Attack Surface Management
Orpheus' platform enables you to understand your attack surface from your adversaries' perspective. We use our accredited Threat Intelligence and award-winning Machine Learning to deliver predictive and actionable Attack Surface management, including Risk-Based Vulnerability Management. We also include your Third Parties and Supply chain in your continuous attack surface assessment.
Features
- Utilise threat intelligence to understand your attack surface
- Utilise cyber risk scoring to report to your board
- See all your attack surface issues in one place
Benefits
- Utilise cyber risk scoring to report to your board
- Build your cyber threat-led defence
Pricing
£20,000 to £60,000 a licence
- Education pricing available
- Free trial available
Framework
G-Cloud 13
Service ID
601819016413939
Contact
Orpheus Cyber
Oliver Church
Telephone: 07734603630
Email: oliver.church@orpheus-cyber.com
Service scope
- Software add-on or extension
- Yes
- What software services is the service an extension to
- Vulnerability Scanning Technology
- Cloud deployment model
- Public cloud
- Service constraints
- N/A
- System requirements
- N/A
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Within 1 to 2 hours, between 9:30 and 6pm from Monday to Friday. However, at weekends, additional out-of-hours support can be slower.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- None or don’t know
- Phone support
- No
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- All customers are given access to email support and to a dedicated customer success manager and commercial account manager, who provide technical support for training and onboarding, and also for troubleshooting any issues that may occur.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- Customers are given full onboarding training, including unlimited sessions with our customer success team (online) in order to complete training with the platform.
- Service documentation
- Yes
- Documentation formats
- End-of-contract data extraction
- Customers have a period of 1 month to extract their data when their contract ends. The data can be obtained by contacting their customer success manager.
- End-of-contract process
- The customer will be able to contact their customer success manager to obtain any data and also be given the option to take their last cyber risk rating report from the platform.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- No differences.
- Service interface
- No
- User support accessibility
- None or don’t know
- API
- Yes
- What users can and can't do using the API
- Users can access our attack surface monitoring data, utilising a variety of different data points. Each API can be bespoke depending specifically on the customer's use case.
- API documentation
- Yes
- API documentation formats
-
- Open API (also known as Swagger)
- HTML
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
- Customers can customise our service by specifically choosing what our software passively scans, removing false positives and editing key search terms in order to fine-tune the platform to work specifically for their environment.
Scaling
- Independence of resources
- Orpheus has autoscaling cloud architecture.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Customers can be provided with metrics on how the attack surface has changed over time, including the number of open ports, critical vulnerabilities, expired certs, exposed database instances, email security issues and cyber risk ratings.
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- European Economic Area (EEA)
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least every 6 months
- Penetration testing approach
- In-house
- Protecting data at rest
- Encryption of all physical media
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Inside the platform, a number of widgets let customers export their data to .csv or PDF.
- Data export formats
-
- CSV
- Other
- Other data export formats
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- Guaranteed SLA Uptime of 97% of Core Hours
- Approach to resilience
- Available on Request
- Outage reporting
- Email Alerts are sent to customers by our support team.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Username or password
- Access restrictions in management interfaces and support channels
- Orpheus employees are given access to areas of the management interfaces only when needed and required. This follows the principle of least privilege.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Dedicated link (for example VPN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- Between 6 months and 12 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- Between 6 months and 12 months
- How long system logs are stored for
- Between 1 month and 6 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
-
- ISO/IEC 27001
- Other
- Other security governance standards
- Cyber Essentials Plus
- Information security policies and processes
-
Orpheus has a senior Director responsible for its information security programme, supported by its COO and CTO and other team members.
In addition, as a company that is compliant with the ISO27001 Standard, Orpheus maintains an information security programme that is suitable for maintaining the security and confidentiality of your data. Policies are introduced during induction and refresher training is conducted on a regular basis. This includes policies for:
• Identifying and protecting against threats;
• Preventing unauthorised access;
• Ensuring the proper disposal of your data. If your data is required to be permanently deleted from any storage media owned or operated by Orpheus, data will be disposed of in a manner meeting forensic industry standards such as the NIST SP800‐88 Guidelines for Media Sanitization;
• Background checks to be conducted on all personnel and in addition some personnel receive government security vetting depending on the client contract.
As a Cyber Essentials Plus certified company, Orpheus is audited annually on its technical measures and vulnerability management approach, and additionally on an ongoing basis Orpheus deploys its own proprietary technologies developed as a leading cyber security company to manage threats, attack surface and third-party cyber risks.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- We take a risk-based approach to change and configuration management in order to understand the potential security impact. This may involve establishing a change assessment board to consider the change or configuration requirement, the threat, and the potential impact of it not being done and of it being done incorrectly. Following this, a plan of approach is developed and agreed.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Orpheus has our own product for risk-based vulnerability management, which we sell commercially. As a highly accredited threat intelligence company (including by the FCA and the Bank of England) we have a leading understanding of threats which we link to vulnerabilities using skilled analysts and Machine Learning. This drives a threat-led approach to vulnerability management that means we focus on mitigating the highest risk vulnerabilities we face.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
-
Our approach to protective monitoring is defence in depth, utilising a number of technologies and focus areas as follows:
Application Whitelisting
Custom Threat Intelligence
Database Encryption
Data Loss Prevention
DDOS mitigation
DMARC
Email Filtering
Employee Awareness Training
Endpoint Protection
Incident Response Plan
Intrusion Detection System
Penetration Tests
Perimeter Firewalls
Vulnerability Scans
Web Content Filtering
- Incident management type
- Supplier-defined controls
- Incident management approach
-
We have an incident response plan which is updated regularly to take into account the most relevant threats likely to impact our organisation. Our incident response plan specifies immediate actions for common events.
Users report incidents to a dedicated contact and we provide incident reports using an established template form.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Social Value
- Fighting climate change
- Please enquire with Orpheus internally.
- Covid-19 recovery
- Please enquire with Orpheus internally.
- Tackling economic inequality
- Please enquire with Orpheus internally.
- Equal opportunity
- Please enquire with Orpheus internally.
- Wellbeing
- Please enquire with Orpheus internally.
Pricing
- Price
- £20,000 to £60,000 a licence
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- A 2-week period to test all the features of the attack surface monitoring module of the platform.