GigaOm Radar for Attack Surface Management v5

Attack surface management (ASM) has evolved from a niche diagnostic activity into a critical layer of the enterprise security stack. At its core, ASM provides continuous, automated discovery and monitoring of an organization's external digital assets, detecting vulnerabilities, misconfigurations, and shadow IT that traditional internal scanners miss. This technology is vital because the modern attack surface is dynamic and ephemeral. Cloud instances spin up and down in minutes, and third-party dependencies create risk vectors outside direct corporate control. Consequently, this solution category is essential for CISOs, security architects, and threat intelligence teams responsible for blocking breaches before they occur.

For the C-suite, ASM is no longer an optional hygiene tool but a business imperative for operational resilience. The rapid digitalization of business processes has created a dangerous inventory gap, meaning IT teams often manage only a fraction of the assets they actually own. ASM bridges this gap, transforming asset inventory from a static spreadsheet into a real-time system of record. By providing an attacker's eye view of the enterprise, these solutions enable organizations to prioritize remediation based on actual exploitability rather than theoretical severity. This shift allows leadership to move from reactive firefighting to strategic risk reduction, directly improving compliance posture and lowering cyber insurance premiums.

This report examines vendors that provide comprehensive external attack surface management (EASM) capabilities. To be included, solutions must go beyond simple asset enumeration. They must offer autonomous discovery of unknown assets, continuous monitoring, and risk prioritization capabilities. We focused on solutions that meet specific criteria beyond the basic table stakes:

• Solutions must be available for purchase as a singular product, buyers should not be required to purchase a broader solution set to gain access to only the ASM features

• Platforms must provide evidence of recursive discovery capabilities that identify assets not explicitly seeded by the user (seedless discovery)

• Pure play vulnerability scanners that require a known IP list to function are excluded from this evaluation

This year, we observe a significant shift in market positioning compared to previous reports. While prior iterations focused heavily on the mechanics of discovery, the narrative has now moved decisively toward exposure management and alignment with continuous threat exposure management (CTEM) frameworks. This change reflects the market's demand for actionable validation over mere visibility. Buyers now require tools that not only find the asset but also contextualize the risk it poses to the business.

This is our fifth year evaluating the attack surface management space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year. 

This GigaOm Radar report examines 32 of the top attack surface management solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading attack surface management offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

To help prospective customers find the best fit for their use case and business requirements, we assess how well attack surface management solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

• Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Buyers’ requirements often prioritize ease of use and rapid time to value over granular customizability. Purchase considerations typically weigh simplified cost structures that make ASM achievable for smaller security budgets without requiring extensive dedicated personnel.

• Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category focus on flexibility, performance, data services, and features that improve security and data protection. Key purchase considerations include scalability, the ability to deploy the service across diverse environments, and deep integration with existing enterprise security stacks.

• Managed security service provider (MSSP): ASM solutions that offer multitenancy and unified tenant management are evaluated against this market segment. Buyer requirements focus on centralized management consoles that provide unified visibility across multiple customer environments. Purchase considerations often include the ability to rebrand or white label the ASM solution and flexible licensing models that align with service provider business structures.

In addition, we recognize the following deployment models:

• SaaS: These solutions are available only in the cloud. Often designed, deployed, and managed by the service provider, they are available only from that specific provider. This model is useful for organizations seeking rapid deployment with zero infrastructure overhead, as data is collected entirely from the attacker's perspective without requiring on-prem components.

• Hybrid: These solutions are cloud-based but leverage a sensor, collector, or agent as an additional telemetry source to create a better understanding of the client's technical environment. This model is useful for organizations that require visibility into internal assets or those behind firewalls, combining external discovery with internal context for a more complete attack surface view.

Table 1. Vendor Positioning: Target Market and Deployment Model

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1). 

“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

• Continuous discovery of attack surface

• Inventory management of attack surface assets

• Risk identification in attack surface

• Management of false positives

• Asset discovery

• Assessment of vulnerabilities

Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

• Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating an attack surface management solution.

• Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months. 

• Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating Attack Surface Management Solutions.”

Key Features

• Attack path analysis: This capability visualizes the chains of vulnerabilities and misconfigurations attackers could exploit to reach critical assets. Advanced solutions provide real-time updates, chaining analysis, and risk scoring, allowing security teams to prioritize remediation based on business impact and the actual feasibility of an attack path.

• Automation and correlation: This feature evaluates the solution's ability to drive automated remediation workflows and validate fixes through rescans. It includes cross-domain correlation (combining ASM with EDR or cloud data) and bidirectional integration with ticketing systems to streamline security operations and response times.

• Internal ASM: As internal environments become as dynamic as external ones, this feature assesses the ability to perform ASM on non-internet-facing assets. Leading solutions deliver depth of execution on internal assets that is in parity with external ASM, covering common enterprise technologies without significant gaps.

• Risk scoring: Beyond static CVE scores, modern risk scoring incorporates analytics like the Exploit Prediction Scoring System (EPSS), exploitability, and compensating controls. This capability delivers unique, context-aware scores that identify high-priority issues, often adding modifiers for data sensitivity, location, or ownership to ensure resources focus on the most critical threats.

• Asset categorization: Effective ASM relies on logically grouping diverse assets to simplify management. Advanced categorization goes beyond general buckets to provide granular context, such as specific cloud services, business units, owners, or criticality, thereby enabling more accurate risk assessment tailored to organizational structures.

• Asset correlation: This capability involves automating the mapping of assets to business owners and the dynamic tagging of those assets based on behavior. It ensures a comprehensive inventory by deduplicating and linking related assets, such as connecting child assets to parent organizations, to maintain a single source of truth.

• Third-party risk identification: This feature discovers and assesses risks introduced by external vendors and partners. It correlates internet-discovered assets to client-owned cloud services or SaaS tenants, allowing organizations to monitor their digital supply chain and manually add assets to ensure comprehensive visibility of third-party exposures.

• Managed triage: To combat alert fatigue, this capability provides human analyst validation of critical alerts, aiming for zero false positives on escalated issues. It includes 24/7 support or periodic validation services, ensuring that internal teams spend time remediating genuine threats rather than sifting through noise.

Table 2. Key Features Comparison

Emerging Features

• Custom threat intelligence: This feature assesses the solution's ability to facilitate two-way intelligence sharing and ingest custom signatures. Advanced implementations correlate findings with specific industry threat feeds to drive discovery, going beyond simple API endpoints to become a fully integrated part of the organization's broader threat intelligence ecosystem.

• Dark web monitoring: Beyond basic search, this capability enables organizations to tune searches, create ignore lists, and correlate dark web findings such as VIP exposure or compromised credentials directly to specific assets. It transforms raw data into actionable risk intelligence integrated into the overall risk calculation.

• Generative AI (GenAI) assistants: GenAI assistants in ASM solutions leverage AI to analyze attack surface data, providing actionable intelligence through natural language interfaces. These capabilities transform complex security findings into accessible insights, enabling security teams to efficiently identify, prioritize, and remediate vulnerabilities across their digital ecosystem.

• Software supply chain security: This capability addresses code-level risks by ingesting software bill of materials (SBOMs) to correlate discovered CVEs. It includes automated discovery of secrets in public repositories and links code-level vulnerabilities to runtime assets, bridging the gap between application security and attack surface management.

Table 3. Emerging Features Comparison

Business Criteria

• Flexibility: This criterion assesses the solution's adaptability to diverse environments and use cases. Top-tier solutions support seven or more distinct use cases, ensuring the platform can evolve with the organization's changing security landscape rather than being narrowly focused on a single function.

• Discovery frequency: This is a measure of how often the system scans and updates asset information. Superior solutions allow customers to adjust frequency without arbitrary limitations, offering continuous or event-driven options to ensure the most up-to-date view of the attack surface.

• Scalability: This metric evaluates the solution's ability to efficiently manage growing asset volumes. Optimal solutions leverage cloud-native architectures to deliver consistent performance with no degradation, regardless of organization size or the magnitude of the data set.

• Cost transparency: This metric encompasses the clarity and predictability of the pricing model. The best solutions offer flat-rate or clearly tiered pricing based on active assets, thereby avoiding hidden costs for inactive data and making it easy for organizations to predict and manage their financial investment.

• Ease of use: This involves user-friendliness and operational simplicity. Leading solutions combine intuitive dashboards with built-in automation and GenAI/NLP capabilities to reduce manual effort, ensuring security teams can operate the system effectively without extensive training or proprietary query languages.

Table 4. Business Criteria Comparison 

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those positioned closer to the center being judged as having the most complete solution. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s expected evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for Attack Surface Management

As you can see in Figure 1, the most decisive trend visible is the overwhelming market shift toward Platform Plays. The density of vendors positioned on the right side of the chart versus the sparse left side indicates this sector has moved well past the era of point solutions. Customers are favoring consolidated suites that deliver broad, integrated functionality over niche tools designed to solve isolated problems.

The market remains highly active and competitive. Vendor distribution is fluid, with significant inward movement evident across the board, particularly from the Innovation hemisphere. This trajectory shows a sector that is still evolving rapidly, with agility and the ability to pivot in response to market changes being the primary drivers of success.

This positioning signals that broad functionality and extensive use case support are now baseline requirements for entry. Vendors attempting to compete solely on specific functionality are becoming outliers, whereas the winning strategy is to build or acquire a comprehensive ecosystem.

The chart displays a relatively balanced split between Maturity and Innovation, with the character of these halves differing significantly.

• The Maturity half is populated by established industry giants, whose positioning suggests a focus on stability and enterprise-grade continuity.

• The Innovation half is crowded with aggressive movers. The density here implies that, despite the presence of incumbents, there is ample room for disruption. Newer vendors are challenging the status quo by remaining flexible and responsive to emerging threats.

A significant cluster exists in the Innovation/Platform Play quadrant. This suggests the sweet spot for growth in this market is the combination of a broad platform approach with aggressive innovation. This area represents the fiercest competition, as numerous vendors jostle for a position that allows them to move toward the center.

There is a cluster of Outperformers in the Innovation half of the chart. This indicates that vendors making the fastest progress and offering the most compelling value propositions are those prioritizing flexibility and market responsiveness over pure stability. In this specific market, "playing it safe" is not currently a driver of rapid advancement.

While there is a healthy number of Leaders in the innermost ring, they are not overwhelmingly dominant. The majority of the vendors sit in the Challenger ring. This indicates a maturing market in which many vendors have graduated from being Entrants but are hitting a competitive ceiling as they attempt to unseat established Leaders. The high density in this ring, particularly on the Platform side, implies a battleground where vendors must struggle to differentiate themselves to bridge the gap to the center.

In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

Armis: Armis Centrix Cyber Exposure Management Platform

Solution Overview
Armis Centrix Cyber Exposure Management Platform addresses the expanding attack surface through a platform-centric approach focused on comprehensive asset intelligence and cyber exposure management. The solution leverages its Asset Intelligence Engine to track over 6.5 billion asset profiles, providing a unified view of IT, OT, IoT, and IoMT devices without reliance on agents. By combining passive network monitoring with smart active querying and extensive API integrations, Armis delivers continuous visibility and real-time risk assessment. The core methodology centers on nonintrusive discovery and behavioral analysis, allowing organizations to bridge the gap between traditional asset management and proactive security posture management across complex, hybrid environments.

The platform is architected as a cloud-native solution using microservices, though it supports on-prem and hybrid deployment models to accommodate strict regulatory requirements. Armis positions itself as a centralized hub for exposure management, aggregating data from existing security tools to eliminate silos and correlate dispersed asset data. The solution will look and feel largely the same over the contract lifecycle. Armis prioritizes stability and continuity, ensuring its core asset identification and risk engines remain consistent while incrementally expanding support for new device types and integration partners. 

Armis is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
Armis scored well on a number of decision criteria, including:

• Asset categorization: Armis offers an AI-driven automated classification system, which leverages the Asset Intelligence Engine to provide granular, context-aware tagging. The solution dynamically classifies assets based on device behavior and network activity rather than static attributes, enabling it to distinguish between similar device types (for example, specific medical devices versus standard IoT). This detailed categorization allows organizations to apply precise security policies and align asset management with operational business pillars.

• Asset correlation: The solution maps communication patterns and establishes baselines to detect anomalies, such as improper segmentation or suspicious lateral connections and misconfigurations and parameter drift. By providing a cumulative risk assessment that considers the interconnectedness of assets, Armis enables security teams to visualize threat propagation pathways and understand the downstream impact of a compromised asset.

• Third-party risk identification: The solution employs a multifactor risk assessment model that combines business impact with control urgency, enabling the identification of third-party devices operating within the corporate network. This boundary-based logical grouping helps organizations maintain a zero trust architecture by continuously monitoring and validating third-party asset behavior.

Armis is classified as a Fast Mover thanks to its aggressive integration of GenAI capabilities and continuous enhancements to its Asset Intelligence Engine, which rapidly accelerates the speed of asset classification and risk prioritization.

Opportunities
Armis has room for improvement in a few decision criteria, including:

• Automation and correlation: While the solution automates the vulnerability management lifecycle and offers predictive owner assignment, the "act" phase of patching and blocking often depends on bidirectional connections with external orchestration and ticketing tools (such as Jira or ServiceNow). Organizations that desire to achieve a fully closed loop will need to consider adding on the VIPR Pro product, which can achieve this at an additional cost.

• Attack path analysis: While Armis provides a multi-detection engine with lateral movement simulation, the solution’s approach is primarily analytical and simulation-based rather than validation-centric. The platform maps potential attack vectors by analyzing traffic and firewall rules, but organizations requiring empirical validation of these paths might find the simulation less definitive than active exploitation techniques used in dedicated penetration testing solutions. The distinction between a theoretical attack path and a validated exploit chain may require additional manual verification.

