FAQ
How does CVE Find help with nFADP compliance?
The nFADP requires appropriate technical measures to protect data. Vulnerability monitoring is one of these measures: identifying and fixing flaws in your systems demonstrates proactive security management. CVE Find provides the traceability needed in the event of an inspection by the FDPIC.
How does CVE Find use data from MITRE, NVD and CISA?
CVE Find is Bexxo's vulnerability monitoring tool. It aggregates three world reference sources: (1) the MITRE CVE programme, which assigns a unique identifier to each known vulnerability (250,000+ CVEs published); (2) the NIST National Vulnerability Database (NVD), which enriches each CVE with a CVSS score from 0 to 10 and detailed technical data; (3) the CISA KEV Catalog, which lists vulnerabilities actively exploited in real-world attacks. This combination allows CVE Find to alert our clients not only about new vulnerabilities, but above all about those that represent an immediate exploitation risk.
How does a collaboration with Bexxo work?
Our process follows 4 steps: listening to your needs, in-depth analysis of your systems, fixing and strengthening detected vulnerabilities, then continuous monitoring to anticipate new threats.
How does a simulation campaign with PhishTrainer work?
In a few clicks, you configure a campaign: select recipients, choose a fraudulent email template (fake Microsoft login, parcel delivery, HR request…), define the timing. Emails are sent to employees. Every action is recorded: opening, clicking a link, entering data. Employees who interacted immediately receive an educational message. A detailed dashboard presents results by team, department, or business unit.
How does the Bexxo Academy phishing simulator work?
The phishing simulator is integrated into Bexxo Academy and works in synergy with PhishTrainer, our dedicated software. Simulated fraudulent email campaigns are sent to employees — with no real danger. Clicks and actions are recorded, and each employee who clicked immediately receives corrective training. Managers have access to detailed reports by department or team to target training actions. AI-generated phishing emails have a click-through rate 4 times higher than manual emails (APWG / Keepnet 2025).
How does the CVE Find alert system work?
You configure the list of products and technologies you use (servers, CMS, libraries, network equipment). CVE Find continuously monitors the MITRE database and alerts you by email or SMS as soon as a new vulnerability affects one of your products, with the severity score and patch recommendations.
How is artificial intelligence transforming phishing attacks?
Generative AI has radically changed the phishing threat since 2023. Three major developments:
- Perfectly written emails — gone are the spelling mistakes that used to help detect phishing. LLMs generate flawless emails in perfect English, adapted to the tone of the targeted company. AI-generated emails have a click rate four times higher than manually crafted ones (APWG / Keepnet 2025).
- Personalization at scale — AI can analyze a target's LinkedIn profile, public posts, and company website to create an ultra-realistic spear phishing in seconds. What used to take a human attacker hours now takes seconds.
- Voice and video deepfakes — vishing calls imitating a manager's voice, or entire video conferences with deepfake avatars, have already been used to trigger fraudulent bank transfers (documented cases in 2024 in Hong Kong: 25 million USD lost).
The direct consequence: human vigilance alone is no longer sufficient. Regular simulation (PhishTrainer) and continuous training (Bexxo Academy) are indispensable to maintain a level of defense adapted to the current threat.
How is the effectiveness of simulations measured over time?
PhishTrainer generates detailed reports after each campaign: open rate, click rate, data entry rate — by team, department, and employee. By running multiple campaigns over 6 to 12 months, you observe the progression: companies that simulate regularly reduce their average click rate by 60 to 70% (Proofpoint 2024). These reports document the evolution of your organization's cybersecurity maturity and can be presented during internal audits or FDPIC controls.
How long does a cybersecurity audit take?
A Bexxo audit takes between 3 and 10 business days depending on the package chosen (Essentiel, Standard or Premium) and the size of your infrastructure. You receive a detailed report with a prioritised action plan.
How long does a network audit take?
From 2 to 10 business days depending on the package and the size of the infrastructure. The Essential package takes 2 to 3 days, the Standard 3 to 7 days, the Premium 5 to 10 days. You receive a detailed report with a criticality-prioritised action plan at the end of the audit.
How long does a network security audit take?
The duration depends on the package and the size of the infrastructure:
- Essentiel: 1 to 2 working days for a network of fewer than 50 devices.
- Avancé: 3 to 5 working days depending on topology complexity.
- Premium: 1 to 2 weeks for a multi-site infrastructure or complex architecture (VPN, hybrid cloud, OT/IT).
The report is delivered within this timeframe, with a presentation session included for the Premium package.
How long does a ransomware intervention take?
The initial intervention begins within 2 hours of contact. The total recovery time varies from 24 hours (data accessible via intact backups) to 5 to 10 business days for complex cases requiring forensic extraction or advanced decryption. An accurate assessment is provided after the initial analysis phase, before any commitment.
How long does a web audit take?
From 2 to 10 business days depending on the package and the complexity of the site. The Essential package takes 2 to 3 days, the Standard 3 to 7 days, the Premium 5 to 10 days. You receive a detailed report with a prioritised action plan at the end of the audit.
How long does a website security audit take?
The duration varies depending on the package and the complexity of the site:
- Essentiel: 1 to 2 working days.
- Avancé: 3 to 5 working days.
- Premium: 1 to 2 weeks depending on the size of the site and scope (APIs, database, third-party applications).
The report is delivered within this timeframe, followed by a presentation session (Premium package) or an email exchange.
How long does it take to obtain ISO 27001 certification?
On average 6 to 12 months for a Swiss SME, depending on existing maturity. The process includes the gap analysis (1-2 months), ISMS implementation (3-6 months), internal audit (1 month) and certification audit (1-2 months). Bexxo supports its clients throughout this journey.