{"id":1144,"date":"2024-09-30T08:00:00","date_gmt":"2024-09-30T15:00:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=1144"},"modified":"2025-04-14T09:29:48","modified_gmt":"2025-04-14T16:29:48","slug":"think-your-attack-surface-is-covered-lets-look-at-the-math","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/","title":{"rendered":"Think your attack surface is covered? Let&#8217;s look at the math."},"content":{"rendered":"\n<p>When it comes to security, organizations often consider themselves well-covered. But in today\u2019s landscape, where cybersecurity threats evolve at breakneck speed, even the most well-prepared teams cannot afford to have testing gaps.&nbsp;<\/p>\n\n\n\n<p>The reality is that if your primary strategy for removing security testing gaps is tightening scanning policies or expanding penetration test scope, you are trying to patch a dam with bubble gum.&nbsp;<\/p>\n\n\n\n<p><strong>Is your attack surface covered?<\/strong> Let\u2019s take a deeper look at the reality behind security testing and how common approaches may leave you with larger gaps than you expect.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Math of Security Gaps<\/h2>\n\n\n\n<p>To calculate security testing gaps we need a risk model and relevant test criteria. <strong>Multi-criteria decision analysis<\/strong> (MCDA) is a great fit. For security testing criteria, we\u2019ll use <strong>coverage<\/strong>, <strong>accuracy<\/strong>, and <strong>frequency<\/strong>.<\/p>\n\n\n\n<p>Why these criteria? Security testing gaps are not just about coverage. Gaps in test frequency and test accuracy are just as problematic.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Does \u201cIdeal\u201d Security Testing Look Like?<\/h2>\n\n\n\n<p>We all know there\u2019s no standard when it comes to security testing. 
Each organization must tailor its strategy to its unique business needs, risks, skills and budgets.<\/p>\n\n\n\n<p>While this means the concept of ideal is subjective, the following are agreed-upon truths:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Test Everything:<\/strong> It\u2019s not enough to just test what you know about or what you think is most visible \u2013 <em>everything<\/em> exposed must be tested.<\/li>\n\n\n\n<li><strong>Test Accurately:<\/strong> High accuracy means less noise and deeper, more meaningful results. With fewer false positives, your team can focus on actual vulnerabilities rather than chasing false alarms.<\/li>\n\n\n\n<li><strong>Test Frequently:<\/strong> Your test cadence may be dictated by compliance and also your team\u2019s capacity to respond. Weekly testing is considered an ideal target.<\/li>\n<\/ul>\n\n\n\n<p>So, let&#8217;s put a stake in the ground. \u201cIdeal\u201d testing is <strong>full coverage<\/strong>, <strong>very high accuracy<\/strong>, and <strong>very high frequency<\/strong>. Combined, these should result in a perfect score of 100 and a gap of 0%. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"994\" height=\"213\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7.webp\" alt=\"\" class=\"wp-image-1150\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7.webp 994w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7-512x110.webp 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7-768x165.webp 768w\" sizes=\"auto, (max-width: 994px) 100vw, 994px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>For those of you double-checking the math, note that while the graphic shows basic multiplication, the actual MCDA model is more sophisticated. This graphic is for visualization only. 
Reach out if you would like to discuss the model (or use our calculator at the end of this blog to determine your own gaps!).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Calculating the Actual Security Testing Score<\/h2>\n\n\n\n<p>On average, companies deploy <a href=\"https:\/\/cloudsecurityalliance.org\/blog\/2024\/05\/23\/2024-report-reveals-hundreds-of-security-events-per-week-highlighting-the-criticality-of-continuous-validation\"><strong>53 security tools<\/strong><\/a> across their environments. These tools include a mix of commercial and open-source testing solutions, running at varying frequencies across different assets.<\/p>\n\n\n\n<p>Many of these tools are not designed for the coverage, accuracy, or frequency required for ideal security testing. Stretching these tools beyond their capabilities in order to maximize budget leaves staff with more work, less value and a false sense of security.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s look closer at three common test approaches: <a href=\"https:\/\/www.cycognito.com\/glossary\/vulnerability-scanners.php\"><strong>network vulnerability scanning<\/strong><\/a>, <a href=\"\/learn\/application-security\/dynamic-application-security.php\"><strong>application testing (DAST)<\/strong><\/a>, and <a href=\"https:\/\/www.cycognito.com\/glossary\/penetration-testing.php\"><strong>penetration testing<\/strong><\/a>.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">1. Network Vulnerability Scanning<\/h5>\n\n\n\n<p>Network scanners scan known subnets for vulnerabilities and misconfigurations on exposed systems and services. Here is a realistic deployment:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Coverage: <\/strong>Medium to high (70 to 80% of known assets).<\/li>\n\n\n\n<li><strong>Accuracy:<\/strong> Medium. 