• Risk scoring: Armis uses a highly customizable risk scoring model that incorporates security findings, asset criticality, and compensating controls. However, this high degree of customizability can introduce complexity for organizations seeking a set-and-forget metric. The dynamic nature of the scoring, which updates in real time based on environmental changes and control efficacy, requires security teams to carefully configure and maintain the weighting logic to ensure risk scores remain consistent and meaningful across diverse asset types and business units.

Purchase Considerations
Armis employs a straightforward annual subscription pricing model based on the total number of assets, regardless of asset type. This per-asset structure simplifies budgeting by treating a critical MRI machine and a standard laptop as equivalent units for licensing purposes, avoiding complex weighting schemes. The pricing is transparent, with no upfront implementation fees, and volume-based discounts are available. As a Platform Play, the solution is best used when adopted broadly to cover the entire estate rather than for niche discovery tasks.

The solution is designed for enterprise scalability, leveraging a cloud-native architecture on AWS that supports millions of assets. Deployment is streamlined through an agentless approach that delivers fast time to value, often providing actionable insights within hours of network connection or API integration. Support options include premium packages with technical account managers who provide personalized risk reviews and 24/7 support, which is offered through its partner base. Armis also offers value packs for rapid deployment of specific use cases, helping organizations progressively expand from basic visibility to advanced early warning capabilities.

Use Cases
Armis excels in environments with high concentrations of unmanaged or specialized devices, such as healthcare and manufacturing. Healthcare organizations leverage the platform's deep understanding of IoMT protocols to maintain accurate inventories of medical devices, ensuring patient safety by identifying vulnerabilities without disrupting clinical care. The solution's ability to correlate device behavior with clinical workflows allows for risk prioritization that respects patient care requirements. 

Industrial and manufacturing enterprises benefit from Armis's OT-specific capabilities, using the platform to secure industrial control systems (ICS) and SCADA environments. The solution's passive monitoring ensures operational continuity while identifying risks in legacy equipment that cannot support traditional agents. Additionally, large enterprises with hybrid environments use Armis to bridge the visibility gap between traditional IT assets and the exploding population of IoT and OT and cloud-connected devices, providing a unified risk picture across the entire digital estate.

Bishop Fox

Solution Overview
Bishop Fox delivers a managed security service, blending automated attack surface management with continuous human-led testing. The solution focuses on identifying and validating exploitable exposures, distinguishing itself by integrating an expert operations team directly into the discovery and triage workflow. Core components include continuous attack surface discovery, autonomous scanning, and manual validation of high-risk findings, effectively functioning as an extension of an organization’s security team. 

The platform is built on a microservices architecture that autoscales to handle fluctuating asset volumes, delivered as a SaaS offering that emphasizes true positive reporting. Bishop Fox positions its service as a comprehensive solution that eliminates false positives through its human-in-the-loop methodology. The solution will look and feel different over the contract lifecycle as Bishop Fox delivers an aggressive roadmap of feature enhancements and service expansions. 

Bishop Fox is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths 
Bishop Fox scored well on a number of the decision criteria, including:

• Attack path analysis: This service moves beyond theoretical risk mapping by employing an operations team that actively exploits vulnerabilities to validate threats. The solution provides finding notifications that include a detailed walkthrough of the specific attack path utilized by the testers, allowing security teams to understand the exact mechanics of a compromise and the lateral movement possibilities within their environment.

• Automation and correlation: The platform effectively combines automated domain discovery with a curated triage workflow. It uses TLS certification allow lists generated via a human-in-the-loop process to assign validation scope accurately. This hybrid automation approach accelerates time to value by streamlining the investigation and reporting of exposed sensitive information without overwhelming users with unverified data.

• Risk scoring: Bishop Fox avoids theoretical severity metrics in favor of a manual validation process that determines risk based on post-exploitation business impact. The methodology reserves the critical classification for instances of successful compromise with scope extension or data breach, ensuring remediation teams prioritize confirmed material risks rather than hypothetical vulnerabilities.

Opportunities
Bishop Fox has room for improvement in a few decision criteria, including:

• Asset categorization: While the service categorizes standard assets like domains, IPs, and web applications, deeper customization relies heavily on manual asset tagging by the customer or the operations team. This dependency on manual input for granular grouping can create administrative overhead for organizations attempting to map complex business hierarchies or dynamic infrastructure changes.

• Asset correlation: The solution correlates assets using external signals such as registration information, DNS data, and cloud metadata but lacks native integration with internal asset repositories or CMDBs. This limitation hinders the platform's ability to automatically map external findings to internal business owners or technical contexts, often requiring manual correlation to establish clear accountability.

• Third-party risk identification: Bishop Fox approaches third-party risk through a dedicated “threat enablement & analysis” team that monitors for specific emerging threats rather than providing a continuous, automated scoring engine for a broad vendor ecosystem. Organizations requiring real-time, quantitative risk scoring across a massive supply chain may find this service-focused model less scalable than data-driven alternatives.

Purchase Considerations
Bishop Fox employs a simplified licensing model for its service, with pricing based solely on the count of external attack surface assets. This single-solution structure includes Attack Surface Discovery, Continuous Attack Surface Testing, and Emerging Threats monitoring without hidden fees for tester access or on-demand remediation testing. The inclusive managed service model provides human expert access at no additional cost, positioning it as a value-heavy option for teams needing external validation support. The solution is designed for enterprise scalability, utilizing a stateless microservices architecture that autoscales independent data and business logic streams. The service-oriented nature of the offering ensures customers receive tailored support, with technical account managers facilitating the onboarding and governance process.

Use Cases
The Bishop Fox service excels in environments where internal security teams are overwhelmed by false positives and require high-confidence, validated findings. It is particularly well suited for midsize-to-large enterprises that lack a dedicated internal red team but need continuous, expert-led adversary simulation. Financial services and healthcare organizations leverage the platform’s true positive reporting to focus strictly on exploitable vulnerabilities that pose a verified threat to sensitive data. 

Security leaders seeking to augment their exposure management programs benefit from the solution’s human-in-the-loop triage. By offloading the validation of external exposures to Bishop Fox’s operations team, internal resources can pivot from alert fatigue to remediation. The platform also serves organizations with strict regulatory requirements for continuous testing, providing an audit-ready stream of validated impact assessments rather than just vulnerability scan logs.

Bugcrowd

Solution Overview
Bugcrowd’s ASM solution leverages the company’s crowdsourced security heritage to deliver a hybrid approach to exposure management. The platform distinguishes itself by combining automated reconnaissance with human-validated intelligence, integrating its Asset View component for continuous discovery with AI Triage for noise reduction. This duality allows it to feed high-fidelity vulnerability data directly into Bugcrowd’s broader ecosystem, ensuring discovered assets are not just cataloged but actively tested against real-world threats.

The solution operates as a cloud-native SaaS platform, positioning Bugcrowd as a Platform Play that emphasizes the convergence of ASM and offensive security. By utilizing its AI Connect API layer, which is a Model Context Protocol (MCP) server, Bugcrowd facilitates deep integration with customer AI stacks, moving beyond static inventory management. 

Bugcrowd is positioned as a Challenger and Outperformer in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths
Bugcrowd scored well on a number of decision criteria, including:

• Managed triage: The solution utilizes its Vulnerability Rating Taxonomy and specific triage playbooks to standardize assessments, while the AI Triage component functions as a copilot to accelerate the handling of repetitive tasks. This human-machine synergy significantly reduces false positives compared to purely automated alternatives.

• Risk scoring: The solution’s Asset View enriches asset data with exposure levels, ownership details, and business criticality to support a real-world risk scoring framework. By tying asset information directly to crowdsourced testing outcomes and human-validated vulnerabilities, Bugcrowd provides context-aware remediation guidance that reflects actual exploitability rather than theoretical risk.

• Asset categorization: Bugcrowd enhances asset metadata with exposure status and business context, effectively eliminating blind spots such as shadow IT. The solution tracks changes in infrastructure over time, providing material improvements in stewardship compared to simple EASM inventories. This capability ensures security teams can organize assets based on their dynamic exposure profile rather than just static technical attributes.

Bugcrowd was classified as an Outperformer given its aggressive roadmap that includes the recent acquisition of Mayhem Security for dynamic SBOM capabilities and the rollout of GenAI assistants.

Opportunities
Bugcrowd has room for improvement in a few decision criteria, including:

• Internal ASM: Bugcrowd relies on API integrations with CMDB platforms to provide insight into internal assets, a method that is currently limited in its use cases. Organizations seeking a unified view of internal and external attack surfaces may find this approach less seamless than solutions with native, agent-based internal discovery capabilities, potentially creating visibility gaps for on-prem infrastructure.

• Automation and correlation: While the platform supports integration with customer AI stacks via the AI Connect API, the reliance on external MCP configurations for advanced correlation can introduce complexity. Organizations may find that achieving deep, automated correlation requires significant setup and dependence on their own AI infrastructure rather than leveraging a fully self-contained out-of-the-box engine.

• Asset correlation: Although Bugcrowd centralizes asset ingestion, it currently lacks robust attribution information to automatically map assets to their specific owners or origins. While the platform identifies connections that automated tools might miss, the absence of granular attribution data can hinder the ability to assign responsibility for remediation quickly, particularly in large, complex enterprises with decentralized IT ownership.

Purchase Considerations
Bugcrowd employs a tiered pricing structure aligned with functionality requirements, often offering cost advantages when the ASM solution is bundled with other services like bug bounties or penetration testing. The model is designed as a Platform Play that’s value increases significantly for customers who use the broader Bugcrowd ecosystem. Standalone purchases are possible, but the flexibility of the solution is maximized when integrated with the vendor's offensive security modules. The platform enables rapid time to value through an intuitive user interface and cloud-based architecture that scales effectively to enterprise levels. Discovery frequencies are set to perform vertical scanning of assets and subdomains every four hours, with horizontal discovery of customer domains occurring every 24 hours. This cadence balances depth of insight with network performance. Support is bolstered by the AI Triage system and comprehensive documentation, ensuring users can navigate the platform’s hybrid automated-human workflows effectively.

Use Cases
Bugcrowd excels in environments with highly dynamic external footprints, such as high-growth technology companies and organizations with extensive web3 or mobile application assets. The platform's ability to identify shadow IT and provide human-validated risk assessments makes it ideal for security teams that need to manage a broad and constantly shifting attack surface with limited internal headcount.

Enterprises with mature security programs benefit from Bugcrowd's integration of ASM with offensive testing. By feeding discovered asset data directly into bug bounty or pentesting engagements, these organizations can ensure their most critical exposures are not only identified but also rigorously tested by security researchers. This makes Bugcrowd a strong fit for financial services and healthcare organizations that must go beyond simple compliance-based scanning to achieve a robust security posture.

Buguard: Dark Atlas 

Solution Overview
Buguard’s Dark Atlas is an AI-driven eXtended Cyber Intelligence platform that unifies external attack surface management with dark web and digital risk monitoring for proactive defense. The Dark Atlas ASM capability fits within a broader, mature platform that emphasizes stability and consistent value delivery over time.

Buguard focuses on intelligence-led security services and products, including threat intelligence, dark web monitoring, and managed security offerings that emphasize staying one step ahead of external threats. The Dark Atlas platform extends this focus by bundling external attack surface management with digital risk protection, dark web monitoring, and cyberthreat intelligence into a single, integrated offering rather than a loose collection of point tools. 

Buguard is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar report.

Strengths
Buguard scored well on a number of decision criteria, including:

• Third-party risk identification: Buguard provides comprehensive vendor risk assessment capabilities through multiple detection methods, including DNS analysis and service dependency detection. The solution conducts attack surface scanning of vendor infrastructure and generates security posture scores based on certificate management, email security configurations, and exposed services. The continuous dark web monitoring for vendor breaches and credential leaks delivers timely intelligence for security teams, while detailed vendor security reports with risk scoring support procurement decision-making.

• Custom threat intelligence: The solution offers flexible threat intelligence integration through multiple input methods, including REST API, with support for industry standards like STIX, as well as JSON and CSV formats. Buguard effectively correlates external threat findings with internal security events, providing early warnings and enhanced context. This capability has demonstrated concrete value by improving remediation prioritization accuracy by 40-50% when compared to generic vulnerability scoring methods.

• Asset correlation: Buguard establishes relationships between assets using multiple technical indicators, including IP relationships, DNS connections, and SSL certificates. The infrastructure topology mapping and service dependency identification capabilities help security teams understand potential lateral movement paths and enable more efficient grouped remediation approaches.

Opportunities
Buguard has room for improvement in a few decision criteria, including:

• Attack path analysis: The solution may have limitations in highly dynamic cloud-native environments where infrastructure changes rapidly. Organizations with complex multicloud architectures may find that attack path visualizations require additional context to accurately reflect business-specific risk priorities beyond technical metrics.

• Automation and correlation: The correlation engine works effectively for static infrastructure but may require significant tuning in environments with high rates of change or ephemeral assets. The customizable automation workflows demand initial configuration investment and ongoing maintenance. Organizations with mature security programs might find integration with existing security tooling requires additional development effort.

• Internal ASM: The solution focuses primarily on external attack surface management with limited internal visibility. Organizations requiring comprehensive internal asset discovery will face significant gaps until the planned agent-based solution arrives in 2026. Those with complex internal networks will need to supplement with additional tools to achieve complete visibility across their environment, especially for assets not connected to cloud platforms.

