EASM University

Learn about External Attack Surface Management and its many applications? What are the primary capabilities of EASM? How is it different from Internal Attack Surface Management. Everything you need to know before adopting this technology.

What is External Attack Surface Management (EASM)?

External Attack Surface Management (EASM) is a cybersecurity strategy that involves the continuous discovery, monitoring, and assessment of an organization's internet-exposed digital assets to identify and mitigate active and potential cyber threats and vulnerabilities. EASM helps organizations maintain a comprehensive understanding of their attack surface, including shadow IT, unknown devices and systems, and third-party assets.

The primary challenges of External Attack Surface Management (EASM) include:
  • Comprehensive Asset Discovery – Ensuring complete visibility of all digital assets, including those managed by third parties and shadow IT, can be challenging and may lead to overlooked vulnerabilities.
  • Dynamic Environments – The constantly changing nature of digital environments, with rapid growth, frequent updates, new deployments, and evolving cloud services, makes it difficult to maintain an accurate and up-to-date inventory.
  • Data Integration and Analysis – Aggregating and accurately assessing massive amounts of data from various sources to provide actionable insights is complex, requiring sophisticated tools and expertise.
Best practices for External Attack Surface Management (EASM) include:
  • Continuous Monitoring – Implement continuous monitoring to ensure real-time visibility into the attack surface and promptly identify new assets and changes that may introduce vulnerabilities.
  • Automated Discovery Tools – Use automated tools to regularly scan and map the entire digital footprint, including web applications, IP addresses, cloud services, and third-party dependencies.
  • Prioritization of Risks – Prioritize vulnerabilities and risks based on their potential impact, ensuring that remediation efforts focus on the most critical areas first.
  • Integration with Existing Security Measures – Integrate EASM with other security tools and processes, such as threat intelligence, vulnerability management, and incident response, to create a cohesive and comprehensive security strategy.
  • Continuous Assessment – Assessment of threats and vulnerabilities should be able to account for changes in the environment, new technologies, and evolving threat landscapes.
Why choose TacitRed Tactical Attack Surface Intelligence solution:
  • Empowers security analysts to take immediate, decisive actions to mitigate cyber exposures, leveraging fully curated and prioritized tactical attack surface intelligence.
  • Continuously monitors over 18 million US companies and threat actors, providing detailed findings instantly across your core domains, as well as those of third parties and partners.
  • Delivers only meaningful data on actual in-process threats and at-imminent-risk assets, prioritized by urgency of threat, categorized, and with full details to enabling decisive and timely response and coordination with extended teams.

What is the difference between internal and external attack surface management?

Internal and external attack surface management are both crucial aspects of an organization’s cybersecurity strategy, focusing on different parts of the digital environment to identify and mitigate threats and vulnerabilities.

Internal Attack Surface Management:
Internal attack surface management focuses on discovering, monitoring, and securing all digital assets within an organization's internal network. This includes devices, servers, applications, and data stored on-premises or within internal cloud environments.

External Attack Surface Management:
External attack surface management, on the other hand, deals with identifying and securing all digital assets that are exposed to the internet. This includes public-facing web applications, IP addresses, cloud services, third-party services, and any other externally accessible assets. This is an outside-in approach that takes the view and perspective of attackers to stay ahead of them.

What types of threats can External Attack Surface Management (EASM) identify?

  • Targeted Technologies – Identify the use of technologies that are risky to expose to the internet. This could be due to a technology being recently vulnerable, under active attack, or providing another vector of exploitation in the attack surface.
  • Recon – Identify a threat actor, or known bulletproof host scanning the monitored entity network. This can be determined by examining internet traffic, and performing analysis on connections between the monitored entity and the threat actor to determine small amounts of data have been sent from a threat actor, and the TCP handshake has not been completed.
  • Compromised Credentials – Find stolen usernames and passwords that have been stolen or obtained by unauthorized individuals through phishing attacks, malware infections, or data breaches. To be most effective this intelligence should ideally be obtained directly from the malware source, and not as an aggregation of publicly disclosed data breaches and data dumps.
  • Session - Identify threat intelligence indicators that the monitored entity has session cookies on monitored assets, stolen by session stealer malware, and sent to adversary command and control. EASM solutions should provide users with the cookie URL, login, machine name, machine ID, stealer ID, and date of compromise when available.
  • Malware – Identify malicious software that is installed on a machine without the user's consent. This causes intentional harm to the user, machine, or network where it is installed, often by stealing data or inflicting damage on resources. This is identified by analyzing adversary infrastructure and internet traffic to detected that a monitored entity has malware on certain assets.
  • Persistent Threat – Identify a threat actor, or known bulletproof host communicating with the monitored entity network. This is determined by examining internet traffic, and performing analysis on connections between the monitored entity and the threat actor to determine small amounts of data have been sent from a threat actor, and the TCP handshake has been completed, and a significant amount of data has been sent.

Can EASM help with Cyber Insurance Risk Assessment?

Assessing risk for cyber insurance involves evaluation of an organization's internet-exposed digital assets and vulnerabilities to determine the potential risk of cyber incidents. This assessment helps insurers to better understand the organization's security posture and set appropriate coverage terms and rates.

Challenges include:
  • Traditional risk assessment methods that do not adequately capture the dynamic nature of cyber threats and vulnerabilities.
  • Lack of relevant findings in a reasonable timeframe to reflect the true threat level and exposure risk, leading to inconsistencies in underwriting.
  • Inability for a client to proactively evaluate and address threat levels before policy acquisition to gain better coverage and terms.
How EASM can help:
  • Enables timely assessments of a client’s active attack surface including third-party dependencies to generate more accurate risk assessment for underwriting purposes.
  • Provides insurers with evidence-based risk assessments based on advanced analytics, allowing organizations to improve their cyber insurance coverage terms and premiums.
  • Facilitates continuous monitoring of the threat landscape, enabling clients to detect and respond to emerging risks in real time, reducing the likelihood of costly insurance claims.

TacitRed automates the evaluation of an organization's internet-exposed digital assets and vulnerabilities to determine the potential risk of cyber incidents. This assessment helps insurers to better understand the organization's security posture and set appropriate coverage terms.

Can EASM help with Incident Response Optimization?

Incident Response Optimization is the process of enhancing an organization's ability to detect, analyze, and respond to cybersecurity incidents efficiently and effectively by streamlining workflows, leveraging automation, and improving coordination among response teams.

Challenges include:
  • Long response times between detection and response due to massive quantities of threat “indicators” that extend investigative effort.
  • Limited resources and poor automation, making investigation and incident prioritization a slow and inaccurate process.
  • Poor coordination and communication among various teams and stakeholders, including handoff of investigation finding details needed for efficient mitigation.
How EASM can help:
  • Enables continuous and rapid detection of compromised assets, malicious activities, and access attempts by threat actors, along with actionable context and validation.
  • Provides tactical attack surface intelligence that empowers security analysts to take immediate, prioritized, and decisive actions to quickly mobilize mitigation processes.
  • Facilitates seamless collaboration between cross-functional teams by producing high-confidence and detailed source data, with validation and contextualization.

TacitRed enhances an organization’s ability to respond to cybersecurity incidents efficiently and effectively by automating the detection and analysis of cybersecurity incidents, and preparing the curated, prioritized, and detailed evidence required for enhanced coordination among response teams.

Can MSPs sell EASM as a Managed Services Offering?

A managed services offering for External Attack Surface Management (EASM) is a comprehensive service that continuously monitors, assesses, and manages an organization's internet-exposed digital assets and vulnerabilities – and can incorporate third-party risk assessment.

Challenges include:
  • Difficulty in scaling resources and adapting rapidly to dynamic changes in an organization’s extended attack surface, including associated third parties and partners.
  • Poor contextual understanding of each client's unique environment sufficient to provide meaningful intelligence across their dynamic infrastructure.
  • Challenge to integrate and align offered services with an MSP organization's existing security processes, tools, and internal workflows.
How EASM can help:
  • Enables MSPs to offer crucial threat insights, ensuring timely visibility into threat exposure and enabling prompt detection and response to emerging threats.
  • Effortlessly offers actionable insights of clients' external attack surface, including tailored recommendations and strategies to proactively mitigate risks and active threats.
  • Equips MSPs with extensive API integrations to automate findings into existing systems, making it an extremely valuable capability with an extraordinarily low TCO.

TacitRed offers for External Attack Surface Management (EASM) as a comprehensive service that continuously monitors, assesses, and manages an organization's internet-exposed digital assets and vulnerabilities – and can incorporate third-party risk assessment.

Can EASM help with Third-party Risk Management?

Third-party cybersecurity risk management involves identifying, assessing, and mitigating the security risks associated with engaging subsidiaries, agents, vendors, suppliers, and service providers, ensuring they can maintain system defenses and protect sensitive data.

Challenges include:
  • Complex vendor ecosystems with diverse suppliers, service providers, and partners, making security posture assessment almost impossible.
  • Lack of threat intelligence and active attack visibility, accuracy, and relevance regarding third-party access, internet-facing exposures, and system breach.
  • Limited resources that are focused on an organization’s primary environment, reducing the ability to even attempt meaningful third-party assessments.
How EASM can help:
  • Empowers organizations to assess their extended attack surface simply by entering the domain of the partners, suppliers, agents, and service providers they do business with.
  • Offers continuous monitoring of third-party threat exposure, providing advanced notice of threats and at-risk assets, and the ability to share findings to facilitate corrective actions.
  • Enables organizations to conduct technical security due diligence of third parties and track exposure and remediation progress, fostering supply chain transparency and accountability.

