BYOPT (Bring Your Own Pen Tester) A CyCognito Use Case for Pen Testing

By Phillip Wylie
Hacker in Residence
June 2, 2022

Some Attack Surface Management (ASM) platform vendors provide an ASM solution that intends to fully replace pen testing, but at CyCognito we think a little differently. While some organizations may be fine with an ASM solution that automatically bundles in pen testing, for more companies I think CyCognito, supplemented with a dedicated pen testing team, is a better solution.

Pen Testing Challenges 

Pen testing and vulnerability management are important and necessary parts of a cybersecurity program, but that doesn’t mean that they don’t have their own complexity and issues. I’ve already gone in-depth about some of the gaps and challenges when performing pen tests in my blog post How To Get The Most Out Of Pen Tests, but, in short, they’re limited in time, resources, and scope. Depending on the scope of assets being tested, a pen testing team may be limited in the testing methods they can use, or they may miss some high-value assets that are outside their specific list. This can lead to inadequate reconnaissance and skipping open-source intelligence, which can limit asset discovery. Time limitations affect reconnaissance and inadequate discovery affects results: after all, you can’t test what you don’t know about.

Pen Testing Tools Evolution

Pen testing tools have evolved over the years. Prior to vulnerability scanners, pen testers were required to perform more in-depth reconnaissance and used more manual pen testing techniques. Before exploitation frameworks such as the Metasploit Framework, pen testers had to rely more heavily on manual testing techniques and individual exploits. These tools have made it easier, faster, and more efficient for pen testers to perform security assessments and are useful for new pen testers to get up to speed more quickly. For example, before the web application pen testing tool Burp Suite, pen testers would have to cobble together multiple tools to achieve the same functionality. 

Instead of replacing pen testing, CyCognito’s reconnaissance and vulnerability discovery tools can be used as part of the pen tester toolkit. CyCognito’s prioritization features, including the Remediation Planner, help pen testers focus on the critical assets that need the most attention instead of relying on scoped lists that may miss important assets or vulnerabilities. The vulnerabilities, stats, and other information CyCognito delivers can be used in pen test reports. The Remediation Planner can inform the remediation guidance in the pen test report, and the Exploit Intelligence in CyCognito gives pen testers guidance on how to exploit vulnerabilities by providing the exploit details and the steps to execute the exploit against vulnerable assets. This feature is especially useful for junior pen testers or vulnerability management team members. Leveraging CyCognito, pen testers can spend more time on the highest value work: exploiting vulnerabilities.

Using an EASM solution that enhances pen testers’ work, rather than an ASM platform with a bundled pen testing service that replaces pen testing, frees organizations to find the best pen testing solution for their own attack surface. You may have a vendor that is great at web application testing, and others that are great with infrastructure pen testing or cloud pen testing! You can also diversify the way you have your testing done by including bug bounties alongside your pen testing resources.

When you leverage CyCognito as an extension of your evolved toolset, the insights and information generated by CyCognito are shared with your pen testers much like you might share the results of a vulnerability scan. The insights from CyCognito, however, are more like a full vulnerability assessment. CyCognito also tracks the results of your pen testers’ insights; once pen tests are completed and vulnerabilities are remediated, the status in the dashboard will be updated to show your organization’s improved security posture. 

Addressing Pen Testing Gaps

CyCognito extends the pen tester’s toolset and addresses the challenges and gaps that pen test teams face, such as time limitations and inadequate reconnaissance, including OSINT. By automating the tedious work of defining the attack surface and finding unknown assets for a complete asset inventory, CyCognito gives your organization the flexibility to customize your pen testing strategy.

To learn more about the challenges and gaps of pen testing, read my blog post How To Get The Most Out Of Pen Tests or reach out to me through email.

To learn more about CyCognito’s approach to attack surface management, please watch our demo video or request a demo here.