Purchase Considerations
Buguard structures its licensing with a moderately transparent pricing model based on distinct metrics per module: assets and scan frequency for ASM, domains monitored for Dark Web, and integration types for CTI. The solution offers annual contracts with quarterly true-ups to accommodate asset growth, which provides some flexibility but requires ongoing commitment. The licensing approach falls between a platform and feature play, with four customizable modules (ASM, Dark Web, Brand Protection, CTI) available either separately or in discounted bundles, allowing customers to tailor purchases to specific needs without requiring full platform adoption.

The SKU structure is effectively productized with four clear service tiers (Free, Basic, Standard, Enterprise), though selecting individual modules and appropriate service levels requires careful consideration of organizational requirements. Deployment complexity appears manageable, with setup typically completed in less than one day using preconfigured workflows. The cloud-based SaaS architecture supports substantial scale, handling over 100,000 assets, suggesting suitability for organizations of varying sizes. The solution includes self-service documentation, video tutorials, and in-app help, complementing the moderate initial setup complexity.

Use Cases
Buguard excels in third-party risk management for organizations with extensive vendor ecosystems. Its solution identifies vendors through DNS analysis and API connections, performs comprehensive attack surface scanning, and monitors the dark web for employee compromised credentials and supply chain data breaches. This helps procurement teams make informed security decisions based on quantifiable vendor risk data.

Organizations with complex network infrastructures benefit from Buguard's attack path visualization capabilities. The solution maps potential compromise paths through various network entry points and lateral movement opportunities, enabling security teams to identify and remediate critical juncture assets that appear in multiple attack scenarios.

Cavelo: Cavelo360 

Solution Overview
Cavelo provides a cyber asset attack surface management (CAASM) solution that emphasizes data security posture management (DSPM) alongside traditional asset discovery. The platform uses a hybrid discovery methodology, combining a lightweight agent-based approach for endpoints with agentless API connectors for cloud environments. This dual-method strategy allows Cavelo to identify, classify, and track sensitive data across the organization while maintaining a continuous inventory of hardware and software assets. The solution distinguishes itself by integrating vulnerability management with data discovery, enabling organizations to correlate risk not just by CVE severity but by the sensitivity of the data residing on the impacted asset.

The solution operates as a SaaS platform built on Amazon EC2 architecture, designed for scalability and minimal network impact through its thin-agent design. 

Cavelo is positioned as a Challenger and Fast Mover alone in the Maturity/Feature Play quadrant of the ASM Radar chart.

Strengths
Cavelo scored well on a number of decision criteria, including:

• Internal ASM: This agent-based architecture allows organizations to perform deep internal discovery and vulnerability scanning behind firewalls without requiring dedicated appliances or complex network configurations, thereby reducing the logistical burden of securing distributed internal networks.

• Attack path analysis: The solution provides breadcrumb trail visualization and dashboard data correlation to map potential compromise routes. This capability correlates disparate risk factors such as user identity and asset vulnerability into a unified attack path visualization, enabling security teams to identify and disrupt lateral movement opportunities before they can be exploited.

• Risk scoring: Cavelo’s scoring engine takes a composite approach that incorporates exploit prediction scoring (EPS) and CVSS data alongside estimated breach costs. This financial quantification of risk, combined with contextual factors like data sensitivity, empowers organizations to prioritize remediation efforts based on potential business impact rather than technical severity alone.

Opportunities
Cavelo has room for improvement in a few decision criteria, including:

• Automation and correlation: While Cavelo employs a policy engine with predefined templates to identify anomalies, the solution relies on manual customization to fine-tune signal-to-noise ratios. This dependence on user-configured rules for environment-specific correlation may create administrative overhead for teams seeking a fully autonomous, hands-off correlation experience.

• Managed triage: Cavelo does not offer vendor-provided human expertise for risk analysis or validation. The solution’s reliance on automated analysis and customer interpretation places the operational burden of triage on internal security teams, which may create friction for organizations lacking the resources to investigate every alert manually.

• Asset correlation: The platform uses policy-driven workflows to correlate assets across its agent-based and agentless inputs. Unlike solutions that leverage advanced unsupervised ML for entity resolution, Cavelo’s approach may require manual policy configuration to alert on anomalies effectively, potentially extending the time required to achieve a unified view of complex environments.

Purchase Considerations
Cavelo employs a modular pricing model based on seat count or endpoints under management (agents or cloud users). This structure avoids complex tiering, allowing organizations to scale costs linearly with their infrastructure growth. The solution offers separate modules for data discovery and asset discovery, providing flexibility for buyers who may need only specific capabilities. Deployment is streamlined through the platform's auto-provisioning architecture and thin-agent deployment, which is designed to minimize endpoint performance degradation. The SaaS delivery model ensures updates and definitions are delivered “over the air” without disrupting user operations. The platform creates specialized reports designed for both technical teams and business executives, facilitating communication of risk posture to a board of directors.

Use Cases
Cavelo excels in environments where data visibility is as critical as asset inventory. Organizations in regulated industries, such as finance or healthcare, can leverage the platform's combined cyber asset ASM (CAASM) and DSPM capabilities to maintain continuous compliance benchmarks while monitoring for PII exposure. Mid-market enterprises with distributed workforces benefit from Cavelo’s agent-based internal ASM capabilities. The ability to turn endpoints into internal scanners allows these organizations to maintain visibility into home office networks and remote sites without deploying heavy infrastructure, ensuring consistent security posture across a hybrid environment.

CrowdStrike: Falcon Exposure Management

Solution Overview
CrowdStrike addresses the ASM market through its Falcon Exposure Management solution, which unifies internal and external visibility features to preempt adversary activity. This combination enables a continuous cycle of discovery, prioritization, and remediation, leveraging CrowdStrike’s established endpoint dominance to correlate external exposures with internal asset context and vulnerability data.

The platform operates as a cloud-native, SaaS-delivered solution centered on the lightweight Falcon agent, distinguishing it through its ability to bridge the gap between security operations and exposure management. The solution will look and feel largely the same over the contract lifecycle. CrowdStrike prioritizes stability and continuity, focusing on deepening the integration between its modules rather than radical architectural pivots. 

CrowdStrike is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
Crowdstrike scored well on a number of decision criteria, including:

• Attack path analysis: CrowdStrike creates cross-domain relationship mapping among endpoints, identities, applications, and cloud resources to visualize potential lateral movement. The solution identifies choke points that serve as critical connections between network segments, allowing security teams to overlay vulnerability data onto attack paths. This capability enables what-if scenario analysis, helping users understand how specific remediations would disrupt potential compromise routes to sensitive assets.

• Automation and correlation: The solution natively integrates with Falcon Fusion SOAR to orchestrate customized workflows and remediation actions based on discovery findings. By mapping external-facing IPs to internal assets using agent-based traffic analysis, the platform provides highly accurate correlation that reduces manual triangulation efforts for security teams.

• Risk Scoring: CrowdStrike’s ExPRT.AI scoring system analyzes over 40 risk factors, including real-time threat intelligence, adversary activity, and exploitation potential. The algorithm automatically determines asset criticality by analyzing behavior patterns and considers whether vulnerabilities are internet accessible or internally protected. This dynamic scoring approach allows organizations to prioritize remediation based on the actual likelihood of compromise rather than static severity ratings. CrowdStrike’s rapid integration of external attack surface data with its internal EDR telemetry provides a unified view of risk that accelerates decision-making.

Opportunities
Crowdstrike has room for improvement in a few decision criteria, including:

• Internal ASM: While the solution combines agent-based scanning with passive and active discovery for unmanaged devices (such as IoT), the depth of visibility and context for assets where the agent cannot be installed is less granular than for instrumented assets. This discrepancy can create varying levels of fidelity across a hybrid environment, potentially requiring additional validation for unmanaged segments.

• Third-party risk identification: While it effectively identifies risks within the immediate digital supply chain, the solution lacks the deep, multitier ecosystem mapping provided by specialized third-party risk management (TPRM) vendors. Organizations requiring extensive n-tier supply chain illumination may find the current capabilities focused more on direct connections than broader ecosystem exposure.

• Managed triage:. Unlike some dedicated ASM vendors that include native concierge triage to curate all findings within the standard subscription, CrowdStrike requires organizations to opt in to premium service tiers to offload the validation burden, potentially increasing the total cost of ownership for managed support.

Purchase Considerations
CrowdStrike’s solution employs a consumption-based licensing model, typically structured around the number of managed endpoints or assets, consistent with its broader Falcon platform pricing. As a Platform Play, the value proposition is highest for existing CrowdStrike customers who can activate Exposure Management as an additional module without deploying new infrastructure. This consolidation reduces vendor sprawl but ties the organization deeper into the CrowdStrike ecosystem.

The solution is designed for enterprise scale, leveraging the cloud-native architecture to support massive asset counts without performance degradation. Implementation is streamlined for organizations with the Falcon agent already deployed, as enabling the module requires minimal configuration. Support is tiered, with standard options supplemented by technical account managers (TAMs) for larger enterprise accounts.

Use Cases
CrowdStrike excels in EDR-centric environments where organizations seek to extend their endpoint visibility into broader exposure management. Security operations teams can leverage the unified console to correlate external exposures with internal endpoint telemetry, streamlining investigation workflows and reducing context switching. Large enterprises with hybrid infrastructures benefit from the solution's ability to bridge the gap between IT operations and security. The shared Asset Graph provides a single source of truth for asset inventory, helping IT teams identify unmanaged assets while allowing security teams to prioritize vulnerabilities based on real-time threat intelligence and asset criticality.

Cyberint (Check Point)

Solution Overview
Cyberint provides a consolidated exposure management platform that integrates EASM, digital risk protection (DRP), and threat intelligence. The solution focuses on delivering high-fidelity visibility by combining automated discovery with analyst-driven validation to minimize false positives. Its core methodology centers on the Digital Presence Triad, which correlates assets, risks, and threat intelligence to provide a contextualized view of an organization's external posture. This approach allows security teams to manage risks extending beyond their immediate perimeter, including supply chain vulnerabilities and dark web threats, within a single interface.

The platform operates as a SaaS-based solution, designed to serve as a unified command center for external threats. Cyberint distinguishes itself through its heavy emphasis on impact-based prioritization, leveraging its patented Context Filter to separate critical issues from noise. The solution will look and feel largely the same over the contract lifecycle. Cyberint prioritizes stability and consistent performance, focusing on refining its existing detection engines and managed service capabilities rather than frequent, disruptive architectural overhauls. 

Cyberint is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
Cyberint scored well on a number of decision criteria, including:

• Third-party risk identification: Cyberint’s Supply Chain Intelligence module delivers robust, real-time assessments of third-party ecosystems. The solution proactively alerts organizations to risks within their digital supply chain by continuously monitoring vendor exposure and breach history. This capability allows security teams to identify and mitigate downstream dependencies that are often invisible to traditional perimeter scans, effectively extending protection to the vendor ecosystem.

• Automation and correlation: Cyberint effectively automates the asset discovery and threat validation lifecycle by leveraging its patented Context Filter. This mechanism correlates finding data with threat intelligence to validate exposures and automatically dismiss irrelevant alerts. By reducing the noise typically associated with automated scanning, the solution ensures that security operations centers (SOCs) can focus on confirmed high-priority threats without being overwhelmed by false positives.

• Risk scoring: The solution employs a hierarchical risk scoring framework that contextualizes findings based on asset severity, posture ratings, and alert levels. By enriching risk data with the Digital Presence Triad—incorporating EPSS and known exploited vulnerabilities (KEV) data—Cyberint provides granular risk assessments. This enables organizations to prioritize remediation efforts based on the likelihood of exploitation and business impact rather than generic severity ratings. 

Opportunities
Cyberint has room for improvement in a few decision criteria, including:

• Asset categorization: Cyberint earned a capable score for asset categorization because while the platform enables custom tagging on the asset owner field, it currently lacks more granular, multidimensional tagging capabilities across the full range of asset metadata. This limitation impacts the user by constraining the flexibility needed to align assets with complex, nonlinear business structures, often requiring security teams to consolidate organizational mapping within the asset owner field rather than leveraging a diverse set of custom metadata tags.

• Asset correlation: The solution’s correlation capabilities are primarily focused on external data sorting and lack deep integration with internal asset repositories. Cyberint excludes internal attack path mapping from its visualization tools, limiting its ability to build a comprehensive asset graph that connects external exposures to internal infrastructure. This compels users to rely on separate tools to bridge the gap between external findings and internal network context.

• Managed triage: Cyberint earned a capable score for managed triage because the platform utilizes a highly automated workflow that manages the end-to-end lifecycle of alerts, including the automatic generation and closing of issues once a remediation is detected. While this provides significant operational efficiency, human analyst expertise for hands-on triage and deeper investigation is offered as a supplementary paid service rather than an inclusive platform feature. This impacts the user by requiring additional budgetary planning for organizations that need expert-led validation, potentially leaving teams that rely solely on the base subscription to manage sophisticated or nuanced threats through the platform's automated logic alone.

Purchase Considerations
Cyberint employs a transparent, volume-based pricing model that scales according to the number of digital assets. The structure is segmented into three distinct coverage levels (ASM, Digital Risk Protection, and Threat Intelligence), allowing organizations to purchase ASM capabilities independently based solely on digital asset count. This modular approach provides flexibility for buyers who may not initially require the full suite of digital risk protection services.

The solution is a Platform Play designed for enterprise-grade scalability, evidenced by its deployment across Fortune 100 environments. It leverages a SaaS delivery model that provides immediate value, with discovery engines capable of performing daily production scans and weekly nonproduction assessments. Implementation is streamlined through a high-touch support model, often involving technical account managers to assist with initial configuration. The platform’s interface is designed for ease of use, featuring contextual tool tips and AI assistance for users who ask a question about the platform. 

