About BreachRisk™
Clear, fair characterization of cyber risk - backed by rigorous attack tradecraft.

Summary
BreachBits® is a cyber-focused automation and A.I. company, and BreachRisk™ is our solution for understanding and communicating cyber risk.
We strongly believe that an effective cyber risk score is based on transparency, defensibility, and fair characterization.
BreachRisk is based on direct hacker measurements, and we're open about our method. We don't obfuscate the details you need to understand how our scores were generated or how to improve them.
We will point out dangers, but we will also tell you when suspected dangers probably aren't a danger at all. And we'll have the proof to support our claims.
Cybersecurity is everyone's business. Just as a borrower’s credit score informs lenders about the risk of loaning money, cyber risk scores signal the strength of a company’s cyber defenses. When properly derived, a score provides an easy-to-understand and actionable conclusion to a complicated process. There's no better way to find out if an organization can be breached than to ask a hacker.
BreachRisk™ is a family of concepts and solutions designed to fairly, accurately, and repeatably measure the likelihood and impact of cyber threats to an organization from our perspective - the hacker's perspective.
BreachRisk™ Score is a single number between 0 and 10 that communicates the relative risk of a cyber breach - without bogging you down with the technical details. The score also includes context such as the level of rigor, the fidelity achieved, and a risk range and category based on environmental factors. It enables easy comparisons for one organization over time, or between companies.
BreachRisk™ Report is the next level of detail. Similar to a credit report, BreachRisk Report provides insights that allow you to understand and influence the BreachRisk Score. BreachRisk Report is designed to be easy to understand by decision makers and is an ideal way to share your risk summary with trusted parties, such as cyber insurance providers, parent companies, or partners.

Our Risk Principles
A time-tested foundation.
Our risk scoring methods are based on dynamic and strategic risk management principles used by best-in-class organizations from the Pentagon to Wall Street.
Risk = Likelihood x Impact
Many risk paradigms can be reduced or rephrased to this classic equation. Every threat can be described by how likely it is to occur (likelihood) and the impact to the subject if it were to occur (impact). Risk is the product of the two. Although some popular cyber risk equations include terms such as threat and vulnerability, even these can be mathematically simplified into this classic equation. BreachRisk Score answers the question, "what is the relative risk that a cyber breach will occur to this organization in the foreseeable future?"
CVSS Compatible
Those familiar with cyber risk recognize the time-tested Common Vulnerability Scoring System (CVSS) maintained by the CVSS Special Interest Group. CVSS is used by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) to characterize the relative risk of known computer vulnerabilities. BreachRisk considers threats far beyond the NVD with active attack methods and incorporates the CVSS standard to characterize all threats in a way that is coherent and compatible.


Our Risk Innovations
Not the defender's point of view.
BreachRisk focuses on capabilities and opportunities of the attacker. We've integrated time-tested approaches with carefully curated innovations to achieve risk insights from the hacker's perspective.
Binary Point Vectors
Breaches can occur when hackers have the capability, opportunity, and intent to violate confidentiality, integrity, or availability. BreachRisk emulates an attacker with intent to harm, and focuses on finding alignments of opportunity and capability where attacks might result in a breach. A vulnerability (opportunity) is interesting, but only influences risk if there is a way to exploit it (capability). BreachRisk Report details all of these Point Vectors, but BreachRisk Score only considers a subset determined by proprietary attack tradecraft applications.
Temporal Dimension
Time matters, and it's a core innovation built into the BreachRisk calculus. Attackers take advantage of time. In some cases, they proceed cautiously over the course of many months or years. In others, they strike with blinding speed. They often don't move at a speed convenient for the security department. The time dimension directly contributes to whether a hacker will succeed or not. Incorporating time allows BreachRisk to control for factors between organizations that are commonly used but are less important for hackers. For example, BreachRisk is agnostic of contextual factors such as size - which is often overemphasized in other risk paradigms, making those approaches inappropriate for comparing different organizations.

