Frequently Asked Questions

Security & Compliance Certifications

What security certifications does Cymulate hold?

Cymulate is certified as SOC2 Type II, has multiple ISO certifications (ISO 27001:2013, ISO 27701, ISO 27017), and holds CSA STAR Level 1 certification. These demonstrate Cymulate's commitment to industry-leading security and compliance standards.

What does SOC2 Type II certification cover for Cymulate?

SOC2 Type II certification for Cymulate covers security, availability, confidentiality, and privacy, providing a third-party attestation of Cymulate's robust security practices.

Which ISO standards does Cymulate comply with?

Cymulate complies with ISO 27001:2013 (Information Security Management System), ISO 27701 (Privacy Information Management), and ISO 27017 (Security controls for cloud services). These standards are audited by independent bodies.

What is CSA STAR Level 1 certification and how does Cymulate meet it?

CSA STAR Level 1 certification demonstrates Cymulate's adherence to the Cloud Controls Matrix (CCM), ensuring transparency, rigorous auditing, and harmonization of standards for cloud security and compliance.

How often does Cymulate undergo third-party audits and penetration tests?

Cymulate conducts third-party network vulnerability scans and penetration tests at least annually, in addition to continuous internal and external security testing.

Does Cymulate have a dedicated security team?

Yes, Cymulate’s privacy and security team includes a Data Protection Officer (DPO), a Chief Information Security Officer (CISO), and an IT Manager, ensuring ongoing compliance and security oversight.

How does Cymulate ensure GDPR compliance?

Cymulate incorporates data protection by design, maintains up-to-date Terms and Conditions, Privacy Policy, and Data Processing Addendum (DPA), and has a dedicated privacy and security team to ensure GDPR compliance.

What encryption standards does Cymulate use for data protection?

Cymulate uses TLS 1.2+ for data in transit and AES-256 for data at rest, ensuring strong encryption for all customer data.

Where does Cymulate host customer data?

Cymulate hosts customer data in secure AWS data centers located in the United States, Europe, and Asia Pacific, with multiple data locality options available.

How does Cymulate ensure physical security at its data centers?

Cymulate leverages AWS data centers with ISO 27001:2022, PCI DSS Service Provider Level 1, and SOC 2/3 Type II certifications. Physical security includes security guards, fencing, intrusion detection, and more.

Product Security & Application Security

What secure development practices does Cymulate follow?

Cymulate follows a strict Secure Development Lifecycle (SDLC), including secure code training for engineers, code reviews, static and dynamic code analysis, and vulnerability scanning before code is committed.

How does Cymulate manage vulnerabilities in its applications?

Cymulate continuously scans its core applications for vulnerabilities using third-party tools, conducts annual third-party penetration tests, and performs software composition analysis as part of its CI/CD pipeline.

What authentication and access controls does Cymulate provide?

Cymulate enforces two-factor authentication (2FA) for all employees and offers 2FA or SSO for customers. Role-based access controls (RBAC) and IP address restrictions are also available for granular access management.

How does Cymulate protect its help center and support communications?

Cymulate provides free TLS encryption for host-mapped Guide help centers, using Let's Encrypt for certificate management and automatic renewal.

What employee security measures does Cymulate enforce?

All Cymulate employees undergo ongoing security awareness training and phishing campaign tests, and must sign non-disclosure and confidentiality agreements. Security policies are shared with all employees.

How does Cymulate separate testing and production environments?

Cymulate logically separates testing and staging environments from production, ensuring no real data is used in development or test environments.

How can I report a security issue to Cymulate?

You can report security issues or concerns to the Cymulate support team at [email protected].

Platform Features & Capabilities

What are the key capabilities of the Cymulate platform?

Cymulate offers continuous threat validation, breach and attack simulation (BAS), continuous automated red teaming (CART), exposure analytics, attack path discovery, automated mitigation, AI-powered optimization, and complete kill chain coverage.

How does Cymulate help organizations prioritize and remediate exposures?

Cymulate validates exploitability and ranks exposures based on prevention and detection capabilities, business context, and threat intelligence, enabling organizations to focus on the most critical vulnerabilities.

