About BreachRisk

Clear, fair characterization of cyber risk - backed by rigorous attack tradecraft.


Summary

We strongly believe that an effective cyber risk score is based on transparency, defensibility, and fair characterization.


BreachRisk is based on direct hacker measurements, and we're open about our method. We don't obfuscate the details you need to understand how our scores were generated or how to improve them.

We will point out dangers, but we will also tell you when suspected dangers probably aren't a danger at all. And we'll have the proof to support our claims.


BreachBits® is a cyber-focused automation and A.I. company, and BreachRisk is our solution for understanding and communicating cyber risk.

Cybersecurity is everyone's business. Just as a borrower’s credit score informs lenders about the risk of loaning money, cyber risk scores signal the strength of a company’s cyber defenses. When properly derived, a score provides an easy-to-understand and actionable conclusion of a complicated process. There's no better way to find out if an organization can be breached than to ask a hacker.

BreachRisk™ is a family of concepts and solutions designed to fairly, accurately, and repeatably measure the likelihood and impact of cyber threats to an organization from our perspective - the hacker's perspective.


BreachRisk™ Score is a single number between 0 and 10 that communicates the relative risk of a cyber breach - without bogging you down with the technical details. The score also includes context such as the level of rigor, the fidelity achieved, and a risk range and category based on environmental factors.

BreachRisk™ Report is the next level of detail. Similar to a credit report, BreachRisk Report provides insights that allow you to understand and influence the BreachRisk Score, and that you may want to provide to trusted parties, such as cyber insurance providers.

 

Our Risk Principles

A time-tested foundation.

Our risk scoring methods are based on dynamic and strategic risk management principles used by best-in-class organizations from the Pentagon to Wall Street.

Risk = Likelihood × Impact

Many risk paradigms can be reduced or rephrased to this classic equation. Every threat can be described by how likely it is to occur (likelihood) and the impact to the subject if it were to occur (impact). Risk is the product of the two. Although some popular cyber risk equations include terms such as threat and vulnerability, even these can be mathematically simplified into this classic equation. BreachRisk Score answers the question, "what is the relative risk that a cyber breach will occur to this organization in the foreseeable future?"

CVSS Compatible

Those familiar with cyber risk recognize the time-tested Common Vulnerability Scoring System (CVSS) maintained by the CVSS Special Interest Group. CVSS is used by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) to characterize the relative risk of known computer vulnerabilities. BreachRisk considers threats far beyond the NVD with active attack methods and incorporates the CVSS standard to characterize all threats in a way that is coherent and compatible.


Our Risk Innovations

Not the defender's point of view.

BreachRisk focuses on capabilities and opportunities of the attacker. We've integrated time-tested approaches with carefully curated innovations to achieve risk insights from the hacker's perspective.

Binary Point Vectors

Breaches can occur when hackers have the capability, opportunity, and intent to violate confidentiality, integrity, or availability. BreachRisk emulates an attacker with intent to harm, and focuses on finding alignments of opportunity and capability where attacks might result in a breach. A vulnerability (opportunity) is interesting, but only influences risk if there is a way to exploit it (capability). BreachRisk Report details all of these Point Vectors, but BreachRisk Score only considers a subset determined by proprietary attack tradecraft applications.

Temporal Dimension

Time matters, and it's a core innovation built into the BreachRisk calculus. Attackers take advantage of time. In some cases, they proceed cautiously over the course of many months or years. In others, they strike with blinding speed. They often don't move at a speed convenient for the security department. The time dimension directly contributes to whether a hacker will succeed or not. Incorporating time allows BreachRisk to control for factors between organizations that are commonly used but are less important for hackers. For example, BreachRisk is agnostic of contextual factors such as size - which is often overemphasized in other risk paradigms, making those approaches inappropriate for comparing different organizations.

 

"From my experience as a military cyber veteran working with best (and worst) in class, no insight is better than the hacker's perspective, and no language better than risk management."

J. Foster Davis, Co-Founder & COO

 

Naturally Continuous, Powered by Hackers

Attackers don't rest, and neither should your risk assessments.

To keep up with ever-evolving cyber threats, BreachRisk solutions are built from the ground up to be used persistently. Using attack tradecraft, we emulate attackers with heavy automation and A.I. We employ the same methods as malicious hackers, and this gives us incredible insight into those we assess.

When a thief attacks, there is a difference between looking at the safe and attempting to crack the safe. We continuously use attack tradecraft, but we don't cross the line. First, we observe from every angle and interact with systems in a benign manner consistent with applicable law and the physics of cyberspace. We blend those observations with our knowledge of hacker tools and tricks. If we are able to obtain consent, we can increase the fidelity by actively attempting to breach the subject in a safe and professional manner.

Most BreachRisk plans offer no-obligation flexibility to make it easy, but you'll get the most insight when maintaining a subscription. This ensures high fidelity and frequent observations, and unlocks the trend analysis you'll need to have the best context. As threats and breaches emerge in the news, alerts and periodic summaries will help you know where you stand.

 

Three Levels of Detail

BreachRisk™ solutions deliver the right information to the right people.

BreachRisk™ Score

An easy-to-understand snapshot.

Not everyone has the time to get bogged down with the technical details of cybersecurity. BreachRisk™ Score provides a scalable, realistic, and understandable metric, enabling productive decisions and conversations. Included in all solutions.

BreachRisk™ Report

Enhance the conversation.

In some cases, knowing just the BreachRisk Score is only half the battle. When you need to know why, BreachRisk Report provides insights on helpful and harmful factors, as well as deeper insights on threats that attackers could use to cause a breach. We facilitate secure sharing of this information with organizations you select so that you can further prove security and work with others without divulging unnecessary and potentially harmful technical details. Included with BreachRisk™ for Business Pro (and higher) and BreachRisk™ Portfolio.

BreachRisk™ Technical

All the gritty details.

There is some information that you would never want to share outside of your organization because attackers could use it against you - but your technicians could use it to make you better. This information is kept confidential and only available for those with a BreachRisk™ for Business plan (Pro level and higher).

 

Why Cyber Risk Scoring Matters

Silence Helps Attackers

Attackers already know where to find you.

It is natural for defenders to want to guard sensitive IT and security information for fear that hackers can obtain and exploit that information. Certainly to a degree that is true, but it deprives defenders of their main advantage. There are more defenders than attackers. Like a school of fish, if defenders can share the right information they can actually learn from each other and coordinate faster than attackers can organize. A main goal of BreachRisk is to facilitate secure communications between defenders, even if the other defender is a market competitor.


Communication is Security

Cyber is everybody's business

If you’re not already considering cyber risk when making decisions, you should be. BreachRisk Scores are conversation starters, providing the cornerstone for your cybersecurity discussion. They are rigorous enough to provide an accurate representation, but simple enough to be understood by even the least tech-savvy member of your company. Cybersecurity will be an accessible and comfortable conversation for every member of your organization.


Learn More

We're revolutionizing the way the world talks about cyber.
