The Platform

Enable your security and operations teams to proactively identify, prioritize, and remediate exposures to stay ahead of attackers.

Watch a Demo
GigaOm Radar for Attack Surface Management

The expansion of an organization's attack surface continues to present a critical business challenge. Download the GigaOm Radar for Attack Surface Management to get an overview of the available ASM solutions, identify leading offerings, and evaluate the best solution for you.  

Use Cases

The CyCognito platform helps you identify all of the attacker-exposed assets in your IT ecosystem for a complete view of your attack surface.

State of External Exposure Management

Download CyCognito’s State of External Exposure Management Report to learn key recommendations that your Security teams can implement to improve their exposure management strategy and minimize risk. 

Our Customers

External attack surface management is advancing cybersecurity into a new era. Learn how security experts across all industries benefit from using CyCognito’s platform.

The Total Economic Impact™ of The CyCognito Platform

Read The Total Economic Impact™ of The CyCognito Platform — a Forrester study. Cost Savings And Business Benefits Enabled By The CyCognito Platform. 

About CyCognito

We believe all organizations should be able to protect themselves from even the most sophisticated attackers.

Contact us

The knowledge you need to manage and protect your attack surface.

What's New Blog

Active testing is a process involving repeated interaction with a digital asset to reach success criteria defined by the test methodology. 

An attack path is one or more security gaps that attackers can exploit to gain access to an IT asset and to move from one IT asset to another. A clear understanding of possible attack paths helps security teams accurately gauge cybersecurity risk. 

An attack surface is the sum of an organization’s attacker-exposed IT assets, whether these assets are secure or vulnerable, known or unknown, in active use or not and regardless of IT/security team is aware of them.  

Attack surface discovery is an initial stage of attack surface management. It’s the process of automated searching to identify digital assets across an organization’s external IT (or Internet-exposed) ecosystem. 

Attack surface management (ASM) is the process of continuously discovering, classifying and assessing the security of your IT ecosystem.  

Attack surface protection is the process of continuously discovering, classifying and testing the security of your attacker-exposed IT ecosystem.  

An attack vector is a path that an attacker can use to gain access to an organization’s network. Attack vectors can include exposed assets or abandoned assets, but they can also include unpatched software vulnerabilities, misconfigured software, weak authentication, and domain hijacking. 

The process of tracking, identifying, and assigning assets to the party that manages them.  

Banner grabbing is a process of collecting intelligence about IT assets and the services available on those assets.  

A botnet is a collection of internet-connected systems each running remotely controlled software that performs a variety of tasks. Botnets are highly useful for performing distributed, coordinated activities.  

BAS is an advanced method of testing security environments by simulating likely attack paths and techniques commonly used by attackers. This process identifies vulnerabilities, much like a penetration test, except it's continuous and automated.  

The business context is identifying an asset or service that is associated with the organization or team that controls it. Understanding the business context provides insight into the extent of the organization’s true attack surface, locating and monitoring otherwise “hidden” assets. 

Center for Critical Security Controls gives pragmatic, actionable recommendations for cyber security. The CyCognito platform maps to 14 of the CIS controls at least partially and provides extensive coverage around inventory of assets, vulnerability and penetration testing, and security of ports and services. 

Cloud security is a broad term referring to the tools and processes organization’s use to protect assets and data stored in the cloud from cyber attacks and threats. This also includes data running in the cloud’s workloads, and anything housed in Software-as-a-Service (SaaS) applications. 

CPE is a structured naming scheme for IT systems, software, and packages. The naming scheme is based on the generic syntax of uniform resource identifiers (URI), and includes a formal name format that checks names against a system, as well as a description format for binding text to a name. 

CVE is a database of publicly disclosed security vulnerabilities and exposures occurring in publicly released software packages. 

CVSS is an open framework articulating the severity of a threat through the principal characteristics of a vulnerability. These consist of three metric groups: base, temporal, and environmental. Once a number score is produced, the score is translated into low, medium, high, or critical risk categories. 

Continuous attack surface testing is the process of monitoring an organization’s IT ecosystem to identify and provide timely visibility into cyberthreats or risks. 

