Bulletproof’s range of cyber security, data protection and compliance services are your best defence against threats to your business. With nearly a decade of providing trusted security services, we’re continuing our mission of solving the greatest cyber security & compliance challenges through innovation and simplicity. Explore our range of services and find out how Bulletproof can help your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you.
Discover CREST penetration testing & continuous security
Internal & external infrastructure, network & system testing
Manage multiple tests & get external security assurance
Thoroughly assess your web apps & APIs for security flaws
Test your response to a simulated real-world cyber attack
All cloud platforms & services tested, including Azure & AWS
Test your human cyber defences with social engineering
Android, iOS & custom mobile application security testing
Find out more about penetration testing – what it is, when you need it, and why it’s a core component of any business. Discover how pen test helps with compliance, powers best practices, and helps your organisation win new business.
Gap analysis, implementation, audits & more from GDPR experts
On-going support to easily manage your data protection obligations
Consultant-led support to meet all levels of DSPT submission
Flexible & engaging data protection training from certified experts
Get peace of mind that your data protection is being managed by trusted, certified consultants. All Bulletproof data protection services are delivered by our highly trained, experienced and qualified staff.
Gap analysis, implementation, audits & more from dedicated ISO consultants
Find the next step in your strategy with this consultant-led assessment
Get quick & easy CE certification with a range of feature-packed packages
Flexible access to top-tier information security strategy & management
Experienced SOC 2 consultants, AICA audits & compliance automation platform
On-site, remote and video-based security training to boost your resilience
Affordable expertise & support to help you meet & maintain PCI DSS compliance
Go beyond compliance with information security services that are designed to give real operational benefits to your business. All delivered by seasoned, certified Bulletproof security consultants.
24/7 defence against cyber attacks with proactive threat detection
Get help responding & recovering from cyber incidents
Detect, analyse and stop cyber attacks with real-time prevention
Forensic support & data recovery following cyber attacks
Stay on top of new vulnerabilities with powerful, flexible scanning
Evaluate your wireless network for security weaknesses
Discover how your business can identify & manage cyber threats
Comply with regulations, meet certification standards & best practices
Train and test your staff for security resilience, data protection & compliance
No matter what your cyber or compliance challenges, Bulletproof is here to help. We like to work with you as a trusted partner to solve problems, not sell services. No pressure tactics and no false promises.
Learn about our mission to make cyber & compliance accessible to all
Grow your business with high-margin, high-value & partner-ready services
Become part of the Bulletproof team & supercharge your career
Bulletproof’s in-house SOC powers our Managed SIEM & MDR services
We love to talk. Tell us about your cyber & compliance challenges
At Bulletproof we love to solve problems with simplicity & innovation. It’s our mission to make compliance & cyber security services accessible to all. We take pride in building and nurturing teams of exceptional talent, so we’re confident that our cyber security & compliance services are the best way to stay one step ahead of the hackers and protect your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you, no matter what you have to say.
Get the latest news, views & expert insight in the world of cyber security, data protection & compliance
A helpful index of cyber security terms, compliance acronyms and industry terminology to make life easy
Discover what we have to say about the threat landscape & what businesses need to know to get ahead
Find out how we can make companies like yours Bulletproof. Don’t take our word for it, hear direct from our clients
Detailed insights & helpful tips for understanding penetration testing, data protection & more
Interesting data & top tips at a glance, with insightful infographics covering all areas of cyber security & compliance
Watch our experts talk through their thoughts & opinions on a variety of security & compliance topics
See when & where we’re going to be bringing Bulletproof insight to an event near you
Ayisha Bari
Find out what ransomware is, how attacks work & types of attack to help you get started with keeping ransomware out of your business.
Read More
Security often feels like an uphill battle. Let’s say your organisation has done the basics – you’ve got Cyber Essentials certification, and also started regular penetration testing. Firstly, congratulations – you’re well on your way to stopping the majority of opportunistic attacks. But after the pen test comes the report, and for business who aren’t prepared, a whole new problem emerges: how do you tackle the remediations effectively?
