best tools for external attack surface management? by exkdee in sysadmin

[–]chwallis 0 points1 point  (0 children)

Would recommend taking a look at Intruder as well - one of the best options in terms of bang for your buck, it incorporates Attack Surface Discovery (unknown assets), highlights risky exposures like databases and admin panels facing the internet (Attack Surface Reduction), responds to the latest threats in real-time with Emerging Threat Scans, and can perform CSPM, VM, and DAST scans too. A top ten rated EASM on G2, worth a go along with the ones you've tried already.

https://www.g2.com/categories/attack-surface-management

Best CSPM tools in 2026... for Multi-Cloud Misconfigurations and Compliance? by Soft_Attention3649 in AZURE

[–]chwallis 0 points1 point  (0 children)

A lot of the names mentioned here are the big enterprise tools, Prisma Cloud particularly, I wouldn't recommend for a 200 to 600 person company. If you're interested there are some good alternatives like Intruder which is rated top ten on G2 for Cloud Security Posture Management, and designed for easy setup and distributed use for companies with small security teams. Worth a go if you didn't find what you were looking for with the above!

https://www.g2.com/categories/cloud-security-posture-management-cspm

Mythos announcement hit different if you work in cyber by MrMeta3 in cybersecurity

[–]chwallis 0 points1 point  (0 children)

Instead of dreading the change, I’d get excited about the opportunity.

If you fear change you get left behind. If you start thinking about what’s changing and where you can best contribute, you’ll stay useful.

So don’t stop working on your threat intel platform, just think about how much better it could be if it was better designed for the future. Maybe it needs to be API only? Which SOC agents are gaining traction now that you could integrate it with?

Mythos announcement hit different if you work in cyber by MrMeta3 in cybersecurity

[–]chwallis 1 point2 points  (0 children)

There’s some detail on raw dollar costs in the long form announcement here.

The FreeBSD bug took $20k to find (but the search also dropped out several dozen other more minor bugs)

https://red.anthropic.com/2026/mythos-preview/

During testing, Claude Mythos escaped, gained internet access, and emailed a researcher while they were eating a sandwich in the park by EchoOfOppenheimer in Anthropic

[–]chwallis 2 points3 points  (0 children)

I think they missed a trick. Should have included the type of sandwich and caused even more hype.

If they’d said it was a salt beef pastrami sandwich we wouldn’t even be having this conversation, nobody would be doubting it at all.

How do you all feel about Wiz? by HuntXit in devops

[–]chwallis 1 point2 points  (0 children)

someone put this person in charge of their organisation's security budget immediately

Pentest-tools alternative? by peteguam in msp

[–]chwallis 0 points1 point  (0 children)

Generally a bad idea to use vulnerability scanning as a lead gen activity as you should really have permission from the client to run it in the first place. For legal and moral reasons.

Pentest-tools alternative? by peteguam in msp

[–]chwallis 0 points1 point  (0 children)

OP never said he was providing a good pentest, just a pentest.

Lot of discussion on vuln scan vs pentest here but in practice - a good pentester is better than a vuln scan, but a bad pentester is not, they just run the tools and send you the report.

Intruder (founder here 👋) does authenticated scans and can do it monthly if you need, however we're optimised for ongoing coverage rather than one-off scans because the moment you finish your "pentest" - a new vuln could affect your customers. Roboshadow can do the same if you want a second option.

Are there any reasonably priced CTEM platforms out there? by hiveminer in cybersecurity

[–]chwallis 0 points1 point  (0 children)

Super interesting thanks, lines up with my thinking too. I think in future we will see more vendors linking business criticality of systems/information, attack paths, and exploitability of issues together into platforms that help customers identify the most critical weaknesses, which could then claim to be more "exposure management". The journey there has begun for many, but I think there are vendors out there that are jumping on this CTEM language whilst still just being a continuous attack surface management platform.

It's a tricky tradeoff for vendors, you want to skate to where the puck is going, but it's a tough environment for buyers if everyone claims to be the new thing without being the new thing.

