Frequently Asked Questions
Quickly find answers to your cybersecurity questions.
If a security incident occurs because of risky behaviour by a poorly informed employee, the company remains largely responsible. Data-protection law, including the nLPD in Switzerland and the GDPR in Europe, requires organizations to take the measures necessary to protect data and reduce risk, and staff training and awareness are part of those measures.
In the event of a dispute or investigation, a company unable to demonstrate that it has implemented preventive measures (regular training, awareness campaigns, reminders of best practices) could be deemed negligent. This can lead to fines, damage to reputation and a loss of trust from customers and partners.
The cve.org website, operated by MITRE on behalf of the CVE Program, is the official source of CVE identifiers: it guarantees that each ID is unique and that each record follows the CVE record format. However, cve.org covers the administrative side only. It does not carry EPSS scores (published by FIRST), the CISA Known Exploited Vulnerabilities (KEV) catalog or other exploitation indicators, or advanced sorting and filtering.
Our CVE Find service takes that official data, enriches it with complementary metrics (KEV listing, EPSS, CVSS) and presents it in a more modern, faster and filterable interface, so that a team can rank vulnerabilities by what is actually being exploited rather than by CVSS alone. It is therefore a practical monitoring tool, designed for day-to-day operational and decision-making use.
They are two complementary tools:
- PhishTrainer works through practice: it sends fake phishing emails to your employees and measures who clicks and who reports the attack. This is the behavioural approach — learning by experience. The dashboard shows the click rate, the reporting rate and the trend over time.
- Bexxo Academy works through knowledge: video modules, interactive quizzes, educational games on cyber threats. Available 24/7 online, complemented by in-person sessions in Ins (BE). Ideal for onboarding new employees and updating knowledge.
Both tools together cover the complete loop: raise awareness → test → measure → improve.
The main difference between black box, gray box, and white box testing lies in the level of information provided to the tester before starting the simulated attack.
- In a black box test, the tester has no prior knowledge of the system. They act as an external attacker and try to reach resources without any assistance. This realistically simulates an external attack, but coverage is limited to what can be discovered or guessed from the outside within the time allotted.
- In a gray box test, the tester receives some technical information or partial access (such as a standard user account). This reflects a scenario where an attacker has already gained a foothold in part of the system or has insider knowledge, such as a former employee.
- In a white box test, all information is provided: source code, technical documentation, administrator access. This gives a complete view and allows deep vulnerabilities to be identified, including ones that are invisible from the outside.
Each approach has its advantages, and the choice depends on the objectives of the test and the level of risk to be covered.
A vulnerability scan is an automated analysis in which a tool examines a system or application for known vulnerabilities, typically by matching the software versions it detects against a vulnerability database or by checking configurations. It is fast and inexpensive, but the results are raw and often incomplete: false positives (for example, a version string that still looks vulnerable because the distribution backported the fix without changing the version number) and false negatives for flaws that require context, such as business-logic or authorization errors.
A pentest goes beyond detection: it tries to actually exploit vulnerabilities to demonstrate their concrete impact. It is a manual, methodical process that validates what the scanner found, uncovers vulnerabilities a scanner cannot see (logic flaws, chains of individually minor weaknesses) and produces realistic attack scenarios. A pentest is therefore far more thorough and contextual, but requires time, expertise and planning.
Security awareness aims to spread a general security culture, accessible to all employees regardless of their role or technical level. It covers concrete topics: phishing, passwords, mobile devices, social networks, vigilance when teleworking, and so on. The goal is to make every employee an active participant in security in their day-to-day work.
Technical training, on the other hand, is aimed at more specialized profiles (IT teams, developers, administrators) and focuses on specific skills such as system hardening, secure development or incident handling. It often requires prerequisites and aims to strengthen security through technical mastery.