Frequently Asked Questions

What is our Methodology?


Cyber Threat Susceptibility Assessment (CTSA) is a methodology for evaluating the susceptibility of a system to cyberattacks developed by MITRE. CTSA quantitatively assesses a system's inability to resist cyberattack over a range of cataloged attack Tactics, Techniques, and Procedures (TTPs).

To generate the scorecard, NormShield needs only the company domain. The engine collects information from VirusTotal, Passive DNs servers, web search engines, and other Internet-wide scanners, as well as NormShield's proprietary databases, which hold more than 10 billion historic items. The engine searches the databases to find all IP address ranges and domain names that belong to the company. NormShield uses what is called Open Source Intelligence (OSINT) to gather information. The following map shows how hackers can leverage their attack vectors by using OSINT resources like hacker forums, social networks, Google, leaked database dumps, paste sites, or even legitimate security services like VirusTotal, Censys, Cymon, Shodan, or Google Safe Browsing.

NormShield compiles this data into a simple, readable report with letter-grade scores to help identify and mitigate potential security risks. It identifies the risks (CVE/CWE), the risk score of the corresponding vulnerabilities/weaknesses (CVSS/CWSS) and attack patterns (CAPEC/FIPS-199 impact level). NormShield also classifies the findings into FISMA Cyber Security Framework Area and Maturity Level, NIST 800-53 Control Family, FIPS-200 Area, and NIST 800-37 Process Step. NormShield does all of this without scanning or modifying any of the organization’s business assets.

3rd party risk management is the process of ensuring that the use of external IT service providers and other IT vendors (third parties) does not create unacceptable potential for business disruption or negative impact on business performance. IT 3rd party risk management solutions support enterprises that have to assess, monitor and manage their exposure to risks arising from their use of third parties, which provide IT products and services or have access to enterprises' client information. Many solutions' capabilities now extend to identifying, assessing and tracking a vendor's subcontractors (or fourth-party relationships), a feature that is increasingly important to enterprises.

High-profile failures of IT service providers, increasing rollouts of enterprise risk management programs and third-party access to regulated information are contributing to the demand for third-party risk management solutions. Still, regulatory requirements to address vendor risks, vendor performance, and mandates for the risk monitoring of third parties that access personal data (such as payment card and protected health information) are the biggest drivers of vendor risk management. These mandates include U.S. state-level data breach notification laws, the Payment Card Industry (PCI) standard, privacy and data protection regulations worldwide, and industry-specific regulations in the banking, financial services, healthcare, and telecom sectors.

Organizations want assurance that the software products they acquire and develop are free of known types of security flaws. Today, high-quality tools and services for finding security flaws and weaknesses in code are new and the question of which tool/service is appropriate/better for a particular job is hard to answer given the lack of structure and definition in the code assessment industry. Cyber Threat Susceptibility Assessment (TSA) is a methodology for evaluating the susceptibility of a system to cyber-attack developed by MITRE.

The NormShield Comprehensive Cyber Risk Scorecard and Rapid Cyber Risk Scorecard are nonintrusive. We don't use any intrusive vulnerability scanners like Nessus, Netsparker, Acunetix, Nexpose, nmap, openvas, and others. These passive scan solutions can be used for any company at any time. As seen in the following diagram, passive scan doesn't touch the target company assets. Instead we find all required data from the internet, including search engine caches, archive[.]org, internet-wide scanners, VirusTotal, PassiveTotal, hacker sites, paste sites, deep/dark web, etc.

Passive Scan

Only the main domain (example.com) name of the target organization.

No. NormShield will not generate any intrusive or malicious traffic if you request a scorecard. On the other hand, you may need to whitelist NormShield IP ranges if you are a NormShield Threat & Vulnerability Orchestration customer.

NormShield knowledge base (customers only) includes description, remediation and references of a weakness / vulnerability, along with CWE-ID, CAPEC-ID, FIPS-199 impact level, NIST 800-53 control familiy, FISMA maturity level, and more.

NormShield Knowledge Base

The Rapid Cyber Risk Scorecard (RCRS) is a subset of the Comprehensive Cyber Risk Scorecard (CCRS). RCRS checks about 250+ control items across 10 categories in 60 seconds. CCRS checks 500+ items across 20 different categories and can estimate the compliance level (NIST 800-53, FISMA, GDPR) of an organization. The Rapid Cyber Risk Scorecard can run in seconds while the Comprehensive Cyber Risk Scorecard requires a few hours, depending on the company size.

Yes, absolutely. You can get your free scorecard at our Rapid Cyber Risk Scorecard page or schedule a demo for the Comprehensive Cyber Risk Scorecard or threat and vulnerability orchestration.