Continuous Threat Exposure Management (CTEM) is a risk reduction strategy designed to unify traditional silos of visibility, risk assessment, issue prioritization, and validation. With CTEM, exposed systems are continuously identified and comprehensively tested. Threat and business impact data is communicated frequently, allowing teams to make informed decisions and take prompt action. 

A cyber kill chain is a series of 7 stages that model the primary actions conducted in a cyberattack. Lockheed Martin developed the cyber kill chain model in 2011 to help cyber defenders identify and prevent the steps of an attack. Other organizations have slightly different models and critics have noted that attackers increasingly flout the cyber kill chain model, but there is broad agreement that organizations should always strive to eliminate potential threats as early as possible in the cyber kill chain. 

Cyber reconnaissance is a cybersecurity term built from the French word “reconnaissance,” which means “surveying” and adapted from the military practice of reconnaissance, conducting an exploratory survey of enemy territory. 

Cyber risk management involves continuously identifying, assessing, and mitigating potential cyber risks as well as understanding their potential impacts. 

A data breach occurs when an unauthorized or potentially malicious party gains access to confidential, sensitive or protected data. Some data breaches contain personally identifiable information (PII), which may include national identity numbers, credit card numbers, or medical records. 

Defensive security is a proactive approach that focuses on prevention, detection, and response to attacks from the perspective of defending the organization. For example, blue teams are generally thought of as defensive security.  

A digital footprint is the trail of data created by a user on the internet. The footprint can be left actively, through websites visited, emails sent, and information submitted online.  

The traditional Domain Name System (DNS) is a real-time, distributed database system where queries to DNS servers and resolvers translate hostnames into IP addresses and vice versa.  

Ethical hacking is a form of offensive security that involves authorized attempts to break into systems and applications in order to test an organization’s security posture. One example of ethical hacking is penetration testing. 

External Attack Surface Management (EASM) is an emerging market category that Gartner created in March 2021 to describe a set of products that supports organizations in identifying risks coming from internet-facing assets and systems that they may be unaware of. 

A false negative occurs when a cyber threat or attack passes through scanning and protection software undetected. 

A false positive is an alert that a detective and protection software generates when legitimate activity is classified as an attack.  

The hacker economy has emerged as a multi-billion dollar criminal industry formed by individual and organized hacking networks.  

An IPv4 address is a 32-bit number that uniquely identifies a network interface used to connect a machine to the Internet or local area network. This is the fourth version of the Internet Protocol used for internetworking.  

IPv6 is a 128-bit number developed by the Internet Engineering Task Force (IETF) to help deal with the long-anticipated problem of IPv4 address exhaustion. 

ISO 27001 is the international gold standard for information security management. ISO 27001 proves the strength of your security posture to prospects and customers in global markets. 

An IT asset is a piece of software or hardware within an information technology environment. 

An organization’s IT ecosystem is the network of services, providers and other organizations connected to the organization that create and deliver information technology products and services.  

Kali Linux is an open-source, specialized Linux platform developed and supported by Offensive Security and used for security research, penetration testing and security forensics.  

Machine learning is a branch of artificial intelligence describing the study of computer programs that leverage algorithms and statistical models to improve automation without explicit programming. This is used to improve the capabilities of a machine, software, or program by allowing it to essentially program itself using data. 

Maltego is an open-source intelligence (OSINT) tool for gathering and connecting data on the internet and illustrating relationships and links between things on a node-based graph. The platform offers a graphical user interface (GUI) that allows security professionals to mine data and helps IT and security teams build a picture of threats, their complexity and severity. 

MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated, globally accessible knowledgebase of adversary tactics and techniques based on real-world observations.  

MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) initial access is a framework for an attacker’s strategy to get into your network. Initial access involves targeted spear phishing and exploiting public-facing web servers, which may allow for continued access and use of external remote services. 

MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) reconnaissance is a framework outlining an attacker’s pre-attack preparation on gathering useful information for future operations. Reconnaissance involves the active or passive gathering of information, which may include details of the victim organization, infrastructure, or staff and personnel. This information is leveraged to aid in other phases of the attack. 

MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) resource development is a framework for an attacker’s pre-attack preparation on gathering resources to support an operation. Resource development consists of techniques the attacker uses to create, purchase, or compromise resources to aid in targeting. These resources include infrastructure, accounts, or capabilities. 

MITRE PRE-ATT&CK was a framework of tactics and techniques to help uncover the many pre-compromise behaviors attackers perform. It was deprecated and removed by MITRE in late 2020 and has since been rolled into the Enterprise matrix under Reconnaissance and the Resource Development categories.  

Multi-factor authentication is an authentication method requiring users to supply more than one distinct authentication factor to gain access to a resource such as an application, online account, or VPN. These factors include something you know (such as a password or PIN), something you have (such as a token or key), or something you are (such as your fingerprint).  

NLP is a branch of artificial intelligence describing the study of how computers can understand, interpret, and manipulate human language. This process is commonly used for analyzing large volumes of textual data and structuring data sources to resolve ambiguous language.  

NIST 800-171 provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI) for those working with the US government. 

‍NIST 800-53 is a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. 

The NIST Framework for Improving Critical Infrastructure Cybersecurity (or “The Framework” for short) consists of standards, guidelines, and practices to promote the protection of critical infrastructure. 

Offensive security is a proactive approach that involves testing an organization’s security posture from the viewpoint of an adversary.  

Open-Source Intelligence (OSINT) refers to the collection and analysis of any information about an individual or organization that can be legally gathered from free, public sources.  

The Open Web Application Security Project (OWASP) is an online non-profit community that aims to improve software security.  

In cybersecurity, passive DNS is used for detecting malicious activities like domain hijacking and botnets. It stores historical DNS information and provides insights into domain names and IP addresses. Passive DNS solutions enhance security posture and protect against emerging threats. 

Passive scanning is a reconnaissance workflow that typically does not involve direct interaction with a digital asset, for example parsing open-source intelligence (OSINT) such as DNS enumeration or Google searches. 

The path of least resistance in cybersecurity is an attacker’s easiest route to reaching a target asset.  

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that applies to any business that accepts, processes, stores, transmits, or impacts the security of cardholder data. 

Automated pen testing is designed to mimic penetration testing with digital tools and software. This process is commonly used by attackers to continuously scan an organization’s entire attack surface. 

Penetration or pen testing is a security practice where a real-world attack on a subset of an organization’s IT ecosystem is simulated in order to discover the security gaps that an attacker could exploit.  

A proactive security approach is the practice of taking measures to predict and prevent a breach before it ever happens. 

Ransomware is a form of malware that leverages encryption to hold the operations of an organization hostage in exchange for a ransom payment.  

Recon-ng is a web-based open-source reconnaissance tool (OSINT) written in Python, often paired with the Kali Linux penetration distribution. The tool reduces time spent harvesting information from open resources and consists of an extensive range of modules and database interaction. 

Red, Blue, and Purple Teams consist of security professionals who are integral to maintaining and improving an organization’s security posture. Red Teams are “attackers” who deploy ethical hacking methods such as penetration testing to simulate an attack and improve defenses. 

Remediation is the removal of the vulnerability or threat that could impact an organization's business and network security, typically through modifying a configuration or patching an operating system or application. Mitigation includes reducing the impact of a threat when it cannot be eliminated. 

Risk is a multifactor calculation of the severity of a threat, likelihood of an occurrence, and the impact of that threat on organizational operations, reputation, and costs. This includes mission, functions, image, or reputation on the organization’s assets or individuals associated with the organization.  

A risk assessment is the process of identifying, analyzing, and evaluating information assets that could be affected by a cyber attack. It then identifies the risks that could affect those assets. A risk assessment helps to ensure the cybersecurity controls are appropriate to the risks facing the organization.  

Risk-Based Vulnerability Management (RBVM) is a process that emphasizes prioritizing the most severe security vulnerabilities and remediating according to the risk that they pose to the organization. This approach is being more widely adopted as organizations realize they have far more vulnerabilities than they can remediate, and they need a way to prioritize which to fix first. 