What integrations does Cymulate support?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit the Partnerships and Integrations page.

How does Cymulate automate threat validation and mitigation?

Cymulate automates threat validation with 24/7 attack simulations and integrates with security controls to push updates for immediate threat prevention and remediation.

What technical documentation is available for Cymulate?

Cymulate provides guides, whitepapers, solution briefs, and data sheets covering topics like CTEM, detection engineering, exposure validation, and automated mitigation. Access these resources at the Resource Hub.

Pricing & Plans

How is Cymulate priced?

Cymulate uses a subscription-based pricing model tailored to each organization's requirements. Pricing depends on the chosen package, number of assets, and scenarios selected. For a quote, schedule a demo.

Implementation & Support

How long does it take to implement Cymulate?

Cymulate is designed for quick, agentless deployment. Customers can start running simulations almost immediately after deployment, with minimal resources required.

What support options does Cymulate offer?

Cymulate offers email support at [email protected], real-time chat support, a knowledge base, webinars, e-books, and an AI chatbot for technical assistance and best practices.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing.

What business impact can customers expect from Cymulate?

Customers have reported up to a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months.

What pain points does Cymulate address for security teams?

Cymulate addresses fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies, and post-breach recovery challenges.

Are there case studies showing Cymulate's effectiveness?

Yes. For example, Hertz Israel reduced cyber risk by 81% in four months, and a sustainable energy company scaled penetration testing cost-effectively with Cymulate.

How do Cymulate's solutions differ for different security roles?

Cymulate tailors solutions for CISOs (metrics and risk communication), SecOps (automation and efficiency), red teams (offensive testing), and vulnerability management (validation and prioritization).

Competition & Comparison

How does Cymulate compare to AttackIQ?

Cymulate surpasses AttackIQ in innovation, threat coverage, and ease of use, offering the industry-leading threat scenario library and AI-powered capabilities.

How does Cymulate compare to Mandiant Security Validation?

Mandiant Security Validation is an original BAS platform but has seen little innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management as a grid leader.

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but lacks the depth Cymulate provides to fully assess and strengthen defenses. Cymulate optimizes defense, scales offensive testing, and increases exposure awareness.

How does Cymulate compare to Picus Security?

Picus Security offers an on-premise BAS option but lacks the comprehensive exposure validation platform Cymulate provides, which covers the full kill chain and includes cloud control validation.

How does Cymulate compare to SafeBreach?

Cymulate outpaces SafeBreach with unmatched innovation, precision, and automation, offering the industry’s largest attack library and a full CTEM solution.

How does Cymulate compare to Scythe?

Scythe is suitable for advanced red teams building custom attack campaigns, but Cymulate provides a more comprehensive exposure validation platform with actionable remediation and automated mitigation.

Customer Experience & Feedback

What do customers say about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and actionable insights. For example, Raphael Ferreira, Cybersecurity Manager, said, “Cymulate is easy to implement and use—all you need to do is click a few buttons.”

Security at Cymulate

Certifications

Cymulate conducts a variety of audits to ensure continuous compliance with industry-standard best practices.

Cymulate is SOC2 Type II certified and provides its customers with a third-party attestation report covering security, availability, confidentiality, and privacy.

An independent body has audited and certified Cymulate’s compliance with ISO standards. Cymulate’s compliance with these internationally recognized standards and codes of practice is evidence that its security and privacy programs are in accordance with industry-leading best practices.

  • ISO 27001:2013 – Information Security Management
    A leading information security standard detailing how an organization should manage its Information Security Management System (ISMS).
  • ISO 27701 – Security Techniques
    Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management requirements and guidelines.
  • ISO 27017 – Information Technology — Security Techniques
    Code of practice for information security controls based on ISO/IEC 27002 for cloud services.

STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). This certification allows Cymulate to show current and potential customers its security and compliance posture, including the regulations, standards, and frameworks it adheres to.

GDPR

The Cymulate platform is developed using strict secure development life cycle procedures. All code modifications are reviewed prior to committing them, including static and dynamic code analysis and vulnerability scanning.

