Black Kite is the world’s only fully transparent, standards-based cyber ratings platform, ensuring all users know exactly how their findings are calculated. That’s why Forrester says we tackle the industry’s ratings integrity problem head-on.
You deserve more than a vague letter grade. You deserve clarity on risk calculation.
Black Kite is the only vendor risk intelligence provider using industry standards like MITRE, NIST, and Open FAIR™ to translate raw data in a language that everyone in the industry can understand.
At Black Kite, we believe in complete transparency when it comes to your cyber risk. Our cyber risk grades aren’t arbitrary. They are meticulously calculated by weighting scores across multiple critical risk categories. This comprehensive methodology ensures the final grade accurately reflects your risk, aligning directly with industry best practices.
The total score is a weighted average of 20 category components, providing unmatched breadth and insight into detected vulnerabilities.
The first step in the Cyber Threat Susceptibility Assessment (CTSA) methodology developed by MITRE is to establish the scope of the evaluation, which can be characterized in terms of:
Black Kite establishes the assessment scope during the asset discovery process, which discovers all publicly visible accessible domains, subdomains, IP/CIDR ranges, etc.
Once the scope of CTSA is established, the next step is to evaluate the cyber asset’s architecture, technology, and security capabilities against TTPs in the Mission Assurance Engineering (MAE) Catalog.
Unclassified sources of adversary TTPs in the catalog include MITRE-hosted resources such as Common Attack Pattern Enumeration and Classification (CAPEC), Common Weakness Enumeration (CWE), and Common Vulnerability Enumeration (CVE).
This initial set of candidate TTPs undergoes a narrowing process to eliminate TTPs considered implausible. Several factors can make a TTP an implausible method of a cyber attack. Many TTPs have prerequisites or conditions that must hold true in order for that TTP to be effective.
Candidate TTPs that cannot be eliminated are ranked using a scoring model. The TTP scoring model assesses the risk associated with each TTP relative to the other 10 plausible TTPs considered in the assessment. This ranking helps set priorities on where to apply security measures to reduce the system’s susceptibility to cyber-attack. CAPEC severity levels, CVSS scores, and CWE severity ranks are the main parameters to calculate the TTP risk scores.
CTSA produces a Threat Matrix, which lists plausible attack TTPs ranked by decreasing risk score and their mapping to cyber assets as a function of adversary type. Black Kite has over 500 TTPs (APPSEC001, APPSEC002, … DNS001, DNS002,… etc.) with different risk scores.
The Black Kite threat matrix is calculated by using the Common Weakness Scoring System (CWSS™) that provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner. It is a collaborative, community-based effort that is addressing the needs of its stakeholders across government, academia, and industry. When used in conjunction with the Cyber Threat Susceptibility Assessment (CTSA) or Common Weakness Risk Analysis Framework (CWRAF™), organizations are able to apply CWSS to those CWEs that are most relevant to their own specific businesses, missions, and deployed technologies.
Black Kite’s Strategy Report shares feedback to help executives to understand their cyber risk posture and scale return on cybersecurity investments. The report provides simple, technical steps to help remediate issues and mitigate cyber risks with suppliers and partners.
Tired of guessing? See how our standards-based, fully transparent data eliminates uncertainty and powers a truly defensible risk program.
