🔍
Data Discovery
Find personal and financial data on Windows endpoints, business cloud, and network shares.
Every match is scored for confidence, classified by severity (Critical / High / Medium / Low), and presented with verification guidance so reviewers can prioritise correctly.
24 patterns
Legacy Office
Custom term search
OCR
UK-tuned
GDPR / PCI-DSS / DPA Quick-Check
What it detects
UK NHS numbers, NI numbers, postcodes, sort codes, credit card PANs, IBANs, passport numbers, driving licence numbers, plus 16 more patterns. Custom term search alongside pattern detection.
What it reads
Modern Office (.docx / .xlsx / .pptx), legacy Office (.doc / .xls / .ppt), Outlook .msg, PDF (native + OCR), images (PNG / JPG / TIFF), text, code, and config files.
Where it scans
Local folders, personal OneDrive, SharePoint, OneDrive for Business, Microsoft Teams, network shares — scope mapped to your licence tier.
How it scales
Adaptive scan strategy switches between full-content, smart-sampling, header-footer, and metadata scans based on file size. No more 230-second hangs on a 6 MB PDF.
Scan transparency
Every scan reports Files Scanned: 143 of 247 — 22 with PII, 121 clean, 104 skipped with per-category breakdowns. No silent drops.
Privacy
100% on-device. No file content leaves your machine. No SaaS account. Operational logs record file counts and categories — never contents.

🛡
Application Security
Find known vulnerabilities in installed software with confidence-scored CVE matching.
PCRiskPro enumerates installed Windows applications from the registry, looks each one up against the NIST National Vulnerability Database, OSV.dev, and the CISA Known Exploited Vulnerabilities catalog, and presents the results — but with one critical difference from typical scanners: every match is classified as direct, bundled dependency, or possible match, with high / medium / low confidence.
Direct vs dependency
CISA KEV ransomware flag
EPSS exploit probability
7-day database freshness gate
Offline-capable after first scan
Confidence-aware matching
Word-boundary CPE matching, known-bundled-library detection, consensus-bound outlier filtering. Tooltip discloses both raw and direct match counts for audit.
CISA KEV integration
Vulnerabilities in the CISA Known Exploited Vulnerabilities catalog are surfaced as priorities — including ransomware-association flags from the official KEV metadata.
EPSS scoring
Exploit Prediction Scoring System probabilities for direct high-confidence matches so you can prioritise patches by likelihood of being attacked.
Database freshness
The bundled CVE database is rebuilt at each release; builds with databases older than 7 days are blocked. You always ship with current data.

📋
Cyber Essentials
Would you pass a Cyber Essentials audit today?
5 official themes + 1 extension
Pass / Fail / Warning per control
Plain English remediation
Print-ready HTML report
🛡️
Firewalls
Windows Defender Firewall enabled across domain, private, and public profiles.
⚙️
Secure Configuration
Removal of unnecessary admin rights, default-credential checks, and active service analysis.
👤
User Access Control
Password complexity policy, lock-out thresholds, inactive accounts, and MFA presence cues.
🦠
Malware Protection
Antivirus installed, signatures current, real-time protection active, and endpoint protection verification.
🔄
Security Update Management
OS patches and third-party software updates verified within the mandatory 14-day release window.
🔒
Data Encryption (Extension)
BitLocker or device encryption status checked on active system and data volumes.

Eleven advanced Windows hardening checks per device.
Secure Boot
TPM 2.0
Credential Guard
SMBv1 check
UAC audit
RDP configuration
11 checks total
Firmware Hardening
Verify Secure Boot active and TPM 2.0 present, which form the hardware roots of trust on your workstations.
Credential Guard
Ensure Windows Credential Guard is active to isolate hashes and prevent LSASS memory dumping exploits.
Legacy Protocol Risk
Checks if SMBv1 or AutoPlay are enabled, blocking entry routes commonly exploited by ransomware and worm payloads.
Ransomware Shield
Inspects Controlled Folder Access settings, verifying that only trusted binaries can write to critical user folders.
Network & RDP
Audits Remote Desktop configurations, guest account activation status, and network share exposure properties.
Access Policies
Enforces local password policies, screen lock idle timeouts, and User Account Control (UAC) slider elevation settings.

Built for the audit packs and client deliverables you actually produce
📊
Dashboard
At-a-glance Security Overview card mirroring the HTML export, plus four module preview cards with status, score, and top findings.
📄
HTML report
Print-ready, branded, executive-friendly. Every finding includes a What / Why / How card with owner role and estimated score uplift.
📈
Excel report
Sortable, conditional-formatted spreadsheet. Purpose-built for IT leads and MSPs tracking findings across multiple systems.
🔌
JSON / CSV
Full database fidelity exports. Perfect for ingestion into SIEM tools, ticketing software, or custom internal compliance pipelines.
⏳
Scan history & deltas
Compare scans over time automatically. Spot newly introduced vulnerabilities, track active items, and prove remediation progress.
✓
Remediation tracking
Mark each finding as Open / In progress / Fixed / Accepted risk / False positive. Custom state persists across repeated system scans.