Cyberwatch Maturity Program — An Executive Briefing

Audience: CEO, CFO, CSO/CISO, Owners, and Board Members

Author: Northern Data Solutions, Office of the CTO

Service Line: Cyberwatch — Independent Third-Party Analysis. Penetration Testing Done Right. A turnkey, done-for-you recurring service and the foundation for Cyberwatch Advanced and every CyberSecureID enforcement program that follows.

  “If you just want a laundry list of vulnerabilities, this is NOT for you. Our research team investigates, develops, and communicates HOW exploits happen and shows WHY you need to invest in our security maturity program.”

1. Executive Summary

You cannot manage what you cannot measure, and you cannot defend what you have never tested. Cyberwatch is the recurring, third-party cybersecurity assessment program from Northern Data Solutions that delivers continuous, objective visibility into your security posture — four times a year, every year. Cyberwatch is deliberately not a vulnerability scanner reseller. It is a research-led, penetration-testing-driven program that explains how exploits happen in your specific environment and shows why the remediation matters in business terms.

Cyberwatch produces the evidence the Board needs, the prioritized work plan the IT team needs, the regulatory crosswalk the compliance officer needs, and the underwriting documentation the cyber liability broker needs. It is the foundation on which every advanced enforcement control — including CyberSecureID Identity Access Management with CyberSecureID Verify — is layered through Cyberwatch Advanced.

  “One-time assessments provide a snapshot, but security is a moving target. Cyberwatch delivers continuous visibility through quarterly comprehensive analysis and monthly external monitoring — ensuring you stay ahead of emerging threats and maintain compliance over time.”

2. The Business Problem: The One-Time Audit Has Failed

Most companies still treat cybersecurity assessment the way they treated Y2K planning: a project, with a start date and an end date, that produces a deliverable that goes on a shelf. That model fails for four reasons every Board needs to understand.

  • Threats are continuous. Adversaries do not pause their tooling because your audit ended in March.

  • Infrastructure is continuous. Every new SaaS license, vendor integration, employee laptop, and cloud workload changes your attack surface in real time.

  • Compliance is continuous. CMMC, FTC Safeguards, PCI DSS 4.0.1, NYDFS Part 500, HIPAA, and SEC cyber disclosure rules increasingly demand evidence of ongoing monitoring — not a single point-in-time letter.

  • Insurance is continuous. Cyber liability carriers now require attested controls at renewal and frequently re-verify mid-policy. A 12-month-old assessment is functionally useless to an underwriter.

Cyberwatch is built for that reality.

3. What Makes Cyberwatch Different

Cyberwatch is engineered around seven non-negotiable principles that distinguish it from a typical vulnerability scan or a one-off pen test:

  • Independent third-party analysis. Every report is individually reviewed by a third party so internal teams and incumbent MSPs cannot grade their own homework.

  • Errors-and-omissions coverage. Cyberwatch carries special E&O insurance for auditing networks — an explicit liability protection most assessment providers do not offer.

  • Research-led, not signature-led. Our research team investigates how exploits actually happen and translates that into business-language remediation, not just a CVE list.

  • Pre-packaged External Vulnerability Analysis delivered through a dedicated client portal.

  • Easy deployment. Scripts deploy via any RMM, Group Policy, or comparable mechanism — minutes of IT time, not days.

  • Stealth scanning. Our scanner runs as the user; no privilege elevation is required and no agents are persistent.

  • Underwriter-accepted. Cyberwatch reports are accepted by cyber-insurance underwriters as continuous-assessment evidence.

4. The Cyberwatch Approach: From Baseline to Maturity

Cyberwatch is engineered as a four-stage progressive maturity path so that organizations of any size can enter at the right level and graduate as their program matures.

Figure 1. The Cyberwatch maturity path, mapped to the formal Level 1/2/3 assessment depths.

4.1 Level 1 Assessment — Free for New Prospects (and paid engagements)

The ground-floor, basic-scan engagement that produces a snapshot covering user cyber hygiene, security misconfigurations, and surface-level vulnerabilities. The analysis is performed by sending a link to three to five users who click it. Passwords are not required and no privileged access is needed. It is a partial representation, but it consistently uncovers active pre-existing exposures — cracked passwords, dark web exposure, M365 misconfigurations — that justify the next step.