Use Cases
Cyberint excels in environments heavily dependent on extended supply chains, such as retail and e-commerce sectors. Its Supply Chain Intelligence module allows these organizations to monitor third-party vendors for breach indicators and exposure risks, ensuring that vulnerabilities in the partner ecosystem do not compromise the core business. Financial institutions and organizations with high-profile brand assets benefit significantly from Cyberint’s integrated digital risk protection. The solution’s ability to correlate dark web intelligence with ASM findings helps these entities identify targeted threats and brand impersonation attempts, providing a layer of defense that extends beyond technical vulnerability management.

CyCognito: Attack Surface Platform

Solution Overview
CyCognito provides a comprehensive EASM platform designed to simulate the attacker's perspective as a way to uncover blind spots. The solution performs automated black box penetration testing on all exposed assets across an organization's entire digital ecosystem, including subsidiaries, cloud environments, and third-party connections. Its methodology relies on a proprietary graph-based data model that autonomously maps organizational structures to discover assets without requiring seed data or agents. This outside-in approach is augmented by integrations with internal security tools like Armis and Wiz to correlate external findings with internal context.

The platform is delivered as a SaaS solution, emphasizing scalability and automation over manual intervention. It positions itself as an enterprise-grade platform capable of handling massive infrastructures, demonstrated by its deployment in environments with over 100 million assets. The solution will look and feel largely the same over the contract lifecycle. CyCognito prioritizes stability and continuity, ensuring its core discovery and testing engines deliver consistent, reliable performance for large-scale security operations. 

CyCognito is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
CyCognito scored well on a number of decision criteria, including:

• Attack path analysis: CyCognito maps relationships among discovered assets, exposures, and business context to visualize potential compromise routes through interactive dashboards. The solution effectively correlates external findings with internal data from platforms like Armis and Wiz, creating a unified view of external-to-internal attack paths. This integration allows security teams to prioritize remediation based on a holistic understanding of how an attacker could move from an exposed edge asset to critical internal systems.

• Automation and correlation: The platform uses a graph-based model with evidence-based attribution to normalize and resolve entity data automatically. CyCognito enriches findings with real-time exploit intelligence and correlates multiple risk dimensions (including technical severity and asset exposure) to prioritize risks dynamically. This high degree of automation reduces manual analysis overhead by ensuring vulnerability information is continuously updated and reprioritized without human intervention.

• Asset categorization: CyCognito adds over 160 unique context elements to each asset, covering technical details, security metrics, and ownership information. The solution evaluates asset discoverability and business function connections to assign metadata that directly influences risk assessment. This granular categorization, which detects compensating controls like web application firewalls (WAFs) and single sign-on (SSO), enables organizations to apply precise automated policies and workflows based on the specific business context of each asset. 

CyCognito is classified as an Outperformer thanks to its robust development of ecosystem integrations and the maturity of its automated testing engines, which have significantly enhanced its ability to deliver actionable risk insights at scale.

Opportunities
CyCognito has room for improvement in a few decision criteria, including:

• Third-party risk identification: CyCognito tracks third-party software libraries and open source components across the external attack surface, but its capabilities are limited to external exposure analysis. Unlike dedicated TPRM tools, the solution does not perform internal code dependency scanning or SBOM management. This limitation creates blind spots for organizations that require deep, internal verification of software supply chain risks beyond what is visible from the public internet.

• Risk scoring: CyCognito leverages a proprietary scoring engine that aggressively filters noise, identifying approximately 0.01% of issues as critical compared to the industry average of 1% to 3%. While effective for risk-based prioritization, this "black box" reduction may create friction for compliance-focused teams that are mandated to report and remediate all vulnerabilities above a certain CVSS threshold, regardless of immediate exploitability, necessitating manual calibration of internal workflows.

• Managed triage: The solution functions as a fully automated platform designed to operate independently of continuous human involvement. Organizations seeking a human-in-the-loop managed service to validate false positives or provide manual remediation guidance will find this capability absent. Teams must rely on their own internal resources or third-party partners to handle the triage that some competing managed ASM services provide natively.

Purchase Considerations
CyCognito employs a SaaS pricing model with modular components for ASM, Active Security Testing (AST), and exploit intelligence (EI). Costs are scaled based on the volume of assets under monitoring for the ASM module, while the AST and EI modules are priced according to active IPs and web applications. This structure favors cost transparency by decoupling pricing from organizational complexity, allowing companies to scale their coverage as their digital footprint expands. 

The solution is built for high scalability, using a globally distributed infrastructure that supports on-demand or scheduled discovery cadences. It creates an organization mapping that automatically mirrors enterprise structures, including subsidiaries and business units, which facilitates accurate chargeback and simplified management for complex conglomerates. Support is offered in tiered packages (Standard, Premium, and Premium Plus) and provides varying SLAs to match different operational requirements. Implementation is streamlined through the platform’s agentless outside-in discovery process, which does not require extensive seed data. Users can leverage features like AI Search for natural language queries and prebuilt integrations with CMDBs like ServiceNow to accelerate time to value. However, organizations should plan for the operational shift required to trust and utilize the platform's automated, low-volume critical alert output.

Use Cases
CyCognito excels in large enterprise environments that require the automated discovery and testing of massive distributed digital footprints. Organizations undergoing mergers and acquisitions can leverage the platform's ability to map subsidiaries and business units to quickly assess the cyber risk of acquisition targets without deploying agents. The solution’s outside-in perspective provides immediate visibility into the acquired entity’s security posture, enabling rapid risk integration. Security operations teams in complex conglomerates benefit from CyCognito’s granular asset categorization and attack path analysis. The platform’s ability to correlate external exposures with internal context allows teams to prioritize effectively across thousands of assets. Furthermore, its automated evidence-based attribution helps security leaders assign remediation tasks to the correct subsidiary or business unit, streamlining workflow in decentralized organizations.

CYFIRMA: DeCYFIR

Solution Overview
CYFIRMA provides a threat-led ASM solution through its DeCYFIR platform. The company distinguishes itself by fusing external attack surface management with digital risk protection and cyber intelligence, aiming to provide organizations with an outside-in view of their threat landscape. The solution centers on its ability to correlate an organization’s digital footprint with specific threat actor campaigns, moving beyond simple asset discovery to provide context-rich intelligence about potential attacks. 

Core components include the DeCYFIR platform for external threat landscape management and the DeTCT module for digital risk protection, both leveraging a combination of automated discovery and human intelligence. The platform operates as a cloud-native SaaS solution, positioning itself as a strategic tool for organizations prioritizing threat visibility alongside asset management. Its architecture integrates diverse data lakes, including surface, deep, and dark web sources, to fuel its analysis engines. The solution will look and feel different over the contract lifecycle. CYFIRMA delivers an aggressive roadmap, frequently updating its threat attribution models and correlation algorithms to adapt to the shifting adversary landscape. 

CYFIRMA is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths 
CYFIRMA scored well on a number of the decision criteria, including:

• Managed triage: CYFIRMA’s two-offering model allows organizations to consume the solution as a platform-only product or as a managed service. The latter layers human experts on top of the DeCYFIR and DeTCT modules, through which analysts validate high-severity findings, enrich alerts with specific threat intelligence, and provide detailed remediation guidance. This human-in-the-loop approach significantly reduces false positives and ensures security teams receive vetted, actionable narratives rather than raw data.

• Asset correlation: The solution employs multilayer correlation using metadata, rules, and AI/ML to link disparate digital artifacts (such as domains, networks, and technology stacks) to specific ownership and risk contexts. CYFIRMA effectively uncovers hidden connections, including shadow IT, brand abuse instances, and threat actor campaigns. This deep correlation allows users to identify inherited risks from shared infrastructure like certificates and IPs, providing a comprehensive map of the extended attack surface.

• Attack path analysis: CYFIRMA uses graph-based modeling to map asset interconnections through shared IPs, DNS hierarchies, and linked applications. The solution correlates technical vulnerabilities and misconfigurations with asset criticality to identify potential pivot points for attackers. By enriching this analysis with real-time threat intelligence on actor TTPs and exploited CVEs, DeCYFIR visualizes connections between exposures and infrastructure, continuously recalculating potential attack routes as the environment changes. 

Opportunities
CYFIRMA has room for improvement in the following decision criteria:

• Automation and correlation: CYFIRMA leverages an API-first architecture and native STIX/TAXII standards to drive autonomous remediation, earning a superior score for its interoperability. However, this open standards approach prioritizes flexibility for mature SOCs over out-of-the-box simplicity. Organizations lacking internal development resources may find that leveraging the full power of these REST APIs for orchestration requires more engineering effort than solutions offering a broader library of preconfigured, low-code connectors for legacy or niche ITSM tools.

• Internal ASM: CYFIRMA’s approach to internal asset management relies primarily on customer onboarding of IP addresses and passive identification techniques through public DNS and cloud metadata. Unlike solutions with dedicated internal sensors or agents, this passive and list-based methodology limits visibility into deep internal infrastructure that is not already leaking signals externally, potentially creating blind spots for organizations requiring comprehensive inside-out visibility.

• Risk scoring: CYFIRMA uses a transparent hackability metric that exposes complete weightage calculations and relies on open standards such as CVE, CVSS, and EPSS, earning a superior score for its clarity. However, the high fidelity of this dynamic scoring model, which continuously adapts to real-time threat intelligence, can introduce operational complexity for teams accustomed to static assessments. Organizations may find that risk scores fluctuate based on external adversary behavior rather than internal changes alone, requiring a shift in operational processes to accommodate a threat-centric rather than a purely schedule-based remediation cadence.

Purchase Considerations
CYFIRMA’s solution is typically purchased as a subscription service, with pricing often structured around the scope of the attack surface, such as the number of domains, IPs, or digital assets being monitored. The transparency of the two-offering model (platform versus managed service) is a key consideration for buyers. Organizations with smaller security teams may find the managed service tier essential for handling triage, while mature SOCs might opt for the platform-only access to integrate raw intelligence into their existing workflows. 

As a Platform Play, DeCYFIR aggregates multiple capabilities (ASM, digital risk protection, and cyber intelligence) into a unified interface. This consolidation offers significant value for enterprises looking to reduce tool sprawl. Implementation is generally streamlined due to the SaaS nature of the product, with the ability to begin discovery immediately upon inputting root domains. The inclusion of technical account management in higher tiers or the managed service package ensures customers can align the platform's threat attribution capabilities with their specific industry risks.

Use Cases
CYFIRMA excels in environments where understanding who is attacking is as important as knowing what is vulnerable. Financial institutions and critical infrastructure providers can leverage the solution's deep threat intelligence integration to prioritize remediation based on active threat actor campaigns targeting their specific vertical. The ability to correlate external signals with specific adversaries allows these organizations to move from reactive patching to proactive defense. 

The solution is also well suited for organizations managing complex supply chains. DeCYFIR’s ability to map vendor assets and correlate them with dark web leakage allows security teams to monitor third-party risk proactively. By identifying leaked credentials or data from suppliers before they are used in an attack, organizations can mitigate third-party breaches more effectively than with traditional questionnaire-based assessments.

Cymulate

Solution Overview
Cymulate provides a comprehensive exposure management and security validation platform that integrates ASM with Exposure Validation. The solution focuses on validating security controls and exposures through a continuous, automated approach that goes beyond passive discovery. Core components include Exposure Validation, Exposure Prioritization, Attack Path Discovery, and Automated Mitigation, which work in concert to identify, validate, and prioritize risks based on actual exploitability rather than theoretical severity. 

The platform operates as a SaaS solution with a unified agent architecture for internal and cloud environments, positioning it as a robust tool for enterprises requiring validated risk insights. Cymulate prioritizes stability and continuity, offering a consistent environment for long-term security program management. The solution will look and feel largely the same over the contract lifecycle, as the company focuses on deepening existing integration and validation capabilities. 

Cymulate is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
Cymulate scored well on a number of the decision criteria, including:

• Third-party risk identification: The solution provides continuous assessment of vendor ecosystems, including subsidiary scoring and specific vendor mitigation recommendations, enabling organizations to effectively manage supply chain risk beyond simple questionnaires.

• Asset correlation: Cymulate leverages its unified attack path mapping and analysis (UAPMA) capabilities to deliver enhanced correlation across multicloud and hybrid environments. The solution integrates data from EASM, cloud platforms, network devices, and Active Directory to create comprehensive relationship visualizations. This approach allows security teams to understand the context and interconnectivity of assets, facilitating more accurate risk profiling.

• Risk scoring: The solution’s validated scoring methodology distinguishes it by stacking threat intelligence, business impact, asset tiers, and, crucially, control efficacy. By incorporating the results of active simulations, Cymulate generates risk scores that reflect true exposure. The integration of the AI Copilot Attack Planner allows the system to dynamically create and customize assessments based on real-time intelligence and natural language queries, ensuring scoring remains relevant to the current threat landscape.

Opportunities
Cymulate has room for improvement in the following decision criteria:

• Attack path analysis: While Cymulate automates offensive testing to map paths to crown jewels, its approach relies heavily on active validation and the UAPMA integration. This methodology, though effective for confirming specific vectors, may lack the continuous, passive graph-based visibility of all theoretical attack paths that purely API-driven EASM leaders provide, potentially limiting the scope of analysis for organizations seeking an always-on view of the entire theoretical surface without active testing.

• Automation and correlation: Cymulate utilizes its AI Copilot for attack planning and insight generation, but broader automation capabilities are focused primarily on the validation phase of the exposure lifecycle. Organizations may find that the solution prioritizes automating the testing and prioritization of risks over the end-to-end orchestration of remediation workflows, often requiring additional integrations with ticketing or SOAR platforms to close the loop on identified issues.

• Internal ASM: The solution employs a unified agent for data collection and testing across on-prem and cloud environments. While this ensures deep visibility for simulation purposes, the reliance on agent-based architecture creates deployment and maintenance friction compared to agentless, API-first alternatives. This requirement may present a barrier for organizations seeking rapid, low-overhead internal discovery and monitoring.