TacitRed simplifies third-party cybersecurity risk management by identifying and assessing the external security risks of subsidiaries, agents, vendors, suppliers, and service providers, ensuring their threat surface does not adversely affect that of the primary organization.

Can EASM help with M&A cyber due diligence?

M&A cyber due diligence is the process of thoroughly evaluating the cybersecurity posture of a target company during a merger or acquisition, assessing the target's security controls, and identifying vulnerabilities and risks that could impact the value and success of the transaction.

Challenges include:
  • Difficulty consolidating and analyzing cybersecurity data from multiple sources, such as security assessments, compliance audits, and incident reports.
  • Time constraints that require due diligence to be conducted quickly and efficiently, without sacrificing thoroughness of the analysis of potential risks and liabilities.
  • Transparency, cooperation and ability of the target company and their agents to provide comprehensive access to all internet-facing assets.


How EASM can help:
  • Empowers organizations to conduct comprehensive assessments of the target company's external attack surface, including exposed applications, devices, and networks.
  • Enables acquirers to focus on high impact risks post-acquisition by identifying security concerns, active attacks, and compromised systems and credentials.
  • Provides already-collected tactical attack surface intelligence on prospective and recently acquired organizations since it continuously evaluates over 18 million US organizations

TacitRed facilitates the thorough evaluation of the cybersecurity posture of a target company during a merger or acquisition, assessing the target's attack surface, and identifying vulnerabilities and risks that could impact the value and success of the transaction.

Can EASM help with Digital Asset Discovery and Assessment?

Digital asset discovery and assessment involves identifying all internet-exposed assets, such as websites, IP addresses, and cloud services, and assessing their security posture. This process helps organizations understand their attack surface and uncover potential vulnerabilities.

Challenges include:
  • Lack of comprehensive visibility of all digital assets, including IoT, abandoned or forgotten assets, and those managed by third parties.
  • The constantly changing nature of digital environments, including frequent updates, new deployments, new vulnerabilities, and evolving cloud services.
  • Difficulty in aggregating and accurately assessing data from various sources to provide a coherent and actionable understanding of attack surface risks and active attacks.
How EASM can help:
  • Empowers organizations to conduct comprehensive assessments of a company's external attack surface, including all exposed digital assets, targeted technologies, and cloud environments.
  • Continuously maps and analyzes your internet-facing assets, while dynamically monitoring the connections and threat activity between your digital presence, threat actors, and third-party entities.
  • Continuously analyzes threat signals, traffic, and web data of over 18 million US organizations, allowing immediate delivery of a thorough assessment to any new customer.

TacitRed identifies all internet-exposed assets, such as websites, IP addresses, and cloud services, and assesses their security posture. This process helps organizations understand their attack surface and uncover potential threats with sufficient detail for timely remediation.

Can EASM help with Pen Testing Scope?

Pen testing scope and focus can be challenging in growing and dynamic environments. Unless there is some way to continuously identify and monitor all internet-exposed digital assets, providing a comprehensive and prioritized up-to-date inventory, there is no practical way to scope and optimize the pen testing process, resulting in wasted resources and effort.

Challenges include:
  • Identifying all associated internet-facing assets that should be included in the pen test scope, especially in dynamic and extended environments with frequent changes.
  • Time constraints that limit the practical scope and potentially miss high-priority and targeted technologies that may already be threatened by malicious actors.
  • Ensuring objectives cover extended attack surface risks while not disrupting business operations.
How EASM can help:
  • Continuously identifies and assesses exposures across internet-exposed digital assets, ensuring that pen testers have a comprehensive and up-to-date inventory of the attack surface.
  • Provides curated and validated insights into which assets are compromised or at imminent risk, helping pen testers prioritize their efforts.
  • Offers ongoing passive attack surface discovery and threat analysis, identifying new assets and changes that might introduce vulnerabilities, and ensuring that new risks are promptly examined.

TacitRed can augment pen testing scope by continuously identifying and monitoring all internet-exposed digital assets, providing a comprehensive and prioritized up-to-date inventory based on threat urgency, enhancing the efficiency, thoroughness, and effectiveness of the pen testing process.

What is an outsider threat?

An outsider threat refers to cyber risks posed by individuals or entities outside of an organization who attempt to gain unauthorized access to the organization’s digital assets. These attackers exploit vulnerabilities in publicly exposed assets, such as web applications, cloud services, and internet-facing devices, to breach the organization's security. Over 80% of cyber breaches originate from outsider threat actors.

Challenges protecting against outsider threats include:
  • Expansive Attack Surface – Organizations often have a large number of publicly accessible assets, making it challenging to identify and secure all potential entry points.
  • Sophisticated Attack Methods – Outsiders use advanced techniques, such as phishing, malware, and zero-day exploits, which can bypass traditional security measures.
  • Constantly Evolving Threat Landscape – Cyber threats and attacker tactics are continuously evolving, requiring organizations to stay updated and adapt their security measures proactively.
  • Limited Resources – Security teams often have constrained resources, making it difficult to continuously monitor and defend against a wide range of potential external threats.
  • Inadequate Threat Intelligence – Without comprehensive and real-time threat intelligence, it is challenging to detect and respond to sophisticated outsider attacks effectively.
How EASM can help:
  • Identify all externally facing assets and systems that a malicious outsider would be able to see and attempt to breach.
  • Continuously monitor threat signals across all organizational entities, third party entities, and malicious domains to catch them in the act.
  • Use AI methods to sort through massive amounts of Internet traffic to identify and validate the real threats and prioritize them based on urgency and threat level.
  • Monitor third-party domains that have access into primary systems in the same way so that a deficiency in their attack surface won’t adversely affect the organization.

What are the essential capabilities of an External Attack Surface Management solution?

A comprehensive EASM solution should be able to continuously identify and update the entire external attack surface and recognize all manner of attacks, threats and vulnerabilities, and make it easy for security analysts and their extended teams to respond in a timely manner to mitigate real threats before any harm is done.

The enumerated capabilities are as follows:
  • Inventory – Continuously analyze and map your internet-facing assets.
  • Discover – Collect data to understand the overall security posture of your external attack surface.
  • Investigate – Analyze data to reduce noise and false positive indicators to present a prioritized subset of data that is more likely to contain real threats and vulnerabilities.
  • Respond – Generate reports with curated findings and share with incident response teams for follow up and mitigation. Most are capable of integrating with SIEM, SOAR, SOC, and service management systems.
  • Extend – Assess your extended attack surface of the third-party entities you do business with, such as subsidiaries, partners, suppliers, agents, and service providers.
Unique to TacitRed:
  • Only TacitRed uses patented Complex Event Processing to extend event analysis and curating beyond the capabilities of the competition, eliminating the tedious manual sifting, filtering and investigation process to discover the real top priority issues to remediate. In addition, TacitRed presents the supporting evidence and details necessary to validate each threat and enable extended teams to effectively remediate in a timely fashion. This extra level of analysis and reporting dramatically simplifies the job of analysts, expedites responses, and offers greater overall security to the organization.

What is Continuous Threat Exposure Management (CTEM)?

Introduced by Gartner in 2022, Continuous Threat Exposure Management (CTEM) is a strategic approach that continuously assesses, prioritizes, and mitigates cyber threats in real time. This methodology ensures that organizations maintain a dynamic understanding of their risk posture by integrating threat intelligence, vulnerability management, and security analytics. CTEM focuses on providing a holistic view of potential exposures, enabling proactive defense measures, rapid response to emerging threats, and ongoing improvement of security practices. This continuous cycle helps organizations stay ahead of adversaries and reduces the likelihood of successful cyber attacks.

While CTEM represents an idealized objective to attain, Tactical Attack Surface Intelligence, such as TacitRed, is a critical component, and fulfills key core elements of the CTEM strategy. The total strategy includes identifying and protecting all attack surfaces, while TacitRed excels at External Attack Surfaces and providing ample validated detail to efficiently support the mobilization effort to remediate.

Here is a brief description of how TacitRed Tactical Attack Surface Intelligence supports the five stages of the CTEM model:
  • Scope – Define the organization’s total external attack surface and risk profile.
  • Discover – Utilize advanced technology to identify potential threats and risks.
  • Prioritize – Analyze and curate massive amounts of data to identify real threats.
  • Validate – Prove and prioritize actual threats, based on severity and urgency.
  • Mobilize – Deliver validated exposure evidence with high fidelity through APIs.
  • BONUS – Extend the protection model to all connected third parties.

What are the stages of a cyber attack?

A cyber attack typically progresses through multiple stages, each representing a different phase of the attacker's strategy. Understanding these stages can help organizations better prepare and defend against cyber threats. TacitRed assigns each discovery to one of these stages so the analysis and response teams have more context when deciding how to respond.