Cymulate employs data protection and privacy by design, combining enterprise-grade security features with comprehensive audits of policies, applications, systems, and networks. Cymulate follows strict international standards and regulations in order to keep information safe and is SOC 2 Type II and ISO 27001 certified.

The Cymulate privacy and security team includes a Data Protection Officer (DPO) and Chief Information Security Officer (CISO). Both continuously ensure that Cymulate’s practices and products comply with GDPR and similar regulations. Cymulate’s Terms and Conditions, Privacy Policy, and Data Processing Addendum (DPA) are up-to-date and reflect its GDPR readiness.

Data Center

All of Cymulate’s servers are located within Cymulate’s own virtual private cloud (VPC), protected by restricted security groups that allow only the minimal required communication to and between the servers.

Cymulate conducts third-party network vulnerability scans and penetration tests at least once annually.

Cloud Security

Cymulate hosts Service Data primarily in AWS data centers that have been certified as ISO 27001:2022, PCI DSS Service Provider Level 1, and/or SOC 2/3 Type II compliant.

Learn about Compliance at AWS.

AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data.

Learn about Data Center Controls at AWS.

AWS on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures.

Learn about AWS physical security.

Cymulate leverages AWS data centers in the United States, Europe, and Asia Pacific.

Cymulate offers multiple data locality choices, including the United States (US), Europe (EU), India, and more.

All communications with Cymulate UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between Cymulate and its customers is secure during transit. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.

Data is encrypted at rest in AWS storage and databases using AES-256 encryption.

Cymulate employs service clustering and network redundancies to eliminate single points of failure. The service and configuration allow Cymulate to deliver a high level of service availability, as Service Data is replicated across availability zones.

Cymulate’s Disaster Recovery Plan ensures that its services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment and periodically testing procedures.

Application Security

Annual secure code training is required for all engineers.

Cymulate’s Quality Assurance (QA) department reviews and tests all products before they are released to production.

Testing and staging environments are logically separated from the Production environment. No real data is used in development or test environments.

Cymulate employs third-party security tooling to continuously scan its core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. Cymulate’s in-house product security team tests and works with its engineering teams to remediate any discovered issues.

As part of Cymulate’s CI/CD, the organization continuously scans the libraries and dependencies used in its products to identify vulnerabilities and ensure the vulnerabilities are managed.

In addition to an extensive internal and external scanning and testing program, Cymulate employs third-party security experts to perform detailed penetration tests on different applications within its family of products at least annually.

HR Security

Cymulate has developed a comprehensive set of security policies covering a range of topics that comply with industry standards. These policies are shared with and made available to all employees.

All employees attend an ongoing security awareness training. The security team provides phishing campaign tests and security awareness updates.

All new hires are required to sign non-disclosure and confidentiality agreements.

Product Security

Cymulate enforces two-factor authentication (2FA) for all employees, internally and externally. Customers can choose between 2FA enforcement or SSO.

Access to data within Cymulate applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. Cymulate supports various permission levels for users (Supervisors, Users, Read-Only).

Any Cymulate customer can restrict access to their Cymulate account to users within a specific range of IP addresses. Only users from the allowed IP addresses will be able to sign in to the Cymulate account.

Cymulate provides free TLS encryption for host-mapped Guide help centers. Zendesk uses Let’s Encrypt to request certificates and automatically renews the certificate before it expires.

FAQ

Cymulate is certified as SOC2 Type II, has many ISO certifications, and is CSA STAR Level 1. For a more detailed list, check out the certifications section.

Yes, Cymulate has security controls such as single sign-on (SSO), two-factor authentication (2FA), hardening policies, segregation of duties, encryption, 24/7 monitoring, and more to ensure that only authorized personnel can access company data.

Cymulate performs rigorous security testing, including threat-modeling, automated scanning, and third-party audits. If there is a gap, Cymulate resolves the issue quickly using its proven security incident response practices.

Cymulate conducts third-party network vulnerability scans and penetration tests at least annually.

Cymulate’s privacy & security team includes a Data Protection Officer (DPO), a Chief Information Security Officer (CISO), and an IT Manager.

The Cymulate support team is here for any questions or issues. They are available at [email protected].