Frequently Asked Questions

Cybersecurity Scoring & Threat Levels

What is the 10-level cybersecurity threat severity framework described by Cymulate?

Cymulate's 10-level cybersecurity threat severity framework is a simple scale that categorizes threats from basic, non-targeted attacks (Level 1) to advanced, state-sponsored attacks and multi-party collusion (Level 10). This framework helps organizations and individuals understand the spectrum of cyber threats and assess their preparedness at each level. For example, Levels 1–3 cover basic threats like spam and phishing, while Levels 8–10 address advanced persistent threats and state-sponsored campaigns.

How can organizations use the 10-point scale to assess their cyber risk?

The 10-point scale allows organizations to map out the types of threats they are most likely to face and evaluate whether their current defenses are sufficient. Levels 1–7 can generally be defended against with proper tools and training, while Levels 8–10 require advanced resources and are typically targeted at large enterprises or critical infrastructure. This framework helps prioritize investments and training based on realistic threat exposure.

What types of attacks are included in Levels 1–3 of the threat scale?

Levels 1–3 cover basic, non-targeted attacks such as 'spray and pray' email spam, fake application downloads, and wide-scale phishing attempts. These attacks are generally easy to detect and avoid with basic cybersecurity hygiene, such as not clicking suspicious links and keeping software updated.

What are examples of advanced threats in Levels 8–10?

Levels 8–10 include organized multi-faceted threat campaigns (e.g., REvil, Loki, and other APT groups), state-sponsored cyber warfare targeting critical infrastructure, and attacks involving collusion between governments and service providers (e.g., Pegasus spyware, PRISM). These threats are highly sophisticated and often require advanced, layered defenses and continuous monitoring.

What are the key takeaways from the 10-point threat scale?

The main takeaways are: most attacks (up to Level 7) can be defended against by organizations of any size with the right tools and training, while only a small number of attacks (Levels 8–10) are exceptionally difficult to defend against and typically target large enterprises or governments. The scale helps organizations focus resources where they are most needed.

How does Cymulate help organizations prepare for threats across all levels?

Cymulate provides tools for continuous assessment and validation of security posture, enabling organizations to simulate attacks across the full threat spectrum. This helps identify weaknesses, improve defenses, and ensure readiness for threats from basic phishing to advanced persistent threats.

What is the role of exposure validation in Cymulate's approach?

Exposure validation in Cymulate involves automated, real-world attack simulations to test an organization's defenses. This process uncovers weaknesses and provides actionable insights to improve security posture, making advanced security testing fast and easy.

How can Cymulate help measure and baseline cyber resilience?

Cymulate enables organizations to assess their baseline cyber resilience, uncover weaknesses, and improve their security posture through continuous validation and actionable reporting.

Where can I find resources to learn more about security validation and best practices?

Cymulate offers a range of resources, including e-books, solution briefs, and blog posts, covering principles and best practices of security validation. Visit the Resource Hub for more information.

How does Cymulate's scoring system help prioritize remediation efforts?

Cymulate's scoring system provides a clear picture of an organization's security posture and highlights potential exposures. This allows teams to focus remediation efforts on the most critical risks, improving efficiency and effectiveness.

What customer feedback has Cymulate received regarding ease of use?

Cymulate is consistently praised for its intuitive, user-friendly interface and ease of implementation. Customers highlight the platform's simplicity, actionable insights, and accessible support. For example, Raphael Ferreira, Cybersecurity Manager, said, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture."

How quickly can Cymulate be implemented?

Cymulate is designed for rapid deployment, operating in agentless mode with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately after deployment. Schedule a demo to see how quickly you can get started.

What are the main features of Cymulate's platform?

Cymulate's platform offers continuous threat validation, unified exposure management, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, and an extensive threat library with over 100,000 attack actions updated daily.

What integrations does Cymulate support?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a complete list, visit the Partnerships and Integrations page.

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a personalized quote, schedule a demo with the Cymulate team.

What security and compliance certifications does Cymulate hold?

Cymulate holds several industry-leading certifications, including SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to robust security and compliance standards.

How does Cymulate ensure data security and privacy?

Cymulate ensures data security through encryption in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a tested disaster recovery plan, and compliance with GDPR. The platform also features mandatory 2FA, RBAC, IP address restrictions, and secure development practices.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing.

What problems does Cymulate solve for security teams?

Cymulate addresses fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery challenges.

How does Cymulate compare to other security validation platforms?

Cymulate stands out with its unified platform combining BAS, CART, and exposure analytics, continuous threat validation, AI-powered optimization, complete kill chain coverage, ease of use, and measurable customer outcomes. It is recognized as a market leader by Frost & Sullivan and a Customers' Choice in Gartner Peer Insights.

What measurable outcomes have customers achieved with Cymulate?

Customers have reported a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. See Hertz Israel's case study.

How does Cymulate support continuous innovation?

Cymulate updates its SaaS platform every two weeks with new features, such as AI-powered SIEM rule mapping and advanced exposure prioritization, ensuring customers have access to the latest capabilities.

Where can I find Cymulate's latest news, events, and research?

Stay up-to-date with Cymulate through the blog, newsroom, and events & webinars pages.

Does Cymulate provide educational resources like a blog or glossary?

Yes, Cymulate offers a blog for the latest threats and research, a cybersecurity glossary, and a Resource Hub with whitepapers, e-books, and more.

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity.

How does Cymulate address pain points for different security roles?

Cymulate tailors solutions for CISOs (metrics and risk prioritization), SecOps teams (automation and efficiency), red teams (automated offensive testing), and vulnerability management teams (in-house validation and prioritization).

What support and resources does Cymulate offer for new customers?