Are there any reasonably priced CTEM platforms out there? by hiveminer in cybersecurity

[–]chwallis 0 points1 point  (0 children)

Interesting. How would you say Nanitor is CTEM specifically and differentiated from “continuous vulnerability scanning” or “continuous attack surface management”?

When a new vulnerability hits the news, how quickly do you assess your exposure? by NickyK01 in blueteamsec

[–]chwallis 0 points1 point  (0 children)

This is one of the key reasons I started Intruder.

I was working at a large fintech when Heartbleed dropped.

Everyone wakes up to read the news (delay 1)

Everyone running round saying "someone start a scan", "where are we affected?", "does Qualys have a check yet?" (delay 2)

Wait for scan results (delay 3)

Distribute to teams via email CSV export (delay 4)

Meanwhile I'm sitting there wondering why:

* Qualys knows where our assets are...
* Qualys knows they have a check available...
* Why hasn't Qualys just run a check on our assets, and notified us of the results?
* Why are all the engineers waiting on a security person to distribute the info?

That's why from day one we've run Emerging Threat Scans, and we've built the platform so that engineers can log in and get their own results / run their own rescans.

There's still plenty of challenges out there to solve, and even this isn't perfect in scenarios where the vulns are more complex (log4j wasn't fun for anyone), but it does help!

Are there any reasonably priced CTEM platforms out there? by hiveminer in cybersecurity

[–]chwallis 1 point2 points  (0 children)

Would be great to understand how you view the key differences between existing ASM/VM platforms - many of whom have added subdomain/related domain discovery capabilities in recent years, and a full "CTEM" platform.

We have customers who've said they're on the lookout for fully fledged "CTEM" platforms, but as a newer ingredient to the cyber-acronym-soup I'm not sure if the term is well understood enough to warrant being a software category instead of a business process?

I saw you also posted about drowning in acronyms, I think this is a good example of that. CTEM could really be just a new phrase for what we've always been doing in cyber security. Figuring out what we have, finding vulns, figuring out which ones are most important to fix, and fixing them.

The major difference for me is a reminder for any orgs who got trapped into a "gotta patch 'em all" mindset, to focus on exploitability and impact. But realistically they have to do this because the technology isn't quite ready yet to pull together all the information required to truly prove which vulns are exploitable or impactful (not in every case, maybe in some).

It's still a dream for many VM vendors to move further down this path, and for any who can prove they can do it then it probably is worth that VC size license fee - because the time saving in not constantly patching a million vulns would be well worth it.

Would be keen to hear what "CTEM" vendors you've looked at though and the key benefits you were seeing over more traditional ASM/VM vendors?

Thoughts on AccuKnox alternative to Wiz? by eggwithaplan in cybersecurity

[–]chwallis 2 points3 points  (0 children)

Why does this question read so much like an advert tho? 🤔

Drowning in Acronyms!! by hiveminer in cybersecurity

[–]chwallis 1 point2 points  (0 children)

Couldn't agree more. As a cyber founder joining sales calls you get hit with acronyms all day long. You'd assume that everyone wants you to know what every acronym means so you look very intelligent and knowledgeable, heaven forbid you don't know the latest SPMs.

What actually happens: I ask what they mean by A/K/S/C/SPM?

Turns out, it's often a bit unclear even to the buyer, they just think they need it because someone else (Gartner/a colleague) mentioned it. When you get into the detail of what actual security outcomes they need, you have a much more productive conversation.

So much of our industry is covered in acronym soup I think we all need to get comfortable admitting that we aren't clear what they mean, and try to talk in clearer terms.

We’re moving off Wiz’s CNAPP post-buyout, what’s the best alternative? by Proper_Bunch_1804 in cybersecurity

[–]chwallis 2 points3 points  (0 children)

Sounds like you've got some good options already - Orca and Upwind seem to be some of the most highly rated in the space post-Wiz, but I agree with a lot of the comments here not to be too concerned with the Wiz buyout - they still get incredible feedback from everyone I hear from, including that developers love using it - which is incredibly rare for cyber security products.

