Hexiosec for education

The widest attack surface in any sector. We already map it.

A university’s external estate is one of the largest and most devolved anywhere — hundreds of department and research domains, spin-outs, legacy systems, devolved IT — and it is probed daily. Hexiosec already scans the whole UK higher-education sector for Jisc to build a national picture of risk. Hexiosec ASM maps your estate the way an attacker would. Hexiosec Transfer secures the research and student data you exchange. Both UK-sovereign, both built by ex-government engineers.

  • Trusted to scan the sector for Jisc
  • NCSC ACD 2.0 (ASM)
  • Available on Jisc Chest
  • UK Sovereign
  • Cyber Essentials Plus
Two directions of risk

One institution, two exposures.

Inbound — The estate attackers see

A higher-education institution runs one of the largest, most fragmented external estates anywhere: faculty and research-group domains, partnerships and spin-outs, legacy and inherited systems, devolved and shadow IT, and open research infrastructure. Most institutions cannot fully map their own estate. It is probed continuously, and the sector has been a repeated target for ransomware and research-data theft.

Outbound — The data you exchange

Research data, often personal, sensitive or funder-controlled, plus student and applicant data, safeguarding, assessment material and inter-institution collaboration, moves constantly. Too often that happens through email, SharePoint or consumer tools never built for it.

Two directions of risk on the same institution. Hexiosec covers both, and already maps the first across the whole sector.

Sector-scale proof

We already scan the sector for Jisc.

In recent years, Hexiosec has been commissioned by Jisc to scan the full population of UK higher-education institutions every year to build a national picture of the sector's external risk — work Jisc has presented at its annual conference and shared with its community. The same enumeration engine that maps the sector maps your institution: continuous, independent, and built to find more with fewer false positives.

NCSC assessed Hexiosec ASM in the ACD 2.0 trials. Hexiosec is available through Jisc licensing.

Jisc
See Hexiosec on Jisc licencing →

Two products, one sector. Start with the risk that's top of mind.

Hexiosec ASM: see what attackers see

Continuous mapping of the institution's external estate, the engine Jisc trusts to scan the sector.

Hexiosec Transfer: secure the data you exchange

Research data, student and applicant collection, and multi-institution Spaces, encrypted end-to-end.

Hexiosec ASM for education

See the estate attackers see, across the whole institution.

Hexiosec ASM continuously maps your external attack surface the way an attacker would: every domain, subdomain, exposed service and certificate, using a proprietary enumeration engine that finds more, with fewer false positives. It is the same platform Jisc trusts to scan the sector, and the National Cyber Security Centre (NCSC) included it in the Active Cyber Defence 2.0 trials.

The estate no one fully owns

Faculties, research groups, spin-outs and partnerships stand up domains and services constantly, and devolved and shadow IT means central teams rarely have the full picture. ASM maps what the institution actually exposes today.

The systems you inherited

Mergers, reorganisations and decades of legacy leave sprawling, poorly-documented estates. ASM finds the forgotten subdomain, the exposed admin panel and the expired certificate before an attacker does.

Benchmark against the sector

Because Hexiosec scans the whole sector for Jisc, your exposure can be understood in context: not just your risk, but your risk relative to the sector picture.

What ASM is: continuous monitoring, not a pen test.

ASM is continuous external attack-surface monitoring, not a penetration test, and not a replacement for your in-house team. It keeps a point-in-time pen test and your team working from a current picture.

Hexiosec Transfer for education

Secure exchange for research and student data.

Hexiosec Transfer encrypts every exchange end-to-end before it leaves the device, and keeps the data in the UK. No recipient account needed: students, applicants and research partners open a secure link in the browser.

Research data exchange and collaboration

Share and collect research data, including personal, sensitive or funder-controlled data, with end-to-end encryption, plus persistent encrypted Spaces for multi-institution research collaboration with full audit.

Student & applicant data collection

Collect admissions, enrolment, support and consent information through encrypted, branded Forms, with no account for the student, encrypted on their device.

Assessment and awarding bodies

Secure exchange of examination and assessment material between institutions and awarding organisations.

Supplier and research partner onboarding

Collect compliance and identity documentation from suppliers and partners securely: structured, audited, and unreadable by us.

Compliance & Assurance

Mapped to the sector's assurance and procurement context.

Both products, mapped to what UK education expects.

Cyber Essentials and Cyber Essentials Plus

Widely expected across the sector. Hexiosec holds Cyber Essentials Plus, and both products support your own certification evidence.

JANET and Jisc connection expectations

ASM evidences the asset-management and exposure visibility that the sector's connection conditions and good practice expect.

UK GDPR and the Data Protection Act 2018

Research-data and student-data handling. See the compliance page for how both products support your compliance position.

DfE digital, technology and cyber standards

Relevant to further-education colleges, multi-academy trusts and schools across the wider-education audience.

  • NCSC ACD 2.0 (ASM)
  • DSIT Software Security Ambassador
  • Cyber Essentials Plus (confirmed)
  • UK-sovereign (GCP London), not subject to the US CLOUD Act
  • Available on Jisc Chest
Trusted across the sector

The sector's own body trusts us to scan it.

The Jisc National Picture of Risk

Hexiosec scans the full population of UK higher-education institutions every year for Jisc, building a national picture of the sector's external risk that Jisc has presented at its annual conference and shared with its community.

Hexiosec ASM gives us clear, real‑time visibility of our external attack surface and highlights risks we simply couldn’t see before. It’s helped us close gaps long before they could become incidents.

Declan Whelan

Cyber Information Security Officer · York St John University

  • Built by ex-government & defence intelligence engineers, Cheltenham
  • NCSC ACD 2.0 (ASM)
  • Cyber Essentials Plus
Tier fit & procurement

Both free to start. Bought how education buys.

ASM

Hexiosec ASM

  • Free — Weekly scans, no card — See your external attack surface at no cost.
  • Premium from £249/mo — Up to 300 assets, continuous monitoring.
  • Enterprise custom pricing — Common for institutions monitoring a large estate.

Transfer

Hexiosec Transfer

  • Professional £15/user/mo — For individuals and small teams.
  • Business £25/user/mo — Co-branding, audit retention, admin controls.
  • Enterprise custom pricing — Own domain, SSO, signed DPA + UK residency, framework procurement, 99.9% SLA, named CSM.

Available through Jisc licensing. View the listing →

FAQ

Questions from across the sector.

Do you really scan the whole higher-education sector?

Yes. Under a recurring agreement with Jisc, to build a national picture of risk. The same enumeration engine maps your institution.

What is attack surface management, in plain terms?

The outside-in view of everything attackers can see: domains, services, certificates, mapped continuously.

Does it cover devolved and inherited systems?

Yes. It maps what you actually expose today, including departmental and inherited systems.

Is ASM a pen test?

No. Continuous external monitoring that complements pen testing and your in-house team.

Are you on Jisc Chest?

Yes, the procurement route for both products. See pricing and the listing.

Can we share sensitive research data securely?

Yes. End-to-end encrypted and UK-hosted. See Files and Spaces.

Do students or partners need an account?

No. They open a secure link in the browser; no account required.

Is data hosted in the UK?

Yes. Both products are UK-hosted; Transfer on Google Cloud Platform, London, not subject to the US CLOUD Act.

Do the products work together?

They address two risks — inbound exposure and outbound exchange — on the same UK-sovereign, ex-government engineering. Most institutions start with one and add the other.

See your estate the way attackers, and Jisc, already do.

Most institutions start with the risk that's top of mind — seeing what attackers can see, or securing the research and student data they exchange — and add the other when they're ready. Both are free to start, and both are available on Jisc Chest.