After a risk analysis has been made, there will be clusters of risks varying in levels of criticality. Risk prioritization is a rational and common sense approach to decision making and analytics, applied to rank and order identified risk events from most to least critical on an appropriate scale. 

An organization’s security posture is the collective measure of the effectiveness of its cybersecurity. Assessing security posture involves testing the security of your IT ecosystem and its susceptibility to outside threats. 

A security rating service (SRS) performs an independent assessment of an organization’s security posture based on third party data from threat intelligence feeds. These feeds consider externally observable and safety factors based on publicly available information. 

Security testing checks software to reveal vulnerabilities in security mechanisms and determine whether data and resources are protected from threat actors. It’s a type of non-functional testing focused on whether the software or application is designed and configured correctly.  

Security theater refers to superficial security measures that create a false sense of safety. Businesses should focus on comprehensive strategies, including effective controls, threat intelligence, and incident response, to minimize risks and protect assets. 

Shadow IT is the use of web apps, cloud-services, software, and other IT resources without the knowledge of an organization’s IT or security teams. 

“Shadow risk” is the risk associated with the unknown assets within an organization’s attack surface.  

In cybersecurity, the phrase “shift left” refers to the process of focusing security practices as early as possible in a given activity or process. “Left” is a reference to the idea that a timeline runs from left to right, with “earlier” to the left, so “shift left” means to start earlier.  

Supply chain risk can be thought of as a specific type of third-party risk, where the risk stems from the fact that vendors and partners in an organization’s supply chain increase its attack surface yet the organization may not have sufficient visibility or awareness of the suppliers’ security posture. 

Third-party risk refers to the potential security risks to an organization stemming from the use of third-party vendors, including those vendors in the supply chain as well as groups that may not typically perform security investigations such as law firms, building infrastructure maintenance and services, accounting firms, or even catering. Third-party risk is also posed by business partners and subsidiaries as well as the vendors that they work with. 

Also known as cyber threat intelligence (CTI), this is information an organization uses to understand the occurrence and assessment of cyber and physical threats. Threat intelligence solutions gather raw data on emerging or existing threats from a number of sources. 

A true negative occurs in cybersecurity when a negative detection occurs in a situation where there is a negative condition. In other words when an intrusion detection system (IDS) successfully ignores acceptable behaviour, or a vulnerability assessment detects no vulnerability in non-vulnerable software, or in attack surface management the platform or process ignores assets that are unrelated to an attack surface. 

A true positive occurs in cybersecurity when a positive detection occurs in a situation where there is an alert or problem condition. In other words when an intrusion detection system (IDS) successfully detects suspicious behaviour, or a vulnerability assessment detects vulnerable software, or in attack surface management when the platform or process finds assets that are related to an attack surface. 

The phrase “unknown unknowns” was popularized by former United States Secretary of Defense Donald Rumsfeld, and has its origins in psychological research.  

A vulnerability is a weakness or issue within a system, software, or application that could be exploited by a malicious party or hacker to gain unauthorized access to an organization.  

Vulnerability management (VM) is the process of identifying, categorizing, and remediating security vulnerabilities to proactively defend against threats.  

A vulnerability scanner is a tool that inspects applications, systems, networks, and software for potential vulnerabilities and compares details about the assets encountered to a database of information about known security holes in those assets that may involve services and ports, anomalies in packet construction, and potential paths to exploitable programs or scripts. 

A web application firewall (WAF) is a security device that protects web applications from a variety of attacks, including SQL injection, cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks.  

Also known as a web app, a web application is software running on a web server that is accessed by users via a browser called a client. Google Docs is a common example of a web application. 

A query and response protocol commonly used for querying databases storing registered users or assignees of internet resources. This includes information on the owners of a domain name, IP address block, or autonomous system. The response is delivered in a human-readable format, the current iteration of which was drafted by the Internet Society. 

Zero Trust is a model for security centered on the belief that organizations should not automatically trust anything, whether inside or outside their network perimeters.