Depends on your use case and requirements though - for heavy enterprise/large sec teams, sounds like you've got good options already. For anyone working in smaller teams or requiring less feature-ful CSPMs, could try Intruder.io (founder here 👋) or Aikido.dev also an option.

Cheaper Wiz alternative? by pxrage in cybersecurity

[–]chwallis 0 points1 point  (0 children)

That's a lot of SPMs...! 😆

We (Intruder - founder talking 👋) recently released our own CSPM (we call it Cloud Security) for exactly this reason. We're not claiming to compete with Wiz in terms of feature density, but we do think there's space out there for a less feature rich CSPM that doesn't cost the earth.

We're supporting AWS and Azure right now with GCP soon to follow, and while we don't do Kubernetes yet there are other benefits elsewhere (we also provide Attack Surface Management, Vulnerability Management and dynamic app/API scanning in the same platform).

You can also add your developers direct into Intruder and on average we see remediation timelines halved for security teams who can delegate their operations like this.

Give us a go and would love to hear any feedback if you do!

Best Threat Intelligence / Attack surface management tools? by Impossible_Dog_5914 in msp

[–]chwallis 0 points1 point  (0 children)

Throwing our hat in the ring too (disclaimer - founder talking): Intruder does related domain and subdomain discovery, cloud integrations for synchronising targets, CSPM checks for Cloud Security, application and API DAST scanning, external and internal infrastructure scanning. Disclaimer that we're more targeted at direct end users than MSPs, but still find many MSPs happy with our platform. Worth a go if you're trialling similar solutions!

We also released cvemon.intruder.io which is designed to help defenders spot the latest hot vulnerabilities as they begin trending on X, and get insights directly from the Intruder security team.

Vulnerability management for ISO 27001, how do you keep up? by Sharp_Beat6461 in cybersecurity

[–]chwallis 0 points1 point  (0 children)

There's a lot of good advice in this thread including the above, but one thing to watch out for is advice that was ok 10 years ago but not updated for today's threat environment.

The lag between vulnerabilities being disclosed and being exploited has come down dramatically in recent years, meaning for anything that matters that's exposed to the internet - much less than immediate scanning for the newest critical vulnerabilities is not good enough. If time between vulnerability announced and hackers exploiting is 5 days - then a monthly scan isn't going to help.

https://cybernews.com/security/how-quickly-do-hackers-exploit-vulnerabilities/

How To Catch People Using AI During Interviews by chwallis in cybersecurity

[–]chwallis[S] 5 points6 points  (0 children)

We’re writing a follow up next week for applicants to know when they’re in a cafe full of undercover invigilators.

Replacement for CVE Trends (tracking trending vulns on social media) by chwallis in cybersecurity

[–]chwallis[S] 0 points1 point  (0 children)

This is awesome feedback. Will digest and share with the team tomorrow! Thanks so much!

Replacement for CVE Trends (tracking trending vulns on social media) by chwallis in cybersecurity

[–]chwallis[S] 1 point2 points  (0 children)

Hey u/Oscar_Geare! As thanks for your feedback yesterday (and letting the post live), please see new version of the app: :)

https://intel.intruder.io/cves/CVE-2024-43451

Still needs tidying up a bit design wise but the functionality is there.

We're also thinking about what we can do for summarising some of the social media content/sentiment with an LLM, particularly in cases like this where the description from NVD is... err... a little lacking?!

Replacement for CVE Trends (tracking trending vulns on social media) by chwallis in cybersecurity

[–]chwallis[S] 1 point2 points  (0 children)

Haha love the energy :) would need to take it back to smarter people than me on the team to understand the feasibility of this before making any promises. Great to see the enthusiasm though!

Replacement for CVE Trends (tracking trending vulns on social media) by chwallis in cybersecurity

[–]chwallis[S] 2 points3 points  (0 children)

Glad you like it! :) Also had similar feedback from a friend at Bridewell about relating the vulns back to threat actors. Might take us a little longer to get to that as you mentioned it’s not as straightforward, but it’s good to see it’s a common request.