Hexiosec for the public sector

Two risks every public body carries. We cover both.

OFFICIAL-SENSITIVE data moving between agencies, contractors and citizens. And a public-facing estate (domains, services, the systems you inherited through reorganisation) that attackers probe daily. Hexiosec Transfer secures the data you exchange with end-to-end encryption. Hexiosec ASM maps the estate the way an attacker would. Both UK-sovereign, both built by ex-government engineers.

  • NCSC ACD 2.0 (ASM)
  • UK Sovereign
  • Cyber Essentials Plus
  • OFFICIAL-SENSITIVE aligned
The two risks in the public sector

Two directions of risk on the same public data.

The data you exchange

OFFICIAL-SENSITIVE casework, grant administration, Freedom of Information and subject access (FOI and SAR) responses, inter-agency working and contractor exchanges move sensitive data constantly, often by email, SharePoint or legacy tooling:

  • Casework and grant administration
  • Freedom of Information and subject access responses
  • Inter-agency and joint working
  • Supplier and contractor exchanges

What attackers can see

The public-facing estate is large and sprawling, and it is probed continuously. Most bodies cannot fully map their own estate:

  • Multiple domains and public service portals
  • Legacy systems and exposed services
  • Systems inherited through machinery-of-government changes
  • Estates merged through council reorganisation

Local government in particular has been a repeated target.

Two directions of risk on the same public data. Hexiosec covers both.

Classification

Built for OFFICIAL and OFFICIAL‑SENSITIVE.

Hexiosec is aligned to the handling of OFFICIAL and OFFICIAL‑SENSITIVE information, the classification that covers the overwhelming majority of public-sector data. Data is encrypted end-to-end and hosted entirely in the UK, and the platform is not subject to the US CLOUD Act. It is not accredited for SECRET or above; for those classifications, specialist accredited systems apply.

Two products, one sector. Start where your risk is.

Hexiosec Transfer: secure the data you exchange

OFFICIAL-SENSITIVE exchange, multi-agency casework and citizen-data collection, encrypted end-to-end, hosted in the UK.

Hexiosec ASM: see what attackers see

Continuous mapping of your public-facing estate, and evidence for NCSC CAF and GovAssure.

Hexiosec Transfer for the public sector

Secure exchange for OFFICIAL SENSITIVE work.

Hexiosec Transfer encrypts every exchange end-to-end before it leaves the device, and keeps the data in the UK. Cabinet Office, DSIT and other central government departments already use it. No recipient account needed: contractors and citizens open a secure link in the browser.

OFFICIAL SENSITIVE file exchange

Send and receive OFFICIAL-SENSITIVE documents between bodies, agencies and contractors: encrypted, audited, expiring, revocable. The default for inter-organisation exchange.

Multi-agency casework spaces

A persistent encrypted Space for joint working: safeguarding, shared services, joint investigations, inter-agency programmes. Admin-verified users, full audit, files and folders both ways under controlled access.

Citizen and resident data collection

Collect grant applications, service requests, consultation responses and FOI and subject access information through encrypted, branded forms, with no account for the resident, encrypted on their device before it reaches us.

Supplier and contractor onboarding

Collect compliance, identity and financial information from suppliers and contractors securely: structured, audited, and unreadable by us.

Hexiosec ASM for the public sector

See the estate attackers see, including what you inherited.

Hexiosec ASM continuously maps your external attack surface the way an attacker would: every domain, subdomain, exposed service and certificate, using a proprietary enumeration engine that finds more, with fewer false positives. The National Cyber Security Centre (NCSC) included Hexiosec ASM in its Active Cyber Defence 2.0 trials.

The exposure you can't see

Public bodies run large public-facing estates: portals, microsites, service domains, mail infrastructure. Forgotten subdomains, an exposed admin panel and expired certificates are what attackers find first. ASM finds them for you, continuously.

The estate you inherited

Machinery-of-government changes, unitary reorganisations and shared-service arrangements leave sprawling, poorly-documented estates. ASM maps what a body actually owns and exposes today, including the systems that arrived with a reorganisation and were never catalogued.

Evidence for CAF and GovAssure

Assurance against the NCSC Cyber Assessment Framework (CAF) expects a body to know and manage its assets and exposure. ASM provides a continuous, independently-validated view that evidences the relevant asset-management and discovery objectives, and reassures the Senior Information Risk Owner and the audit committee.