Purchase Considerations
Cymulate’s pricing model typically follows a tiered subscription structure based on the number of assets or specific modules purchased, such as EASM, BAS, or continuous automated red teaming (CART). This modular approach allows organizations to start with specific capabilities and scale into a full Platform Play. The solution is designed as a comprehensive exposure management platform, offering significant flexibility through custom attack chaining (with over 100,000 actions) and MSSP multitenancy support. The platform targets midsize-to-large enterprises and MSSPs, supporting hybrid and multicloud environments through its SaaS interface and agent-based collectors. Deployment involves installing the unified agent for internal visibility, while external assessments can begin immediately upon domain input. The inclusion of the AI Copilot helps reduce the learning curve by assisting with scenario customization and insight interpretation, accelerating time to value for security teams.

Use Cases
Cymulate excels in environments that require continuous security validation alongside discovery. Financial institutions and high-security enterprises can leverage the platform’s combination of EASM and Exposure Validation to not only find exposures but also empirically test their existing controls against them, ensuring theoretical risks are prioritized based on validated exploitability. The solution is also well suited for organizations managing complex third-party ecosystems. Security teams can use Cymulate’s robust third-party risk identification and subsidiary scoring to monitor supply chain exposures continuously. By correlating external findings with internal context via UAPMA, organizations can gain a unified view of risk that spans their entire digital footprint, from external vendors to internal critical assets.

Data443: TacitRed

Solution Overview
Data443 entered the ASM market with TacitRed, which it acquired in June 2025 from Cogility Software. The solution focuses on continuous outside-in discovery and monitoring, leveraging a unique approach to correlate assets with threat intelligence. By utilizing a patented hierarchical complex event processing (HCEP) engine, TacitRed aims to automate the detection of active threats and prioritize them based on their stage in the kill chain rather than relying solely on static vulnerability severity. All of this is fed with high-velocity Netflow captures at major xSP interconnects around the world.

The platform is a SaaS offering designed for rapid deployment with minimal configuration. Data443 positions itself as an innovator, leveraging its background in complex event processing to deliver high-fidelity signals. The solution will look and feel different over the contract lifecycle. Data443 delivers an aggressive roadmap focused on enhancing its predictive capabilities and integrations. 

Data443 is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the ASM Radar chart.

Strengths
Data443 scored well on a number of decision criteria, including:

• Third-party risk identification: TacitRed extends its monitoring capabilities beyond the immediate organization to include partners, subsidiaries, and suppliers. This allows security teams to identify and address risks within their digital supply chain without requiring invasive access to third-party networks, fostering collaborative risk reduction.

• Risk scoring: The solution goes beyond standard CVSS scoring by analyzing attacker movement through kill chain stages. By incorporating the Digital Presence Triad approach and enriching data with EPSS and KEV feeds, TacitRed prioritizes active threats, enabling teams to focus remediation efforts on exposures that are currently being exploited or show signs of imminent compromise.

• Attack path analysis: Data443 provides visualization of attack surface risks through a chronological attack chain map. This feature correlates threat intelligence with asset data to illustrate the progression of a potential compromise, offering security analysts contextual insights into how an adversary might traverse the environment.

Opportunities
Data443 has room for improvement in a few decision criteria, including:

• Automation and correlation: While the HCEP engine automates the correlation of telemetry, the solution lacks the explicit advanced orchestration capabilities or GenAI automation found in some competing platforms. This limitation may require organizations to rely on external security orchestration, automation, and response (SOAR) tools or manual processes for complex remediation workflows.

• Internal ASM: Data443’s approach relies on inferring internal compromise by correlating external threat intelligence and malware infrastructure signals from an adversary’s perspective. This inference-based methodology lacks the direct visibility provided by internal agents or API integrations, potentially leaving blind spots regarding risks that do not yet manifest valid external signals.

• Asset correlation: The solution’s ability to correlate threat intelligence with organizational assets is primarily focused on external data points. Without deep integration into internal CMDBs or directory services, the platform may struggle to map external findings to specific internal business owners or critical business processes, limiting the contextual richness needed for rapid stakeholder alignment.

Purchase Considerations
Data443 employs a tiered subscription pricing model with four distinct levels: Essentials, Advanced, Professional, and Enterprise. The structure is designed to accommodate organizations of varying sizes and complexities, with the Enterprise tier including dedicated analyst support. A 30-day free trial of the Essentials tier allows prospective buyers to evaluate the solution's discovery capabilities before committing.

Deployment is streamlined through the Attack Surface Explorer interface, which requires minimal configuration to begin generating insights. While the solution offers API integrations for data access, it focuses on a standardized reporting approach designed for portfolio visibility rather than highly customizable frameworks.

Use Cases
TacitRed is well suited for organizations managing complex portfolios, such as private equity firms or enterprises with numerous subsidiaries. Its ability to monitor third-party entities and subsidiaries without intrusive deployment makes it effective for M&A due diligence and ongoing portfolio risk management.

The solution also serves organizations looking for a set-and-forget external monitoring tool. By prioritizing active threats through its HCEP engine, TacitRed helps security teams with limited resources focus on high-priority issues without being overwhelmed by low-fidelity alerts.

Detectify: Surface Monitoring

Solution Overview
Detectify offers a specialized EASM solution that is deeply rooted in its heritage of ethical hacking and dynamic application security testing (DAST). The platform, Surface Monitoring, focuses on the continuous discovery and surveillance of internet-facing assets, utilizing a unique payload-based testing methodology. This approach leverages crowdsourced intelligence from a global community of ethical hackers alongside its AI Alfred engine, which automates the creation of security tests and integrates real-world threat actor intelligence to prioritize vulnerabilities and misconfigurations. The solution is designed to bridge the gap between broad attack surface visibility and deep application security testing, providing a streamlined workflow for identifying and remediating risks across web applications and cloud infrastructure.

The solution operates as a pure SaaS solution, emphasizing ease of use and rapid deployment without the need for agents. Detectify is positioned as a Feature Play, targeting organizations that require high-fidelity application security insights rather than broad, generalist IT asset management. The solution will look and feel different over the contract lifecycle, as Detectify delivers an aggressive roadmap centered on enhancing automated triage and expanding its classification capabilities. 

Detectify is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the ASM Radar chart.

Strengths
Detectify scored well on a number of the decision criteria, including:

• Asset correlation: Detectify utilizes its specialized Asset Classification engine to auto-analyze discovered web assets using attacker reconnaissance signals. By correlating data points such as libraries, form structures, and header configurations, the solution categorizes assets into distinct classes, including rich web apps, basic apps, and APIs. This granular correlation enables the platform to provide intelligent scan recommendations, ensuring DAST coverage is optimized for the specific technical composition of each asset.

• Third-party risk identification: The solution leverages its robust DAST scanning capabilities to identify third-party risk at the component level. Instead of relying solely on passive vendor scoring, Detectify actively scans web applications and APIs to detect the usage of vulnerable third-party software, such as outdated libraries and exposed headers. This approach provides teams with actionable evidence of exposure within their software supply chain, validating the actual presence of exploitable third-party elements on their attack surface.

• Internal ASM: Detectify extends its visibility beyond the external perimeter through dedicated cloud connectors for major providers like AWS, Azure, and GCP. These integrations allow the solution to enumerate internal assets and identify known CVEs and misconfigurations within the cloud environment. By bridging external discovery with internal cloud inventory data, Detectify provides security teams with a more unified view of their exposure across hybrid infrastructures.

Opportunities
Detectify has room for improvement in the following decision criteria:

• Attack path analysis: Detectify’s visualization capabilities are currently centered on providing a network graph with supplementary connected data details. While this illustrates asset relationships and highlights vulnerable connections, the solution lacks the depth of full attack flow diagrams or multistage compromise simulations found in broader platform offerings. This limitation may hinder teams trying to model complex lateral movement scenarios or validate specific attack chains beyond the initial entry point.

• Automation and correlation: The solution does not include native automation and correlation features such as SOAR capabilities or cross-tool event correlation. Detectify relies on external integrations to handle remediation workflows and broader security orchestration. Organizations seeking a self-contained platform to automate complex response actions or correlate findings with disparate security telemetry may find this lack of native automation creates additional reliance on third-party tools.

• Asset categorization: Detectify’s categorization framework is heavily optimized for web assets, such as applications and APIs, using characteristics like attacker reconnaissance signals. However, this niche focus can present challenges for organizations with diverse infrastructure that includes non-web assets, such as OT or proprietary network devices. The solution’s grouping rules, while customizable, may require manual effort to adapt to complex organizational structures that fall outside the domain-based, web-centric model.

Purchase Considerations
Detectify employs a transparent tiered pricing model based on the volume of assets monitored. Costs are determined by the number of domains for the Surface Monitoring (ASM) component and per target for deep DAST and API scanning. This structure allows organizations to scale their coverage based on their specific attack surface size, with active domain cleanup features helping to optimize billing by removing irrelevant assets. The pricing focuses on relevant coverage rather than a per-seat license, making it accessible for teams of varying sizes.

The solution is designed for rapid time to value, with an agentless SaaS deployment that can begin mapping assets and providing insights within minutes of inputting a root domain or connecting a cloud account. Implementation is streamlined through automated onboarding, and the platform’s high-fidelity testing significantly reduces triage noise. Support options include automated vulnerability review powered by the internal research team, with enterprise customers gaining access to optional sales engineer reviews for complex environments.

Use Cases
Detectify excels in environments driven by centralized application security (AppSec) teams that require continuous, high-accuracy vulnerability monitoring. Its ability to classify web apps and APIs makes it ideal for digital-native organizations and software companies that need to secure rapid development cycles. The platform’s integration of ethical hacker payloads ensures these teams receive validated, actionable findings without the fatigue of high false-positive rates.

Startups and mid-market enterprises with cloud-heavy infrastructure also benefit significantly from Detectify’s cloud connectors and ease of use. The solution’s focus on web assets and immediate scan recommendations helps these organizations maintain a secure posture during rapid growth phases. By automating the discovery of third-party libraries and misconfigurations, Detectify enables smaller security teams to manage supply chain risks effectively without requiring extensive manual resources.

FireCompass

Solution Overview
FireCompass positions itself as a converged platform in the ASM market, unifying EASM, CART, and penetration testing as a service (PTaaS). The solution distinguishes itself by moving beyond simple asset discovery to include active testing and validation, leveraging a multistage attack simulation engine and a new agentic AI interface that autonomously interprets user intent to craft and execute end-to-end reconnaissance and red teaming strategies. Core components include continuous internet-wide scanning, automated playbooks for exploit validation, and a managed service layer that verifies findings to reduce alert fatigue.

The platform operates as a pure SaaS delivery model, designed to scale effortlessly for large, distributed enterprises. FireCompass’s strategy focuses on the integration of automated discovery with human expertise, positioning the tool as not just an inventory system but a proactive exposure management engine. The solution will look and feel largely the same over the contract lifecycle. FireCompass prioritizes stability and continuity, focusing on consistent performance and gradual enhancements to its core testing engines rather than disruptive pivots. 

FireCompass is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
FireCompass scored well on a number of the decision criteria, including:

• Managed triage: FireCompass employs a robust expert-in-the-loop validation model that significantly reduces the operational burden on security teams. By integrating PTaaS directly into the workflow, the solution ensures escalated issues are verified by human analysts, effectively providing a guarantee against false positives and allowing internal teams to focus solely on confirmed high-priority threats.

• Asset Categorization: The solution excels in organizing the attack surface with granular detail, automatically classifying assets by cloud provider, API type, and service function. This deep categorization framework incorporates business context, enabling organizations to prioritize remediation efforts based on the actual criticality of the asset rather than just technical severity.

• Asset correlation: FireCompass utilizes a unified dashboard to effectively map disparate internet assets to their respective cloud providers and owners. The solution’s correlation engine links findings across discovery and testing modules, providing a cohesive view of the attack surface that helps security teams understand the relationship between exposed assets and potential attack paths.

Opportunities
FireCompass has room for improvement in the following decision criteria:

• Internal ASM: FireCompass is heavily weighted toward external and SaaS delivery models. While it offers comprehensive visibility into the internet-facing attack surface, the solution currently demonstrates limited evidence of deep, on-prem internal discovery parity, potentially requiring organizations to maintain separate tools for internal network visibility.

• Risk scoring: This solution follows a relatively standard methodology. Organizations requiring highly bespoke risk algorithms or advanced, AI-driven predictive analytics may find the current model lacks the granular customizability found in specialized risk management platforms.

• Third-party risk identification: While the solution effectively identifies third-party assets within a customer's immediate ecosystem, deeper supply chain mapping remains a roadmap item. This current limitation means that organizations seeking multitier visibility into their vendors' vendors may face gaps in assessing fourth-party risk exposure without supplementary intelligence sources.

Purchase Considerations
FireCompass employs a straightforward pricing model based on a per-asset subscription, ensuring cost transparency with no hidden fees for additional modules or users. This simple structure aligns well with enterprise procurement preferences, allowing organizations to predict costs accurately as their attack surface expands. As a Platform Play, the solution consolidates over seven distinct use cases, including EASM, CART, and PTaaS, into a single license, offering significant value consolidation for buyers looking to replace multiple point solutions.

The platform is designed for high scalability and has been deployed in large enterprise environments supporting hundreds of thousands of assets. It operates on a standard 24-hour discovery cycle but supports event-driven scans to detect zero-day threats rapidly, ensuring coverage aligns with the speed of the threat landscape. Implementation is typically low-friction due to the SaaS architecture, with the managed triage service accelerating time to value by delivering actionable insights almost immediately upon deployment.