Here are the common stages of a cyber attack:
  • Reconnaissance – This stage indicates the earliest stages of cyber threat. An intruder has selected an organization to target, is researching it, and is attempting to identify vulnerabilities in the target network.
  • Weaponization – This stage indicates that an intruder is trying to make use of what they learned in the reconnaissance phase. An intruder has created a remote access malware weapon (such as a virus or worm) to exploit one or more vulnerabilities.
  • Delivery – This stage indicates that an intruder has transmitted their weapon to their target organization (for example, via e-mail attachments, websites, or USB drives).
  • Exploitation – This stage indicates that a delivered malware weapon's program code has triggered, exploiting a vulnerability in the target organization.
  • Installation – This stage indicates that the intruder's malware weapon has installed an access point (or "backdoor") for the intruder to use.
  • Command & Control – This stage indicates that the installed malware has granted an intruder persistent access to the target, allowing them to achieve their objectives.
  • Exfiltration – This stage indicates that an intruder has acted to achieve their goals, such as data exfiltration (unauthorized data transfer, also known as "data extrusion" or "data exportation"), data destruction, or encryption for ransom.

What is the difference between attack surface management and vulnerability management?

Attack Surface Management (ASM) is the continuous process of discovering, monitoring, evaluating, and managing the potential entry points (attack surfaces) that an attacker could exploit. ASM provides a holistic and proactive view of an organization's digital footprint, including all internet-facing assets, how they are connected, and the threats they face.

Vulnerability Management (VM) is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and software. It is a subset of ASM that focuses on known assets and the specific vulnerabilities they might have.

Attack Surface Management (ASM) and Vulnerability Management (VM) are essential cybersecurity strategies that work together to protect an organization’s digital assets. There are some important differences between ASM and VM. First, Vulnerability Management works off a list of known assets, while Attack Surface Management has discovery capability to identify security issues even in assets that were previously unknown. Attack Surface Management identifies a broad range of threats, risks and vulnerabilities, so that, while they are often sold as distinct tools, if an organization deploys ASM, they are also getting VM.

Organizations employing ASM inherently incorporate VM, as ASM encompasses vulnerability assessment as part of its broader strategy. TacitRed bridges the gap between these two approaches for external-facing assets, offering comprehensive external attack surface visibility and continuous vulnerability assessment to ensure that both known and unknown risks are managed effectively. With ASM and VM integrated, organizations can enhance their security posture, better prioritize risks, and respond more effectively to potential threats.

Should MSPs be in the EASM business?

MSPs face mounting pressure to automate security posture improvement and cyber threat response for their customers – driving the need for curated threat intelligence (TI) and External Attack Surface Management (EASM). According to IDC, the demand for Managed Security Services (MSPs) remains strong, and they predict that outsourced security services continue to offer stronger overall growth opportunity – forecasted at 18% in 2024.

MSPs top 3 challenges are acquiring more customers, countering novel security threats, and hiring. The implications are to seek strategic partnerships with technology vendors that can:

  • enable service expansion to acquire and retain clients.
  • optimize and reinvigorate their security talent.

TacitRed is a great option for MSPs. TacitRed’s continuous, curated attack surface findings and threat intelligence automatically prioritizes active compromises and imminent threats – fully curated findings provide attack type, exploitation stage, and full contextualization. This directly improves MSP analyst capacity and capability.

TacitRed is dynamically monitoring the external attack surface of over 18 million U.S. business entities. This allows MSPs to extend their service portfolio by adding external attack surface management monitoring and third-party risk assessment services options across their existing business.

Attack surface and threat intelligence findings can be readily integrated into the MSP’s existing systems and processes leveraging TacitRed’s API features.

What is a 1st party (first party) Monitored Entity (for ASM)?

A 1st party monitored entity refers to any asset or component within an organization’s own IT infrastructure that is actively monitored for security purposes. This includes servers, endpoints, applications, databases, and network devices owned or directly controlled by the organization. Monitoring these entities helps to identify vulnerabilities, misconfigurations, and potential threats, ensuring the security of the organization's internal environment. By continuously overseeing these assets, organizations can promptly address security issues, maintain compliance, and protect sensitive data from unauthorized access or cyber-attacks.

What is an API or REST API Service?

A REST API (Representational State Transfer Application Programming Interface) service is a web service that uses REST architecture principles to enable communication between client and server over HTTP. REST APIs facilitate interaction with web services by using standard HTTP methods such as GET, POST, PUT, DELETE, and PATCH. These methods correspond to CRUD (Create, Read, Update, Delete) operations.

A REST API typically returns data in JSON or XML format, making it language-agnostic and easy to integrate with various applications. It allows clients to access and manipulate web resources by using a predefined set of stateless operations, enhancing scalability and performance in web applications.

An External Attack Surface Management solution would use a REST API to communicate its prioritized findings to a SIEM or SOAR system for either manual review or automated response, as part of the process to protect against active and imminent threats.

What are Continuous Attack Surface Findings?

Continuous Attack Surface Findings refer to the ongoing identification and assessment of active and potential threats across an organization's entire digital footprint. For External Attack Surface Management, this includes all external assets that could be targeted by cyber attackers. The process involves continuously scanning, monitoring, and analyzing the organization's IT infrastructure to detect exposed endpoints, misconfigurations, outdated software, and other security gaps. By maintaining a real-time understanding of the attack surface, organizations can promptly address weaknesses, mitigate risks, and strengthen their overall security posture.

In the case of TacitRed, it continuously ingests and analyzes internet traffic feeds and threat data for more than 18 million US companies to provide continuous attack surface findings. TacitRed monitors connections and threat activity between its digital presence, cyber adversaries, and third-party entities. Users can examine compromised and imminent target assets and novel attack findings categorized by severity, threat type and cyber kill chain stage.

What is a Total Threat Score?

A Threat Score is a relative measure of potential harm due to a particular event or situation. Note that there are no industry standards for threat scores, and none should ever be used to compare items in one product or system to any other. That said, threat scores can be incredibly valuable as a mechanism to prioritize where attention and resources should be given, and where less attention may be required.

A Total Threat Score represents the OVERALL risk level for a monitored entity (domain or organized group of assets), taking into account the Threat Scores of individual entities that comprise the monitored entity. Again, this Threat Score should be used as a comparison to other monitored entities within the same solution.

What are the Stages of a Cyber Attack Chain?

There are a number of representations of the various stages of a Cyber Attack, the most popular being that of the MITRE ATT&CK Matrix for Enterprise. In most cases, the beginning of an attack is represented by Reconnaissance, the earliest stage of an attacker evaluating and probing an organization and/or a specific target, and ends with Exfiltration, representing the successful theft, manipulation, or destruction of targeted assets.

TacitRed assigns one of seven attack chain stages to each detected threat so that analysts have additional context to help understand and prioritize resource allocation and response. These stages represent the typical flow through which an attack is conducted.

  • Reconnaissance: This stage indicates the earliest stages of cyber threat. An intruder has selected an organization to target, is researching it, and is attempting to identify vulnerabilities in the target network.
  • Weaponization: This stage indicates that an intruder is attempting to make use of what they learned in the reconnaissance phase. An intruder has created a remote access malware weapon (such as a virus or worm) to exploit one or more vulnerabilities.
  • Delivery: This stage indicates that an intruder has transmitted their weapon to their target organization (for example, via e-mail attachments, websites, or USB drives).
  • Exploitation: This stage indicates that a delivered malware weapon's program code has triggered, exploiting a vulnerability in the target organization.
  • Installation: This stage indicates that the intruder's malware weapon has installed an access point (or "backdoor") for the intruder to use.
  • Command and Control: This stage indicates that the installed malware has granted an intruder persistent access to the target, allowing them to achieve their objectives.
  • Exfiltration: This stage indicates that an intruder has taken action to achieve their goals, such as data exfiltration (unauthorized data transfer, also known as "data extrusion" or "data exportation"), data destruction, or encryption for ransom.

What are the Various Findings That Might Appear in an EASM Report?

Here are some types of findings that might appear in an EASM Report:

  • Reconnaissance
  • Persistent Threat
  • Compromised Credentials
  • Compromised Sessions
  • Malware Infections
  • Targeted Technology

Below is a more detailed description of each of these, as implemented and reported in TacitRed:

Reconnaissance Finding – Cyber Reconnaissance, typically the initial phase of malicious activities, involves the deliberate gathering of information by threat actors about potential targets, including internet-facing assets and vulnerable personnel. TacitRed plays a pivotal role in detecting instances of such reconnaissance attempts. For instance, TacitRed employs sophisticated algorithms to identify threat actors or known bulletproof hosts scanning the network of the monitored entity. This detection mechanism relies on comprehensive analysis of internet traffic, scrutinizing connections between the monitored entity and the potential threat actors. By examining data exchanges, TacitRed discerns when small amounts of data are transmitted from a threat actor, and crucially, when the TCP handshake remains incomplete, signaling suspicious activity indicative of reconnaissance efforts. Through this process, TacitRed is able to alert security analysts to the earliest stage of malicious activities, allowing them to take actions to prevent further intrusion and stopping the attack long before any damage may be accomplished.