4.2 Level 2 Assessment — Existing Clients and Paid Engagements

A more detailed analysis covering at least 10 percent of devices and including a Mothership analysis of Microsoft 365 (which requires global administrator credentials). Level 2 produces the project-plan-grade baseline that IT teams can execute against.

4.3 Level 3 Assessment — Compliance & Cyber Insurance Grade

The full security analysis. Level 3 includes credentialed penetration testing using either an insider threat or a supply chain attack vector, covers at least 90 percent of devices, and includes a credentialed analysis of M365. Cyberwatch delivers Level 3 quarterly — four times per year — on a recurring basis to compliance- and insurance-driven clients.

4.4 Cyberwatch Advanced

M365 deep security analysis, vendor and supply chain assessment, and the bridge into the Cyberwatch Advanced enforcement layer where CyberSecureID Identity Access Management, CyberSecureID Verify multi-factor authentication, Zero Trust architecture, password management, and security awareness training are operationalized.

5. The Proprietary Cyberwatch Scanning Toolkit

Cyberwatch operates its own purpose-built stealth-scanning toolkit, not a third-party engine relabeled with a logo. Three named tools sit at the core of every engagement.

Figure 2. The proprietary Cyberwatch scanning toolkit.

  • MilkyWay — the default scanner. Looks for personally identifiable information, cracked passwords, dark-web associations, open ports, out-of-date software, and a great deal more. Runs as the logged-in user with no privilege elevation required.

  • ShieldsUp — an advanced firewall analysis tool that scans to verify the IDS/IPS is behaving properly by sending a fake malicious payload through the perimeter and confirming whether the controls actually catch it.

  • StarChart — Active Directory analysis. Gathers information about administrative accounts, stale and orphaned accounts, group policy hygiene, privilege sprawl, and Kerberos posture — the foundation domain attackers target first.

6. Penetration Testing Methodology — Internal and External

Cyberwatch’s penetration testing approach is grounded in two empirical facts about modern cyberattacks:

  • 91% of all cyberattacks start with a phishing email — placing the attacker directly inside your organization without ever touching the perimeter.

  • 19.8% of employees click links in phishing emails — meaning roughly one in every five people receiving a malicious lure will compromise themselves before any control engages.

6.1 Internal Testing — What Happens After Someone Clicks

Because more than 90 percent of attacks begin with phishing and roughly 20 percent of employees click, Cyberwatch focuses its internal testing on what an attacker actually gains access to when a normal user is phished. We deliberately target the employees most likely to be phished and most consequential when compromised: CEOs, CFOs, Directors, HR personnel, and sales team members. They communicate constantly with people outside the organization, they process more email than anyone else, and they have the highest material exposure to financial loss, legal exposure, and brand damage.

Our team uses a proprietary, patent-pending process to go beyond phishing-awareness training and quantify the realistic blast radius of a single successful phish.

6.2 External Testing — The Other 9 Percent

Sophisticated attacker automation is constantly scanning the internet for exposed services and exploitable vulnerabilities. Cyberwatch uses the same tactics — in partnership with our research network — to outline the perimeter of your organization, look for exposed services, find vulnerabilities, and attempt to exploit them. The reporting includes evidence of findings, prioritized remediation steps, and plain-language descriptions of the business risk associated with each issue.

Because new attack chains and vulnerabilities emerge constantly, best practice requires regular ongoing security assessments — the exact cadence Cyberwatch is engineered to deliver.

7. Cyber Hygiene — A Cyberwatch Exclusive

Users are the front line of defense and, statistically, the most common point of failure. Cyberwatch’s cyber-hygiene module is the most differentiated piece of the program and goes well beyond what scanners typically test.

User Hygiene

  • Crack stored and cached passwords

  • Review browser cookies for risk exposure

  • Analyze authentication tokens on devices

  • Measure user cyber hygiene against benchmarks

Local & Active Directory Configuration

  • Kerberos ticket rotation

  • Password policy enforcement

  • Account deactivation and offboarding gaps

  • Privileged group membership drift

Endpoint & Server Misconfigurations

  • Endpoint hardening posture

  • Server configuration baselines

  • Local administrator hygiene

  • Service account exposure

Account and policy hygiene is rarely “sexy” on a board agenda — but it is exactly the discipline that prevents an attacker from converting a single leaked credential into total network compromise.

