
Thinking Like an Attacker: How to Strengthen Modern Cyber Defence Strategies

Most organisations think they understand their security posture. They run pen tests, invest in tools, build out teams. Then a breach happens through an asset no one knew existed. That gap is what we built CyCognito to close.

Recently I had a chance to sit down with Richard Stiennon, Chief Research Analyst and founder of IT-Harvest, to unpack why external attack surface management is fundamentally different from vulnerability management, and how AI is accelerating both the problem and the solutions.

It was the kind of conversation I wish more security leaders were having. I hope you find it valuable. Watch it in the video below.

Takeaways:

  • How AI is reshaping attack surface discovery and exposure management
  • Why blind spots, not known assets, are where most breach risk lives
  • How attack surface complexity has grown exponentially in the last decade
  • The difference between external ASM and vulnerability management
  • Why mean time to remediation is the metric that matters most

Transcript

Richard Stiennon: Help us understand the complexity of external attack surface management.

Rob Gurzeev: Most vendors and most technologies take what we call the lazy approach of asking the team, "What do you know about your attack surface?" And they'll tell you about some adjacent things — like you give them this IP range, they'll say, "Ah, this domain name is directly related to this IP range," voilà, we found something. There is value in that. But where most of the risk is, is the complete blind spots that no one knows about.

Richard Stiennon: If you had to leave CISOs and CIOs with one last thought to take away — what would it be on external exposure management?

Rob Gurzeev: I would say: look at your mean time to remediation of whatever you call critical issues, and try to be honest with yourself and your team. Is that a couple of hours, a few days, or a few weeks?

And then ask yourself: are our current efforts, processes, and technologies going to lead us to reducing that to an hour or two, or do we need a different approach?

Richard Stiennon: Welcome to the Security Strategist podcast, where we explore real-world cybersecurity challenges and the strategies leaders are using to address them. I'm Richard Stiennon, chief research analyst at IT-Harvest and your host.

In this episode, we're focusing on one of the most persistent challenges facing security teams today, which is gaining visibility into and effectively managing the external attack surface in an increasingly complex digital environment.

To help unpack this, I'm joined by Rob Gurzeev, who's CEO of CyCognito. He was recognized on the Forbes 30 Under 30 list for enterprise technology, and is known for his work in attack surface management. Rob, welcome to the show.

Rob Gurzeev: Thank you, Richard. Great to be here.

From Intelligence Work to Attack Surface Management

Richard Stiennon: So Rob, you've been recognized early on for your work in enterprise technology. What led you to focus specifically on attack surface management, and how has that perspective changed as organizations have grown more complex?

Rob Gurzeev: Interestingly, I feel like I haven't chosen attack surface management; it sort of chose me. When I grew up, IRC was big, and kids (I also played basketball, but kids) would, as pranks, de facto exploit their friends' computers and prank them that way. So I grew up as sort of a pentester, I guess.

Then I was fortunate enough to get into an intelligence agency when I was 18 years old, where I spent a bunch of years on what in cybersecurity is called attack surface management. I really worked in the realm of finding the path of least resistance into stuff in that context, to acquire relevant intelligence.

I found it fascinating — like puzzle solving — but frankly very stressful for an 18-year-old, where you have real lives on the line. You know that if you fail, you'll read about it in the news. Super fascinating, very stressful — which eventually, after finishing my service, led to building CyCognito.

Richard Stiennon: I can see how it was stressful, but you didn't have the stress of many founders I talk to who were hacking — where the stress was that law enforcement would knock on the door.

Rob Gurzeev: Yeah. In intelligence agencies, at least you don't have that problem.

It was a fascinating way to learn this whole domain and the attacker-versus-defender perspective, and how different they are. It was especially fascinating to then go into the pure blue side and the cybersecurity industry as we know it — where over the last 25 years we've built all of these layers of defense.

99% of these layers, interestingly and counterintuitively to me, are based on deploying stuff and knowing where your stuff is. Whereas the way I came from — I was taught that you never know what the reality is, and you need to find that path of least resistance.

Eight or ten years ago, very few risk leaders were thinking that way. Folks who spent time in the military or defense found it more intuitive, but not necessarily folks who came from standard software engineering or IT.

Why Organisations Still Can't See Their Full Attack Surface

Richard Stiennon: Despite years of investment in layers and layers of security tools, why do so many organizations still lack a clear picture of their external attack surface?

Rob Gurzeev: If you study software engineering in a university, the school of thought is: how do I build the right architecture? I have these things, I want to protect them. But how often do you stop and ask: where is this most likely to fail? What are the things I know the least about?

In the enterprise world, people want to keep their jobs and get promoted. Are you going to be more appreciated by showing you're hitting your KPIs — or by criticizing processes and technologies that took years to build, and saying "we don't know"?