Persistent Threat Finding – While reconnaissance involves identifying a hostile actor searching for potential entry points, a Persistent Threat represents a discovered and actively exploited entry point. This indicates that a hostile actor has not only found a vulnerability but is also attempting to or has already begun exploiting it. TacitRed identifies these threats by detecting communications between the monitored entity’s network and known threat actors or bulletproof hosts, which are often used by attackers to carry out malicious activities without fear of being shut down. TacitRed determines the presence of a persistent threat by meticulously examining internet traffic and analyzing connections between the monitored entity and the threat actor. This involves looking for specific patterns in the data exchange, such as the initial communication where small amounts of data are sent from the threat actor and the completion of the TCP handshake. Following this, TacitRed looks for significant data transfers from the monitored entity to the threat actor, indicating that an exploit may be in progress. By identifying these patterns, TacitRed can detect ongoing attempts to exfiltrate data or maintain unauthorized access within the network.

Compromised Credentials Findings – Compromised credentials are usernames and passwords that have been stolen or obtained by unauthorized individuals. This can happen in a variety of ways, such as through phishing attacks, malware infections, or data breaches. Once compromised credentials are in the hands of attackers, they can be used to gain access to a variety of systems and accounts, including email, social media, bank accounts, and more. This can have serious consequences for the victim, including financial loss, identity theft, and even blackmail. TacitRed gathers this intelligence directly from the source, so these credentials have been stolen directly as a result of malware. This is not an aggregation of publicly disclosed data breaches and data dumps. This method ensures the compromised credentials TacitRed identifies are those actively being exploited by threat actors. By focusing on credentials stolen through malware, TacitRed provides timely and relevant intelligence, enabling organizations to take swift action to protect their systems and users from unauthorized access and potential harm.

Compromised Sessions Findings – Sessions are considered compromised when cookies, such as authentication tokens, have been stolen. This finding indicates that TacitRed has detected evidence of threat intelligence indicators suggesting that the monitored entity possesses stolen session cookies on enumerated assets. Typically, these cookies are acquired by session stealer malware, which captures the cookies from the user's browser. Once stolen, the session cookies are sent to adversary command and control servers, allowing attackers to hijack the user's session. This type of attack enables cybercriminals to bypass authentication mechanisms, gaining unauthorized access to sensitive information and systems without needing login credentials. TacitRed's detection of such incidents allows organizations to respond promptly by invalidating the stolen session tokens and implementing additional security measures to protect against further breaches.

Malware Infections Findings – Malware, short for malicious software, is installed on a machine without the user's consent and is designed to cause intentional harm. This harm can include stealing data, corrupting files, or damaging system resources. Malware can come in various forms such as viruses, worms, trojans, ransomware, spyware, and adware. These programs often operate covertly, making them difficult to detect and remove. Through comprehensive analysis of adversary infrastructure and internet traffic, TacitRed has identified a high likelihood that the monitored entity has malware present on its enumerated assets. This detection is based on indicators such as unusual network behavior, connections to known malicious servers, and suspicious activities consistent with malware operations. The presence of malware poses significant risks, including data breaches, financial loss, and operational disruption. TacitRed’s ability to pinpoint these infections allows organizations to take prompt remedial actions, such as isolating affected systems, removing the malicious software, and strengthening defenses to prevent future incidents. By addressing these findings, organizations can mitigate the impact of malware and enhance their overall cybersecurity posture.

Targeted Technology Findings - A targeted technology refers to specific hardware or software with known, historical, or ongoing vulnerabilities that attackers often exploit. These vulnerabilities can arise from unpatched software, outdated hardware, or inherent design flaws, making them attractive targets for cybercriminals. Attackers seek out these technologies because they provide inroads for malicious activities such as stealing sensitive information, disrupting operations, or launching ransomware attacks. Exploiting these vulnerabilities can lead to significant security breaches, financial losses, and operational downtime. TacitRed enumerates an entity’s technologies that are known to be targeted by threat actors, offering detailed insights into potential weak points within the organization’s infrastructure. By identifying these targeted technologies, TacitRed enables organizations to prioritize their security efforts, patch vulnerabilities, and implement robust defenses to protect against exploitation. This proactive approach helps mitigate the risk of attacks and strengthens the overall cybersecurity posture.

What is Curated Threat Intelligence and how is Curated Threat Intelligence different from Threat Intelligence?

Curated Threat Intelligence refers to a specialized form of threat intelligence that undergoes meticulous curation, analysis, and validation before being disseminated to organizations or individuals. In essence, it involves the careful selection and refinement of threat data to provide actionable insights tailored to specific security needs.

The key difference between curated threat intelligence and general threat intelligence lies in the level of processing and customization involved. While threat intelligence encompasses raw data or information about potential cyber threats, curated threat intelligence undergoes additional layers of scrutiny and interpretation. Curated threat intelligence is often sourced from diverse channels such as open-source intelligence, proprietary databases, human intelligence, and collaboration with industry partners.

Curated threat intelligence adds value by:

  1. Contextualizing Threat Data: Raw threat data is analyzed in the context of industry and historical trends, and organizational risk factors. This contextualization helps prioritize threats based on their relevance and potential impact on specific environments.
  2. Validation and Verification: The credibility and accuracy of threat data is validated through a complex event processing platform, including correlation with multiple sources, verification against known indicators of compromise (IOCs), and assessment of threat actor tactics, techniques, and procedures (TTPs).
  3. Timeliness and Relevance: Curated threat intelligence is updated regularly to reflect emerging threats, vulnerabilities, and attack patterns. This ensures that organizations receive timely and relevant insights to enhance their cybersecurity posture and mitigate potential risks.

Overall, curated threat intelligence empowers organizations with actionable insights, enabling them to make informed decisions, proactively defend against cyber threats, and stay ahead of adversaries in an increasingly complex threat landscape.

What is Continuous Threat Exposure Management (CTEM) and how does TacitRed align to CTEM tenets?

Continuous Threat Exposure Management (CTEM) is a proactive approach to cybersecurity that focuses on continuously identifying, assessing, and mitigating potential threats and vulnerabilities across an organization's IT infrastructure and digital assets. CTEM aims to provide real-time visibility into security risks, prioritize remediation efforts based on the severity of threats, and enable organizations to adapt and respond swiftly to evolving cyber threats.

TacitRed aligns closely with the key tenets of CTEM through its comprehensive threat detection, analysis, and curated intelligence:

  1. Continuous Monitoring: TacitRed continuously monitors network traffic and other data sources to detect anomalous behavior and potential security threats in real-time. By providing continuous visibility into the digital environment surrounding an organization, TacitRed helps identify emerging threats before they escalate into serious incidents.
  2. Threat Detection and Analysis: TacitRed leverages advanced threat detection algorithms and machine learning techniques to identify a wide range of cyber threats, including malware infections, suspicious network activities, and unauthorized access attempts. Through in-depth analysis of security events and indicators, TacitRed helps organizations understand the nature and scope of potential threats, enabling informed decision-making and timely response.
  3. Risk Prioritization and Mitigation: TacitRed aligns with CTEM principles by helping organizations prioritize security risks based on their likelihood and potential impact. By categorizing threats and vulnerabilities according to predefined risk metrics, TacitRed enables organizations to allocate resources effectively and focus on addressing the most critical security issues first.
  4. Mobilize Response: TacitRed supports broad integration into existing systems, like SIEM and SOAR, to mobilize targeted and timely response based on specific and detailed validation of each incident, allowing organizations to automate incident response actions and orchestrate security controls in real-time. By integrating with existing security infrastructure and leveraging playbooks and workflows, TacitRed helps organizations streamline incident response processes and minimize the time to detect and contain security incidents.

TacitRed's comprehensive feature set and capabilities make it well-suited for supporting Continuous Threat Exposure Management initiatives, enabling organizations to enhance their security posture, reduce cyber risk, and protect critical assets from evolving threats.

How is Active Attacked or At Imminent Risk Assets more useful than General Threat Intelligence?

Intelligence about Active Attacked or At Imminent Risk Assets holds significant advantages over General Threat Intelligence due to its specificity, relevance, and actionable insights tailored to an organization's immediate security needs. Aside from the obvious reduction or elimination of signal noise, here's why it's more valuable:

  1. Specificity: Active Attacked or At Imminent Risk Assets intelligence provides detailed information about threats targeting specific assets within an organization's infrastructure. This specificity allows security teams to focus their attention and resources on protecting critical assets that are actively under attack or at high risk of being compromised. In contrast, General Threat Intelligence may provide broad insights into prevalent threats but may not offer the granularity needed to address specific security challenges.
  2. Relevance: Intelligence about assets under active attack or imminent risk is highly relevant to an organization's current security posture and operational environment. By highlighting immediate threats and vulnerabilities, this intelligence enables security teams to prioritize their response efforts and take proactive measures to mitigate risks effectively. In contrast, General Threat Intelligence may include threats that are not directly relevant to the organization or may lack the timeliness needed to address emerging threats promptly.
  3. Actionable Insights: Active Attacked or At Imminent Risk Assets intelligence provides actionable insights that empower security teams to make informed decisions and take decisive action to protect critical assets. Whether it's deploying additional security controls, patching vulnerable systems, or implementing incident response measures, this intelligence helps organizations respond effectively to active threats and minimize potential impact. General Threat Intelligence, while valuable for understanding broader threat trends, may not always translate into actionable steps that directly address immediate security concerns.
  4. Risk Reduction: By focusing on assets that are actively under attack or at imminent risk, organizations can reduce their overall cyber risk more effectively. Proactively addressing threats targeting specific assets helps prevent potential data breaches, financial losses, and reputational damage associated with successful cyber attacks. This targeted approach to risk reduction is more impactful than relying solely on General Threat Intelligence, which may not provide the necessary insights to address specific security vulnerabilities and exposures.