"From my experience as a military cyber veteran working with best (and worst) in class, no insight is better than the hacker's perspective, and no language better than risk management."
J. Foster Davis, Co-Founder & COO

Naturally Continuous, Powered by Hackers
Attackers don't rest, and neither should your risk assessments.
To keep up with ever-evolving cyber threats, BreachRisk solutions are built from the ground up to be used persistently. Using attack tradecraft, we emulate attackers with heavy automation and A.I. We employ the same methods as malicious hackers, and this gives us incredible insight into those we assess.
When a thief attacks, there is a difference between looking at the safe and attempting to crack the safe. We continuously use attack tradecraft, but we don't cross the line. First, we observe from every angle and interact with systems in a benign manner consistent with applicable law and the physics of cyberspace. We blend those observations with our knowledge of hacker tools and tricks. If we are able to obtain consent, we can increase the fidelity by actively attempting to breach the subject in a safe and professional manner.
Most BreachRisk plans offer no-obligation flexibility to make it easy, but you'll get the most insight when maintaining a subscription. This ensures high fidelity and frequent observations, and unlocks the trend analysis you'll need to have the best context. As threats and breaches emerge in the news, alerts and periodic summaries will help you know where you stand.

Three Levels of Detail
BreachRisk™ solutions deliver the right information to the right people.
BreachRisk™ Score
An easy-to-understand snapshot.
Not everyone has the time to get bogged down with the technical details of cybersecurity. BreachRisk™ Score provides a scalable, realistic, and understandable metric, enabling productive decisions and conversations. Included in all solutions.
BreachRisk™ Report
Enhance the conversation.
In some cases, knowing just the BreachRisk Score is only half the battle. When you need to know why, BreachRisk Report provides insights on helpful and harmful factors, as well as deeper insights on threats that attackers could use to cause a breach. We facilitate secure sharing of this information with organizations you select so that you can further prove security and work with others without divulging unnecessary and potentially harmful technical details. Included with BreachRisk™ for Business Pro (and higher) and BreachRisk™ Portfolio.
BreachRisk™ Technical
All the gritty details.
There is some information that you would never want to share outside of your organization because attackers could use it against you - but your technicians could use it to make you better. This information is kept confidential and only available for those with a BreachRisk™ for Business plan (Pro level and higher).

Why Cyber Risk Scoring Matters
Silence Helps Attackers
Attackers already know where to find you.
It is natural for defenders to want to guard sensitive IT and security information for fear that hackers can obtain and exploit that information. Certainly to a degree that is true, but it deprives defenders of their main advantage. There are more defenders than attackers. Like a school of fish, if defenders can share the right information they can actually learn from each other and coordinate faster than attackers can organize. A main goal of BreachRisk is to facilitate secure communications between defenders, even if the other defender is a market competitor.

Communication is Security
Cyber is everybody's business
If you’re not already considering cyber risk when making decisions, you should be. BreachRisk Scores are conversation starters, providing the cornerstone for your cybersecurity discussion. They are rigorous enough to provide an accurate representation, but simple enough to be understood by even the least tech-savvy member of your company. Cybersecurity will be an accessible and comfortable conversation for every member of your organization.


Other Benefits
The next revolution in cyber defense isn't in the server room, it's in the boardroom.
Advancements in automation and Artificial Intelligence have enabled your business but have also enabled malicious cyber hackers. When security stakeholders can coordinate effectively, attackers lose. Reliable, predictive, scalable cyber risk scoring enables this vision.
Align Incentives
Often, the person that cares most about security isn't in the security department or even in the same company. External pressures have been critical in decades past to drive security actions, but compliance often fails to deliver secure outcomes. Acknowledging third-party forcing functions and harnessing them towards productive security outcomes gives defenders the network-effect advantage needed to thwart attackers consistently.

Promote Transparency
Attackers benefit when defenders try to keep secrets about their security. It is natural to protect your brand reputation in a world where cyber attacks are fringe occurrences. But we are not in that world. The war in cyberspace is persistent and attackers are well funded, well trained, and anonymous. There will be losses, so the goal is to manage the losses, not just avoid them. Secure organizations recognize that too much secrecy is harmful. Cyber risk scores that fairly characterize an organization while respecting intimate security details are essential to creating a productive ecosystem where defenders from different organizations can reclaim the advantage of coordination.

Optimize Internal Coordination
Cyber is everyone's business because it affects all parts of the business. So coordination between business functions and business lines is critical for sustained performance. But the challenge is that cyber technologies are complicated - so discussions about cybersecurity are quickly overcome by small details with big impacts.
When we lose sight of the big picture and the things that really matter, it is extremely difficult to make optimal decisions consistently. Effective organizations know how to simplify the details of each business function into risks, impacts, and probabilities. Cyber risk scores enable the security experts to join the risk management process in a way that is familiar to the rest of the organization.

Learn More
We're revolutionizing the way the world talks about cyber.