Vulnerability scanners are well-known for producing false positives since they often rely solely on passive scanning techniques, CPE to CVE mappings and unvalidated results.<\/li>\n\n\n\n<li><strong>Frequency:<\/strong> Ranges from weekly to monthly on average; let\u2019s call it bi-weekly for this example.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1050\" height=\"142\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1-4.webp\" alt=\"\" class=\"wp-image-1151\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1-4.webp 1050w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1-4-512x69.webp 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1-4-768x104.webp 768w\" sizes=\"auto, (max-width: 1050px) 100vw, 1050px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The result is a score of 55, which is a <strong>45% gap from ideal<\/strong>. Probably bigger than you thought. And even if you increase scanning frequency to weekly, you\u2019re still left with a 35% gap.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">2. Application Testing (DAST)<\/h5>\n\n\n\n<p>Dynamic Application Security Testing (DAST) is a form of black-box testing for web applications. Here is a realistic deployment:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Coverage: <\/strong>Low (20% or less of known web applications). This is usually due to labor and license costs, coupled with long test management time and risk of impact.<\/li>\n\n\n\n<li><strong>Accuracy:<\/strong> High. DAST tools have built-in success criteria, which lowers false positives and validates more complex issues.<\/li>\n\n\n\n<li><strong>Frequency:<\/strong> Low. 
Varies with the size of the attack surface, but in general monthly is considered the best case (see our <a href=\"https:\/\/www.cycognito.com\/resources\/reports\/cycognito-state-of-web-application-security-testing-2024\/\">2024 State of Web Application Security Testing<\/a> report for more info).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1045\" height=\"142\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-2-3.webp\" alt=\"\" class=\"wp-image-1152\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-2-3.webp 1045w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-2-3-512x70.webp 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-2-3-768x104.webp 768w\" sizes=\"auto, (max-width: 1045px) 100vw, 1045px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The result is a score of 33, which is a <strong>gap of 67% from ideal<\/strong>. While DAST tools offer high accuracy, their low coverage and frequency pull the score down. This is a major testing gap, despite web applications being one of the <a href=\"https:\/\/www.verizon.com\/business\/en-au\/resources\/reports\/2024\/dbir\/2024-dbir-data-breach-investigations-report.pdf\">largest threat vectors.<\/a><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">3. Penetration Testing<\/h5>\n\n\n\n<p>Legacy penetration testing is a manual offensive security exercise that includes scoping, reconnaissance, vulnerability scanning, and testing. Here is a realistic use case:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Coverage:<\/strong> Low (5 to 10%, focused only on high-value assets). High labor costs and long test times make it difficult to scale to even a large fraction of full coverage.<\/li>\n\n\n\n<li><strong>Accuracy:<\/strong> High. 
Pen testing involves human verification, which brings a higher level of expertise and curiosity to the process.<\/li>\n\n\n\n<li><strong>Frequency:<\/strong> Low (typically annually or twice a year).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1043\" height=\"148\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-3-3.webp\" alt=\"\" class=\"wp-image-1154\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-3-3.webp 1043w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-3-3-512x73.webp 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-3-3-768x109.webp 768w\" sizes=\"auto, (max-width: 1043px) 100vw, 1043px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The result is a score of 12, which equates to a considerable <strong>gap of 88% from ideal<\/strong>. Pen testing is highly valuable and can be highly accurate, but with coverage and frequency so low, it struggles to move the needle on real-time risk.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Should You Be Satisfied with 45%?<\/h2>\n\n\n\n<p>Is it a surprise that the three examples have a best-case <strong>45% gap from ideal<\/strong>? If you are like many, this number is large enough that you are comparing it to your own deployments.<\/p>\n\n\n\n<p>You can relax (a bit) since this is a high-level exercise, not a multi-month onsite audit of your InfoSec department. 
