The State of External Attack Surface Management (EASM)

When Dima and I co-founded CyCognito four years ago, our goal was simple: change the attacker/defender dynamic by proactively giving security teams insight about their attack surface and guidance about what they had to do to prevent breaches.

It was at a time when the concept now known as “External Attack Surface Management” didn’t even have a name. Enterprises still had to defend themselves and, in most cases, they focused on putting more locks--newer, shinier locks--on their known assets.

But with the connectedness of everything, the move to the cloud, and continued breach after breach after breach, those tactics have been proven to simply not work. Organizations continued to get compromised because of unknown, unmanaged assets.

Changing the game - moving from defense to offense

Our initial concept was to provide organizations with insights about how they looked to attackers, and to do so with the same skill and rigor that we used as former cyber intelligence soldiers ourselves.

A key part of our doctrine was that most organizations don’t know their attack surface. And because of this, all solutions that rely on their knowledge of what’s theirs will fail at preventing breaches.

So we taught our customers how attackers think. How they look for the path of least resistance on their target’s attack surface. How they get creative with their strategies and tactics. How relatively easy it is to find likely abandoned but still alive and connected assets to use as beachheads into an organization.

We wanted our customers to understand the kind of reconnaissance that attackers did on their targets, and then to do that reconnaissance for them.

And we did. And from this idea, we’ve seen this market grow into something truly impactful. External Attack Surface Management is now a recognized category by Gartner (and it even has its own acronym – EASM) and its core technologies are something that enterprise security teams everywhere are familiar with.

To understand where we’re going, we need to
remember where we’ve been

The concept of scanning networks for connected devices has been around since the late ‘90s with the creation of Nmap. Since it was free, a few commercial products were launched based on this technology, and some of these tools are still in existence today.

Ten years ago, new advancements made this scanning much faster and more efficient. This meant that the concept could now be applied to the entire internet. New software companies began collecting this internet-wide data and allowing organizations to query for things that were alive and exposed behind known IPs that were assigned to them. This was the next iteration of attack surface tools focused on inventory and visibility.

And while inventory and visibility is a critical first step in the prevention of breaches, it’s not enough. What does a security operations team (and IT team, red team, and vuln management team) need to do in order to take their knowledge of their attack surface and actually protect it?

CyCognito has built the only platform to answer that question.

External Attack Surface Management is a lot more than just discovering a list of IPs or websites. It’s the understanding of how your internet-exposed assets tie back into your business. The processes they’re a part of. The data they have access to. Not every device, website, web app, or IT asset is equal, and they can’t be treated like they are.

Our view on EASM is that it must enable organizations to prevent breaches. To automatically maintain an asset inventory, test and validate whether a security gap or vulnerability could actually be exploited, and provide the guidance necessary to improve their security posture. And above all, to be proactive in solving security issues before they’re exploited by attackers.

Aside from CyCognito, no other EASM or enterprise security solution has lived up to this promise.

To infinity and beyond

It turns out, it’s not just enterprise security teams that have taken notice of the importance of and need for EASM.

In the last year alone, we’ve seen our competitors—some that have been around for more than a decade, some less than a year—get major funding and get acquired by some of the giants in enterprise security.

We’re happy for them, we really are, but we also know for sure that there’s a lot more to this EASM market beyond their off-ramps.

I am just as excited about the future of our company and this category as I was on the day we decided to form CyCognito. In fact, I’m more excited.

I’m proud that our machine learning and protection capabilities have surpassed those of manual, human-led, intensive engagements. As someone who was the CTO of the Product department of the 8200 unit of the Israel Defense Forces (IDF), this is exactly what technological progress looks like.

Our peers have said that we have found more unique and significant findings than any other vendor. We’ve been recognized as leaders. We’ve had explosive growth in both enterprises looking for a solution to their attack surface problem and in customers who have trusted their external visibility to us.

At the same time, we’ve seen our friends get acquired at near-unicorn price tags. But the problem isn’t solved. So we’re going to be here for years to come. We’re solving the attack surface protection problem. We’re helping customers beat attackers at their own game. We’re building a company that’s critical to our industry.

Of course, we wouldn’t be here without the phenomenal people behind the business. The chance to work with some of the brightest minds in cybersecurity and tech is nothing short of a dream come true. And it’s with great honor and privilege that I say thank you to our team, our investors, and our customers.

We’re just getting started.