Continuous monitoring, not a pen test.

ASM is continuous external attack-surface monitoring, not a penetration test, and not a replacement for your in-house team. It keeps a point-in-time pen test and an internal team working from a current picture.

Compliance & Assurance

Mapped to how the public sector assures and buys.

OFFICIAL-SENSITIVE aligned

Hexiosec Transfer is aligned to the handling of OFFICIAL and OFFICIAL-SENSITIVE information, the classification that covers the overwhelming majority of public-sector data.

NCSC Cyber Assessment Framework

Hexiosec ASM evidences the asset-management and discovery objectives, and Hexiosec Transfer evidences the secure-data-handling objectives, for NCSC CAF and GovAssure.

GovAssure

The government cyber-assurance regime, based on the NCSC Cyber Assessment Framework. Hexiosec ASM provides evidence relevant to in-scope bodies.

UK GDPR / DPA 2018

Citizen-data handling aligned to UK GDPR and the Data Protection Act 2018. See the compliance page for how both products support your compliance position.

  • Central Government (Transfer customers)
  • NCSC ACD 2.0 (ASM)
  • Cyber Essentials Plus
  • DSIT Software Security Ambassador
  • UK-sovereign, not subject to the US CLOUD Act
  • CCS-listed
Trusted across UK Government

The people who protect governments, built for the public sector.

Cabinet Office
NCSC ACD 2.0 Partner
UK Government
NHS

Hexiosec ASM was a reference EASM product during NCSC ACD 2.0 trials. Hexiosec Transfer is used by UK Central Government departments. Both products are built in Cheltenham, by engineers with UK government and defence intelligence experience.

  • NCSC ACD 2.0 (ASM)
  • DSIT Software Security Ambassador
  • Cyber Essentials Plus

Find your tier on each product.

A quick fit guide, not a pricing table. Each card routes to the full pricing.

ASM

Hexiosec ASM

  • Free weekly scans, no card — See your external attack surface at no cost.
  • Essential from £99/mo — Up to 200 assets, weekly monitoring.
  • Premium from £249/mo — Up to 300 assets, continuous monitoring.
  • Enterprise custom pricing — Larger estates, third-party scope and advanced needs.

Transfer

Hexiosec Transfer

  • Team £15/user/mo — Smaller teams getting started.
  • Business £25/user/mo — Co-branding, 1-year audit retention, admin controls.
  • Enterprise custom pricing — Own domain, SSO, signed DPA + residency guarantee, framework procurement, 99.9% SLA, named CSM.

FAQ

Both products, answered.

Can it handle OFFICIAL SENSITIVE data?

Yes. Aligned to OFFICIAL and OFFICIAL-SENSITIVE handling. It is not accredited for SECRET or above.

Do contractors or citizens need an account?

No. They open a secure link in the browser; no Hexiosec account required.

Can we run multi-agency casework spaces?

Yes. Persistent encrypted Spaces with admin-verified users and full audit. See /transfer/spaces/.

Is it available on G-Cloud / CCS?

Yes. Hexiosec is CCS-listed, and the framework route is the public-sector buying path. See pricing.

How does it compare to Egress?

See the comparison at /switch-from-egress/.

Do the products work together?

They address two different risks — outbound exchange and inbound exposure — and share the same UK-sovereign, ex-government engineering. Most bodies start with one and add the other.

What is attack surface management, in plain terms?

The outside-in view of everything attackers can see of your estate: domains, services, certificates, mapped continuously.

Does it cover legacy and inherited systems?

Yes. ASM maps what you actually expose today, including systems inherited through reorganisation.

Does ASM support NCSC CAF / GovAssure?

It evidences the relevant asset-management and discovery objectives. CAF objectives are referenced, not claimed as formal certification.

Is data hosted in the UK?

Yes. Both products are UK-hosted; Transfer on Google Cloud Platform, London, not subject to the US CLOUD Act, with a signed DPA and residency guarantee on Enterprise.

What classification can the platform handle?

OFFICIAL and OFFICIAL-SENSITIVE. Not SECRET or above.

Cover both risks. Start with the one that brought you here.

Most public bodies start with the risk that's top of mind — securing the OFFICIAL-SENSITIVE data they exchange, or seeing what attackers can see of their estate — and add the other when they're ready. Both are free to start.