Cymulate provides email and chat support, a knowledge base, webinars, e-books, and an AI chatbot to help customers get started and optimize their use of the platform.

Where can I find Cymulate's case studies and customer success stories?

Cymulate's case studies and customer success stories are available on the Customers page, featuring examples from finance, healthcare, energy, and more.

How does Cymulate help organizations stay ahead of emerging threats?

Cymulate's platform continuously updates its threat library and provides daily threat intelligence, ensuring organizations can validate defenses against the latest attack techniques.

Where can I find a central hub for Cymulate's insights and product information?

All Cymulate resources, including insights, thought leadership, and product information, are available in the Resource Hub.

Does Cymulate have resources on preventing lateral movement attacks?

Yes, Cymulate has a blog post titled 'Stopping Attackers in Their Tracks' that discusses lateral movement attacks and prevention strategies.

Cybersecurity Scoring in Plain English: On a Scale from One to Ten

By: Cymulate

Last Updated: June 23, 2025

Many readers have asked how to lay out threat severity (and what should be deflected) in a simple way. While I can't claim to have all the answers there, I am reminded of what a good friend of mine (@snipeyhead on Twitter) once explained to me when I was starting out in Cybersecurity. She referenced a ten-point scale to spell out different levels of threat and threat preparedness to make the whole thing a lot more visible and easier to understand through cybersecurity scoring.

Levels 1–3: Basic Threats

  • Level 1: Non-Targeted "spray and pray" attacks like "blind email" attacks and SMS malicious spam - such as so-called "adult behavior extortion" attacks or fake money transfer schemes that are sent to half the internet and very rarely contain any non-public personal data at all. 
  • Level 2: False advertising of what a download really is - such as fake application downloads. 
  • Level 3: Non-Targeted phishing attacks - most commonly wide-scale provider spoofing as fake Netflix, IRS, and other emails trying to trick consumers into giving up login information.

These first three levels should be defended against by every single person who uses a computer. Detecting them, or avoiding interaction with them, requires no technical knowledge, so they can be deflected by not clicking on links in emails, only downloading software from known and recognized vendors, keeping anti-malware tools updated, keeping the OS patched and updated, etc.

Levels 4–7: Targeted and Sophisticated Threats 

  • Level 4: Targeted blind email/SMS attacks - where all the employees of a specific company get a malicious email that includes public - but organization-specific - information within the email itself. 
  • Level 5: Targeted generic phishing - aimed at a specific industry but not personalized to the victim. A typical example is someone pretending to be the CEO or VP and asking for a gift card - they may have just enough information to do an accurate impersonation and win employee trust. 
  • Level 6: Co-opting legitimate software for illegitimate purposes, such as compromising a software vendor's update systems and inserting a rogue update that users automatically download and apply. 
  • Level 7: Tailored email, text messaging, and phishing attacks - where the attack email is highly targeted to specific individuals and/or company principals and uses details that make the user who gets it significantly more likely to interact with it due to the targeted tailoring.

At these levels, an individual would have some issues making sure the attacks are fully deflected, but any organization can obtain and use appropriate toolsets like Email Gateway defenses, behavioral-based anti-malware, firewalls with DNS and known-bad IP filtering, Group Policies, etc.

Levels 8–10: Advanced Threats and State-Sponsored Attacks

At this level, organizations begin to see targeted attacks that utilize a combination of techniques - and often manual intervention by the attackers - to bypass common controls. While more difficult to both fully detect and fully deflect, the proper application of Cybersecurity policies and procedures can derail a lot of this level of attack, breaking the kill-chain and preventing the attacker from acting on their objectives.  

  • Level 9: State-Sponsored attacks and acts of cyber-warfare - such as surgical strikes on critical infrastructure or enterprise businesses for political or hacktivism reasons or as part of a military operation. 

While this level is not impossible to defend against, an organization would have to bring quite a lot of both technology and personnel to the table to effectively deal with these forms of threats. Multiple layers of defenses and hardening of systems, combined with continual overwatch (such as a Security Operations Center), are necessary and may be out of reach for smaller businesses and organizations. 

  • Level 10: Multiple party collusion - such as when a government either partners with or coerces a service provider to give them information. 

This final level is nearly impossible to defend against. Since the attack occurs outside your or your organization's sphere of influence, you cannot exert security controls over the areas where the attack happens and, therefore, cannot effectively mount a defense. One very recent example is the Pegasus Spyware situation, where a third party (NSO) cooperated with government agencies to attack in a way that neither organization could accomplish on its own. Another example from some time ago was the PRISM system and other state-run operations that siphoned data directly from mobile phone networks with the help (willing or unwilling) of the network providers themselves.

Key Takeaways from the Ten-Point Scale

From this ten-point scale, we can take away two very positive points: 

  1. The vast majority of attacks can be defended against by any company or organization of just about any size. Anything up to Level 7 can be defeated with tools and training and can fit within most budgets. While an individual would have trouble defending against Level 4 and up, an organization can layer on the additional defenses necessary.
  2. For the few levels that are exceptionally difficult to defend against, the good news is that there are not a lot of these going on in the world. Though they do occur, and sometimes even impact smaller businesses and individuals, they almost exclusively target enterprise organizations and/or entire countries.

Hopefully, this article helps answer some of the questions we received from readers on how to map out threat activity on a scale that is easy to understand.

Of course, you can utilize the tools provided by Cymulate to help determine if you are ready to meet the challenges faced at different levels and ensure your organization is defended to the highest level it can be - just let us know if you'd like more information or to see the platform at work in your unique environment.

Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.
Mike Humbert, Cybersecurity Engineer
DARLING INGREDIENTS INC.