PRESS RELEASE: Attack Surface Management is Critical

By CyCognito Marketing Team | December 3, 2020

Organizations mostly monitor what they already know about, leaving unknown assets unprotected and open to attackers

Palo Alto, Calif. CyCognito, the leader in attack surface protection and digital risk protection, today announced new research in partnership with Enterprise Strategy Group (ESG) that revealed most security professionals recognize that attack surface protection is important, but their operational practices and tools used aren’t up to the challenge.COVER-ESG report

The new report, Gaps in Attack Surface Monitoring and Security Testing for Cyber-risk Mitigation, was based on a survey of 200 cybersecurity and IT professionals who are directly involved with their organization’s cybersecurity strategies, controls, and operations. Respondents came from companies with at least 4,000 employees in industries like technology, manufacturing, financial services, and healthcare, among others. According to 98 percent of survey respondents, attack surface monitoring is a “Top 10” security priority at organizations. But that positive perspective belies what is actually being done. A deeper analysis of survey responses reveals significant gaps across attack surface monitoring coverage and cadence.
The reality is that organizations struggle to get even limited visibility into their complete attack surface, despite investing resources across a broad range of piecemeal solutions and processes. The report finds that organizations focus only on assets they already know exist and therefore never know about significant portions of their attack surfaces. That exposes them to attackers that target blind spots specifically because they are unmonitored by organizations. The practice of scrutinizing the known and ignoring the unknown is a form of “security theater” where security teams are doing something, but it does little to improve the security of their organizations. Additionally, despite its self-evident criticality, many organizations use an assortment of tools and manual processes for attack surface monitoring, making the process fraught with operational complexity, human error, and best-guess analysis.

“Why is attack surface monitoring so critical? To paraphrase an old business adage, ‘You can’t manage what you can’t measure,’” said Jon Oltsik, ESG senior principal analyst and fellow. “By discovering and monitoring these assets, security professionals can then find the ‘path of least resistance’ that hackers may use as a doorway to penetrate corporate networks and commence a cyber-attack. Armed with this intelligence, security teams can close the gaps, fine-tune security controls, and develop countermeasures.”

Other key findings from the report include:

  • Attack surface monitoring typically involves only known attack surface. As a result, attack surface visibility is limited. Many organizations never know about numerous attack surface assets, exposing them to unknown and likely easily fixable cyber-risks.

  • Security testing remains separate, and periodic. Rather than tight integration between attack surface monitoring and security testing, many organizations keep these activities stovepiped and continue to conduct security testing — such as penetration tests — only on a periodic basis. While penetration tests are valuable, they are limited in scope due to costs and rarely identify out-of-scope attack surfaces, leaving organizations open to cyber-attack.

  • Organizations must create a continuous closed-loop process between attack surface monitoring and security testing. The attack surface grows and changes all the time, opening new conduits for attackers to penetrate organizations as well as leaving business systems exposed. To get ahead of this, CISOs must create a closed loop that starts with attack surface monitoring, proceeds immediately to security testing and risk prioritization, and concludes with the right remediation actions like controls adjustments or new security investments.

“It’s great to see the validation that monitoring all aspects of an organization’s attack surface and testing for critical weaknesses has become a point of emphasis across all industries, but the data in this report shows there is still much work to be done,” said Rob Gurzeev, CEO and co-founder, CyCognito. “Because so many organizations are using inefficient and costly legacy processes to manually monitor and test their attack surfaces, they’re not able to discover the paths of least resistance that attackers are likely to target first.”

Key Insights:
  • 68 percent of organizations have experienced an attack originating from an unknown, unmanaged, or poorly managed company asset. Even more (75 percent) expect they will experience this type of attack in the future.

  • Security testing must be done frequently across all vulnerable attack surface assets to maximize benefits. 98 percent say testing is a Top 10 security issue, yet only 43 percent claim they perform penetration testing continuously, and only 9 percent claim to test 100 percent their entire attack surface.

  • Nearly half of organizations do not include SaaS applications and public cloud workloads in their definition of "attack surface." Similarly, less than half consider partners and affiliates as extensions of their “attack surface.” Organizations need scalable methods to continuously discover unknown and unmanaged assets–including those in cloud, vendor, partner, and subsidiary environments.

LI-ESG Ad2To download the complete report, visit:


To gather data for this report, ESG conducted a comprehensive survey of IT and security professionals with purchase process responsibility for security technologies in use at their organization, as well as their organizations’ future security strategies. Respondents were based in North America (US and Canada) and employed at large enterprises with 4,000 or more employees. The survey was fielded between July 15, 2020 and July 29, 2020.

About CyCognito

CyCognito solves one of the most fundamental business problems in cybersecurity: seeing how attackers view your organization, where they are most likely to break in, what systems and assets are at risk and how you can eliminate the exposure. Founded by national intelligence agency veterans, CyCognito has a deep understanding of how attackers exploit blind spots and a path of least resistance. The Palo Alto-based company is funded by leading Silicon Valley venture capitalists, and its mission is to help organizations protect themselves from even the most sophisticated attackers. It does this with a category-defining, transformative platform that automates offensive cybersecurity operations to provide reconnaissance capabilities superior to those of attackers.

About ESG

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community. Learn more at


About CyCognito Marketing Team

CyCognito Marketing Team: Raphael Reich, VP of Marketing, Jim Wachhaus, Director of Technical Product Marketing, Lisa Bilawski, Director of Content Marketing, Sam Curcuruto, Senior Director of Product Marketing, Mayura Garg, Director of Integrated Marketing, Simon Spencer, Director of GTM Operations, Laura Givens, Director of Marketing Events, and Michelle Helling, Senior Director of Channel Marketing.


Start Eliminating Your Shadow Risk

Demo Request