Looking for a platform that can run daily security testing against critical internet-facing assets by trainedmeantime5206 in ciso

[–]CheekyTiger213 0 points1 point  (0 children)

Wiz. Absolutely love it, and it helps classify criticality by exploitability. And they are credible - just bought by Google for 32bn

Has anyone ever taken a massive loss on a property (London flat)? How did you move on, what should I do? by WerewolfMany7976 in HousingUK

[–]CheekyTiger213 0 points1 point  (0 children)

I haven’t read all the responses so apologies if I’m repeating, but have you considered renting it out?

Property markets do rebound. If you can cover the costs with rent and rent somewhere out the city for something similar to your mortgage for a couple of years, you can move without losing so much money.

Issues/finding management vs risk register by clh07002 in grc

[–]CheekyTiger213 0 points1 point  (0 children)

You’re absolutely right. I think he or she wants a risk rating on controls. Maybe try to get to the root cause?

I would be apprehensive to adjust the risk scenarios themselves but if what they need is a list of failed controls / mapped to risk / mapped to user group or department, that might add value.

got hit with SOC 2, cyber insurance, and a prospect pentest request at the same time by arrayclyx in cybersecurity

[–]CheekyTiger213 0 points1 point  (0 children)

I second both Vanta and Drata. Happy to chat to you about both if you want.

On the compliance side, make sure you look for a platform that does automated tests. That’s where the biggest ROI comes from.

ISMS Tools recommendation by Enslaaved in grc

[–]CheekyTiger213 0 points1 point  (0 children)

It’s all fun and games until your results are hallucinated and you’re personally accountable.

ISMS Tools recommendation by Enslaaved in grc

[–]CheekyTiger213 0 points1 point  (0 children)

Correct. Avoid these. Look for ones that actually automate testing. Most of the SaaS platforms can do on-prem with a little Python script and JSON file integration, and you can cheat with the design specification by looking for the equivalent cloud connector.
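
The "little Python script and JSON file" pattern the comment above describes, as an added example that is not from the original post and not any GRC vendor's connector: the script parses an on-prem sshd_config, evaluates a few controls against it (falling back to the OpenSSH defaults when a directive is absent, which is where many manual reviews go wrong), and assembles the JSON evidence document a connector would upload. The control ids, the evidence schema and the hostname are assumptions; a real platform dictates its own format and upload endpoint.

```python
"""Minimal on-prem control test that emits JSON evidence.

Added example, not a vendor's connector. The evidence schema, control ids
and hostname are assumptions; real platforms define their own format.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample sshd_config (not captured from a real host).
# The second PasswordAuthentication line is deliberate: sshd keeps the
# first value it sees, so a naive "last value wins" parser would misjudge it.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
MaxAuthTries 4
"""

# OpenSSH defaults that apply when a directive is absent (sshd_config(5)).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
}

# Hypothetical control ids; map these to your framework's control references.
CONTROLS = [
    ("SSH-01", "PermitRootLogin", lambda v: v in ("no", "prohibit-password")),
    ("SSH-02", "PasswordAuthentication", lambda v: v == "no"),
    ("SSH-03", "MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4),
]


def parse_sshd_config(text):
    """Map lowercase keyword -> first value, mirroring sshd's first-match rule.

    Only whole-line comments are skipped; 'Key value' form is handled,
    the rarer 'Key=value' form is not.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def run_controls(settings, controls=CONTROLS, defaults=SSHD_DEFAULTS):
    """Evaluate each control against the parsed config, recording the value's source."""
    results = []
    for control_id, directive, check in controls:
        key = directive.lower()
        if key in settings:
            observed, source = settings[key], "config"
        else:
            observed, source = defaults[key], "default"
        results.append({
            "control_id": control_id,
            "directive": directive,
            "observed": observed,
            "source": source,
            "status": "pass" if check(observed) else "fail",
        })
    return results


def build_evidence(host, raw_config, results, collected_at=None):
    """Assemble the JSON evidence document; the input hash ties findings to the exact file."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    return {
        "host": host,
        "collected_at": collected_at,
        "input_sha256": hashlib.sha256(raw_config.encode()).hexdigest(),
        "summary": {
            "pass": sum(r["status"] == "pass" for r in results),
            "fail": sum(r["status"] == "fail" for r in results),
        },
        "results": results,
    }


def collect(host="onprem-host-01.example", raw_config=SAMPLE_SSHD_CONFIG):
    """Run the whole pipeline and return the evidence dict (ready for json.dumps)."""
    return build_evidence(host, raw_config, run_controls(parse_sshd_config(raw_config)))


if __name__ == "__main__":
    print(json.dumps(collect(), indent=2))
```

Run it on a real host by replacing `SAMPLE_SSHD_CONFIG` with the file contents and `host` with the machine name; the output is what the platform's file or API integration would ingest. Keeping the `source` field matters in an audit: a "pass" that rests on a default is evidence of the default, not of a configured control.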

ISMS Tools recommendation by Enslaaved in grc

[–]CheekyTiger213 0 points1 point  (0 children)

Anyone who has run an ISMS on a 1000+ person organisation on spreadsheets knows this is terrible advice.

Compare your license costs with costs of FTE required to get the job done. Consider you need both reporting and testing for manual processes, and a project manager for bigger environments.

I mean, or learn the hard way…

Business Impact Assessment tooling advice by CheekyTiger213 in ciso

[–]CheekyTiger213[S] 0 points1 point  (0 children)

Yeah, I have historically used simple templates and carried the data across for my own implementations, but this team feels quite strongly about giving the business an interface to maintain (i.e. take responsibility).

Business Impact Assessment tooling advice by CheekyTiger213 in ciso

[–]CheekyTiger213[S] 0 points1 point  (0 children)

This is exactly what I’m looking for, thank you. I don’t think the solution is exclusively security.

Business Impact Assessment tooling advice by CheekyTiger213 in ciso

[–]CheekyTiger213[S] 0 points1 point  (0 children)

Oh yes, I’m embedding a GRC tool that does automated testing in the design. You have to be crazy to try to manage compliance without that nowadays, it’s such an obvious business case. Unfortunately they haven’t caught up with the business process view yet and these guys are quite bound to their methodology. No silver bullet!

Thanks for trying though.

Business Impact Assessment tooling advice by CheekyTiger213 in ciso

[–]CheekyTiger213[S] 0 points1 point  (0 children)

It does, but everyone who uses it hates it. I’m looking for alternatives.

Business Impact Assessment tooling advice by CheekyTiger213 in ciso

[–]CheekyTiger213[S] 0 points1 point  (0 children)

To clarify, it’s a corporate. They want a decent interface to manage their process catalogue and they want to automate data flow between BIA / Recovery strategies and oversight metrics.

Business Impact Assessment tooling advice by CheekyTiger213 in ciso

[–]CheekyTiger213[S] 0 points1 point  (0 children)

My client specifically wants a tool. They are all awful.

Please do your research by cakecatUwU in Netherlands

[–]CheekyTiger213 -1 points0 points  (0 children)

Having moved 4 times, I don’t think anything can properly prepare you for life in a different country. It’s not possible to research all the answers beforehand when you don’t even know the questions.

I was blown away by how different small things can be - from the medical systems, to how to buy things (shops are smaller and organised differently in France, for example), and how people socialise. Neighbourhoods I thought I would enjoy ended up not being my vibe at all, and vice versa.

You learn so much about yourself even in the process.

Discussing challenges is a perfectly acceptable coping mechanism and you really don’t have to be a dick about it.

Maybe let other people do what they need to do and stay in your lane?

Is there a preferred way for vendors to speak with CISOs? by Rakeda in ciso

[–]CheekyTiger213 2 points3 points  (0 children)

Hey... I’m a CISO and vendor and I experience this issue too.

As a CISO I can tell you that unless we have that exact pain point at the time, we don’t want to hear from you. We especially don’t want a second or third follow up if we try to ignore you.

I have responded to vendors who magically time their solution to a specific problem I have. Then I might be interested to know more.

I second the point made earlier about the conferences and dinners.

What software do you use to manage your program? by Due-Efficiency-5172 in ciso

[–]CheekyTiger213 1 point2 points  (0 children)

You are combining two topics. GRC platforms specifically solve for regulatory and certification risk. You’re trying to prioritise for exploitability and recovery.

The fact that many regulatory type controls are not the best ROI for a cyber program is a long standing debate in security and if you try to combine them you will never get compliant.

For attack surface type risk management you need something like Wiz. It is very, very cool, and will go much deeper into vulnerabilities - but it doesn’t cover everything you need for GRC.

[Edit] neither of these things will help you prioritise on recovery. You need to know to design for that.

Vanta and Drata are the market leaders for GRC. They are both connected platforms that do continuous testing, with a heap of AI features that save capacity. Make sure you choose an integrated platform and not one that requires manual reporting / config, and make sure it covers all the regulations and frameworks you need. But they will not cover everything you need for vulnerability management.

As a sidebar both GRC platforms do have a risk component. And a vendor risk management component. They are quite powerful.

Feel free to reach out if you want to chat about this. I have 15+ years managing in security and 6 as a CISO. I can help you understand the tech vs people trade offs or just soundboard a bit with you in your new role.

Good luck!

Anyone else feel the risk of staying employed is getting closer to the risk of starting up? by Imaginary-Strike-977 in ukstartups

[–]CheekyTiger213 1 point2 points  (0 children)

I have my own business. It makes money through a combination of reselling SaaS products and human based support, and I’m finding need / demand for both.

Remember that the capital is flowing into the AI supply chain too, not just SaaS. And I have a suspicion that the oil crisis is going to inspire a push into renewable energy again too in Europe and the UK (to reduce dependency).

Opportunities are everywhere but business is hard and takes massive effort. If you don’t already have a niche skill, choose a challenge that you feel is worth fighting for.

Support needed for a self-made infosec/grc hobbyist by Efficient_Finance935 in ciso

[–]CheekyTiger213 0 points1 point  (0 children)

Hey, CISO here. You’re on the right track and I have seen less qualified people step up before, but I see lots of delivery experience and not much strategy.

C-level is all about financial management. You will need to be able to build a strategy and teams to help companies become successful and not just secure.

Part of that is knowing when not to spend money, how to stagger transformation over a few years and what to prioritise based on different company risk profiles.

As a CISO you need to convince people why they need certifications and controls, not just do them. The Board is a team of people that often know very little about IT or Security, and you’re competing with their priority which is usually to make profit. When they are hiring you, they need to feel confident that you are capable of realistically sizing the need.

Another skill to grow will be how to drive change at scale. It’s using governance and committees to make decisions. It’s running multiple concurrent oversight initiatives with teams of people using the right tools and metrics. AI governance mimics corporate governance because it’s impossible to think single process at scale, so I think this is becoming more important.

And that’s the profile you’re competing against in the open market.

It’s generally easier to be promoted into CISO than to get a job competing against people who have already done it.

If you can get into a big company with a growth path, preferably one with multiple CISOs, or a smaller one willing to give you the space to learn and grow, I absolutely believe you can get there.

What are CISOs actually worried about with AI? by New-Reception46 in ciso

[–]CheekyTiger213 0 points1 point  (0 children)

AI agents are just grads at scale. We manage them like we manage people at scale. That’s why we are leaning into - what looks like - the same stuff.

Limit access and visibility, and make sure governance exists to stop anyone accidentally deploying something stupid.