There will always be more remediations to do than resource to do them. That’s a sad fact of business life that troubles the sleep of every security manager. So the problem is how do you know where to spend your limited remediation resources for maximum security impact? Your remediation efforts need to be effective but they also need to be efficient. And that’s where data comes in.
Our 2023 report covers all areas of cyber security and compliance, and comes packed with insights and advice to help you secure your business in 2023 and beyond.
They key to effective remediations is understanding that not all findings are created equally. Bulletproof penetration test reports include the vital ‘effort to fix’ metric and we pooled data from the thousands of penetration tests we conduct to identify quick wins.
Looking at this data we see that almost all critical and high severity flaws are low or medium effort to fix. So there’s our first clear priority target for remediation efforts. Critical and high severity flaws are as serious as their name suggests, so in this way you’ll get maximum impact for minimum effort. But after we’ve scooped up these easy wins, what comes next?
You now have a crucial decision to make: do you invest your remaining remediation budget into fixing the few number of remaining critical & high severity findings, or into a much greater number of medium severity findings? This where data needs to walk hand-in-hand with context. The different split of severity according to the category of the finding may influence how much you prioritise them. We’ve laid out the severity by category, along with some helpful narrative on why you might prioritise them – or not.
Only 1 in 10 findings are rated high severity, and at 47.64%, nearly half are rated medium. Encryption-based attacks are often trickier to exploit, so they’re more likely to be used by determined attackers rather than opportunistic ones. This means you need to think carefully about where your cyber threats are coming from.
Almost 7 in 10 findings are rated as low or recommendation, and less than 4% are rated critical or high. This makes Information Disclosure weaknesses generally a low priority for remediation activities.
There are about as many critical and high-rated findings as there are mediums – 32% and 37% respectively. Injection attacks can be low-effort and high reward for a hacker which makes them a good contender for remediation: you can count on these flaws regularly being tried.
These are an even split between medium, and low or recommendation. Medium severity issues can be chained together as part of a larger attack action, but the lack of any critical or high findings make it a difficult category to prioritise for most businesses.
Misconfiguration is another category of mostly low or medium findings, but with 1 in 6 rated high or critical it pays to look deeper into what exactly is misconfigured, and how.
1 in 6 findings are rated critical, and when critical and high are combined it’s over 40%. Outdated components are used by all types of bad actors, as they typically they present very accessible flaws. This makes it a quick win for remediation, but as every security manager knows, patching brings its own set of challenges
The potluck bin of the pen testing finding categories, critical and high vulnerabilities account for a little over 20% of findings. This will need a technical eye to look over the vulnerabilities and make a judgement call.
Over a quarter are rated high or critical, which is a significant percentage. However, it’s the 55% of findings being medium that’s worthy of scrutiny. The sheer ubiquity of Windows and the frequency of new exploits being discovered puts all medium-severity findings worth fixing – especially as it’s not uncommon for several medium vulnerabilities can be chained together as part of a larger attack.
Ultimately, it all comes down to risk management. Secretly you knew this – that’s why you’re doing a pen test in the first place. We’re always banging the drum for taking risk-based approaches to cyber security, rather than rashly implementing technical controls as a scattergun approach. If you’re taking a risk-based approach then you’ll have a clear idea of whose likely to be challenging your cyber defences, their motivations, and where your biggest weaknesses exist in your infrastructure. This data together can be leveraged to make your pen test remediations as efficient and effective as possible.
Joe is a blogger and security evangelist who’s been raising the profile of cyber security for a decade. He writes about a variety of cyber and compliance topics, with a keen eye on translating events and data into valuable customer insights. Never boring, sometimes controversial, always insightful.
Human expertise and automated scanning to uncover more threats.
If you are interested in our services, get a free, no obligation quote today by filling out the form below.
I'd like to receive Bulletproof communications about relevant services and events
For more information about how we collect, process and retain your personal data, please see our privacy policy.