In summary, intelligence about Active Attacked or At Imminent Risk Assets offers greater specificity, relevance, actionable insights, and risk reduction benefits compared to General Threat Intelligence. By leveraging this tailored intelligence, organizations can strengthen their security defenses, mitigate immediate threats, and better protect their most valuable assets from cyber attacks.

What is Coordinating Threat Response?

Coordinating threat response involves orchestrating actions among security teams to address cyber threats effectively. It ensures collaboration, communication, and decision-making to mitigate risks and minimize the impact of security incidents, facilitating a cohesive approach to threat management.

What is Threat Mitigation?

Threat mitigation refers to the process of reducing the impact of potential threats to an organization's security. It involves implementing preventive measures like resetting passwords, terminating sessions, patching vulnerable systems or software, or deploying security controls to proactively address known risks and vulnerabilities, thus strengthening the organization's defenses.

What is Attack Containment?

Attack containment is the strategy of limiting the spread and impact of a cyber attack within an organization's network. It involves isolating affected systems, blocking malicious traffic, and preventing further unauthorized access to mitigate damage and facilitate incident response efforts, thus preventing the escalation of the attack.

What is Incident Response?

Incident response is the organized approach to managing and responding to security incidents such as data breaches or cyber attacks. It encompasses detecting, analyzing, and containing threats, as well as coordinating recovery and remediation efforts to restore normal operations and minimize disruption to the organization's systems and services.

What is Exposure Remediation?

Exposure remediation involves addressing vulnerabilities and weaknesses in an organization's systems and infrastructure to reduce the risk of exploitation by cyber threats. It includes patching software, configuring security settings, and implementing best practices to strengthen defenses and protect against potential attacks, thus enhancing the organization's overall security posture.

What is Threat Enumeration?

Threat enumeration is the process of identifying and cataloging potential threats and vulnerabilities within an organization's environment. It involves conducting assessments, scanning for known security issues, and compiling a comprehensive inventory of risks to prioritize remediation efforts effectively, thus providing insight into the organization's threat landscape.

What is Threat Contextualization?

Threat contextualization is the process of analyzing and understanding the significance of security threats within the broader context of an organization's operations and risk landscape. It involves assessing the relevance, severity, and potential impact of threats to inform decision-making and resource allocation for mitigation and response, thus enabling a more informed and strategic approach to cybersecurity.

What is Third Party Risk?

Third-party risk refers to the potential security threats and vulnerabilities introduced by external vendors, suppliers, or partners with access to an organization's systems or data. It involves assessing and managing the security posture of third-party entities to mitigate the risk of data breaches, supply chain attacks, or other security incidents, thus ensuring the integrity and security of the organization's ecosystem.

What is the difference between External Attack Surface Management vs Attack Surface Management?

External Attack Surface Management focuses specifically on identifying and managing the digital footprint and vulnerabilities that are accessible from outside the organization's network perimeter. It includes assets such as public-facing websites, domain names, and internet-connected devices.

On the other hand, Attack Surface Management encompasses a broader scope, which includes both external and internal attack surfaces. It involves identifying and managing all potential points of entry or attack within an organization's entire infrastructure, including external-facing assets as well as internal systems, applications, endpoints, and network configurations.

While External Attack Surface Management is in essence a subset of Attack Surface Management, focusing exclusively on the external-facing aspects of an organization's digital presence and security posture may offer an advantage in that realm over the more generic solution implementations of Attack Surface Management that aim to deliver results across all assets, internal and external.

What is Attack Surface Visibility and Dynamic Mapping?

Attack surface visibility and dynamic mapping refer to the continuous monitoring and mapping of an organization's digital footprint to identify potential entry points for cyber attacks. Attack surface visibility involves gaining insights into all assets, applications, and infrastructure components that are exposed to potential threats. Dynamic mapping goes further by tracking changes in the attack surface over time, including new assets, configurations, or vulnerabilities that may emerge. This proactive approach enables organizations to stay ahead of attackers by understanding their full attack surface, including external-facing assets such as web applications and internet-connected devices. By maintaining comprehensive visibility and dynamic mapping, organizations can effectively prioritize security efforts, detect emerging threats, and mitigate risks to their digital assets.

What is Threat Noise and Unactionable Data?

Threat noise refers to the high volume of security alerts generated by various monitoring tools, which often inundate security teams and overwhelm their capacity to respond effectively. Unactionable data encompasses alerts or information that lack context or relevance to actual security threats, leading to wasted time and resources. These issues can result from misconfigured sensors, false positives, or redundant alerts from multiple sources. Managing threat noise and unactionable data requires refining detection mechanisms, optimizing alert thresholds, and implementing automated response capabilities to filter out noise and prioritize actionable alerts. By reducing noise and focusing on actionable data, organizations can enhance their incident response capabilities, improve operational efficiency, and better protect against cyber threats.

TacitRed eliminates noise and unactionable data through a patented process called Hierarchical Complex Event Processing for behavioral analytics. With this technology in place, TacitRed only presents validated, detailed, and prioritized threats such that security analyst resources and mitigation efforts are assured to be applied to the most urgent and real threats.

What is Phishing?

Phishing is a type of cyber attack where attackers use deceptive emails, messages, or websites to trick individuals into disclosing sensitive information or performing actions that compromise security. These phishing attempts often impersonate legitimate entities, such as banks, government agencies, or trusted organizations, to deceive recipients into providing login credentials, financial data, or other confidential information. Phishing attacks can also deliver malware payloads, exploit vulnerabilities, or manipulate users into wire transfers or other fraudulent activities. To mitigate the risk of phishing, organizations should implement security awareness training, email filtering, domain validation, and multi-factor authentication measures. By educating users, enhancing email security, and implementing anti-phishing technologies, organizations can reduce the likelihood of successful phishing attacks and protect against data breaches, financial losses, and reputational damage.

What is Ransomware?

Ransomware is a type of malicious software designed to encrypt files or lock users out of their systems, demanding payment (a ransom) for decryption or restoration of access. Ransomware attacks typically begin with the infiltration of a victim's system through phishing emails, malicious downloads, or exploit kits. Once inside the system, the ransomware encrypts files using strong encryption algorithms, rendering them inaccessible to the victim. Attackers then demand payment, often in cryptocurrency, in exchange for the decryption key needed to unlock the files. Ransomware attacks can have devastating consequences for organizations, including data loss, financial damage, and operational disruption. To mitigate the risk of ransomware, organizations should implement robust cybersecurity measures, such as regular data backups, endpoint protection, network segmentation, and employee training. By taking proactive steps to prevent ransomware attacks and prepare for potential incidents, organizations can reduce the likelihood of successful attacks and minimize the impact on their operations and reputation.

What is a SOC?

A Security Operations Center (SOC) is a centralized unit within an organization responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents. The SOC serves as the nerve center for security operations, leveraging technologies, processes, and skilled personnel to protect against and mitigate cyber threats in real-time. SOC analysts monitor security events and alerts from various sources, including network and endpoint monitoring tools, security information and event management (SIEM) systems, and threat intelligence feeds. They investigate suspicious activities, analyze security incidents, and coordinate response efforts to contain and mitigate threats effectively. The SOC also plays a crucial role in incident response planning, vulnerability management, and security awareness training. By maintaining a proactive and vigilant approach to cybersecurity, the SOC helps organizations detect and respond to threats before they escalate into serious security incidents, ensuring the confidentiality, integrity, and availability of critical assets and information.

What are Compromised Assets?

Compromised assets refer to systems, devices, or data that have been infiltrated or affected by unauthorized access due to a cyber attack or security breach. When an asset is compromised, it means that its integrity, confidentiality, or availability has been undermined, potentially allowing attackers to exploit it further for malicious activities. This can include stealing sensitive information, launching further attacks within the network, or causing operational disruptions. Detecting compromised assets involves continuous monitoring, threat intelligence, and advanced detection tools to identify signs of unauthorized access or anomalous behavior. Once identified, incident response teams must isolate and remediate the compromised assets to prevent further damage and mitigate the impact of the breach.

What are At-Imminent-Risk Assets?

At-imminent-risk assets are systems, devices, or data that are currently facing an immediate threat of being compromised. These assets are identified as having a high likelihood of being targeted by attackers due to existing vulnerabilities, exposure to known threats, or ongoing suspicious activities. Detecting at-imminent-risk assets involves proactive monitoring, vulnerability assessments, and threat intelligence to identify assets that are particularly vulnerable or exposed. Organizations must prioritize the protection and remediation of these assets to prevent potential breaches. This can include applying security patches, enhancing monitoring, implementing additional security controls, and conducting targeted threat hunting. By focusing on at-imminent-risk assets, organizations can take preemptive actions to mitigate the risk of compromise and protect their critical systems and data.