8. STOPS Email Impersonation & BREACH Detection

Two specialty capabilities operate continuously in the background of every Cyberwatch engagement.

STOPS Email Impersonation

Cyberwatch ensures that criminals cannot successfully use fake email messages that impersonate your organization for fraudulent gain. Domain alignment, SPF/DKIM/DMARC posture, and brand-protection telemetry are continuously validated.

BREACH Detection

Cyberwatch monitors multiple sources — including the dark web — to detect if your organization’s systems, user credentials, or personal information have been compromised, and surfaces those findings into the quarterly executive report.

9. How Cyberwatch Uncovers Hidden Vulnerabilities

Cyberwatch’s methodology is engineered to find what automated tools miss. We examine technical infrastructure, business processes, regulatory exposure, financial impact, and human behavior side-by-side.

Cyberwatch examines every layer where attackers actually operate.

Critical Assessment Areas

  • Domain & Email Security (SPF / DKIM / DMARC)

  • Data at rest, data in transit, encryption key management

  • User behavior and training gaps

  • Exposed password detection

  • PII, CUI, and FCI data assessment

  • Patch management posture

  • IT and MSP security practices

  • Supply chain vulnerability analysis

  • Physical / surveillance integration

Technology Stack Analysis

  • Next-generation firewall configuration

  • Active Directory security posture

  • Microsoft 365 security settings audit

  • Internal and external vulnerability scans

  • Endpoint security misconfigurations

  • Network device security analysis

  • IoT and peripheral device risks

  • Software and firmware vulnerability identification

  • Security tool effectiveness evaluation

Business & Regulatory Domains

  • Regulatory compliance gap analysis

  • Financial impact and liability assessment

  • Cyber insurance policy alignment

  • Incident response readiness

  • Business continuity and recovery posture

  • Executive and board reporting readiness

10. The Cyberwatch Reporting Suite

Each quarterly engagement produces a layered set of reports tailored to different stakeholders. Boards receive a scorecard; IT teams receive a remediation backlog; auditors receive evidence; insurers receive an attestable record.

                                                                                 

Figure 3. Quarterly outputs cover every stakeholder, plus a monthly external scan.

  • Executive Summary Report & Dashboard — board-ready scorecard highlighting critical findings, risk trends, and progress metrics for leadership decision-making.

  • Detailed Technical Report — comprehensive analysis covering all findings, including items not prioritized for executive review but critical for IT teams.

  • Personally Identifiable Information (PII) Report — focused assessment of risks to PII, documenting exploited vulnerabilities that could expose sensitive data.

  • Cracked Password Report — detailed analysis of compromised credentials discovered during assessment, with immediate remediation requirements.

  • IoT Security Analysis Report — comprehensive assessment of connected device vulnerabilities with actionable hardening guidance.

  • Supply Chain Attack Vector Report — detailed analysis of vendor and partner risks, enabling informed third-party risk decisions.

  • Comprehensive Vulnerability Report — deep analysis of weaknesses across network infrastructure, applications, and systems with tailored remediation solutions.

  • Cyber Risk Progress Report — longitudinal assessment tracking security maturity improvements quarter over quarter.

  • Remediation & Recommendations — every report includes prioritized action items with implementation steps, resource requirements, and expected outcomes.

  • Monthly External Vulnerability Report — focused analysis of external network attack surface, identifying new vulnerabilities and verifying remediation of previously discovered issues.

11. Real-World Examples: What Cyberwatch Has Surfaced

11.1 The Manufacturer With “Good Enough” MFA

A 280-employee manufacturer believed they were protected because their MSP had enforced “basic MFA.” A Cyberwatch quarterly engagement uncovered M365 token theft exposure on 11 mailboxes — legacy authentication was still enabled, and stolen session tokens were bypassing MFA entirely. The remediation plan and graduation to Cyberwatch Advanced (with CyberSecureID Verify) closed the exposure inside 30 days.

