Orpheus Cyber

Attack Surface Management

Orpheus' platform enables you to understand your attack surface from your adversaries' perspective. We use our accredited Threat Intelligence and award-winning Machine Learning to deliver predictive and actionable Attack Surface management, including Risk-Based Vulnerability Management. We also include your Third Parties and Supply chain in your continuous attack surface assessment.


  • Utilise threat intelligence to understand your attack surface
  • Utilise cyber risk scoring to report to your board
  • See all your attack surface issues in one place


  • Utilise cyber risk scoring to report to your board
  • Build your cyber threat-led defence


£20,000 to £60,000 a licence

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at oliver.church@orpheus-cyber.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

6 0 1 8 1 9 0 1 6 4 1 3 9 3 9


Orpheus Cyber Oliver Church
Telephone: 07734603630
Email: oliver.church@orpheus-cyber.com

Service scope

Software add-on or extension
What software services is the service an extension to
Vulnerability Scanning Technology
Cloud deployment model
Public cloud
Service constraints
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 1 to 2 hours, during 9:30 to 6pm from Monday to Friday. However, during weekends, additional out of hours supports can be slower.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Web chat support
Onsite support
Yes, at extra cost
Support levels
All customers are given access to email support and a dedicated customer success manager and commercial account manager who provides technical support to customers for training and onboarding, and for also troubleshooting any issues that may occur.
Support available to third parties

Onboarding and offboarding

Getting started
Customers are given full onboarding training, including unlimited sessions with our customer success team (online) in order to complete training with the platform.
Service documentation
Documentation formats
End-of-contract data extraction
Customers have a period of 1 month to extract their data when their contract ends. The data can be obtained by contacting their customer success manager.
End-of-contract process
The customer will be able to contact their customer success manager to obtain any data and also be given the option to take their last cyber risk rating report from the platform.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
No differences.
Service interface
User support accessibility
None or don’t know
What users can and can't do using the API
Users can access our attack surface monitoring data, utilising a variety of different data points. Each API can be bespoke depending specifically on the customer's use case.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Customisation available
Description of customisation
Customers can customise our service be specifically choosing what our software passively scans, remove false positives and edit key search terms in order to fine tune the platform to work specifically for their environment.


Independence of resources
Orpheus has autoscaling cloud architecture.


Service usage metrics
Metrics types
Customers can be provided with metrics specifically with how the attack surface has changed over time including number of open ports, critical vulnerabilities, expired certs, exposed database instances, email security issues and cyber risk ratings.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Inside the platform, there are a number of widgets, where customers can export to .csv or PDF in order to export their data.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Guaranteed SLA Uptime of 97% of Core Hours
Approach to resilience
Available on Request
Outage reporting
Email Alerts are sent to customers by our support team.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Orpheus employees are only given access to areas of the management interfaces when needed and required to have so. This follows the principle of least privilege.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
Orpheus has a senior Director responsible for its information security programme, supported by its COO and CTO and other team members.
In addition, as a company that is compliant with the ISO27001 Standard,

Orpheus maintains an information security programme that is suitable for maintaining the security and confidentiality of your data. Policies are introduced during induction and refresher training is conducted on a regular basis. This includes policies for:
• Identifying and protecting against threats;
• Preventing unauthorised access;
• Ensuring the proper disposal of your data. If your data is required to be permanently deleted from any storage media owned or operated by Orpheus, data will be disposed of in a manner meeting forensic industry standards such as the NIST SP800‐88 Guidelines for Media Sanitization;
• Background checks to be conducted on all personnel and in addition some personnel receive government security vetting depending on the client contract.

As a Cyber Essentials Plus certified company, Orpheus is audited annually on its technical measures and vulnerability management approach, and additionally on an ongoing basis Orpheus deploys its own proprietary technologies developed as a leading cyber security company to manage threats, attack surface and third-party cyber risks.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
We take a risk-based approach to change and configuration management in order to understand the potential security impact. This may involved establish a change assessment board to consider the change or configuration requirement, threat and potential impact of it not being done and of it being done incorrectly. Following which a plan of approach is developed and agreed.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Orpheus has our own product for risk-based vulnerability management, which we sell commercially. As a highly accredited threat intelligence company (including by the FCA and the Bank of England) we have a leading understanding of threats which we link to vulnerabilities using skilled analysts and Machine Learning. This drives a threat-led approach to vulnerability management that means we focus on mitigating the highest risk vulnerabilities we face.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our approach to protective monitoring includes a defence in depth approach utlising a number of technologies and focus areas as follows:
Application Whitelisting
Custom Threat Intelligence
Database Encryption
Data Loss Prevention
DDOS mitigation
Email Filtering
Employee Awareness Training
Endpoint Protection
Incident Response Plan
Intrusion Detection System
Penetration Tests
Perimeter Firewalls
Vulnerability Scans
Web Content Filtering
Incident management type
Supplier-defined controls
Incident management approach
We have an incident response plan which is updated regulalry to take into account the most relevant threats likely to impact our organisation. Our incident response plan specifies immediate actions for common events.
Users report incidents to a dedicated contact and we provide incident reports using an established template form.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks

Social Value

Fighting climate change

Fighting climate change

Please enquire with Orpheus internally.
Covid-19 recovery

Covid-19 recovery

Please enquire with Orpheus internally.
Tackling economic inequality

Tackling economic inequality

Please enquire with Orpheus internally.
Equal opportunity

Equal opportunity

Please enquire with Orpheus internally.


Please enquire with Orpheus internally.


£20,000 to £60,000 a licence
Discount for educational organisations
Free trial available
Description of free trial
A 2 week period to test all the features of the Attack surface monitoring module of the platform.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at oliver.church@orpheus-cyber.com. Tell them what format you need. It will help if you say what assistive technology you use.