What is a Data Breach Exposure?

A data breach exposure refers to sensitive information being accessed, disclosed, or stolen due to a security incident. This can include personal data, financial information, intellectual property, and other confidential data. The severity of a data breach exposure depends on the volume of data compromised, the sensitivity of the information, and how it is used by malicious actors. Data breach exposures can lead to financial loss, reputational damage, legal consequences, and regulatory penalties for organizations. Identifying that a data breach has happened is the first essential step in managing the situation, but is often challenging, and in many cases is only discovered after significant time has passed. Managing data breach exposures involves implementing robust security measures, such as encryption, access controls, and regular security audits, to protect sensitive data. Organizations should have a comprehensive incident response plan in place to quickly identify, contain, and remediate breaches, as well as notify affected parties and comply with legal and regulatory requirements.

What is Security Posture?

Security posture refers to the overall strength and effectiveness of an organization’s security measures in protecting against cyber threats. It encompasses the policies, procedures, technologies, and practices that an organization employs to safeguard its digital assets. A strong security posture means that an organization is well-prepared to prevent, detect, and respond to security incidents. Assessing security posture involves evaluating various aspects, such as attack surface management, vulnerability management, access controls, incident response capabilities, and employee training. Continuous assessments across all of these avenues are essential for understanding and improving security posture, and organizations must constantly adapt their security strategies to address emerging threats. A robust security posture helps minimize risk, protect sensitive information, and ensure the resilience and continuity of business operations.

What is an External Attack Surface?

An external attack surface refers to all entry points or vulnerabilities that can be exploited by attackers from outside the organization's network perimeter. This includes public-facing assets such as websites, web applications, IP addresses, and exposed APIs. An expansive and poorly managed external attack surface increases the risk of cyber attacks, as it provides more opportunities for malicious actors to find and exploit weaknesses. Managing the external attack surface involves continuously identifying, assessing, and mitigating vulnerabilities in these externally accessible assets. Tools like attack surface management platforms, vulnerability scanners, and penetration testing are used to monitor and protect the external attack surface. By maintaining a minimal and well-protected external attack surface, organizations can reduce the likelihood of successful cyber attacks and enhance their overall security posture.

How is TacitRed different from other External Attack Surface Management solutions?

Unlike typical external attack surface management (ASM) approaches, TacitRed not only autonomously captures and analyzes massive global threat signals, traffic activity, and threat intelligence between threat actors, your organization, and entities you do business with, but interprets threat findings for you. That’s different.

Our intelligence is curated, valid, prioritized, and actionable with full evidence — so you quickly understand the type of active threats taking place and the context to take immediate corrective and preventative action. We rank and reveal the active attack and imminent threat, and provide the evidence down to the threat type, cyber attack kill chain stage, and affected, IPs, machines, and users.

This is not ASM that is merely providing intelligence aggregation in a query-based service that requires the user to provide IP ranges or domain association to kickoff a search or scan and wait for results.

Nor is this conventional ASM that simply joins and periodically queries threat databases to identify possible exposures. Nor is this an ASM adjunct tool that is part of a larger, often semi-automated pen test service sold in addition to the basic ASM mapping tool.

We stream process and analyze well over a billion records / hour of internet, web traffic, and threat signal data in real-time (see Intelligence Synthesis) to identify valid, active attacks and exposures - continuously monitoring over 18 million U.S. entities. Our prioritized findings and evidence is available on-demand - subscribers merely enter in a domain name to examine active findings. This is tactical attack surface intelligence.

How can Tactical Attack Surface Intelligence enhance SIEM, SOAR, SOC and Service Management Systems?

Tactical Attack Surface Intelligence can significantly enhance SIEM, SOAR, SOC, and service management systems by providing comprehensive and actionable insights into active and potential security threats. With this technological advantage, organizations can identify and respond to threats far more quickly and with fewer resources than is possible with traditional data collection and analysis tools.

SIEM (Security Information and Event Management):
Tactical Attack Surface Intelligence enriches SIEM systems by supplying real-time data on the external attack surface, including current activities attempting to exploit vulnerabilities and potential entry points. This context allows SIEM tools to correlate external threat intelligence with internal security events, providing essential context to events and improving the efficiency of response. Enhanced visibility into external threats also enables better prioritization of incidents based on their potential impact on the organization.

SOAR (Security Orchestration, Automation, and Response):
Tactical Attack Surface Intelligence enhances SOAR platforms by providing detailed intelligence on attack vectors and threat actors. This information can be used to automate responses to external threats, such as blocking malicious IP addresses or patching vulnerable systems. With API integration, this automation helps streamline incident response workflows, allowing security teams to respond more quickly and effectively to potential threats, thereby minimizing the window of exposure and reducing the overall risk to the organization.

SOC (Security Operations Center):
For SOC teams, Tactical Attack Surface Intelligence delivers critical insights into the external threat landscape, enabling a more proactive defense posture. By understanding the tactics and techniques used by threat actors, SOC analysts can better anticipate and mitigate attacks. With actionable intelligence that enhances threat hunting, incident investigation, and root cause analysis, SOC teams can make better informed decisions and achieve improved security outcomes.

Service Management Systems:
Tactical Attack Surface Intelligence integration with service management systems enhances the overall IT service management (ITSM) by aligning security with operational processes. For instance, Tactical Attack Surface Intelligence can trigger automated ticket creation for identified threats and other incidents, ensuring timely remediation. It also facilitates better communication between IT and security teams, fostering a collaborative environment where security considerations are integrated into broader IT management and governance frameworks.

What is Threat Severity?

Threat severity refers to the potential impact and seriousness of a cyber threat or security incident. It assesses the extent of damage that a threat could inflict on an organization’s systems, data, and operations if successfully executed. Threat severity is typically determined based on factors such as the type of threat, its sophistication, the vulnerabilities it exploits, and the potential consequences for the organization. It may also be influenced by how far progressed the attack is in relation to the cyber attack chain stage, with a more progressed attack being ranked as more severe than initial reconnaissance. High-severity threats might involve ransomware attacks, data breaches involving sensitive information, or advanced persistent threats (APTs) that could cause significant disruption. Understanding threat severity helps security teams prioritize their response efforts and allocate resources effectively to mitigate the most critical risks. Regularly assessing threat severity through threat intelligence, risk assessments, and vulnerability management practices is essential for maintaining a robust security posture and ensuring prompt and effective responses to emerging threats.

What are Domain Registry and Network Assignments?

Domain registry and network assignments involve the management of domain names and the allocation of IP address spaces within the internet infrastructure. A domain registry is an organization responsible for maintaining the database of domain names and their corresponding IP addresses, ensuring that domain names are unique and properly registered. Network assignments refer to the allocation of IP address ranges to organizations or entities, managed by Regional Internet Registries (RIRs). These assignments ensure that IP addresses are unique and routable on the global internet. Proper management of domain registry and network assignments is crucial for maintaining the integrity and functionality of the internet. Organizations must keep their domain and network information up-to-date to prevent issues such as domain hijacking, IP address conflicts, and ensure the smooth operation of their online services. Monitoring domain and network assignments also helps in identifying and mitigating potential security threats, such as unauthorized changes or malicious activities.

What is the Internet Routing Registry (IRR)?

The Internet Routing Registry (IRR) is a database that records routing information for IP networks, providing a framework for network operators to publish and maintain their routing policies. The IRR helps ensure that internet traffic is routed efficiently and securely by allowing organizations to register their routing announcements and policies. This information is used by other network operators to validate and configure their routing decisions, preventing issues such as route hijacking and improving the overall stability of the internet. The IRR is an essential tool for network operators to coordinate their routing policies, optimize traffic flow, and enhance security. By participating in the IRR, organizations can contribute to the integrity and reliability of the global internet infrastructure. Regular updates and accurate records in the IRR are crucial for maintaining effective and secure routing practices.

What is Threat Signal and Traffic Analysis?

Threat signal and traffic analysis involve examining network traffic and communication patterns to detect and identify potential security threats. Threat signals are indicators of malicious activities or anomalies within the network traffic, such as unusual data flows, unexpected protocol usage, or known attack patterns. Traffic analysis involves monitoring and analyzing these signals to identify potential threats, understand their nature, and assess their impact. This process often utilizes tools like attack surface management platforms, intrusion detection systems (IDS), intrusion prevention systems (IPS), and network traffic analyzers to capture and evaluate data. By analyzing threat signals and traffic patterns, security teams can detect and respond to threats in real-time, prevent data breaches, and mitigate the impact of cyber attacks. Continuous traffic analysis is essential for maintaining network security, identifying emerging threats, and ensuring the timely detection and remediation of security incidents.

What is Browser Session Intelligence?

Browser session intelligence refers to the collection and analysis of data related to user sessions within web browsers to identify potential security threats and improve cybersecurity defenses. This data includes information about user behavior, session duration, interaction patterns, and anomalies that could indicate malicious activities such as session hijacking, phishing attempts, or automated bot attacks. By monitoring browser sessions, security teams can detect suspicious activities, such as multiple login attempts from different locations or unusual browsing patterns that deviate from normal user behavior. Browser session intelligence helps organizations enhance their security measures by providing insights into potential threats and enabling proactive responses. It also aids in improving user authentication mechanisms, detecting fraud, and protecting sensitive information from being compromised during web sessions.

