to specific users coming from specific locations (restricted to Edgescan IPs only) via VPN. Authentication is username/password combined with certificate-based authentication.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||No audit information available|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||Between 1 month and 6 months|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||EY CertifyPoint|
|ISO/IEC 27001 accreditation date||11/11/2016|
|What the ISO/IEC 27001 doesn’t cover||
The AWS certification includes the infrastructure that the service is built on.
The Edgescan applications and portal are not included within the certification currently, however Edgescan are currently preparing to go through ISO27001 certification.
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Who accredited the PCI DSS certification||Coalfire Systems, Inc.|
|PCI DSS accreditation date||25/01/2018|
|What the PCI DSS doesn’t cover||The AWS PCI DSS certification covers the AWS infrastructure that the Edgescan service is built on. The application and service portal are not covered by the certification.|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||
Securestorm is Cyber Essentials certified.
Edgescan is also Cyber Essentials certified, and is currently working towards ISO27001:2013 certification.
The underlying infrastructure is provided by Amazon Web Services, who are: ISO27001:2013, PCIDSS, CSA CCM, SOC2, BSI C5 and Cyber Essentials certified.
|Information security policies and processes||Securestorm has implemented: an Information Security Policy, including: Data Protection and Privacy, Classifications, Backup and Recovery, Encryption, Data Erasure and Destruction, Change Management and Testing. All processes that staff are required to follow are detailed in the Securestorm Employee Handbook.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Edgescan maintains and applies documented configuration and change management processes to ensure changes (e.g. updates, patches or fixes) are timely and in line with business risk and needs. Full version and change control is enforced over all production systems and applications.
Prior to changes being applied to the live production environment:
• Change requests must be documented (e.g. on a change request form) and accepted only from authorised individuals.
• The possible impact of changes must be assessed (e.g. in terms of overall risk and on other components of the installation).
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
The Edgescan service runs daily vulnerability testing against its servers, tools and the online portal, using a library of over 80,000 known vulnerabilities (CVEs).
The latest vulnerabilities and threats are continuously updated from national and international sources, such as MITRE, NIST, CiSP and CERT-UK.
Patches are assessed and deployed whenever available.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||The Edgescan service is security tested on a daily basis, as well as going through extensive security testing during development. All code is required to undergo both peer review and static testing. All live systems must undergo regular dynamic testing. Currently Edgescan use Chef to help ensure all components are current and managed automatically. Security incidents are classified by type, each of which requires a different approach to containment and remediation. The severity level of an incident is used to determine the anticipated response time: Severe and High = Immediate; Moderate = 2-3 hours; and Low = 4-12 hours.|
|Incident management type||Supplier-defined controls|
|Incident management approach||
Both Securestorm and Edgescan have pre-defined policies and processes for incident management and response.
Users can report any incidents regarding the Edgescan service and online portal either directly to Edgescan or to Securestorm via email: firstname.lastname@example.org
Incident reports are provided on a case-by-case basis depending on the type of incident. Any incident reported by users will receive a response describing the outcome of the incident.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£3647 per licence per year|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||A trial proof of concept can be arranged for a single assessment.|