Cytix Value Propositions Flashcards
How do we define Cytix?
Specifically the product
As stated on our website
A continuous testing platform for application security teams
What does Cytix promise to do for customers?
As stated on our website
Threat model live development tickets & prioritise your security testing plan
Name two security benefits of automatically threat modelling live development tickets
1) Increasing visibility on development changes they didn’t know were happening; typically, minor changes bypass the need to be security checked, which allows vulnerabilities to slip through the net
2) Giving confidence that the right tests and actions are happening for every change, to ensure coverage of all relevant vulnerabilities
We can integrate into any development ticketing system… How many can you name?
There are 8 listed in the answer
Try to name at least the top 3
Jira
Azure DevOps (ADO)
Linear
Notion
ServiceNow
ManageEngine
Trello
Monday
In order of popularity
Jira is used by over 50% of our customers
Unlike most competitors, we offer a hybrid of what two forms of security testing?
Manual penetration testing and automated DAST scanning
The main benefit of offering this hybrid is that we can more reliably identify which type of vulnerability?
Business logic flaws
“Identity and access management issues” and “complex injection flaws” ar
How long does it take for us to threat model a development ticket?
An average of 13-30 seconds
From identifying a change to completing all testing, how long does it typically take us?
Including threat modelling the ticket and delivering the testing
2-3 days
What is a micro-pentest?
Think of the “Three As”
Testing A particular area of An Application for A specific set of vulnerabilities
How long does a micro-pentest take to complete?
Including only the actual time spent testing
Between 15 minutes and 2 hours
What are the main limitations of traditional (baseline) penetration testing?
It is slow and laborious, and therefore expensive
Most businesses are only able to perform the testing once per year
This leads to vulnerabilities going undetected for a long time
SAST and DAST are unable to identify roughly ____ % of recognised classes of security vulnerability
This is supported by research done with Lancaster University
25%
Why might poor quality output from automated tooling create friction inside a business?
It frustrates development teams who are expected to remediate false positives and findings based on limited information
Who do we see as our biggest competitors?
We operate in quite a unique space where we don’t really have major competitors, however our customers are often comparing us to their existing penetration testing and scanning suppliers
There are companies like SnyAck and CovertSwarm also trying to solve the continuous testing challenge
Cytix is capable of finding security vulnerabilities in Cloud Infrastructure
True or False?
False
We are exclusively focused on application security
How can companies better understand the value Cytix provides?
We offer a low-burden proof of concept
As well as our change analysis tool on our website