Overview
| Asset Range | Est. Duration | Price |
|---|---|---|
| Less than 100 | 2 days | $4,800 |
| 101 – 500 | 3 days | $7,200 |
| 501 – 1000 | 5 days | $12,500 |
| More than 1000 | | Ask for quote |
External Risk Assessment services for IT environments are critical for safeguarding your digital assets and ensuring the resilience of your IT infrastructure. These services are designed to uncover vulnerabilities that could potentially be exploited by threat actors, thereby preventing potential breaches before they occur. Our approach not only identifies security weaknesses but also helps prioritize remediation efforts based on the severity and potential impact of the identified risks.
Our service offerings include a Comprehensive Vulnerability Assessment, non-credentialed scanning, Open Source Intelligence (OSINT) gathering, and an optional Web Application Assessment aligned with OWASP guidelines. We target high and medium vulnerabilities with high confidence and integrate OWASP’s top 20 risks into our findings. Additionally, SSL reviews and Attack Surface Discovery with a detailed DNS review are integral parts of our assessments.
A key component of our service is the delivery of an easy-to-read report that translates technical findings into manageable terms. This report is designed to assist management in decision-making by highlighting critical vulnerabilities and suggesting the top ten mitigation activities. By providing a clear and concise report, we enable executives and IT managers to understand their security posture quickly and make informed decisions about their next steps in cybersecurity management.
This service is indispensable for any organization looking to proactively manage its cybersecurity risks, ensure compliance with industry standards, and protect its operations from external threats.
Scope of Service
Asset Coverage
The assessment will cover up to the specified number of assets based on the chosen pricing tier:
- Less than 100 assets
- 101 – 500 assets
- 501 – 1000 assets
- More than 1000 assets (requires a custom quote)
Estimated Duration
The duration of the assessment is fixed based on the asset range:
- 2 days for less than 100 assets
- 3 days for 101 to 500 assets
- 5 days for 501 to 1000 assets
Extensions or additional days are subject to separate negotiation and billing.
Services Included
- Comprehensive Vulnerability Assessment: A full evaluation of the IT environment to identify security vulnerabilities that could be exploited by external threats. This assessment includes a systematic review of all software systems, network devices, and security configurations.
- Non-Credentialed Vulnerability Scanning: Deployment of scanning tools that perform checks without requiring system credentials. This helps identify vulnerabilities that can be exploited remotely without authentication, providing an attacker’s perspective of the network.
- Open Source Intelligence (OSINT): Gathering and analyzing information from publicly available sources to identify potential exposures or data leaks related to the organization. This includes checking for exposed credentials, sensitive documents, or unsecured endpoints that are accessible via the internet.
- Web Application Assessment (optional): An in-depth security analysis of web applications using both automated tools and manual testing techniques to identify vulnerabilities like SQL injection, XSS, CSRF, and more. This assessment can be tailored to focus on specific applications or conducted broadly across all external-facing web services.
- OWASP Top 20 Risk Analysis: Mapping identified vulnerabilities against the OWASP Top 20 most critical web application security risks. This helps prioritize vulnerabilities based on their potential impact and prevalence in web applications, providing a focused approach to web security.
- SSL Review: Examination of the organization’s SSL/TLS configuration and certificates to ensure they meet industry best practices for secure encrypted communications. This includes checking for weak ciphers, expired certificates, and other common SSL vulnerabilities.
- Attack Surface Discovery with DNS Review: Comprehensive mapping of the organization’s digital footprint by examining DNS configurations and records. This includes identifying all active domains, subdomains, and associated services to provide a clear view of the potential entry points for attackers.
- High & Medium Vulnerabilities with High Confidence Reporting: Special emphasis on high and medium-severity vulnerabilities that are identified with high confidence, ensuring that the most critical and likely issues are prioritized for remediation.
Reporting
- Detailed Vulnerability Report: A comprehensive report is provided at the conclusion of the assessment, detailing all identified vulnerabilities. Each vulnerability includes a description of its potential impact, likelihood of exploitation, and its context within the IT environment.
- Top Ten Suggested Mitigation Activities: A prioritized list of the ten mitigation strategies that address the most critical vulnerabilities identified during the assessment. Each strategy is outlined with step-by-step remediation guidance, offering a clear path to stronger security defenses.
- Executive Summary: An executive summary offers a high-level overview of the assessment findings, ideal for senior executives or board members. This summary highlights key vulnerabilities and urgent priorities, emphasizing their potential business impacts.
- Risk Scoring and Prioritization: Each identified vulnerability is scored based on severity, potential impact, and exploitation complexity. This scoring system aids in prioritizing the vulnerabilities that present the most significant risk.
- Actionable Recommendations: The report provides actionable recommendations for immediate fixes and strategic security enhancements. Suggestions include updates to security policies, system configuration changes, and improvements to preventive security measures.
- Graphical Representations and Analytics: The report includes charts, graphs, and other visual aids that clearly depict the data, facilitating an easy understanding of the distribution and severity of vulnerabilities across the network.
- Raw Evidence and Methodology: Detailed methodologies used during the assessment are outlined to ensure transparency and allow for repeatability. Raw evidence such as logs, screenshots, and configurations that substantiate the findings are included to validate the assessment results.
Exclusions
- Remediation of identified vulnerabilities is not included; it is available as a separate service.
- Physical security assessments and social engineering attempts are not covered.
- On-site visits are not included and can be arranged for an additional fee.
Additional Costs
- Any work outside the predefined scope, such as additional assets or services, will be quoted and approved separately.
- Travel and accommodation expenses for any required on-site work will be billed additionally, with prior approval from the client.