Use Cases
FireCompass excels in environments that demand continuous active validation of their security posture. Large enterprises with complex, distributed infrastructure can leverage the combined EASM and CART capabilities to not only find assets but actively test them against ransomware and lateral movement playbooks, effectively simulating a persistent red team engagement at scale. Organizations with lean security operations centers benefit significantly from the expert-in-the-loop service. By offloading the initial triage and validation of alerts to FireCompass’s managed analysts, these teams can bypass the noise of raw scanning data and dedicate their limited resources to remediation and strategic defense improvements.

Fortinet: FortiRecon, Fortinet’s Digital Risk Protection Service*

Solution Overview
Fortinet enters the ASM market with FortiRecon, a SaaS-based DRP service that combines EASM, Brand Protection (BHP), and Adversary Centric Intelligence (ACI) into a unified offering. The solution focuses on providing outside-in visibility to identify enterprise risks before they can be exploited. FortiRecon leverages FortiGuard Labs’ global threat intelligence to enrich findings, offering a distinct advantage in correlating observed exposures with active threat actor campaigns. Its methodology relies on a combination of autonomous discovery and curated intelligence, allowing organizations to monitor their digital footprint, including open, deep, and dark web sources.

The platform is architected as a cloud-native SaaS solution but is deeply integrated into the broader Fortinet Security Fabric, distinguishing it from standalone ASM players. This positioning allows for seamless interoperability with on-prem and cloud-based enforcement points, such as FortiGate firewalls and FortiSOAR. Fortinet prioritizes stability and continuity, ensuring that the solution remains a consistent and reliable component of a broader security ecosystem. 

Fortinet is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
Fortinet scored well on a number of the decision criteria, including:

• Automation and correlation: Fortinet demonstrates robust automation capabilities through its exceptional integration with the Fortinet Security Fabric and FortiSOAR. This integration enables the automated triggering of playbooks and response actions directly from ASM findings, significantly reducing the time to remediation. By correlating external exposure data with internal security telemetry, the solution effectively filters noise and streamlines incident response workflows without requiring complex third-party connectors.

• Internal ASM: Fortinet addresses the internal attack surface through a dedicated internal attack surface management (IASM) module. This capability utilizes lightweight, containerized scanners that can be deployed within the customer's infrastructure to discover and assess assets behind the firewall. This approach provides deep visibility into internal networks, ensuring the same rigor applied to external assets is extended to the internal environment, a critical feature for hybrid architectures.

• Risk scoring: The platform utilizes an advanced risk scoring mechanism that goes beyond static severity ratings. It combines standard CVSS scores with proprietary threat intelligence from FortiGuard Labs and real-time active exploitation data. This multifaceted approach allows security teams to prioritize remediation efforts based on the actual likelihood of exploitation rather than theoretical risk, ensuring resources are focused on the most critical exposures.

Opportunities
Fortinet has room for improvement in the following decision criteria:

• Attack path analysis: While FortiRecon maps findings to the MITRE ATT&CK framework to provide context on potential adversary tactics, it lacks a dynamic visual attack graph. The absence of interactive visualization tools limits the ability of analysts to intuitively explore complex attack chains or simulate lateral movement paths, making it harder to communicate risk context to nontechnical stakeholders.

• Managed triage: The solution’s approach to triage is bifurcated. While it offers managed takedowns for its Brand Protection module, the EASM component relies primarily on automated prioritization. This places the burden of validating and triaging technical vulnerabilities on the customer's security team, which may create resource constraints for organizations expecting a fully managed service experience across all modules.

• Third-party risk identification: Fortinet manages third-party risk primarily through a watchlist approach rather than global internet attribution. This requires customers to pre-identify and list their vendors for monitoring rather than the system automatically discovering and attributing third-party relationships. This limitation can leave organizations blind to risks emerging from unknown or shadow fourth-party connections that are not explicitly defined in the watchlist.

Purchase Considerations
Fortinet employs a tiered, asset-based subscription model for FortiRecon, which is typical for the market. The pricing is structured around the volume of assets (such as domains and IPs) being monitored, providing cost transparency for buyers. The solution is positioned as a Platform Play, bundling EASM, brand protection, and threat intelligence capabilities. This bundling offers significant value for organizations already invested in the Fortinet ecosystem but may introduce unnecessary overhead for buyers seeking a standalone, best-of-breed EASM tool.

Deployment is streamlined due to the SaaS architecture, with immediate access to the portal upon provisioning. However, the full value of the Security Fabric integration requires existing investment in Fortinet hardware or software (like FortiGate or FortiSOAR), which may be a barrier for non-Fortinet shops. Support is delivered through Fortinet’s global support infrastructure, with options for technical account management for larger enterprise deployments.

Use Cases
FortiRecon is an ideal fit for existing Fortinet customers, particularly large enterprises and MSSPs, who can leverage the Security Fabric for automated response. SOCs benefit from the seamless ingestion of high-fidelity alerts into FortiSOAR, allowing for automated mitigation of discovered risks without manual intervention.

The solution is also well suited for organizations requiring robust brand protection alongside technical ASM. Retail and financial services sectors, which face high risks of domain spoofing and phishing, can utilize the Brand Protection module’s managed takedown services to mitigate external threats while simultaneously monitoring their technical infrastructure for vulnerabilities.

Forward Networks

Solution Overview
Forward Networks delivers a distinct ASM capability through its network digital twin technology, which focuses on mathematical modeling rather than traditional external scanning. Unlike market peers that operate outside-in, Forward Enterprise ingests configuration, state, and routing data from network devices and cloud environments to construct a mathematically accurate behavioral model of the infrastructure. This inside-out architecture enables deterministic analysis of reachability and security posture, positioning the platform as a single source of truth that bridges the operational gap between SecOps and NetOps.

The solution is architected as a comprehensive platform supporting hybrid multicloud environments, with deployment options ranging from SaaS to robust on-prem virtual appliances. This flexibility is critical for its primary client base of large global enterprises and federal agencies, for which network opacity and strict data controls are primary risk drivers. Forward Networks prioritizes an aggressive innovation strategy, consistently releasing advanced features like the Network Query Engine (NQE) and AI Assist to redefine how organizations interact with complex network data.

Forward Networks is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths
Forward Networks scored well on a number of the decision criteria, including:

• Internal ASM: Forward Networks defines the standard for this capability by modeling the entire internal infrastructure, including data centers, campus LANs, and SD-WANs, with a depth of execution that matches or exceeds traditional external ASM. The platform creates a digital twin that detects segmentation violations and lateral movement paths within the "soft underbelly" of the network, providing east-west visibility that external scanners cannot achieve.

• Attack path analysis: The platform leverages a blast radius capability that deterministically maps every possible packet path from a compromised host using header space analysis rather than static graph databases. This feature allows security teams to simulate a compromise and instantly visualize the cone of influence, validating whether a theoretical attack path is mathematically possible given current ACLs, NAT rules, and routing protocols.

• Asset categorization: The proprietary Network Query Engine (NQE) enables exceptional flexibility, allowing users to analyze assets based on any attribute found in the configuration or state data using SQL-like queries. This capability transforms the infrastructure into a queryable database where assets can be dynamically tagged and grouped by business unit, owner, or cloud context (for example, AWS VPCs or Security Groups) without relying on rigid, predefined buckets.

Opportunities
Forward Networks has room for improvement in the following decision criteria:

• Third-party risk identification: Forward Networks identifies third-party risk primarily through the detection of unapproved hardware vendors (via OUI lookups) and supply chain checks for unsupported software versions rather than external attribution of vendor ecosystems. While it effectively secures the immediate physical supply chain, the platform typically does not perform nth party discovery of a vendor's broader digital footprint or assess the risk of unconnected SaaS tenants.

• Risk scoring: The solution prioritizes vulnerabilities based on proven reachability, but it relies on integrating base risk scores from partners like Tenable and Rapid7 rather than generating a wholly proprietary risk metric. While the platform adds critical context (downgrading critical CVEs if they are mathematically unreachable), it functions more as a context engine for existing scores than a standalone risk-rating agency.

• Asset correlation: While Forward Enterprise excels at correlating assets across hybrid cloud and on-prem domains into a single cohesive model, the platform creates a unified graph for internal stakeholders but does not fully support multitenancy models by which external partners can independently view and manage only their specific assets.

Purchase Considerations
Forward Networks employs a subscription-based pricing model typically structured around the scale of the network (number of devices or assets) rather than data volume. This approach provides predictability for large enterprises but lacks the public transparency found with some SaaS-first competitors, often requiring "contact us" engagement for detailed quotes. The solution is a Platform Play, meaning buyers are investing in a foundational network operating system that supports multiple use cases beyond ASM, including compliance, change management, and troubleshooting.

The solution is explicitly designed for scale, supporting networks with 50,000 network devices without performance degradation due to its distributed collector architecture and offline digital twin processing. Implementation is streamlined for large environments through the NQE, which normalizes data across dozens of vendors (like Cisco, Juniper, AWS, Azure), allowing teams to treat infrastructure as code immediately upon ingestion. Support options include technical account managers and standard enterprise support, though a managed triage service is not a core offering.

Use Cases
Forward Networks excels in complex, large-scale enterprise and federal environments where inside-out visibility is critical for securing hybrid architectures. Federal agencies leverage the platform's robust on-prem deployment options and digital twin modeling to maintain strict compliance with segmentation policies in air-gapped networks. SecOps teams benefit from the platform's blast radius identification, which allows them to prioritize remediation efforts by focusing only on vulnerabilities that are reachable from untrusted zones. NetOps teams simultaneously use the platform for automated change verification and outage prevention, consolidating multiple operational tools into a single source of truth.

Google Cloud: Mandiant Attack Surface Management*

Solution Overview
Mandiant Attack Surface Management, now a foundational component of Google Cloud, delivers an EASM solution centered on operationalizing the "adversary’s view" of the enterprise. The solution moves beyond static inventory checks by utilizing recursive discovery engines that begin with minimal seed data to map the extended enterprise from the outside in, identifying shadow IT and unknown assets. A primary differentiator is the deep integration of frontline threat intelligence and "active validation," a capability that employs benign payloads to safely simulate attacker behavior and confirm the exploitability of discovered vulnerabilities.

The platform operates as a SaaS-based reconnaissance engine within the broader Google Cloud Security stack, feeding telemetry into Google Security Operations and leveraging the massive scale of Google’s internet visibility. While it functions as a standalone EASM module, its strategic value is maximized when integrated with the Google ecosystem, creating a unified risk to remediation pipeline. The solution will look and feel largely the same over the contract lifecycle. Google Cloud prioritizes stability and continuity, focusing on refining its detection fidelity and integration depth rather than radically altering its core architecture.

Google Cloud is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
Google Cloud scored well on a number of the decision criteria, including:

• Risk scoring: The solution leverages its proprietary Google Threat Intelligence (GTI) score, which differs fundamentally from standard CVSS-based models by incorporating exploitation status and real-world threat actor activity. The scoring engine uses active asset checks to validate the presence of specific vulnerabilities using benign payloads, allowing organizations to prioritize confirmed risks over theoretical exposures and significantly reducing alert fatigue.

• Managed triage: The solution offers exceptional noise reduction through its Managed Digital Threat Monitoring service, whereby human analysts actively triage alerts derived from the open, deep, and dark web. This expert-in-the-loop approach ensures critical alerts regarding credential leaks or brand threats are validated before reaching the customer, effectively delivering a zero false positive experience for escalated issues.

• Automation and correlation: The platform excels at workflow orchestration through robust, bidirectional integrations with major ITSM and SOAR platforms, including ServiceNow, Splunk, and Google Security Operations. Its automated defense capabilities utilize ML to triage alerts and trigger downstream playbooks, ensuring ASM findings are seamlessly routed to remediation teams without manual intervention.

Opportunities
Google Cloud has room for improvement in the following decision criteria:

• Internal ASM: The solution is fundamentally architected as an external reconnaissance tool and lacks a dedicated physical or virtual appliance for deep on-prem internal scanning comparable to legacy vulnerability management vendors. Organizations seeking a unified view of air-gapped or non-internet-facing assets must rely on API integrations with other tools or Google Chronicle rather than native discovery sensors, creating potential visibility gaps for purely internal estates.

• Attack path analysis: While the solution provides a discovery context visualizer to map external infrastructure relationships, it lacks the deep, graph-based lateral movement analysis found in specialized attack path management tools. The platform focuses on entry node analysis but does not natively visualize complex, multi-hop internal attack chains or choke points without broader platform integrations.

• Third-party risk identification: Mandiant Attack Surface Management allows the monitoring of key vendors via curated collections, but it is more capable than exceptional regarding nth party discovery. The solution effectively attributes assets to immediate partners but does not provide the open-ended, recursive mapping of a vendor’s entire supply chain ecosystem that specialized third-party risk management platforms offer, requiring users to manually define scope for deeper partner assessments.

Purchase Considerations
Mandiant typically employs a quote-based pricing model that varies based on asset volume and specific service modules, which can be less transparent than flat-rate SaaS subscriptions. The licensing structure often bundles ASM with other Mandiant Advantage or Google Cloud security offerings, meaning buyers must carefully scope their active asset counts to avoid unpredictability in dynamic environments. The solution supports outcome-based discovery workflows, allowing organizations to tailor the depth and frequency of scans to managing costs.

The platform is designed for enterprise scalability, leveraging Google’s cloud-native infrastructure to handle massive attack surfaces without performance degradation. Implementation is streamlined through a seed-based discovery process, accepting domains, ASNs, or netblocks, which enables rapid time to value without the deployment of agents. The solution is best utilized as a Platform Play because its value increases significantly when adopted alongside Google Security Command Center and Chronicle for a unified security operations experience.