Say you're spending $2 million on manual pen testing, but apparently you're testing 1% of your internet-facing applications. If you go to a board meeting and say, "We were not testing 99% of these things" — most board members are not technical, they don't understand what this means, and you're not necessarily rewarded for bringing it up.

So it trickles down to the whole organization. That's why some things are more obvious when you focus on offense and path-of-least-resistance orientation — versus building systems, completing projects, and hitting KPIs. With AI massively disrupting all of this, things are different now. But ten years ago, that was definitely the dynamic.

Richard Stiennon: Give us a feel for the complexity that's entered the IT environment. At some of the large companies you work with — how big is the attack surface, and how did it get that big?

Rob Gurzeev: They can be huge, diverse, and complex. 20 years ago it was simple — Apple and Google had one website, one thing connected to the internet. Now, large companies have between 100,000 applications, devices, and cloud assets exposed to the internet. Our biggest customer has 100 million things connected to the internet that external attackers can interact with.

Manual pen testing can cover 100, 500, maybe 1,000 web applications. What about the rest?

Over the last ten years, it has become exponentially easier to build applications and change network configurations. 20 years ago, one person in the whole company could make big changes to network elements. Now you can have people in HR and finance using tools like Claude Code or Lovable, cobbling together sensitive information, building applications, exposing them to the internet, on purpose or accidentally, and they can be completely exploitable.

Has manual pen testing, vulnerability management, or the way findings are prioritized changed significantly to match that? Not that much. That has been a huge challenge for enterprises.

External ASM vs Vulnerability Management

Richard Stiennon: When I think of external attack surface management, there's a lot of confusion with vulnerability management — but some similarities as well. Help us understand the complexity of external attack surface management.

Rob Gurzeev: They are very adjacent, and we believe that "exposure management" as a category name actually connects them. Both are very hard to do well.

Vulnerability scanning and management is about mapping potential vulnerabilities. Attack surface management is about mapping, classifying, and understanding what you have. The internal and external perspectives on this are massively different.

Internal ASM you can do with simple integrations — you can even use Claude Code and connect it to your ServiceNow, your endpoint protection tool, your AWS instances. The biggest challenge there is deduplication and presenting the data nicely. But the data is there.

On the external side, it's a completely different ballgame — because no one knows what reality is. You have a third party that built a marketing campaign for you: it's de facto your application, with your logo, your customers' PII — but built by another company and you have no control over it. You have 100 subsidiaries, each with their own tech stack, some of whom won't cooperate with your global security team.

Between 10% and 50% of those applications, devices, and cloud assets will not be known by any technology or database when we come in. That's huge, because you only need one asset to be unknown or undermanaged to enable a breach.

A useful way to think about it is recall and precision. Recall: how much of the stuff am I finding? If you have 100 assets and I found 99, my recall is 99%. Precision: how accurate am I? I can say a million things are yours, including the 100 you have — but if I'm wrong about 99% of what I'm claiming, that's not helpful either. Balancing the two is really hard.

Most vendors take the lazy approach — asking the team what they already know about their attack surface. There is value in that. But where most of the risk is, is the complete blind spots: the engineer somewhere, the subsidiary in whatever country, the joint venture in China. Those are hardest to find, and they carry the most risk.

How AI Is Changing the Attack Surface Problem

Richard Stiennon: Let's talk about AI. Is the threat going to be exacerbated by the ability of advanced models to find those vulnerabilities? Do they, working for the attacker, help them break into systems?

Rob Gurzeev: Yeah, big time. There's now consensus that AI is changing the conversation on mean time to remediation — it needs to be in hours, not days. In many companies it's still months, even for critical issues.

It seems like there's now an understanding that even a not-too-technical person, anywhere in the world, can exploit applications and complex systems within minutes. So the importance of knowing what's out there — and when a new emerging threat arises, being able to figure out in a minute where your relevant assets are — that's become critical.

I'm hearing from our customers a few times a week that they now have code-red emerging threats. And in terms of the testing portion, we're spending a lot of time expanding our deterministic security testing capabilities into how you use AI for creative testing at scale.

Testing one thing at a time very deeply is almost a solved problem with AI. Testing all of your assets continuously, and not for $50 million but within budget — that's the next big problem to solve, and an area where we're spending a lot of time.

Richard Stiennon: So Rob, if you had to leave CISOs and CIOs with one last thought to take away — what would it be on external exposure management?

Rob Gurzeev: I would say: look at your mean time to remediation of whatever you call critical issues, and try to be honest with yourself and your team. Is that a couple of hours, a few days, or a few weeks?

And then ask yourself: are our current efforts, processes, and technologies going to lead us to reducing that to an hour or two, or do we need a different approach? That's a great conversation to have — important, and also interesting and fun intellectually.

Richard Stiennon: Thank you so much for this, Rob. And to our audience — thank you for joining us. For further information on what we've talked about, please head over to cycognito.com. We'll be back next week with another episode. Until then, make sure you subscribe on all major platforms and follow the conversation on our socials at EM360Tech.
