Hexiosec for education
The widest attack surface in any sector. We already map it.
A university’s external estate is one of the largest and most devolved anywhere — hundreds of department and research domains, spin-outs, legacy systems, devolved IT — and it is probed daily. Hexiosec already scans the whole UK higher-education sector for Jisc to build a national picture of risk. Hexiosec ASM maps your estate the way an attacker would. Hexiosec Transfer secures the research and student data you exchange. Both UK-sovereign, both built by ex-government engineers.
- Trusted to scan the sector for Jisc
- NCSC ACD 2.0 (ASM)
- Available on Jisc Chest
- UK Sovereign
- Cyber Essentials Plus
One institution, two exposures.
Inbound — The estate attackers see
A higher-education institution runs one of the largest, most fragmented external estates anywhere: faculty and research-group domains, partnerships and spin-outs, legacy and inherited systems, devolved and shadow IT, and open research infrastructure. Most institutions cannot fully map their own estate. It is probed continuously, and the sector has been a repeated target for ransomware and research-data theft.
Outbound — The data you exchange
Research data, often personal, sensitive or funder-controlled, plus student and applicant data, safeguarding, assessment material and inter-institution collaboration, moves constantly. Too often that happens through email, SharePoint or consumer tools never built for it.
Two directions of risk on the same institution. Hexiosec covers both, and already maps the first across the whole sector.
We already scan the sector for Jisc.
In recent years, Hexiosec has been commissioned by Jisc to scan the full population of UK higher-education institutions every year to build a national picture of the sector's external risk — work Jisc has presented at its annual conference and shared with its community. The same enumeration engine that maps the sector maps your institution: continuous, independent, and built to find more with fewer false positives.
NCSC assessed Hexiosec ASM in the ACD 2.0 trials. Hexiosec is available through Jisc licensing.
Two products, one sector. Start with the risk that's top of mind.
Hexiosec ASM: see what attackers see
Continuous mapping of the institution's external estate, the engine Jisc trusts to scan the sector.
Hexiosec Transfer: secure the data you exchange
Research data, student and applicant collection, and multi-institution Spaces, encrypted end-to-end.
See the estate attackers see, across the whole institution.
Hexiosec ASM continuously maps your external attack surface the way an attacker would: every domain, subdomain, exposed service and certificate, using a proprietary enumeration engine that finds more, with fewer false positives. It is the same platform Jisc trusts to scan the sector, and the National Cyber Security Centre (NCSC) included it in the Active Cyber Defence 2.0 trials.
The estate no one fully owns
Faculties, research groups, spin-outs and partnerships stand up domains and services constantly, and devolved and shadow IT means central teams rarely have the full picture. ASM maps what the institution actually exposes today.
The systems you inherited
Mergers, reorganisations and decades of legacy leave sprawling, poorly-documented estates. ASM finds the forgotten subdomain, the exposed admin panel and the expired certificate before an attacker does.
Benchmark against the sector
Because Hexiosec scans the whole sector for Jisc, your exposure can be understood in context: not just your risk, but your risk relative to the sector picture.
What ASM is: continuous monitoring, not a pen test.
ASM is continuous external attack-surface monitoring, not a penetration test, and not a replacement for your in-house team. It keeps a point-in-time pen test and your team working from a current picture.
Secure exchange for research and student data.
Hexiosec Transfer encrypts every exchange end-to-end before it leaves the device, and keeps the data in the UK. No recipient account needed: students, applicants and research partners open a secure link in the browser.
Research data exchange and collaboration
Share and collect research data, including personal, sensitive or funder-controlled data, with end-to-end encryption, plus persistent encrypted Spaces for multi-institution research collaboration with full audit.
Student & applicant data collection
Collect admissions, enrolment, support and consent information through encrypted, branded Forms, with no account for the student, encrypted on their device.
Assessment and awarding bodies
Secure exchange of examination and assessment material between institutions and awarding organisations.
Supplier and research partner onboarding
Collect compliance and identity documentation from suppliers and partners securely: structured, audited, and unreadable by us.
Mapped to the sector's assurance and procurement context.
Both products, mapped to what UK education expects.
Cyber Essentials and Cyber Essentials Plus
Widely expected across the sector. Hexiosec holds Cyber Essentials Plus, and both products support your own certification evidence.
JANET and Jisc connection expectations
ASM evidences the asset-management and exposure visibility that the sector's connection conditions and good practice expect.
UK GDPR and the Data Protection Act 2018
Research-data and student-data handling. See the compliance page for how both products support your compliance position.
DfE digital, technology and cyber standards
Relevant to further-education colleges, multi-academy trusts and schools across the wider-education audience.
- NCSC ACD 2.0 (ASM)
- DSIT Software Security Ambassador
- Cyber Essentials Plus (confirmed)
- UK-sovereign (GCP London), not subject to the US CLOUD Act
- Available on Jisc Chest
The sector's own body trusts us to scan it.
The Jisc National Picture of Risk
Hexiosec scans the full population of UK higher-education institutions every year for Jisc, building a national picture of the sector's external risk that Jisc has presented at its annual conference and shared with its community.
Hexiosec ASM gives us clear, real‑time visibility of our external attack surface and highlights risks we simply couldn’t see before. It’s helped us close gaps long before they could become incidents.
- Built by ex-government & defence intelligence engineers, Cheltenham
- NCSC ACD 2.0 (ASM)
- Cyber Essentials Plus
Both free to start. Bought how education buys.
ASM
Hexiosec ASM
- Free — Weekly scans, no card — See your external attack surface at no cost.
- Premium from £249/mo — Up to 300 assets, continuous monitoring.
- Enterprise custom pricing — Common for institutions monitoring a large estate.
Transfer
Hexiosec Transfer
- Professional £15/user/mo — For individuals and small teams.
- Business £25/user/mo — Co-branding, audit retention, admin controls.
- Enterprise custom pricing — Own domain, SSO, signed DPA + UK residency, framework procurement, 99.9% SLA, named CSM.
Available through Jisc licensing. View the listing →
Questions from across the sector.
Do you really scan the whole higher-education sector?
Yes. Under a recurring agreement with Jisc, to build a national picture of risk. The same enumeration engine maps your institution.
What is attack surface management, in plain terms?
The outside-in view of everything attackers can see: domains, services, certificates, mapped continuously.
Does it cover devolved and inherited systems?
Yes. It maps what you actually expose today, including departmental and inherited systems.
Is ASM a pen test?
No. Continuous external monitoring that complements pen testing and your in-house team.
Are you on Jisc Chest?
Yes, the procurement route for both products. See pricing and the listing.
Can we share sensitive research data securely?
Do students or partners need an account?
No. They open a secure link in the browser; no account required.
Is data hosted in the UK?
Yes. Both products are UK-hosted; Transfer on Google Cloud Platform, London, not subject to the US CLOUD Act.
Do the products work together?
They address two risks — inbound exposure and outbound exchange — on the same UK-sovereign, ex-government engineering. Most institutions start with one and add the other.
See your estate the way attackers, and Jisc, already do.
Most institutions start with the risk that's top of mind — seeing what attackers can see, or securing the research and student data they exchange — and add the other when they're ready. Both are free to start, and both are available on Jisc Chest.