Use Case
Mandiant Attack Surface Management excels in M&A scenarios, in which its agentless, outside-in discovery engine allows security teams to rapidly assess a target entity’s risk posture without requiring access credentials or IT cooperation. This capability enables stealthy due diligence and immediate identification of shadow IT risks prior to integration.

Organizations heavily invested in the Google Cloud ecosystem benefit significantly from the solution’s native integration, using it to feed external telemetry directly into Google Security Operations for comprehensive threat detection. Additionally, enterprises prioritizing threat-centric defense over compliance checklists are ideal candidates, as the platform’s active validation features allow teams to focus strictly on confirmed, exploitable exposures that are currently targeted by adversaries.

Group-IB: Attack Surface Management

Solution Overview
Group-IB approaches the ASM market with an adversary-centric philosophy, leveraging its heritage in cybercrime investigation to prioritize exposure based on real-world threat actor intent rather than theoretical severity. The solution, a core module of the Unified Risk Platform, operates on an agentless, SaaS-based architecture that replicates the reconnaissance phase of an attack. Core components include a high-frequency discovery engine that recursively maps assets using digital breadcrumbs and an integrated threat intelligence data lake that enriches findings with dark web signals, malware logs, and botnet activity. This integration allows for dynamic risk scoring that escalates issues based on active exploitation probability, effectively filtering noise for security operations teams.

The solution will look and feel different over the contract lifecycle. Group-IB delivers an aggressive roadmap characterized by rapid integration of emerging threat vectors and expanded capabilities in graph-based visualization and supply chain mapping. Its architecture is designed to police the public-facing edge, providing an outside-in view that complements internal vulnerability management programs. 

Group-IB is positioned as a Challenger and Forward Mover in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths
Group-IB scored well on a number of the decision criteria, including:

• Asset correlation: Group-IB utilizes a sophisticated multilayer correlation engine that links disparate digital footprints (domains, networks, SSL certificates, and ownership records) into a unified graph. This capability extends beyond simple inventory listing. The solution employs recursive mapping logic and "detective" algorithms to uncover hidden relationships among subsidiaries, shadow IT, and forgotten infrastructure. By visualizing these connections, the platform effectively maps the blast radius of potential compromises, showing how seemingly isolated assets connect back to critical corporate infrastructure.

• Asset categorization: The solution employs automated, AI-driven classification to organize the attack surface into granular technical and business-logic categories. Beyond basic technical bucketing (such as cloud provider, service type), Group-IB’s engine fingerprints underlying technology stacks and maps assets to specific business units or owners. This categorization is enriched by the Unified Risk Platform’s intelligence, allowing security teams to filter assets not just by type but by threat reality, such as distinguishing between a standard server and a high-value payment gateway or a phishing site impersonating the brand.

• Third-party risk identification: Group-IB demonstrates exceptional capability in nth party discovery and supply chain mapping. The solution allows organizations to point the ASM engine at vendors and partners, generating an outside-in audit that attributes internet assets to specific service providers or subsidiaries. This includes the detection of toxic combinations for which third-party data leaks or compromised credentials found on the dark web are correlated back to the customer’s supply chain, providing early warning of vendor-originated risks.

Opportunities
Group-IB has room for improvement in the following decision criteria:

• Attack path analysis: While Group-IB provides graph-based visualizations of asset connections, its current capability focuses primarily on immediate infrastructure relationships rather than simulating complex, multi-hop kill chains. The solution effectively maps the external perimeter but lacks the autonomous, real-time attack chaining found in some competitor platforms that validate the full route from external entry to internal crown jewels. This limitation means users may see the connection but not necessarily the validated exploit path an attacker would take to traverse it.

• Internal ASM: Group-IB’s ASM module is fundamentally architected as an EASM tool, focusing on the hacker's eye view of the public internet. It lacks parity with dedicated internal ASM solutions that deploy appliances to map non-internet-facing assets deep within the corporate network. Organizations requiring a unified view of both external and internal assets (for example, for PCI DSS compliance on internal subnets) must rely on separate tools or integrations rather than a native Group-IB scanner for the internal estate.

• Risk scoring: Although Group-IB utilizes dynamic risk scoring enriched by threat intelligence, the platform employs a specific "gamified" scoring model (0-100 scale or 0-10 health score) that may not align perfectly with organizations seeking highly customizable, algorithmic risk frameworks. While it incorporates business context, the scoring engine's customization options for factor weights and custom risk multipliers are less granular compared to market leaders who offer fully user-definable risk equations. This can create friction for mature enterprises attempting to force the tool's logic to match rigid internal risk management policies.

Group-IB is classified as a Forward Mover. The vendor continues to refine its capabilities, particularly in asset correlation and third-party risk identification, prioritizing consistent, albeit slower incremental advancements that keep the solution moving forward.

Purchase Considerations
Group-IB employs a transparent asset-based pricing model calculated on the total number of mapped assets (defined as IPs, domains, and subnets). This structure avoids complex per-user fees, allowing costs to scale linearly with the organization's digital footprint. The offering is segmented into Standard and Premium tiers, with the Premium tier unlocking the critical Managed ASM service, which includes human analyst validation to reduce alert fatigue. As a Platform Play, the ASM module provides disproportionate value when bundled with the broader Unified Risk Platform (threat intelligence and fraud protection), creating a "walled garden" of high-fidelity data.

The solution targets mid-market to large enterprises, particularly those facing sophisticated threats for which the managed service aspect is a key differentiator. Deployment is frictionless due to the agentless SaaS delivery model, typically generating an initial map within hours of defining seed assets. Support is consultative, leveraging Group-IB’s incident response heritage, often giving customers access to the same experts who investigate high-profile cybercrimes.

Use Cases
Group-IB excels in environments targeted by sophisticated adversaries, such as financial institutions and critical infrastructure, where the integration of dark web intelligence provides a critical defense layer. The solution’s ability to correlate credential leaks and botnet logs directly to assets makes it ideal for preventing account takeover and ransomware entry. Organizations with complex global supply chains benefit significantly from Group-IB’s nth party discovery capabilities. The tool enables security leaders to audit the external posture of subsidiaries and vendors without deploying agents, providing a truth-based assessment that is invaluable for M&A due diligence and third-party risk management.

Hadrian: Hadrian Offensive Security Platform

Solution Overview
Hadrian positions itself as a disruptive force in the ASM market, moving beyond traditional discovery into autonomous, offensive security. The platform is built on an outside-in philosophy, utilizing agentic AI (autonomous software agents that mimic the behavior and logic of human adversaries). Unlike legacy scanners that rely on database matching, Hadrian’s event-driven architecture orchestrates safe, active exploitation attempts to validate risks, addressing the verification gap by confirming exploitability rather than just identifying theoretical vulnerabilities. This approach combines EASM, BAS, and automated validation into a single offensive engine.

The solution operates as a pure play SaaS platform, designed for continuous, event-driven monitoring rather than scheduled scanning. The solution will look and feel different over the contract lifecycle. Hadrian delivers an aggressive roadmap, frequently releasing new "hacker" capabilities and AI-driven features that expand the platform’s offensive reach.

Hadrian is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths
Hadrian scored well on a number of the decision criteria, including:

• Attack path analysis: By mapping the relationships between assets, such as using a cross-site scripting (XSS) vulnerability to steal a session token and access a restricted portal, the solution validates the entire attack path. This distinguishes between low-severity individual findings and critical chokepoints that allow lateral movement, enabling security teams to prioritize remediation based on verified exploitability.

• Automation and correlation: Hadrian provides robust automation through its event-driven architecture, which reacts to infrastructure changes in real time rather than waiting for scheduled scan windows. The solution earned a high score for its ability to automatically verify fixes and correlate findings across domains, ensuring that a new server is tested the moment it touches the public internet. This continuous validation loop reduces drift and operational overhead for SOC teams by minimizing the need for manual verification of remediation.

• Third-party risk identification: Hadrian excels in monitoring the digital supply chain by identifying third-party technologies and mapping nth-party dependencies, such as risks inherited from a vendor’s vendor. The solution earned a strong score for its ability to detect exposed secrets and vulnerabilities in partner infrastructure without requiring direct integration. This provides visibility into the extended attack surface, allowing organizations to assess the security posture of their digital ecosystem and supply chain partners from an outside-in perspective.

Hadrian is classified as an Outperformer thanks to its rapid pace of innovation over the last 12 months, demonstrated by the deployment of its agentic AI capabilities and continuous updates to its offensive testing modules. The solution shows strong potential for continued market disruption through its autonomous approach to validation and exposure management.

Opportunities
Hadrian has room for improvement in the following decision criteria:

• Risk scoring: Hadrian earned a capable score because its risk scoring combines complex ML-based dynamic modifiers with static severity data. This approach impacts the user by creating potential friction for organizations that must align these sophisticated, real-world risk scores with more traditional or legacy compliance-based reporting frameworks.

• Internal ASM: The vendor earned a lower score in this category due to its primary focus on the external attack surface and the lack of a dedicated on-prem appliance for deep discovery in flat networks. This impacts the user by limiting the platform's ability to provide the same level of granular visibility into legacy internal infrastructure as it does for cloud-based and external assets.

• Managed triage: Hadrian earned a limited score here because its expert human-in-the-loop model is primarily designed to train and validate its AI agents rather than providing a full-service managed triage of every customer alert. This impacts the user by requiring internal security teams to maintain a degree of involvement in the final triage and incident response stages for validated risks.

Purchase Considerations
Hadrian uses a transparent asset-based subscription pricing model based on the number of digital assets (IPs, domains) and contract terms. The pricing is volume-based and flat-rate per asset type, avoiding complex tiering or per-seat charges, which provides predictability for large-scale deployments. As a Platform Play, the solution offers significant value through tool consolidation, potentially allowing organizations to retire separate EASM, BAS, and vulnerability management point solutions in favor of a single offensive engine.

The solution is designed for enterprise scale, supporting Fortune 10 clients with cloud-native Kubernetes architecture. Deployment is streamlined with a zero-configuration setup that begins providing insights immediately upon inputting root domains. While Hadrian does not offer a native managed triage service, it leverages a partner network of MSSPs for customers requiring human-led intervention. The agentic AI approach allows for instant scalability, enabling the testing of thousands of assets simultaneously without the bottleneck of human analyst availability.

Use Cases
Hadrian excels in high-velocity DevOps environments where infrastructure changes frequently. Tech-forward enterprises and SaaS companies can leverage the event-driven architecture to ensure that every new code push or server instance is immediately tested for vulnerabilities, preventing exposure drift. The solution’s automated validation is particularly valuable for lean security teams that need to reduce false positives without hiring additional analysts. 

Financial institutions and large enterprises involved in M&A activities benefit from Hadrian’s rapid discovery capabilities. The outside-in perspective enables quick due diligence of a target company’s external risk posture before integration, while the digital supply chain visibility helps identify risks from third-party partners and vendors that could impact the acquiring organization’s security compliance.

Intel 471: Attack Surface Exposure

Solution Overview
Intel 471 delivers a specialized ASM solution, Attack Surface Exposure, that integrates high-fidelity cyberthreat intelligence with continuous asset discovery. The platform is architected around a tripartite module system (Attack Surface Discovery, Management, and Intelligence), leveraging the widely-used SpiderFoot OSINT engine to map digital footprints. This approach prioritizes an outside-in, adversary-centric perspective, distinguishing itself by overlaying rich underground intelligence (such as dark web chatter, compromised credentials, and actor intent) directly onto discovered assets. The solution is designed to bridge the gap between pure asset inventory and proactive threat hunting, enabling organizations to prioritize exposures based on real-world threat reality rather than theoretical severity.

The solution is strictly SaaS, requiring no on-prem hardware, and functions as a "window to the cyber underground" rather than a holistic IT asset management tool. This strategic focus aligns with Intel 471's positioning as a specialist in EASM. The solution will look and feel largely the same over the contract lifecycle. Intel 471 prioritizes stability and continuity, focusing on deepening its intelligence integrations and refining its existing detection capabilities rather than pivoting its core architecture.

Intel 471 is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
Intel 471 scored well on a number of the decision criteria, including:

• Asset correlation: The platform utilizes sophisticated graph-based modeling, derived from its engine, to map complex relationships between disparate external assets. This infrastructure topology mapping allows analysts to visually explore connections such as linking a specific email address to a registered domain and its resolving IP, which enables deep investigative pivoting and the identification of clusters of risk that might otherwise remain obscured.

• Third-party risk identification: Intel 471 leverages its nonintrusive SpiderFoot OSINT modules to offer deep nth party discovery, attributing internet assets to specific vendors or service providers without requiring permission or agents. This capability transforms supply chain risk management by providing an adversarial view of a vendor's hygiene, revealing active exposures or dark web data leaks associated with critical partners.

• Asset categorization: The solution employs automated classification techniques that fingerprint technologies, identifying operating systems, web server software, and frameworks through banner grabbing and header analysis. While primarily technical, this categorization is enhanced by the ability to group assets by subsidiary or location, supporting complex organizational hierarchies suitable for M&A use cases.

Opportunities
Intel 471 has room for improvement in the following decision criteria:

• Custom threat intelligence: The solution earned a moderate rating in custom threat intelligence due to its reliance on manual API key management and Python modules for advanced data integration, which impacts the user by requiring specialized technical skills for deep customization. While the platform offers significant integration potential, organizations without dedicated development resources may find the barrier to entry higher than for tools with more native, preconfigured connectors.

• Internal ASM: Intel 471 earned a minimal rating because the solution currently lacks native internal ASM capabilities, which impacts the user by limiting visibility to external-facing assets. Organizations seeking a unified view of both internal and external infrastructures will need to complement the platform with additional tools to cover their internal network assets and configurations.

