Cyber Vulnerability Investigations (CVIs) are socio-technical assessments used to identify cyber risks. Uniquely, CVIs take an ‘aggressor’ view, applying adversary techniques to locate vulnerabilities, exercise viable attacks paths and develop mitigations. CVI output benefits a wide audience and a program of CVIs can support enterprise-level risk management.
As socio-technical investigations, close attention is paid to how people, processes and technology work together and the potential vulnerabilities this creates, which are often key to an attacker being able to exploit a vulnerability. CVIs therefore consider human elements relevant to cyber (behaviours, culture) in parallel with traditional ‘harder’ technical cyber assessments.