For example, your compensating controls (e.g., a WAF in front of an untested web app) reduce the risk from testing gaps, and they aren\u2019t part of this measurement.<\/p>\n\n\n\n<p><strong>But that doesn\u2019t mean the gaps aren\u2019t real.<\/strong> Protection-based security tools are important, but resolving an issue before it becomes an incident (or a breach) eliminates the associated emergency overnight patching panic.<\/p>\n\n\n\n<p>Take a look at your current testing technologies through the lens of coverage, accuracy and frequency. How do they compare to ideal, and what do you feel it would take to bring them there?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Remove Your Security Testing Gaps in One Step<\/strong><\/h2>\n\n\n\n<div class=\"inset narrow pullquote right\">\n<p class=\"lede medium-blue\">\u201cCyCognito provides a true platform that cuts across multiple market categories. It gives us greater visibility to our attack surface than other solutions we\u2019ve used and the type of risk assessment depth that normally requires an expert pen tester.\u201d<\/p>\n<h6 class=\"smaller light gray \">CISO, Publicly traded global investment management firm<\/h6>\n<\/div>\n\n\n\n<p>CyCognito is an automated testing solution with integrated recon, discovery and prioritization. 
Designed from the ground up to remove the complexity of security testing, CyCognito provides a single interface for safe testing of both network systems and web applications.<\/p>\n\n\n\n<p>With CyCognito, your teams know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All exposed assets are continuously identified, validated and actively tested \u2013 including web apps using DAST.<\/li>\n\n\n\n<li>New business structures and related exposed assets will be added automatically, without manually entered seed information or prompts.<\/li>\n\n\n\n<li>Attacker interest in the vulnerability, through integrated threat intelligence, including <a href=\"https:\/\/www.cycognito.com\/blog\/cycognito-operationalizes-cisa-known-exploited-vulnerabilities-catalog\/\">CISA known exploited vulnerabilities<\/a> (KEV).&nbsp;<\/li>\n\n\n\n<li>Remediation planning workflows with steps to reach your desired security grade.<\/li>\n\n\n\n<li>Issues that are in violation of six cybersecurity frameworks (including ISO, NIST and CIS).<\/li>\n<\/ul>\n\n\n\n<p>CyCognito provides:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Issues that represent true risk to your organization.<\/li>\n\n\n\n<li>Validation that an issue was remediated.<\/li>\n\n\n\n<li>Detailed risk grading and scoring per asset, per subsidiary and per brand, with evidence.<\/li>\n\n\n\n<li>Remediation instructions and an estimate of remediation effort.<\/li>\n\n\n\n<li>Complex recon such as asset business function, business owner and asset location details (for example autonomous system number, or ASN) that is proven to reduce your mean time to remediation (MTTR).<\/li>\n<\/ul>\n\n\n\n<p>With CyCognito, you can reach a security testing score of <strong>95+<\/strong>, with no installation, configuration, or management challenges.&nbsp;<\/p>\n\n\n\n<p><strong>Curious about your security testing gap? 
<\/strong>Answer a few questions in the <a href=\"https:\/\/www.cycognito.com\/security-gap-calculator\/\">CyCognito Security Testing Gap Calculator<\/a> to receive a custom report that includes individual test scores, gaps, and customized insight as to how to improve your score.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"886\" height=\"891\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-6-1.webp\" alt=\"\" class=\"wp-image-1157\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-6-1.webp 886w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-6-1-509x512.webp 509w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-6-1-150x150.webp 150w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-6-1-768x772.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Many organizations believe their security testing is robust, but common tools like vulnerability scanning and penetration testing often leave surprising gaps. Infrequent tests, limited asset coverage and inaccurate results leave exposure and risk. Achieving ideal security goals requires full coverage, high accuracy, and frequent testing\u2014criteria most approaches struggle to deliver. 
CyCognito bridges these gaps with automated testing for network systems and web applications, helping organizations strengthen their security, continuously.<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[229,1],"tags":[181,20,34,186],"class_list":["post-1144","post","type-post","status-publish","format-standard","hentry","category-featured","category-perspectives","tag-dast","tag-infographic","tag-pen-testing","tag-vulnerability-scanning"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Think your attack surface is covered? Let&#039;s look at the math. | CyCognito Blog<\/title>\n<meta name=\"description\" content=\"Many believe their security is complete, but gaps in coverage, frequency, and accuracy exist. CyCognito fills gaps with automated testing and insights.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Think your attack surface is covered? Let&#039;s look at the math.\" \/>\n<meta property=\"og:description\" content=\"Many believe their security is complete, but gaps in coverage, frequency, and accuracy exist. 
CyCognito fills gaps with automated testing and insights.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-30T15:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-04-14T16:29:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/banner-blog-2024-09-30-2400x1256-email.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2400\" \/>\n\t<meta property=\"og:image:height\" content=\"1256\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jason Pappalexis\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jason Pappalexis\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/\"},\"author\":{\"name\":\"Jason Pappalexis\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/d24c88adb69cc9e8748425394054a55b\"},\"headline\":\"Think your attack surface is covered? 
