ASM/CV: Vendors to Watch, Know, Understand
In preparing the Horizon Report “Automating Defense: Implementing Continuous Discovery and Validation,” the Stratascale Innovation Labs team assessed 41 companies to evaluate different approaches to enabling key components of an automated attack surface management (ASM)/continuous validation (CV) strategy.
Vendor identification isn’t included in Horizon Reports, but there is ongoing interest in understanding which vendors might be positioned to support a strategy or specific function – and in that spirit, we decided to share our observations regarding “vendors to watch, know, understand” in the ASM/CV space. The initial list of 41 reflected input from the four authors of the report (Michael O’Neil, Joseph Karpenko, Michael Wilcox and Ryan Benson) and from a variety of external sources, notably Vation Ventures, which tracks investment trends across technology segments.
Please note that while Stratascale has assembled this list as a starting point for companies that are looking for sources of attack surface management and continuous validation (ASM/CV) and related solutions/capabilities, no recommendation or warranty is implied by the inclusion of any vendor within this report.
What specific capabilities are considered within an ASM/CV strategy?
The ‘long list’ of 41 vendors that have established relevant ASM/CV market positions includes firms active in one or more of six different competitive markets: Attack Surface Management (ASM), External Attack Surface Management (EASM), Digital Risk Protection Services (DRPS), Threat Intelligence (TI), Continuous Automated Red Teaming (CART) and IT Asset Management (ITAM). This initiative yielded a set of suppliers that provide diverse capabilities, addressing a wide range of threats that are inherent in today’s evolving, increasingly-complex digital business environments.
These suppliers were then reviewed from our customers’ perspectives. Stratascale serves (broadly) Fortune 1000 companies, and these large organizations require a combination of solutions, tools and third-party support for integrating and managing the ASM/CV function. In our experience, enterprises looking at potential suppliers consider:
- Technology capabilities and specific target functionality.
- Compatibility, interoperability, and integration with existing or future technologies and solutions.
- Expansion path.
- Cost (product, implementation and integration, ongoing management and support)
- Support and documentation.
- Cultural fit.
Each of the 41 long list firms has established a position that connects their discrete capabilities with client needs; these capabilities may be an ideal fit for your business.
If you are seeking a starting point, Stratascale recommends that readers begin their investigation with the following vendors. Brief observations from Stratascale experts are included in quotes to provide context.
- Armis Security: “Customers are trying to address IoT and often don’t know where to begin.”
- Acquired by Insight Partners for $1B, January 2020.
- Bit Discovery: “Security teams need to keep track of their Web/digital teams’ assets.”
- C2SEC: “I like the 3rd party assurance play.”
- Censys: “Interesting technology and story.”
- CybelAngel: “Good buzz around their data leak technology.”
- Cymulate: “Good addition to incident response/simulation testing.”
- FireCompass: “Combines ASM with CART.”
- LookingGlass: “Strong innovation heritage.”
- RecordedFuture: “I like this company and their technology a lot.”
- Acquired by Insight Partners for $780M, May 2019.
- ZeroFox: “Those who can afford them seem very happy; great social media intelligence.”
Multiple vendors included in this report offer deep capabilities for specific use cases and should be considered if their focus overlaps with a discrete requirement. These vendors, with brief descriptions of their focus areas (drawn from Vation/vendors), include:
- Axonius: Asset management with a cybersecurity lens.
- Rumble: Discover and classify assets in IT and OT environments, more effectively manage asset risk.
- Tanium: Full visibility – on every endpoint, managed or unmanaged – to prevent or correct bad behaviors.
Attack Surface Management
- CyCognito: Continuously discover, perform automated attack emulation, identify risks and implement controls.
- Expanse: Continuously discover, evaluate, and mitigate your external attack surface.
- Acquired by Palo Alto Networks for $800M, November 2020.
- Medigate: Discover, identify, and protect all Internet of Medical Things (IoMT) devices.
- Acquired by Claroty for $400M, December 2021.
- Orca Security: Agentless SideScanning™ technology that delivers full-stack visibility of cloud infrastructure.
- Randori: Trusted Adversary for ASM, CART, and secure cloud-migration needs.
- Shodan: Delivering “an asset discovery and search engine for internet-connected devices.”
- Digital Shadows: Minimizing digital risk by identifying exposure and protecting against external threats.
- Flashpoint: Various types of intelligence and threat insights – dark web, fraud, financial crime, and credential theft.
- RiskIQ: Digital risk, threat and vulnerability intelligence, attack surface discovery, and 3rd party risk insights.
- Acquired by Microsoft for $500M, July 2021.
Other firms included in the initial list
In addition to the firms listed above, Stratascale’s research scope included Alphawave (acquired by LookingGlass in 2021), Balbix, BinaryEdge (acquired by Coalition in 2020), Bishop Fox, Bitdefender, Black Kite, CTM360, CyberInt, Cyberpion, ImmuniWeb, Intrigue, IntSights, Netsparker, Order, Reposify, RiskLens, SpyCloud and Sweepatic. Readers might also look to vendors such as Cisco Systems, FireEye, Mandiant, Microsoft, and Palo Alto Networks, which may incorporate needed ASM, EASM, DRPS, TI, CART and/or ITAM capabilities within their portfolios. These vendors were not included in the Horizon Report evaluation, but may meet the needs of specific buyers, particularly those with existing investments in one or more of these vendors.
Stratascale brings a unique combination of expertise, solution depth and vendor relationships and insight to the cybersecurity market. Readers seeking support for the Attack Surface Management and Continuous Validation (ASM/CV) function are encouraged to contact their Stratascale Account Executive or to connect with us at stratascale.com/contact-us/.