What are Malware and Botnet Logs?

Malware and botnet logs are records of activities and events associated with malware infections and botnet operations. These logs capture details such as the source and destination of malware communications, the commands executed by botnet operators, and the data exfiltrated from infected systems. Analyzing malware and botnet logs helps security teams understand the behavior and tactics of malicious software, track the spread of infections, and identify compromised systems within the network. By examining these logs, organizations can gain insights into the infrastructure used by attackers, detect ongoing attacks, and develop strategies to mitigate the impact of malware and botnets. Continuous monitoring and analysis of malware and botnet logs are essential for maintaining cybersecurity, improving threat detection, and enhancing incident response capabilities.

What are Bulletproof Hosting Services?

Bulletproof hosting services are web hosting providers that offer lenient terms of service and minimal oversight, allowing cybercriminals to host malicious content, command-and-control servers, and illegal activities without fear of being shut down. These services often ignore or delay responses to abuse complaints and law enforcement requests, providing a safe haven for activities such as phishing, malware distribution, and cyber attacks. Bulletproof hosting services are attractive to attackers because they offer anonymity, resilience against takedowns, and the ability to quickly relocate malicious infrastructure. Combating bulletproof hosting services requires collaboration between law enforcement, security researchers, and legitimate hosting providers to identify and shut down these services. Organizations should monitor for indicators of bulletproof hosting within their networks and implement security measures to block communications with known malicious hosts to protect against associated threats.

What are C2 (Command & Control) Nodes?

C2 (Command & Control) nodes are central servers or infrastructure used by cyber attackers to communicate with compromised systems within a target network. These nodes are crucial for coordinating malicious activities, such as deploying malware, executing commands, exfiltrating data, and managing botnets. C2 nodes operate covertly, often using encryption and obfuscation techniques to avoid detection. Identifying and disrupting C2 nodes is a critical component of cybersecurity defense, as it can cripple an attacker’s ability to control compromised systems and carry out further attacks. Techniques to detect C2 nodes include monitoring network traffic for unusual patterns, using threat intelligence to identify known C2 infrastructure, and employing advanced threat detection tools. By recognizing communications with C2 nodes, organizations can more quickly and confidently identify malicious activity and mitigate the impact of such cyber attacks, enhancing their overall security posture.

What is Hierarchical Complex Event Processing?

Hierarchical Complex Event Processing (CEP) is a method of analyzing and managing complex streams of events in a layered, structured manner to identify significant patterns, trends, and anomalies. This approach allows for the efficient processing of high volumes of data by breaking down the analysis into hierarchical levels, where each level processes specific types of events or patterns. The results from one level feed into the next, creating a comprehensive and scalable analysis framework. Hierarchical CEP is particularly useful in cybersecurity for real-time threat detection and response, as it enables the correlation of diverse event data from various sources, such as NetFlow ,C2 traffic, user activities, and others. By leveraging hierarchical CEP, organizations can detect sophisticated attack patterns, reduce false positives, and improve the accuracy of threat detection, and organizations’ ability to respond quickly and productively.

What is Threat and Attack Contextualization?

Threat and attack contextualization involves analyzing and understanding the broader context of security threats and attacks to provide actionable insights. This process includes examining the nature, origin, methods, and potential impact of a threat, as well as the specific circumstances and vulnerabilities it exploits. Contextualization helps security teams prioritize threats based on their relevance and severity, enabling more effective and targeted responses. By considering factors such as threat actors' motives, historical attack data, and the specific environment of the organization, contextualization provides a deeper understanding of the threat landscape. This allows for better decision-making, resource allocation, and strategic planning in cybersecurity defense. Tools and techniques for threat contextualization include attack surface management platforms, threat intelligence platforms, behavioral analytics, and incident response frameworks that integrate and analyze diverse data sources.

How can ASM be incorporated into Your Security Posture Management Program?

Incorporating Attack Surface Management (ASM) into your security posture management program involves integrating continuous monitoring, assessment, and mitigation of an organization’s attack surface into its overall cybersecurity strategy. ASM focuses on identifying and managing all potential entry points that attackers could exploit, including both external-facing assets and internal systems. An effective ASM should always start by mapping their entire digital footprint, including internet-connected devices, and third-party integrations. Tools that continuously monitor will identify and account for changes in the attack surface, along identifying and prioritizing threats. By continuously updating and analyzing the attack surface, organizations can adapt to changes in their environment and emerging threats. Additionally, integrating ASM with other security tools, such as Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and threat intelligence platforms, enhances visibility and response capabilities. Training and awareness programs for staff are also essential to ensure everyone understands their role in maintaining a secure attack surface. This comprehensive approach helps maintain a robust security posture, reduces the risk of breaches, and improves overall resilience against cyber attacks.

Why should I use External Attack Surface Management?

External Attack Surface Management (EASM) is crucial for maintaining a robust cybersecurity posture. Here are several compelling reasons why your organization should adopt EASM:

Comprehensive Visibility:
EASM provides a clear and comprehensive view of all external-facing assets, including websites, web applications, and IP addresses. This visibility is essential for identifying and managing potential entry points that attackers could exploit.

Proactive Threat Identification and Prioritization:
EASM enables organizations to proactively identify threats and vulnerabilities before a successful exploit can be carried out. Regular monitoring and scanning help detect weaknesses in real-time, allowing for timely remediation. AI-enhanced analysis curates massive data feeds to eliminate false positives and deliver validated, detailed and actionable intelligence.

Improved Incident Response and Coordination:
With a well-managed external attack surface, organizations can more effectively detect and respond to security incidents. EASM tools provide contextual insights and alerts about suspicious activities, facilitating quicker and more accurate responses. API integration into SIEM, SOAR, and other systems ensures extended teams have all the right information, in a timely fashion to prevent incidents.

Reduced Attack Surface:
EASM helps in continuously monitoring and minimizing the attack surface by identifying vulnerable and persistently attacked assets to allow for hardening, and unused or unnecessary assets for decommissioning. This reduces the number of potential targets for attackers and enhances overall security.

Third-Party Risk Management:
EASM also includes monitoring the external assets of third-party vendors and partners. This is crucial as third-party vulnerabilities can often be exploited to gain access to an organization's network.

Cost Efficiency:
Proactively managing the external attack surface can prevent costly breaches and mitigate damage from potential attacks. Investing in EASM can save the organization significant costs associated with data breaches, downtime, and regulatory fines.

Reputation Protection:
By maintaining a secure external attack surface, organizations protect their reputation. Customers and stakeholders are more likely to trust organizations that demonstrate a commitment to cybersecurity and proactively manage their vulnerabilities.

Strategic Decision-Making:
EASM provides valuable insights into the organization's external security posture, enabling informed strategic decisions. Understanding the attack surface helps in aligning security initiatives with business objectives and risk management strategies.

In summary, External Attack Surface Management is an essential component of a comprehensive cybersecurity strategy. It provides the visibility, control, and proactive measures needed to protect an organization’s external digital assets from potential cyber threats.

What is Intelligence Synthesis?

TacitRed employs intelligence data synthesis which combines proprietary and public data sources, including those with advanced reconnaissance techniques and extensive internet traffic sampling, to achieve global asset-to-entity association, identify threat actor reconnaissance, and attack activity, and deliver comprehensive threat contextualization.

Under the hood, Cogility’s TacitRed applies real-time, high-speed analytics through hierarchical complex event processing (HCEP) technology (Cogility’s Cogynt platform) to continuously analyze terabytes of internet, threat signal and intelligence data (Intelligence Synthesis) which enables active attack surface enumeration and curated findings on demand. The continuous analysis identifies active attacks, exposures and unwanted activity between an organization’s digital presence and threat actors.


API (Application Programming Interface):

An API allows different software systems to communicate and interact seamlessly. TacitRed's API facilitates the integration of its rich threat intelligence and attack surface insights into existing security ecosystems, such as SIEM, SOAR, and ticketing systems, enabling automated threat response and vulnerability management.

APT (Advanced Persistent Threat)

An APT is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period. TacitRed detects signs of APTs by analyzing threat intelligence and external attack surface data from both the primary organization and know malicious hosts, helping organizations to quickly identify and mitigate these sophisticated threats.


An asset refers to any component of the IT environment that can be attacked or compromised, including hardware, software, data, or network resources. TacitRed helps identify and monitor externally exposed assets to ensure they are secured against potential threats and identify when attacks are in progress so remediation efforts can take place.

Attack Vector:

An attack vector is the method or pathway used by a cyber attacker to gain unauthorized access to a network or system, such as Compromised Credentials, Session Takeover or Malware. TacitRed looks for patterns that match various attack vectors and analyze them to validate the threat and provide insights into the actual malicious activities that are threatening or infiltrating an organization assets.

Attack Classification

Attack classification involves categorizing cyber attacks based on their nature, such as malware, phishing, or denial-of-service attacks. TacitRed uses advanced AI to classify and prioritize these attacks, helping security teams focus on the most critical threats.