Let&#8217;s look at the math.\",\"datePublished\":\"2024-09-30T15:00:00+00:00\",\"dateModified\":\"2025-04-14T16:29:48+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/\"},\"wordCount\":1300,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7.webp\",\"keywords\":[\"DAST\",\"Infographic\",\"Pen Testing\",\"Vulnerability Scanning\"],\"articleSection\":[\"Featured\",\"Perspectives\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/\",\"name\":\"Think your attack surface is covered? Let's look at the math. | CyCognito Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7.webp\",\"datePublished\":\"2024-09-30T15:00:00+00:00\",\"dateModified\":\"2025-04-14T16:29:48+00:00\",\"description\":\"Many believe their security is complete, but gaps in coverage, frequency, and accuracy exist. 
CyCognito fills gaps with automated testing and insights.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#primaryimage\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7.webp\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7.webp\",\"width\":994,\"height\":213},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Think your attack surface is covered? 
Let&#8217;s look at the math.\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/d24c88adb69cc9e8748425394054a55b\",\"name\":\"Jason Pappalexis\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/a3e2da561c68bc740a2a280b72b231ff?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/a3e2da561c68bc740a2a280b72b231ff?s=96&d=mm&r=g\",\"caption\":\"Jason Pappalexis\"},\"description\":\"Sr. Technical Marketing Manager\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/jason-pappalexis\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Think your attack surface is covered? Let's look at the math. | CyCognito Blog","description":"Many believe their security is complete, but gaps in coverage, frequency, and accuracy exist. CyCognito fills gaps with automated testing and insights.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/","og_locale":"en_US","og_type":"article","og_title":"Think your attack surface is covered? Let's look at the math.","og_description":"Many believe their security is complete, but gaps in coverage, frequency, and accuracy exist. CyCognito fills gaps with automated testing and insights.","og_url":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/","og_site_name":"CyCognito Blog","article_published_time":"2024-09-30T15:00:00+00:00","article_modified_time":"2025-04-14T16:29:48+00:00","og_image":[{"width":2400,"height":1256,"url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/banner-blog-2024-09-30-2400x1256-email.png","type":"image\/png"}],"author":"Jason Pappalexis","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jason Pappalexis","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#article","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/"},"author":{"name":"Jason Pappalexis","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/d24c88adb69cc9e8748425394054a55b"},"headline":"Think your attack surface is covered? 
Let&#8217;s look at the math.","datePublished":"2024-09-30T15:00:00+00:00","dateModified":"2025-04-14T16:29:48+00:00","mainEntityOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/"},"wordCount":1300,"publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7.webp","keywords":["DAST","Infographic","Pen Testing","Vulnerability Scanning"],"articleSection":["Featured","Perspectives"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/","url":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/","name":"Think your attack surface is covered? Let's look at the math. | CyCognito Blog","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#primaryimage"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7.webp","datePublished":"2024-09-30T15:00:00+00:00","dateModified":"2025-04-14T16:29:48+00:00","description":"Many believe their security is complete, but gaps in coverage, frequency, and accuracy exist. 
CyCognito fills gaps with automated testing and insights.","breadcrumb":{"@id":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#primaryimage","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7.webp","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-7.webp","width":994,"height":213},{"@type":"BreadcrumbList","@id":"https:\/\/www.cycognito.com\/blog\/think-your-attack-surface-is-covered-lets-look-at-the-math\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cycognito.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Think your attack surface is covered? 
Let&#8217;s look at the math."}]},{"@type":"WebSite","@id":"https:\/\/www.cycognito.com\/blog\/#website","url":"https:\/\/www.cycognito.com\/blog\/","name":"Cycognito Blog","description":"Research, Product News and Latest Updates","publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.cycognito.com\/blog\/#organization","name":"Cycognito","url":"https:\/\/www.cycognito.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","width":1720,"height":550,"caption":"Cycognito"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/d24c88adb69cc9e8748425394054a55b","name":"Jason Pappalexis","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/a3e2da561c68bc740a2a280b72b231ff?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a3e2da561c68bc740a2a280b72b231ff?s=96&d=mm&r=g","caption":"Jason Pappalexis"},"description":"Sr. 
Technical Marketing Manager","url":"https:\/\/www.cycognito.com\/blog\/author\/jason-pappalexis\/"}]}},"_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/1144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=1144"}],"version-history":[{"count":12,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/1144\/revisions"}],"predecessor-version":[{"id":1454,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/1144\/revisions\/1454"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=1144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=1144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=1144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}