11.2 The Professional Services Firm With Dark Web Exposure

A 90-person firm engaged Cyberwatch following a near-miss wire fraud attempt. The Cracked Password Report identified 27 active employee credentials on dark web marketplaces, including the controller’s. Forced rotation, conditional access, and CyberSecureID rollout removed the attacker’s playbook before it was executed.

11.3 The DIB Subcontractor Preparing for CMMC

A defense subcontractor required CMMC Level 2 certification to retain $14 million of pipeline. Cyberwatch’s regulatory compliance gap analysis mapped every NIST 800-171 control to current state and produced a 90-day remediation roadmap. The firm passed the assessment on the first attempt.

11.4 The Healthcare Practice With High-Risk Domain Score

A multi-location specialty practice was the target of a sophisticated brand-spoofing campaign aimed at patients. The Domain & Email Security analysis identified missing SPF, broken DKIM, and a permissive DMARC policy. Reconfiguration eliminated the spoofing payoff and was used as evidence in the next HIPAA risk assessment.

11.5 The SMB Retailer Where Existing Tools Were Failing

A regional retailer was paying for an EDR product, a SIEM, and a 24x7 SOC. Cyberwatch’s technical assessment proved the SOC had missed three live malicious activities during the 30-day window leading into the engagement. The board redirected spend toward Cyberwatch Advanced enforcement controls instead of additional detection tools.

12. Why This Materially Improves Your Cyber Posture

Identity-centric, evidence-based metrics belong on the board dashboard.

The data is unambiguous. Organizations that operate a continuous third-party assessment program experience materially better outcomes than those relying on annual audits:

  • Faster mean time to detect (MTTD). Findings are surfaced quarterly — sometimes monthly via the External Vulnerability Report — instead of 12 months after the fact.

  • Lower breach cost. IBM’s long-running Cost of a Data Breach research consistently shows that organizations with mature risk-management programs experience meaningfully lower breach costs than peers.

  • Demonstrable progress over time. The Cyber Risk Progress Report converts “security” from an opinion into a measurable, trended, board-reportable metric.

  • Audit and certification readiness. Evidence is generated continuously, so auditors receive packaged artifacts rather than consuming weeks of staff time.

  • Insurance bindability and pricing. Underwriters increasingly require proof of continuous testing — Cyberwatch produces exactly that artifact.

  • Reduced “security tool sprawl.” Cyberwatch’s security tool effectiveness evaluation often eliminates redundant or under-performing products before the next renewal.

| Posture Outcome | What It Means for the Business |
| --- | --- |
| Continuous Visibility | Quarterly assessments and monthly external scans replace stale, point-in-time audits. |
| Quantified Risk | Findings tied to financial impact and regulatory exposure inform real capital allocation. |
| Independent Validation | Third-party objectivity that internal teams and incumbent MSPs cannot provide. |
| Maturity Trajectory | A defined path from Free Test through Cyberwatch Advanced enforcement and CyberSecureID rollout. |

13. Compliance Framework Mapping

One assessment program produces evidence for every framework you are measured against.

Cyberwatch is not just a vulnerability scanner. It is a controls-mapped assessment program that produces evidence aligned to every major framework your business is exposed to. The mapping below is a board-level summary; the full control-by-control crosswalk is delivered as part of every quarterly engagement.