Blue Team

A Blue Team is a group within an organization responsible for maintaining internal network defenses against cyber threats. In the context of TacitRed External Attack Surface Management, the Blue Team leverages TacitRed’s comprehensive threat intelligence, continuous monitoring, and actionable insights to fortify defenses. TacitRed empowers Blue Teams with real-time visibility into the external attack surface, helping them to proactively identify, assess, and mitigate threats, thereby enhancing the organization's overall security posture.


A Botnet is a network of private computers infected with malicious software and controlled as a group without the owners' knowledge. TacitRed tracks and identifies botnet activities by monitoring external traffic patterns and behaviors, providing actionable intelligence to disrupt and neutralize these threats.

Continuous Discovery

Continuous discovery refers to the ongoing process of identifying and mapping an organization’s digital assets and potential vulnerabilities. TacitRed continuously scans and updates the attack surface to provide real-time visibility into emerging threats, even as the attack surface changes and grows.

Credential Theft

Credential theft occurs when an attacker gains unauthorized access to user credentials, such as usernames and passwords. TacitRed identifies compromised credentials and alerts organizations to potential security breaches, enabling prompt action to mitigate risks.

Cyber Threat Quantification

Cyber threat quantification is the process of measuring and scoring the severity and impact of cyber threats. Since there are no standards for threat quantification (or threat scoring) such “scores” should only be used as a relative measure within a particular solution to prioritize intelligence findings, and is not intended to be compared to quantification or scores in any other solution. TacitRed provides detailed threat scoring to help organizations assess and prioritize risks based on attack chain stage, threat categorization, and the potential impact on the business.

Digital Supply Chain

The digital supply chain encompasses all digital assets, services, and dependencies an organization relies on, including third-party vendors. TacitRed monitors and secures the digital supply chain by identifying vulnerabilities and threats across interconnected systems and networks that may impact the threat level of the primary organization.


An exploit is a piece of code or method used by attackers to take advantage of a vulnerability in a system or application. TacitRed identifies and provides detailed information on potential exploits to help organizations patch vulnerabilities before they are exploited.


Exposure refers to the state of being vulnerable to cyber threats due to weaknesses in the attack surface. TacitRed helps organizations understand and mitigate their exposure by providing actionable insights into identified vulnerabilities and risks.

False Positive

A false positive occurs when a security system incorrectly identifies benign activity as malicious. TacitRed minimizes false positives through advanced, multi-level threat intelligence and analysis, ensuring that security teams focus on genuine threats rather than wasting time on incorrect alerts.

Indicators of Attack (IoA)

Indicators of Attack are signs that an attack is in progress or imminent, including unusual network traffic, system anomalies, or other suspicious activities. TacitRed identifies and analyzes IoAs within the external attack surface, enabling organizations to respond to threats confidently and proactively.

Indicators of Compromise (IoC)

Indicators of Compromise (IoCs) are forensic data pieces, such as unusual IP addresses, malware signatures, or specific file hashes, that signal a potential or ongoing security breach. TacitRed continuously identifies IoCs through external scanning and advanced AI, and provides detailed analysis on these indicators, enabling security teams to quickly detect and respond to potential threats before they can cause significant damage.

Known Asset

Known assets are components of an organization's IT infrastructure that are actively managed and monitored, including hardware, software, network devices, and data repositories. TacitRed helps organizations maintain an up-to-date inventory of these assets, ensuring comprehensive visibility and management to mitigate security risks effectively.

Inactive Asset (Unmanaged or Orphaned)

An inactive asset refers to a digital asset that is no longer actively managed or used but remains part of the organization's IT environment. These can include old servers, forgotten cloud storage, or unused accounts, often termed "orphaned" because they lack an owner or are not actively monitored. TacitRed identifies inactive assets because they are just as crucial a component of the attack surface as active assets, as they can become vulnerable entry points for cyber attackers, perhaps even more so because they may be unpatched and not addressed by regular IT and security audits.

Malicious Asset

Malicious assets are digital components that have been compromised or are used for malicious activities, such as servers hosting malware or phishing websites. TacitRed immediately detects when an asset becomes compromised and provides actionable insights, enabling quick mitigation to prevent harm to the organization's network and data.


Mitigation involves implementing measures to reduce the severity, impact, or likelihood of a cyber threat or vulnerability. TacitRed aids in this process by identifying active threats and vulnerabilities with sufficient validation and detail such that security teams can easily move righ to mitigation by patching, updating security policies, or configuring defenses to block malicious traffic, thus strengthening the organization's security posture.

Penetration Test

A penetration test (pen test) is a simulated cyber attack on an organization's IT infrastructure to identify vulnerabilities that real attackers could exploit. Pen test findings can be used to assess and improve the effectiveness of security measures and uncover weaknesses in the external attack surface. TacitRed uses advanced AI to differentiate between benign and malicious penetration activities to minimize false positives.

Purple Team

A Purple Team is a collaborative effort between the Red Team (attackers) and Blue Team (defenders) to improve cybersecurity defenses. TacitRed supports Purple Team activities by providing comprehensive threat intelligence and attack surface insights, facilitating better communication, coordination, and effectiveness in identifying and mitigating threats.

Red Team

A red team comprises security experts who simulate real-world attacks on an organization’s IT infrastructure to test and improve its defenses. TacitRed supports these exercises by providing detailed threat intelligence and visibility into potential attack vectors, enhancing the organization's ability to identify and mitigate threats.


Remediation involves taking actions to fix or eliminate vulnerabilities and threats identified during security assessments and monitoring. TacitRed's platform supports effective remediation processes by providing detailed, actionable insights that ensure identified risks are promptly and properly addressed, minimizing exposure and enhancing overall security.

Risk Assessment

Risk assessment is the process of identifying, analyzing, and evaluating risks to an organization's assets, operations, and data. TacitRed facilitates comprehensive risk assessments by continuously monitoring and analyzing the external attack surface, helping prioritize security efforts and allocate resources to the most critical and validated threats.

Risk Indicator

A risk indicator is a metric or sign that suggests the presence of a potential risk or vulnerability within an organization’s IT environment. TacitRed monitors and reports on these indicators, allowing for early detection of threats and proactive risk management to maintain a strong security posture.

Risk Scoring

Risk scoring assigns a relative value or score to identified risks based on their severity, likelihood, and potential impact on the organization. TacitRed's solution uses advanced algorithms to dynamically score vulnerabilities, helping prioritize threats and allocate resources effectively to address the most significant risks first.

Security Risk Assessment

A Security Risk Assessment is the process of identifying and evaluating security risks to an organization's IT infrastructure, assets, and data. TacitRed facilitates this by providing detailed insights into real threats and vulnerabilities in the external attack surface, enabling organizations to prioritize and address the most critical risks effectively.

Shadow IT

Shadow IT refers to the use of IT systems, devices, software, applications, and services without explicit organizational approval. TacitRed helps identify and manage these unauthorized assets by continuously enumerating every potential entry point of the external attack surface, ensuring they are accounted for and secured against potential threats.

Spear Phishing

Spear Phishing is a targeted attempt to steal sensitive information such as account credentials or financial information through fraudulent emails that appear to be from a trusted source. TacitRed's advanced threat intelligence capabilities help detect and mitigate these attacks by identifying phishing indicators and providing actionable insights to prevent successful breaches.

Supply Chain Risk

Supply Chain Risk involves potential threats and vulnerabilities that arise from third-party vendors, suppliers, or service providers. TacitRed assesses and monitors these risks by evaluating the external attack surface of third parties, ensuring that the organization’s supply chain does not become a weak link in its overall security. TacitRed intelligence may be shared with third parties so actions may be taken to remediate any threats or vulnerabilities.

Third-Party Risk Management

Third-Party Risk Management is the process of identifying, assessing, and controlling risks associated with third-party vendors and service providers. TacitRed enhances this by providing continuous monitoring and evaluation of third-party attack surfaces, helping organizations mitigate risks posed by their external partners.

Threat Hunting

Threat Hunting is the proactive search for cyber threats that are lurking undetected in a network. TacitRed is literally an automated threat hunting platform, supporting threat hunter objectives by delivering fully curated and validated findings, eliminating the need for threat hunters and analysts to sift, query and filter results manually before getting to remediation in a timely fashion.

Threat Vector

A Threat Vector is a path or means by which a cyber attacker can gain access to a computer or network server to deliver a malicious payload. TacitRed identifies and analyzes vulnerable threat vectors within the external attack surface, providing detailed insights and actionable intelligence to block these potential entry points.

Vulnerability Scanning

Vulnerability Scanning involves automated tools that inspect systems and networks for security weaknesses. TacitRed conducts continuous vulnerability scans across the external attack surface, identifying and prioritizing vulnerabilities that need immediate remediation to prevent exploitation by attackers.


Smishing is a form of phishing that uses SMS messages to trick recipients into revealing personal information or downloading malicious software. TacitRed identifies and provides intelligence on smishing campaigns targeting the organization, as well as any evidence of a successful smishing campaign, enabling timely responses to mitigate the threats.

XDR (Extended Detection and Response)

XDR is a security technology that integrates data from multiple security products into a unified platform for more effective threat detection and response. TacitRed enhances XDR by providing comprehensive visibility and actionable insights into the external attack surface, helping organizations respond to threats faster and more efficiently.