Principles

Cyber Tzar was established with the goal of improving the understanding and management of cyber risk globally, to facilitate more fully informed interactions in the marketplace and to promote a safer and more secure internet.

The credibility of the score is key to its adoption, and we have developed a number of principles to guide and communicate our approach.

  • Accuracy – Our most comprehensive Cyber Security Score is based on hundreds of thousands of individual tests, together with a number of additional checks not undertaken by our competitors, including SSL health checks, port vulnerability scans and scanning of APIs.
  • Fairness – Every client receives precisely the same level of scrutiny and a score based solely on the vulnerabilities discovered, their frequency and their risk weighting.
  • Universality – The service is universally available, allowing comparisons to be made between organisations anywhere in the world.
  • Stability – The score is based on a quantitative analysis of vulnerabilities; the only reasons the score should change are that new vulnerabilities emerge, new exploits are developed for old vulnerabilities, or the site itself is changed.
  • Comparability – The scores should allow one organisation to be compared with another, even organisations of different sizes in different sectors.
  • Resilience – The scores should also be comparable over time: the risk represented by a score this year should be broadly the same as the risk represented by the same score next year.
  • Transparency – The methodology behind the creation of scores should be open to scrutiny, the scores themselves should be easily understood, and the relationship between the score and specific vulnerabilities should be clear to all.

Frequently asked questions

  • Are there any other platforms like CyberTzar? 
    Cyber Tzar is a vendor of cyber security testing products, principally in the arena of qualifying and managing risk. There are other providers of testing products, but few if any carry out the number of individual tests provided by the Cyber Tzar platform. There are also providers of risk information services, commonly known as “Third Party Risk Intelligence”. These organisations may not have undertaken any scanning of your site but will provide “proxy” risk information based on trends in attacks, your size and your sector.
  • What is unique about Cyber Tzar? 
    Cyber Tzar provides a suite of products, each building on the testing of individual websites. The suite includes:

    • Score Products - Risk assessment scans of a single site in isolation;
    • Benchmarking Products - The collation of risk across a particular sector providing a relative score and benchmarking your organisation against your actual competitors;
    • Qualify Products - The collation of a 360 Degree analysis of risk taking in Competitors, Clients, Partners and Suppliers and;
    • Assure Products - Designed to be used by actuaries in the Cyber Insurance Market where we provide analysis of systemic risk across an economy.
  • Does Cyber Tzar only test websites? 
    The fundamental building block of the Cyber Tzar offer is the testing of websites. However, it is the analysis and presentation of the data gathered from these individual tests that enables Cyber Tzar to provide far more useful and meaningful insights, and that is what makes Cyber Tzar’s offer unique.
  • What potential security issues doesn't Cyber Tzar check for? 
    The Cyber Tzar penetration test routinely checks for hundreds of thousands (and counting) of known issues; in addition, and uniquely, Cyber Tzar also tests SSL certificate health, runs port vulnerability scans and tests APIs. What we cannot check for is the “bad actor” inside an organisation who criminally removes or releases data.
  • Why do I need a service like Cyber Tzar? 
    Threats to your cyber security emerge on an almost daily basis. Cyber criminals are becoming ever more sophisticated in their use of automation, including AI-assisted tooling and bots that “spider” across the web searching for vulnerabilities to exploit. The only practical response is to maintain vigilance through regular and routine testing. Cyber Tzar’s commitment to clients is to stay abreast of developments in the exploitation of vulnerabilities and to provide timely analysis of risk.
  • Why choose Cyber Tzar? 
    Cyber Tzar is a World Class cyber security analysis platform and market leader in SaaS cyber security analysis and reporting. Cyber Tzar has been developed by some of the UK’s most experienced cyber security experts with decades of experience in the field to ensure that your websites are secure, your data is safe and your future is stable. Our objective is to maintain the most comprehensive risk analysis solution in the market.
  • Does CyberTzar check for all known website vulnerabilities? 
    A key component of the Cyber Tzar offer is that we test for all known vulnerabilities; indeed, we have a team of developers dedicated to monitoring the internet for news of new vulnerabilities and exploits. Once identified, we fast-track the incorporation of tests for these new vulnerabilities into our scan platform.
  • Do I need to be a 'techie' or technically savvy to use CyberTzar? 
    Most definitely not! Cyber Tzar has been developed with the mission of “making cyber security simple”. To that end, in addition to highly technical scan results we provide a suite of Management Reports designed specifically to inform the non-technical. It is essential in our view that senior management are able to easily understand the threats posed to business continuity from cyber security breaches in order to make the resourcing decisions inevitably required to remedy and remove those risks.
  • Who owns the data Cyber Tzar generates about my website? 
    Whilst Cyber Tzar owns the data generated from the tests undertaken on your website we understand that this data has the potential to be extremely sensitive. Cyber Tzar takes the security of this data extremely seriously, indeed our business is built on the fact that Cyber Tzar is itself cyber secure.
  • Is Cyber Tzar secure? 
    The data produced by the Cyber Tzar platform has the potential to be extremely sensitive; in the wrong hands it might be the key to a successful exploit by criminals. We take the security of this data extremely seriously; indeed, our business is built on the fact that Cyber Tzar is itself cyber secure. Cyber Tzar is owned and operated from the UK, so your data is protected by some of the strictest data regulations anywhere in the world, including the UK GDPR and the Data Protection Act 2018, enforced by the Information Commissioner's Office (ICO).
  • What happens to my data once Cyber Tzar has run scans/penetration tested my website? 
    The Cyber Tzar business model has been developed around the provision of insights based on hundreds of thousands of scans; indeed, that is part of our USP. Your data, in an anonymised format, will become part of that data set, held securely in our database.
  • What technology is Cyber Tzar built on? 
    Our platform is based around open source and open standards technology wherever possible. Development and management of the platform are undertaken in house by a dedicated team of technology experts. We use a mixture of technology components and languages including (in no particular order): Ruby on Rails, Java, OWASP ZAP, Sidekiq, PostgreSQL, Python, Stripe, Redis, Zabbix, Moberise, Postman, and others.
  • Why would I want my company 'Risk Rated'? 
    There are a number of reasons why you should know your cyber security score. Firstly, and perhaps most importantly, so you can understand your vulnerability to business interruption from cyber attack. Secondly, we believe that knowing your security score relative to your competitors can confer competitive advantage. Already we are seeing moves to codify, standardise and publish cyber security scores to help create consumer confidence, and Cyber Tzar is in the vanguard of this movement.
  • If our website is built purely with JavaScript will it be 100% secure? 
    Much has been said about the relative security of JavaScript sites, in our view without foundation. A JavaScript site can be as vulnerable as any other site, and a Cyber Tzar scan will expose those vulnerabilities if present.

Cyber Tzar Risk Score

Understanding your Cyber Tzar Risk Score

The Cyber Tzar Score provides an indicative number out of 1,000 of the risk of your on-line assets falling victim to a cyber attack, and also allows comparison of your cyber security performance with peer companies.

The score is based purely on the technical risk of cyber attack; the business risk of such attacks requires specific understanding of associated risk factors such as the quantity of Personally Identifiable Information (PII), regulatory requirements, the loss of revenue associated with web site downtime and the impact on your brand of cyber attack disclosure.

Cyber Tzar’s unique cyber security risk management platform scans your websites and other accessible on-line assets for known vulnerabilities. These vulnerabilities range from “built in” problems such as weaknesses in the configuration or errors in the coding to “maintenance” problems such as out of date security protocols or libraries and “new” previously unknown exploits.

Cyber Tzar’s team of cyber security experts keep these vulnerabilities under constant review and assign each vulnerability to one of twenty five risk groups. The allocation of issues and vulnerabilities to these groups allows IT personnel to prioritise remedial actions.

For example vulnerabilities assigned to risk groups 1-11 ("red groups") suggest areas of priority for immediate action. Risk groups 12-15 ("orange groups") suggest areas of priority for near term action.

Scores are derived from the individual vulnerabilities identified, weighted by the risk group to which each is assigned.

We provide three mechanisms to help you qualify and quantify risk, prioritise actions and decide your "remediation pathway":
  • The "Re-score" function (available in the "Issues" breakdown in the "Scan dashboard") to exclude specific vulnerabilities and gain insights into the impact of resolving those issues (available in Gold and above).
  • The Risk Impact Distribution ("RID") shows distribution of vulnerabilities and indicates prioritisation of management for risk and budget (available in Silver and above).
  • The Risk Impact Assessment ("RIA") summarises the current Cyber Tzar Score in highest risk group discovered, the result of taking recommended immediate and near term action, and the best score possible (also available in Silver and above).
More detailed explanations, including a breakdown of the vulnerabilities within each risk group, a count of the number of instances of each vulnerability, a description of the vulnerability and its remedy, and the location of each vulnerability by URL, can be found on the Cyber Tzar portal.

Cyber Tzar Risk Groups

Understanding Your Cyber Tzar Risk Groups

Cyber Tzar, using a standard risk rating matrix, allocates vulnerabilities to individual risk groups depending on the potential impact of a cyber security breach and the likelihood of an attack taking place.

Impacts are rated from “Negligible” to “Significant” and are defined as follows:
  • Negligible - A vulnerability with a negligible impact is one which is not alone a major concern but might enable or facilitate other attacks.
  • Low - A vulnerability with a low impact is one which, if exploited, might impact a single user session and include compromising user data and potentially payment information.
  • Meaningful - A vulnerability with a meaningful impact is one which, if exploited, might impact multiple user sessions again compromising user data and potentially payment information.
  • High - A vulnerability with a high impact is one which, if exploited, might facilitate access to and theft of large amounts of user data whilst the site continues to operate.
  • Significant - A vulnerability with a significant impact is one which, if exploited, might lead to a massive loss of user data, payment information and bring down the site altogether causing the business to cease trading on-line.
Likelihoods are rated from “Unlikely” to “Almost Certain” and are defined as follows:
  • Unlikely - The exploitation of a vulnerability is deemed to be “Unlikely” if there are no or very few known attacks based on the vulnerability, or if knowledge of the exploits that do exist is very rare.
  • Possible - The exploitation of a vulnerability is deemed to be “Possible” if there are known exploits but knowledge of those exploits is uncommon.
  • Likely - The exploitation of a vulnerability is deemed to be “Likely” if there are known exploits and knowledge of these exploits is widely distributed.
  • Extremely Likely - The exploitation of a vulnerability is deemed to be “Extremely Likely” if knowledge of the exploits is widely distributed and tools (programs) have been developed to automatically seek out and exploit the vulnerability.
  • Almost Certain - The exploitation of a vulnerability is deemed to be “Almost Certain” when there is very widespread adoption of easy-to-use automated tools that “spider” across the web seeking to exploit the vulnerability in every on-line asset they can find. In this case we argue it is only a matter of time before an exploit is effected.
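The two passages above describe the mechanics without numbers: a 5x5 impact/likelihood matrix assigns each finding to one of 25 risk groups, groups 1-11 are "red" and 12-15 "orange", the score out of 1,000 is weighted by group, and the "Re-score" and Risk Impact Assessment tools show what fixing a subset of issues would do. The following is an added worked example in Python, not Cyber Tzar's own code: the ordering of cells into groups, the per-group weights, the "green" label for groups 16-25 and the sample findings are all assumptions chosen to make the arithmetic visible, not the platform's actual values.

```python
"""Added example (not Cyber Tzar's implementation): a 5x5 impact/likelihood
matrix mapped onto 25 risk groups, a weighted score out of 1,000, a
"re-score" that excludes chosen issues, and a Risk Impact Assessment summary.
Group ordering, weights and the sample findings are assumptions."""
from dataclasses import dataclass
from itertools import product

IMPACTS = ["Negligible", "Low", "Meaningful", "High", "Significant"]
LIKELIHOODS = ["Unlikely", "Possible", "Likely", "Extremely Likely", "Almost Certain"]


def build_risk_groups():
    """Rank every (impact, likelihood) cell and number the cells 1..25.

    Assumption: cells are ordered by the product of their 1-based impact and
    likelihood indices, ties broken in favour of higher impact, so group 1 is
    Significant/Almost Certain and group 25 is Negligible/Unlikely."""
    cells = product(range(len(IMPACTS)), range(len(LIKELIHOODS)))
    ranked = sorted(cells, key=lambda c: ((c[0] + 1) * (c[1] + 1), c[0]), reverse=True)
    return {(IMPACTS[i], LIKELIHOODS[l]): n for n, (i, l) in enumerate(ranked, start=1)}


RISK_GROUP = build_risk_groups()


def band(group):
    """Groups 1-11 are "red" (immediate action) and 12-15 "orange" (near term);
    the page does not name the remainder, so "green" is an assumed label."""
    if group <= 11:
        return "red"
    if group <= 15:
        return "orange"
    return "green"


def group_weight(group):
    """Assumed linear weight: group 1 costs 25 points per instance, group 25 costs 1."""
    return 26 - group


@dataclass(frozen=True)
class Issue:
    name: str
    impact: str
    likelihood: str
    instances: int = 1

    @property
    def group(self):
        return RISK_GROUP[(self.impact, self.likelihood)]


def score(issues, excluded=frozenset()):
    """Score out of 1,000: subtract the weighted penalty of every instance of
    every issue not in `excluded` (this is the "re-score" function), floored at 0."""
    penalty = sum(group_weight(i.group) * i.instances for i in issues if i.name not in excluded)
    return max(0, 1000 - penalty)


def risk_impact_assessment(issues):
    """Summarise the highest risk group found, the current score, the score after
    fixing red then red+orange issues, and the best score possible."""
    red = {i.name for i in issues if band(i.group) == "red"}
    orange = {i.name for i in issues if band(i.group) == "orange"}
    return {
        "highest_risk_group": min(i.group for i in issues) if issues else None,
        "current": score(issues),
        "after_immediate_action": score(issues, excluded=red),
        "after_near_term_action": score(issues, excluded=red | orange),
        "best_possible": score(issues, excluded={i.name for i in issues}),
    }


# Constructed sample findings; names, ratings and counts are illustrative only.
SAMPLE_ISSUES = [
    Issue("SQL injection in login form", "Significant", "Almost Certain", instances=2),
    Issue("TLS 1.0 still enabled", "High", "Likely"),
    Issue("Missing X-Content-Type-Options header", "Negligible", "Almost Certain", instances=40),
    Issue("Reflected XSS in search parameter", "Meaningful", "Possible", instances=3),
]

if __name__ == "__main__":
    for issue in SAMPLE_ISSUES:
        print(f"group {issue.group:>2} ({band(issue.group):>6})  x{issue.instances:<3} {issue.name}")
    print("score:", score(SAMPLE_ISSUES))
    print("re-score without SQLi:", score(SAMPLE_ISSUES, excluded={"SQL injection in login form"}))
    print("RIA:", risk_impact_assessment(SAMPLE_ISSUES))
```

With these assumed weights the sample set scores 535; excluding the SQL injection finding re-scores it to 585, fixing all red issues lifts it to 604 and fixing red plus orange to 640. Note that 40 instances of a group-17 header finding cost more than the two group-1 injection findings, which is exactly the kind of distortion the Risk Impact Distribution is meant to surface when deciding where budget goes.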

Features

Security led innovation

We use the OWASP ZAP (Zed Attack Proxy) framework, the leading open-source automated web application security scanner available today.

Comprehensive Testing

We use other best in class tools to provide: subdomain discovery, SSL certificate health checks, and port vulnerability scanning.

Standards Compliant

Our outputs are rigorously mapped to, and include reporting against, the OWASP Top Ten (2021), the MITRE framework and the NIST framework.

Security with DevOps

We provide an API interface so that you can easily combine and integrate security testing, engineering, and remediation into the software development life-cycle ("SDLC").

Track change over time

We provide a full range of analytic graphs and ways for you to view your data. Change over time history allows you to understand how you are improving as well as the changes in vulnerabilities.

Scan your APIs too

As well as scanning your web sites for code and configuration issues our platform can also check your APIs for security vulnerabilities.

Capabilities

Ultimate Website Vulnerability Identification and Risk Management Platform

Using the latest penetration testing and vulnerability scanning systems, CyberTzar is at the forefront of comprehensive vulnerability scanning, giving you complete, autonomous visibility of all your internet-facing architecture with easy-to-use analytics and tools.

Know your risks and your weak points


1) Scan continuously for vulnerabilities.
2) Hundreds of thousands of attack points, and counting.
3) Instant cyber-security score calculations.
4) An API to plug into automated DevOps continuous integration and continuous delivery (aka "CI/CD") pipelines.

Advanced Vulnerability Scanning for everyone

With new vulnerability checks added continuously, CyberTzar's continuous and autonomous scanning lets you identify or rediscover gaps as they are introduced through your development cycles, giving any team visibility and the ability to act.

Comprehensive and cost-effective vulnerability identification


1) Only buy what you need.
2) Instructed by top cyber-security experts.
3) Pay per scan or via subscription.
4) Tailored for your industry.

British engineering excellence with international reach

CyberTzar combines engineering excellence from academia and industry to ensure all bases are covered.
With monitors and developers around the world, we track cyber-security threats by industry and geography to ensure you are protected regardless of where your physical or digital infrastructure is based.

Solutions designed for your specific cyber-security management needs

We have developed modular, cloud-based services to suit your business needs, specifically engineered to have maximum impact within your industry. Whether you are in manufacturing, e-commerce, financial services or any business that runs a website, we have you covered with our portfolio of solutions.

Autonomous monitoring and analytics of every page you publish on the world wide web

With our paid plans you get complete control of your cybersecurity monitoring needs from the comfort of your desktop. Keep full visibility in the confines of your safest environment by running scans from our cloud-based secure platform 24/7.

An interlocking set of solutions that can be integrated into your full-stack or website architecture in a modular fashion

We believe you should only pay for what you need to protect your business at the right level. Hence CyberTzar can guide you with experts from every sector and environment with enterprise and industrial IT management.

Ease of Use

Our platform is built with you, the user, in mind. Scanning a domain and getting your results couldn't be easier.

  1. Choose your product (aka scan type)
     Either during enrolment, or afterwards on the "Add Products" page, choose the scan type you want to perform. We offer three non-intrusive tests, "Free", "Bronze" and "Silver", and one thorough, intrusive test, "Gold" (a penetration test which interacts with your website as though it were a real user, filling out forms and so on).
  2. Add your domain and choose subdomains to scan
     Add your domain during product selection and we discover all the subdomains it represents. "Silver" and "Gold" users can then select which subdomains to include in their scan.
  3. Start your scan
     The non-intrusive "Free", "Bronze" and "Silver" tests are allowed without validation and can be started as soon as the subdomain discovery process is complete. Before allowing any "Gold" dynamic or penetration tests we will need to confirm that you are either the legal owner of the website or acting on behalf of the legal owner.
  4. Get your results
     We will contact you as soon as your results are available. A sample scan ("Free" or "Bronze") will usually complete within a few minutes. A full dynamic or penetration test of a large site with many subdomains can take up to 24 hours. For each test you will be able to interrogate the aggregate "score" as well as each individual issue found (an issue is where your site has been identified as having a weakness to a given vulnerability), and to break your site down by pages or by issues.

Validation

We care deeply about your information and about your right to test your own systems for cyber security vulnerabilities; our products include industrial-strength automated penetration testing. Before allowing any "Gold" tests we will need to confirm that you are either the legal owner of the website or acting on behalf of the legal owner. We use a process that should be familiar to anyone who has opened a bank account. The example below is from the UK. We are registered with the UK's Information Commissioner's Office and all of your data is held securely, both in transit and at rest.

  1. Acceptable forms of legal entity verification
    Two of: VAT Registration; Certificate of Incorporation; Companies House Document; HMRC VAT Certificate; HMRC Account Statement; Charity Commission Document; or OSCR Scottish Charity Regulator.
  2. Acceptable forms of identification
    One of: Passport; Driver license; Resident permit; Citizen Card; Electoral ID; or Validate UK.
  3. Acceptable forms of address verification
    One of: Driver license; Utility Bill; Statement from a financial institution; Government issued letter; Solicitors letter; Council or housing association documentation; Benefits Agency documentation; Electoral Register entry; NHS Medical Card; GP letter of registration with the surgery.
  4. Acceptable forms of domain verification
    One of: Invoice from Domain Register; Registration with a Matching Email Address; DNS Text Record; Matching Legal Entity
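Of the four domain-verification methods listed, the DNS TXT record is the one that is mechanical rather than documentary, and it is the control that actually stops a customer from pointing an intrusive "Gold" scan at a site they do not control. The following is an added example in Python, not Cyber Tzar's implementation: the `cybertzar-verification=` record prefix, the challenge name `_cybertzar.<domain>` mentioned in the output and the seven-day token lifetime are assumptions. The token is an HMAC over the account, the domain and the issue time, so a record copied from another customer's zone, a record for a different domain, or a stale record does not verify; TXT strings split into 255-byte pieces are joined before comparison, unrelated records such as SPF are skipped, and the comparison is constant-time.

```python
"""Added example (not Cyber Tzar's implementation): issuing a domain-ownership
token and checking it against the TXT records a resolver returned.
The record prefix, the challenge name and the token lifetime are assumptions."""
import hashlib
import hmac
import secrets

TXT_PREFIX = "cybertzar-verification="      # assumed record format
TOKEN_LIFETIME_SECONDS = 7 * 24 * 3600      # assumed validity window


def canonical_domain(domain: str) -> str:
    """Lower-case and strip the trailing dot so 'Example.COM.' and 'example.com' match."""
    return domain.strip().lower().rstrip(".")


def issue_token(server_secret: bytes, account_id: str, domain: str, issued_at: int) -> str:
    """Build '<issued_at>.<mac>' where the MAC binds account, domain and time, so a
    token copied from another customer's zone, or one that has expired, will not
    verify for this account."""
    message = f"{account_id}|{canonical_domain(domain)}|{issued_at}".encode()
    mac = hmac.new(server_secret, message, hashlib.sha256).hexdigest()[:32]
    return f"{issued_at}.{mac}"


def join_txt_strings(record) -> str:
    """TXT RDATA is a list of <=255-byte character strings; long values arrive
    split, so join the pieces before looking at the content."""
    return "".join(record) if isinstance(record, (list, tuple)) else record


def verify_txt_records(server_secret: bytes, account_id: str, domain: str,
                       txt_records, now: int) -> bool:
    """Return True if any TXT record carries a valid, unexpired token for this
    account and domain. Unrelated records (SPF, other tools) are skipped."""
    for record in txt_records:
        value = join_txt_strings(record).strip().strip('"')
        if not value.startswith(TXT_PREFIX):
            continue
        token = value[len(TXT_PREFIX):]
        issued_str, _, _ = token.partition(".")
        if not issued_str.isdigit():
            continue
        issued_at = int(issued_str)
        if issued_at > now or now - issued_at > TOKEN_LIFETIME_SECONDS:
            continue  # clock skew or expired: the customer must request a fresh token
        expected = issue_token(server_secret, account_id, domain, issued_at)
        if hmac.compare_digest(expected.encode(), token.encode()):
            return True
    return False


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # per-deployment secret, never sent to the customer
    token = issue_token(secret, "acct-42", "Example.com.", 1_700_000_000)
    print("publish this TXT record at the challenge name (assumed: _cybertzar.example.com):")
    print(f'  "{TXT_PREFIX}{token}"')
    # Constructed resolver answer: an SPF record, the token split into two TXT
    # strings, and a token issued to a different account for the same domain.
    answer = [
        "v=spf1 include:_spf.example.net -all",
        [TXT_PREFIX[:12], TXT_PREFIX[12:] + token],
        TXT_PREFIX + issue_token(secret, "acct-99", "example.com", 1_700_000_000),
    ]
    now = 1_700_000_100
    print("acct-42 verified:", verify_txt_records(secret, "acct-42", "example.com", answer, now))
    print("acct-43 verified:", verify_txt_records(secret, "acct-43", "example.com", answer, now))
```

`txt_records` is whatever the resolver returned for the challenge name; the lookup itself is left out so the check runs offline. In production the lookup should be made from the verifying service's own resolver, not from a hostname or nameserver the customer supplies, otherwise the customer controls both halves of the proof.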

Our technology


Our platform is based around open source and open standards technology wherever possible.
All development is done in house by a dedicated team of technology experts, and the platform is managed in house too.
We use a mixture of technology components and languages including (in no particular order):
Ruby on Rails, Java, OWASP ZAP, Sidekiq, PostgreSQL, Stripe, Honeybadger, IPinfo, Python, PayPal, Redis, Zabbix, Moberise, Postman, and others.

They are arranged in a typical n-tier architecture, with clear separation of presentation and display logic from application and business logic, and of both from the data-persistence logic and the database itself. We use in-memory messaging for job coordination. User accounts and data are multi-tenanted, both in the cloud hosting we use and in the architecture, and we use strongly typed code and security modules to provide user account management and separation between user accounts.

We host in the cloud on IaaS, on both virtual machines and containers, exclusively on Linux, using Linode. The physical servers we use from our cloud provider are located in UK South and UK West. All servers, the platform and the applications are monitored 24/7.

We use IPinfo to provide IP geolocation services, so that we can tailor the user experience we provide.

DevOps APIs

Mobile Friendly

Reliable

Business Aligned