| Framework | Who It Applies To | How Cyberwatch Produces Evidence |
| --- | --- | --- |
| CMMC 2.0 (Levels 1, 2, 3) | Defense Industrial Base, prime and subcontractors handling FCI / CUI | Maps findings to Access Control, Audit, Configuration Management, Identification & Authentication, Risk Assessment, Security Assessment, and System & Information Integrity domains. Produces assessor-ready evidence. |
| NIST SP 800-171 / 800-172 | Any organization handling Controlled Unclassified Information | Direct gap analysis against the 110 NIST 800-171 controls; Cracked Password and PII reports support 3.5.x and 3.13.x evidence. |
| NIST Cybersecurity Framework 2.0 | Universal best-practice framework, expected by boards, regulators, and insurers | Cyberwatch is structured around GOVERN, IDENTIFY, PROTECT, DETECT, and RESPOND outcomes, producing artifacts for each. |
| FTC Safeguards Rule (Revised) | Auto dealers, mortgage brokers, tax preparers, accountants, finance companies, investment advisors | Satisfies 16 CFR 314.4(d) periodic risk-assessment requirement and 314.4(e) continuous monitoring expectation. Documents the qualified individual’s oversight and reporting evidence. |
| PCI DSS 4.0.1 | Any merchant or service provider that stores, processes, or transmits cardholder data | Supports Requirement 11 (test security regularly), Requirement 12.6 (security awareness), and Requirement 6 (develop and maintain secure systems) with quarterly evidence. |
| HIPAA Security Rule | Covered entities and business associates handling Protected Health Information | 164.308(a)(1)(ii)(A) Risk Analysis, 164.308(a)(8) Evaluation, and 164.312(b) Audit Controls evidence. |
| SOX (Sarbanes-Oxley) ITGCs | Public companies and their subsidiaries | Independent assessment evidence for IT general controls testing; quarterly cadence aligns with audit committee reporting cycles. |
| GLBA Safeguards | Banks, credit unions, and federally regulated financial institutions | Periodic risk assessment, ongoing monitoring, and third-party oversight evidence. |
| SEC Cybersecurity Disclosure Rules | Public companies (Form 8-K Item 1.05, Form 10-K Item 1C) | Documents board-level cyber risk oversight, management processes, and material risk identification — the exact disclosures the SEC requires. |
| NYDFS Part 500 (23 NYCRR 500) | Any entity licensed by NY Department of Financial Services | 500.09 risk assessment, 500.05 penetration testing and vulnerability assessments, 500.04 CISO oversight reporting. |
| SOC 2 (Type I and Type II) | Any service organization whose customers demand attestation | Common Criteria 4 (Monitoring Activities) and CC7 (System Operations) evidence packages. |
| ISO/IEC 27001:2022 | Global standard, frequently required by enterprise customers | Annex A.5 (policies), A.6 (organization), A.8 (asset/vulnerability management), and A.12 (operations) artifacts. |
| GDPR / CCPA / state privacy laws | Any business handling personal data of EU, California, or other regulated residents | Article 32 security-of-processing evidence; PII Risk Report directly supports DSAR investigations. |
| CIS Critical Security Controls v8.1 | Universal best-practice baseline | Findings cross-walked to all 18 CIS Controls with implementation-group prioritization. |
| HHS HPH CPGs and 405(d) HICP | Healthcare and public health sector | Identifies CPG essential and enhanced practices, aligned to organizational size. |

14. Cyber Liability Insurance: Why Continuous Assessment Is Now an Underwriting Requirement

Continuous third-party assessment is now a precondition for binding coverage.

Cyber liability insurance has fundamentally changed in the last 36 months. Carriers absorbed catastrophic ransomware and business-email-compromise losses and responded by tightening underwriting. Cyberwatch reports are explicitly accepted by cyber-insurance underwriters as continuous-assessment evidence. Today, every major U.S. carrier (Travelers, Chubb, AIG, Beazley, Coalition, At-Bay, CNA, Hartford, Liberty Mutual, Tokio Marine HCC, and others) asks specifically:

  • When was your last independent third-party penetration test or vulnerability assessment?

  • How frequently do you conduct external attack-surface scans?

  • Do you have documented remediation plans for findings, with owners and target dates?

  • Have you assessed your supply chain and vendor cybersecurity posture?

  • Have you tested your domain and email security configuration (SPF/DKIM/DMARC)?

  • Do you have evidence of dark web monitoring for exposed employee credentials?

  • Do you produce executive-level cyber risk reporting to your board or owner group?

An honest “no” or “over a year ago” on the first question typically results in declination, reduced limits, materially higher retentions, or premium increases of two to four times. After a claim, carriers routinely send forensics teams to verify that the controls and assessments attested in the application were actually in place; misrepresentation can void coverage entirely.

Cyberwatch converts every one of those questions to a verifiable “yes” with documentation an underwriter can accept. Northern Data Solutions clients consistently report:

  • Successful renewals when peers were declined.

  • Premium reductions of 10–30 percent on renewal.

