Falanx Cyber

Edgescan - Continuous Technical Security Vulnerability Assessment

Edgescan is a managed Continuous Technical Security Vulnerability Assessment service. It combines continuous security testing with system visibility, delivering full-stack vulnerability management, asset profiling, alerting and risk metrics in a single service.

As official partners, Falanx Cyber will assist customers with on-boarding the service and portal configuration.

Features

  • Continuous security technical vulnerability testing
  • "Full-stack coverage": web applications/sites and the hosting/cloud environments beneath them
  • Results validated by analysts to remove false positives (managed service with vulnerability analysis)
  • Variable testing frequency: fortnightly, monthly, quarterly or on demand
  • Detailed vulnerability reporting, including the injected payload and the observed response
  • Continuous system visibility via secure online portal
  • Rich API for integration with JIRA and ServiceNow
  • Customisable alerting via email, SMS or other channels
  • Highly customisable reporting in PDF, CSV and Excel formats
  • 24/7 Governance Risk and Compliance Metrics

Benefits

  • Provides continuous visibility of on-premises and cloud environments
  • Helps free up security staff to focus on other issues
  • Helps comply with auditing and compliance standards
  • Suitable for OFFICIAL (including OFFICIAL-Sensitive) classified services
  • Enables organisations to react quickly by identifying security issues as they appear
  • Value for money compared with traditional security testing, for start-ups through to corporates
  • Helps manage critical assets, freeing up resources and time
  • Expert analysts ensure risk is reported accurately and rated appropriately
  • Flexible access to systems as and when required
  • Monitor security rating to help track performance and improvements

Pricing

£4558 to £13127 per licence per year

  • Free trial available

Service documents

Framework

G-Cloud 11

Service ID

919181652955045

Contact

Falanx Cyber

Tom Evans

0207 856 9450

info@falanx.com

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No constraints
System requirements None

User support

Email or online ticketing support Email or online ticketing
Support response times Within 2 days, excluding weekends
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels See Service Definition document or contact us for further information.
Support available to third parties No

Onboarding and offboarding

Getting started See Service Definition document or contact us for further information.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction See Service Definition document or contact us for further information.
End-of-contract process See Service Definition document or contact us for further information.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No difference in user experience.
Service interface Yes
Description of service interface See Service Definition document or contact us for further information.
Accessibility standards None or don’t know
Description of accessibility See Service Definition document or contact us for further information.
Accessibility testing Web accessibility checkers were run against the service.
API Yes
What users can and can't do using the API The API can be configured to integrate with JIRA, ServiceNow or other services. Full documentation can be provided.
API documentation Yes
API documentation formats PDF
API sandbox or test environment No
Customisation available Yes
Description of customisation Alerts can be configured for different severity levels and delivered via different channels, such as SMS, email or webhooks into Slack and similar tools.
Assessment reports can be downloaded at different levels of detail depending on the target audience, from management reports to finely detailed technical reports.
Configurations are made at initial on-boarding and can be updated at any point in the service period.

Scaling

Independence of resources The Edgescan service is built on Amazon Web Services and is designed to scale on demand, so that load from other users does not affect the service.

Analytics

Service usage metrics Yes
Metrics types The service portal provides a dashboard detailing a range of metrics, including the number of vulnerabilities found, the systems under test and the frequency of the assessments.
Reporting types Real-time dashboards

Resellers

Supplier type Reseller (no extras)
Organisation whose services are being resold Edgescan

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach The data centre physical security has been assessed using the UK Government's Classified Materials Assessment Tool (CMAT) as suitable for UK OFFICIAL (including OFFICIAL-SENSITIVE).
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Downloadable assessment reports in PDF format at any time.
Downloadable vulnerability lists in CSV or Excel format at any time.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel
  • PDF
Data import formats Other
Other data import formats No uploads available or required

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability The Edgescan Service web portal for each web application under assessment shall be available to Customer not less than 95.5% of the time each calendar month.
Customer shall not receive any credits in connection with any failure or deficiency of Service Availability to the extent caused by or associated with: (i) a force majeure event; (ii) regularly scheduled or emergency maintenance and upgrades; (iii) any causes attributable to Customer or its contractors, (iv) software or hardware not provided or controlled by Securestorm; and (v) outages elsewhere on the Internet, including but not limited to interruptions at any Customer or third party data center or ISP, that hinder Customer’s access to the Service.
Approach to resilience The Edgescan service is built on Amazon Web Services cloud infrastructure, and has been built to be resilient by design. Further details can be provided on request.
Outage reporting The Edgescan service runs at the frequency requested by the customer, as such, the testing is intermittent by design. However, the Edgescan reporting portal is always available. Email alerts will be provided for any scheduled or unscheduled down time.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels No remote administration interfaces are exposed on the Edgescan external infrastructure. Edgescan runs scanning and profiling services 24/7 against all of its own infrastructure, with alerts configured for any exposure of restricted services. Access to AWS and into the VPC is governed by AWS security controls. Access to the Edgescan AWS infrastructure is restricted to specific users connecting from specific locations (Edgescan IPs only) via VPN, authenticated by username/password together with certificate-based authentication.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information No audit information available
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Coalfire Systems, Inc.
PCI DSS accreditation date 25/01/2018
What the PCI DSS doesn’t cover The AWS PCI DSS certification covers the AWS infrastructure that the Edgescan service is built on. The application and service portal are not covered by the certification.
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards Cyber Essentials
Information security policies and processes We operate an Integrated Management System covering all of our certifications.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach See Service Definition documents or contact us for further information.
Vulnerability management type Supplier-defined controls
Vulnerability management approach See Service Definition documents or contact us for further information.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach See Service Definition documents or contact us for further information.
Incident management type Supplier-defined controls
Incident management approach See Service Definition documents or contact us for further information.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No

Pricing

Price £4558 to £13127 per licence per year
Discount for educational organisations No
Free trial available Yes
Description of free trial A trial proof of concept can be arranged for a single assessment.
