EVOITSEC
Cyber Quiz: priorities and services
Company profile
Select the vertical
Oil & Gas
Banking / Finance
Telecom
Gov
Healthcare
Ecommerce
Production
Transport / Logistics
Education
Company size (number of employees)
Choose the size of the company
1 - 200
200 - 2 000
2 000 +
Select the mode
(For C‑level, Business Risks is better suited. The technical mode is for information security/network.)
Business risks
Technical mode
What is more critical for you in the next 6-12 months?
Network / Segmentation
Wireless / Access
Routing Security
Time / NTP
Availability / Hardening
Availability / DDoS
Identity / Sessions
Crypto / TLS
PKI / Certificates
Web / API Security
DNS Security
Email Security
Content Security
DevSecOps
Endpoints
Web/App
Zero Trust / Access
Endpoint / Email / Data
Cloud / SaaS
Operations / SOC / IR
People
*Select one or more options
Problem Network / Segmentation
Flat LAN; no VLANs/micro-segmentation; IT/OT mixed
No switchport security (unauthorized devices can connect)
No STP protection (BPDU/Root guard); loop risk from rogue switches
No DHCP Snooping / Dynamic ARP Inspection (spoofing risk)
Branch traffic not encrypted end-to-end
No egress filtering for outbound traffic
*Select one or more options
Problem Wireless / Access
Wi-Fi security weak (WPA2-PSK shared; no guest isolation)
*Select one or more options
Problem Routing Security
OSPF/BGP not authenticated; no TTL/Hold-down hardening
*Select one or more options
Problem Time / NTP
NTP not authenticated; time drift affects logs/IR
*Select one or more options
Problem Availability / Hardening
Open TCP/UDP services are not minimized; no baseline of allowed ports
*Select one or more options
Problem Availability / DDoS
Regular or targeted volumetric DDoS risk observed
*Select one or more options
Problem Identity / Sessions
Weak session management (no SSO timeout, no re-auth for sensitive actions)
*Select one or more options
Problem Crypto / TLS
Legacy TLS (v1.0/1.1), weak ciphers; no HSTS; certificates not rotated
*Select one or more options
Problem PKI / Certificates
No private PKI governance; no OCSP stapling/CRL; manual key rotation
*Select one or more options
Problem Web / API Security
API endpoints lack authorization and rate limiting
Bots and credential stuffing not mitigated
No secure secrets management in CI/CD
*Select one or more options
Problem DNS Security
DNS not protected (no sinkhole/DoH policy); no DNSSEC validation
*Select one or more options
Problem Email Security
SEG absent; DMARC/SPF/DKIM not enforced
*Select one or more options
Problem Content Security
File uploads not scanned (malware/ransomware risk)
*Select one or more options
Problem DevSecOps
Secrets/keys in CI/CD and repos
Vulnerabilities reaching prod (no SAST/DAST gates)
Infrastructure drift; misconfigurations
Unmanaged dependencies / no SBOM
*Select one or more options
Problem Endpoints
Missing/weak EDR on endpoints/servers
No baseline hardening/patching
Unauthorised app execution
Uncontrolled removable media/USB
No full-disk encryption / weak key mgmt
Admin ops from regular workstations
*Select one or more options
Problem Web / App
No WAF for web/API and no virtual patching
Bot attacks / credential stuffing
Weak TLS/expired certs/no mTLS
No CSP/SRI (frontend integrity)
*Select one or more options
Problem Zero Trust / Access
No enforced MFA for admin/remote users
No device posture checks before granting access
Third-party/vendor access not isolated or monitored
*Select one or more options
Problem Endpoint / Email / Data
No EDR on servers and workstations
No data classification and DLP scope defined
*Select one or more options
Problem Cloud / SaaS
Cloud misconfigurations not continuously monitored
Shadow IT without governance
*Select one or more options
Problem Operations / SOC / IR
No central log management and correlation
No incident response runbooks and tabletop exercises
*Select one or more options
Problem People
NCSP/UAE IA controls not mapped to implemented controls
No supplier security assessment (third-party risk)
No awareness program with measurable outcomes
Users fall for phishing/BEC/social
Low cyber hygiene / no role-based training
Missing/outdated security policies
Weak mail filtering / no DMARC/SPF/DKIM
No at-scale MFA / vendor gaps
No incident reporting and runbooks
*Select one or more options
Business-Risk
Attacks spread laterally and can halt IT/OT operations; downtime, supply disruption, regulatory penalties, and reputational damage.
Untrusted devices can access the network: data theft, malware introduction, and audit failure risk.
L2 loops can cause network-wide outages and downtime, leading to SLA penalties and revenue loss.
ARP/DHCP spoofing enables traffic interception and outages; credential theft and downtime likely.
Unencrypted traffic can be intercepted; trade secrets leak and compliance is breached.
Without egress control, data exfiltration and C2 go unnoticed; higher compromise and reputational risk.
Weak Wi-Fi lets attackers bypass the perimeter; data leaks and privacy incidents follow.
Routing compromise enables hijack/blackhole; service downtime and large-scale incidents.
Time drift breaks investigations and access control; risk of fines and SLA claims.
Excess open ports expand attack surface; higher breach likelihood and remediation cost.
DDoS takes services offline; direct revenue loss, operational disruption, and brand damage (especially in OT).
Weak session controls enable account takeover and fraud; financial loss and customer claims.
Weak TLS exposes data and breaks compliance; risk of leaks and fines.
Poor PKI causes outages from expired certs and impersonation risk; revenue and trust loss.
Unprotected APIs drive data theft and abuse; direct losses and incident costs rise.
Bots and credential stuffing lead to account takeover, fraud, and customer churn.
Secrets leaking from CI/CD can grant full access; supply-chain attack risk.
Weak DNS enables malware comms and phishing; DNS abuse can trigger outages.
Missing SEG/DMARC increases phishing and domain spoofing; financial loss and brand damage.
Unscanned uploads import ransomware; process stoppage and costly downtime.
Supply-chain compromise; unauthorised access; fines
Data loss/fraud; downtime; reputation damage
Perimeter/cloud breach; non-compliance fines
Library vulns exploited; licensing risks
Ransomware; lateral movement; downtime
Known CVEs exploited; repeat incidents
Attack tools/malware execution; policy bypass
Exfiltration; malware ingress
Device loss → data breach; fines
Privileged account compromise
Website/API compromise; data loss; fines
Account takeover; fraud; overload
Interception/tampering; non-compliance
Third-party script injection; Magecart
Without MFA, privileged compromise causes catastrophic impact and prolonged downtime.
Access from infected/unmanaged devices accelerates spread; more incidents and cost.
Unisolated vendor access turns third-party breaches into yours; legal and financial exposure.
Without EDR, attacks are detected late; ransomware halts operations.
No classification/DLP means sensitive data will leak; fines and contract loss.
Unmonitored cloud misconfigs cause public leaks and account takeovers.
Shadow IT creates blind spots and non-compliance (data residency/ownership).
Without SIEM, breaches go undetected; delayed response increases damage.
Without IR plans, recovery drags on; incidents cost multiples more.
No control mapping means audit failure, fines, and project stops.
Without supplier assessment, third-party breaches become yours; contract sanctions and supply chain downtime.
Without awareness, people keep clicking phishing; incidents recur and get costlier.
Account takeover; payment fraud; reputation damage
Systemic human errors; social engineering
Audit failure; regulatory risk; process chaos
Phishing/spoofing; BEC; losses
Account takeover; lateral movement
Late detection; long recovery
Please provide your name and email address to receive a business risk assessment.