  • Reduced retentions and broader sublimits, particularly for ransomware, social engineering, and business interruption.

  • Faster underwriting because Cyberwatch reports are exportable directly to the broker.

For a CFO, this is a direct, measurable, hard-dollar return on the Cyberwatch investment in addition to the risk reduction it produces.

15. Deployment & Operations — Frequently Asked Questions

What permissions does the scanner require?

The scanner runs as the logged-in user. No privilege elevation is required. This is what makes Cyberwatch “stealth” from an operational impact standpoint — we do not change your privilege model in order to assess it.

What are the system requirements?

Anything running Windows 7 or Windows Server 2008 R2 or higher is fully supported. macOS Ventura (13) and higher is supported as well.

How is the scanner deployed?

Through easily deployed scripts that work with any RMM (Remote Monitoring and Management), Group Policy, or comparable mechanism. Deployment is measured in minutes of IT time, not days.

How does Ongoing Analysis work?

We perform quarterly assessments across every machine on your network and monthly external vulnerability assessments, both delivered as fully formatted reports rather than raw exports.

Are reports reviewed by a human?

Yes. A third party individually reviews each report generated or requested before it is delivered, ensuring accuracy and prioritization.

Is liability coverage included?

Cyberwatch carries special errors-and-omissions coverage for auditing networks — an explicit liability protection most assessment providers do not offer.

16. The Path Forward: Cyberwatch → Cyberwatch Advanced

Identification is necessary but not sufficient. Cyberwatch tells you where you are exposed; Cyberwatch Advanced — including CyberSecureID Identity Access Management with CyberSecureID Verify — is the enforcement layer that eliminates the exposure.

Figure 4. Cyberwatch is the foundation; Cyberwatch Advanced and Compliance-as-a-Service complete the program.

Cyberwatch composes with the rest of the Northern Data Solutions portfolio:

  • Cyberwatch Advanced — CyberSecureID IAM, CyberSecureID Verify adaptive MFA, principles of least privilege, Zero Trust architecture, attack-surface visibility, password management, and the cybersecurity awareness training platform with employee attestation.

  • Compliance-as-a-Service — the platform that manages your full compliance program and converts Cyberwatch findings into auditor-ready evidence for every framework above.

  • Virtual CSO (VCSO) — an executive-grade security leader who sits at your board and audit committee, owns the Cyberwatch outcomes, and reports in business terms.

  1. Approve a Cyberwatch Level 1 Free Test within 30 days. A no-cost engagement against 3–5 representative users validates the baseline and almost always uncovers material findings.

  2. Commit to a Level 2 Full Comprehensive Assessment within 60 days of the Free Test, including the M365 Mothership analysis.

  3. Adopt the quarterly Level 3 cadence. Receive the Executive Summary & Dashboard at every audit committee meeting and the Monthly External Vulnerability Report between meetings.

  4. Brief the cyber liability broker. Use Cyberwatch reports as primary underwriting evidence at the next renewal.

  5. Plan the graduation to Cyberwatch Advanced. Once the remediation backlog is in motion, layer on CyberSecureID enforcement to convert “known risks” into “eliminated risks.”

18. Conclusion

Cyberwatch is the executive’s answer to the question every Board now asks: “How do we know our cybersecurity program is actually working?” Continuous, third-party, evidence-based assessment is the only credible answer. It satisfies regulators, it satisfies insurers, it satisfies auditors, it satisfies customers, and most importantly it gives the C-suite and the Board the visibility required to make capital allocation decisions on real data instead of vendor marketing.

Cyberwatch is the foundation. Cyberwatch Advanced — with CyberSecureID Identity Access Management and CyberSecureID Verify — is the enforcement that closes the loop. Compliance-as-a-Service and the VCSO offering convert the entire program into a defensible, board-reportable, auditor-ready posture.

Let’s secure your future. Schedule a 26-minute executive briefing with Northern Data Solutions.

Ready to strengthen your cybersecurity posture and ensure compliance? Our experts will assess your needs and provide a tailored plan to protect your organization. We look forward to partnering with you on your journey to comprehensive security maturity. To schedule an executive briefing or readiness review, contact your Northern Data Solutions account executive or the Office of the CTO.