• Attack path analysis: The solution visualizes infrastructure relationships through node graphs but falls short of simulating logical exploit chains or functional attack paths. It maps the surface structure rather than the adversarial path through the interior, lacking the capability to model complex, multi-hop compromise scenarios often found in advanced BAS tools.

Purchase Considerations
Intel 471 employs a simple and predictable pricing model based on a per-monitor and per-user subscription. By avoiding opaque asset-count metrics, the solution provides cost transparency that is particularly beneficial for organizations with dynamic cloud environments where the number of ephemeral assets can fluctuate significantly. This approach allows for predictable budgeting and scales effectively as the monitored perimeter expands.

Intel 471 primarily targets midsize-to-large enterprises and government agencies that possess the maturity to consume and act upon high-fidelity threat intelligence. Deployment is virtually instantaneous for the discovery component due to its SaaS delivery model, requiring only seed assets to begin automated crawling. Users benefit from access to global analysts and intelligence operators, ensuring expert context is available to interpret critical threats, though this high-touch support is often a premium feature.

Use Cases
Intel 471 excels in environments requiring deep threat context and intelligence-led vulnerability management. Mature SOCs can leverage the platform's integration of EPSS and dark web chatter to prioritize patching based on active weaponization rather than theoretical severity. Organizations with complex digital supply chains benefit from the platform's nonintrusive third-party discovery capabilities. The solution allows risk teams to monitor the external hygiene of vendors and partners without requiring agents, offering an objective, adversarial view of supply chain risk that complements questionnaire-based assessments.

Intruder: Intruder Attack Surface Management

Solution Overview
Intruder provides a focused, high-speed vulnerability management and attack surface monitoring solution designed to reduce the cognitive load on security teams. The platform combines continuous network monitoring with automated vulnerability scanning and CSPM, effectively bridging the gap between automated detection and human-led penetration testing. Core components include the Smart Recon engine and always-on subdomain discovery, which optimizes scanning by validating active services. The solution emphasizes radical simplicity and integration, connecting directly with cloud providers and major communication tools to deliver actionable intelligence rather than theoretical noise.

The platform operates as a cloud-native SaaS solution, utilizing a combination of external scanning and internal agents to provide visibility across hybrid environments. It targets mid-market and cloud-forward enterprises where agility and rapid remediation are prioritized over complex platform consolidation. The solution will look and feel different over the contract lifecycle. Intruder delivers an aggressive roadmap, evidenced by its rapid adoption of GenAI capabilities like GregAI and continuous updates to its risk models. 

Intruder is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the ASM Radar chart.

Strengths
Intruder scored well on a number of the decision criteria, including:

• Managed triage: Intruder effectively democratizes access to elite security analysis by providing a managed triage layer that significantly reduces the false-positive burden on internal teams. Certified analysts manually review critical alerts to ensure a low false positive experience for escalated issues, a service level typically reserved for high-end consultancies. This human-in-the-loop approach ensures that teams focus on confirmed threats rather than investigating noise.

• Risk scoring: Intruder moves beyond static CVSS scores by adopting EPSS to prioritize vulnerabilities based on the probability of active exploitation in the wild. This is augmented by its proprietary cyber hygiene score, a gamified metric that tracks remediation velocity against industry benchmarks. This dynamic scoring model empowers organizations to address imminent threats first and provides executive-level visibility into operational performance.

• Asset categorization: The platform excels at automatically organizing assets into specific buckets based on cloud provider context (AWS, Azure, GCP) and service type. While it supports robust user-defined tagging for business units and environments, its primary strength lies in the automated Smart Recon classification, which distinguishes between active, responsive systems and dormant ones. This ensures the inventory reflects the effective attack surface, allowing for precise filtering and management of the digital estate.

Opportunities
Intruder has room for improvement in the following decision criteria:

• Automation and correlation: Intruder offers capable bidirectional integrations with ITSM tools like Jira and ServiceNow, but it lacks fully automated remediation workflows. The platform identifies issues and syncs ticket status but does not natively trigger active defense mechanisms, such as WAF updates or automated patching, without human intervention. This limits its ability to function as a self-healing security system compared to more mature platforms.

• Internal ASM: The solution relies on an agent-based approach for internal scanning, which provides deep visibility into managed assets but creates blind spots regarding unmanaged devices. Unlike network-based appliance scanning that discovers everything on a subnet, Intruder’s agents cannot inherently discover rogue IoT devices or shadow IT residing inside the firewall unless the software is manually installed.

• Asset correlation: While Intruder effectively links IP addresses to cloud accounts, it lacks advanced, automated mapping of assets to complex business logic or organizational hierarchies. The correlation is primarily technical rather than organizational, meaning it does not automatically infer business ownership or map child assets to parent organizations without manual tagging. This can create administrative overhead for large enterprises with complex subsidiary structures.

Purchase Considerations
Intruder employs a transparent license-based pricing model that charges only for active assets, utilizing its Smart Recon feature to filter out inactive IPs so customers never pay for dead air. The model is highly predictable and inclusive, offering unlimited users and ad-hoc scans on licensed assets, which contrasts with the complex consumption-based metrics of some competitors. As a feature play, buyers should view Intruder as a specialized best-of-breed solution for vulnerability management and external exposure rather than a broad, consolidated platform.

The solution is designed for rapid time to value, often deploying in minutes via cloud connectors. It targets mid-market and cloud-native organizations that require agility, offering a user experience optimized for developers and IT generalists rather than just dedicated security experts. Support is enhanced for higher-tier customers by providing direct access to security analysts for context on critical findings.

Use Cases
Intruder excels in cloud-forward environments where infrastructure is ephemeral and changes rapidly. DevOps teams can leverage the event-driven discovery to automatically scan new cloud instances the moment they are spun up, ensuring shadow IT is immediately brought under management. Midsize enterprises with limited security resources benefit significantly from the managed triage capability. The combination of automated scanning and human validation allows small teams to maintain a strong security posture without being overwhelmed by false positives, effectively extending their operational capacity.

IONIX: IONIX External Exposure Management Platform

Solution Overview
IONIX, formerly Cyberpion, offers an ASM platform distinguished by its proprietary Agentic Asset Discovery, Exploit Validation & Connective Intelligence Technology, which focuses on illuminating the complex mesh of digital supply chains. Rather than stopping at first-order assets, the solution employs a recursive discovery engine that traverses dependency graphs down to the fourth and fifth degree, effectively mapping risks in assets that organizations rely upon but do not own. The platform unifies this external visibility with internal cloud context through its Cloud Cross-View capability, bridging the historical gap between EASM and cloud security posture management (CSPM) to validate exposures and reduce false positives.

The architecture is fully SaaS-delivered, emphasizing rapid time to value and reduced operational friction through Active Protection, the automated remediation of specific threats like subdomain takeovers. The solution will look and feel different over the contract lifecycle. IONIX delivers an aggressive roadmap, evidenced by its rapid integration of new capabilities such as AI asset detection and continuous expansion of its remediation logic.

IONIX is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths
IONIX scored well on a number of the decision criteria, including:

• Asset categorization: IONIX excels in organizing the attack surface through its Forensics-Backed Discovery, which uses ML to analyze DNS records, SSL certificates, and HTML content for high-confidence attribution. The platform automatically categorizes assets into granular technical buckets (such as cloud, API, service type) and supports dynamic tagging that maps technical findings to business context, allowing security teams to filter risks by subsidiary, business unit, or asset criticality.

• Asset correlation: The platform utilizes its connective intelligence graph database to model complex relationships rather than presenting flat asset lists. It successfully correlates external scan data with internal cloud API data (Cloud Cross-View) to confirm reachability and ownership, effectively linking disparate digital footprints (such as a dangling DNS record and its corresponding deleted cloud resource) to map the true extent of the organization's perimeter.

• Third-party risk identification: IONIX provides market-leading visibility into the digital supply chain through its recursive scanning engine. By treating every discovered third-party asset as a new target and scanning its dependencies, the solution illuminates deep nth-party risks that traditional scanners miss, such as a vulnerable JavaScript library hosted by a fourth-party ad network. This allows organizations to police the shadow dependencies they unknowingly rely on.

Opportunities
IONIX has room for improvement in the following decision criteria:

• Attack path analysis: While the platform excels at mapping connectivity, its visualization of attack chains focuses primarily on the external-to-internal vector and blast radius rather than simulating complex, multilateral movement paths deep within the internal network. The current implementation prioritizes the implication of an exposed asset (business impact) over the granular, step-by-step kill chain visualization found in dedicated BAS tools.

• Internal ASM: IONIX achieves internal visibility primarily through integrations with cloud providers and existing tools rather than a dedicated on-prem scanning appliance. While Cloud Cross-View effectively bridges the EASM-CSPM gap for cloud-native environments, the solution relies on these API connections for internal context and lacks a native heavy-duty internal scanner for legacy flat networks compared to traditional vulnerability management giants.

• Managed triage: The platform focuses on automating triage through its Threat Exposure Radar and algorithmic prioritization rather than providing a human-led managed security service. While IONIX utilizes customer success interactions for optional human support instead of a dedicated 24/7 SOC, it employs agentic, automatic validation of the exploitability and exposure for every finding. 

Purchase Considerations
IONIX employs a subscription-based pricing model typically tied to the number of monitored assets or domains, offering a predictable cost structure for enterprises. As a Platform Play, it unifies discovery, inventory, prioritization, and remediation into a single SKU, avoiding the complexity of piecemeal module licensing often found in legacy suites. The platform is designed for scalability, capable of supporting large enterprises with millions of assets without performance degradation due to its cloud-native architecture.

The solution is particularly attractive for organizations with complex, hybrid digital footprints where the distinction between internal and external is blurred. Implementation is frictionless due to the SaaS delivery model, often providing actionable insights within hours of the initial domain input. Support includes access to technical experts, and the platform's focus on active protection allows for immediate return on investment by automatically neutralizing low-hanging fruit like subdomain takeovers upon deployment.

Use Cases
IONIX excels in supply chain risk management for organizations with complex vendor ecosystems. Its nth party discovery capabilities help financial services firms identify previously hidden risk connections, allowing for compliance with evolving third-party oversight regulations while reducing blind spots in digital relationships. 

For multinational corporations with distributed security teams, IONIX's AI-driven asset categorization paired with dark web monitoring creates federated risk management capabilities. Security teams can identify situations when leaked credentials or brand exposures directly affect their specific business units or subsidiaries, enabling targeted remediation without overwhelming central teams.

JupiterOne: JupiterOne Platform

Solution Overview
JupiterOne has established itself as a definitive leader in the CAASM category, fundamentally shifting the discipline from static inventory lists to dynamic relationship mapping. The platform is architected around a knowledge graph data model that aggregates and normalizes data via API connections from over 200 distinct security and infrastructure tools. Rather than relying solely on active network scanning, JupiterOne creates a centralized, queryable repository of all cyber assets (including code, users, policies, and ephemeral cloud resources), allowing security teams to visualize the intricate connections between assets, identities, and risks.

The solution is primarily delivered as a SaaS-first platform, leveraging cloud-native graph analytics to traverse millions of relationships in real time. JupiterOne positions itself as a strategic command center for modern SOCs and governance, risk, and compliance (GRC) functions, distinguishing itself through its security as code philosophy that allows infrastructure to be queried using the JupiterOne Query Language (J1QL). 

The solution will look and feel different over the contract lifecycle. JupiterOne delivers an aggressive roadmap focused on exposure management and AI-driven analysis to address the complexities of cloud-native ecosystems.

JupiterOne is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths
JupiterOne scored well on a number of the decision criteria, including:

• Asset categorization: JupiterOne demonstrates exceptional capability in unifying fragmented data into a coherent graph where an asset is treated as a single entity enriched with both external exposure data and internal configuration context. The platform’s patented assessment engine and automated mapping features enable the seamless correlation of child assets to parent organizations and business owners. This allows organizations to move beyond simple technical tagging to a business-aware view of their estate, effectively bridging the gap between IT inventory and security context.

• Asset correlation: The platform’s graph-first architecture treats relationships (edges) as first-class citizens, enabling blast radius analysis that visualizes exactly how a compromised asset impacts the broader environment. By integrating EASM and CAASM data models, JupiterOne creates a unified graph that connects disparate identities (such as mapping a cloud instance to its specific owner and active policies), solving the fragmentation problem inherent in hybrid environments.

• Third-party risk identification: The platform allows for the manual addition and monitoring of third-party entities, enabling organizations to map their vendors’ vendors and understand the recursive dependencies of their supply chain. This depth extends to mapping vulnerabilities within third-party libraries to the specific applications running them, connecting code-level risk to runtime exposure.

Opportunities
JupiterOne has room for improvement in the following decision criteria:

• Attack path analysis: While the platform provides native topology maps, its capability to simulate complex adversarial attack paths relies on integrations rather than native execution. To achieve advanced analysis comparable to dedicated attack simulation tools such as BloodHound style mapping, users must leverage integrations like "runZeroHound." This dependency limits the platform's standalone ability to autonomously validate and visualize multi-hop kill chains without external data sources.

• Internal ASM: JupiterOne’s internal visibility is heavily contingent on the deployment of connectors or agents, acting more as an aggregator of internal data rather than a primary discovery engine. Unlike appliance-based competitors that perform deep native network scanning to uncover unmanaged assets, JupiterOne relies on the existence and coverage of other management tools (for example, vCenter, Active Directory) to feed its graph. This creates potential blind spots in "dumb" or unmanaged network segments where no API-enabled tool is present.

• Risk scoring: The platform’s risk scoring methodology is fundamentally dependent on the quality of third-party data ingestion, creating a “garbage in, garbage out” challenge. Because JupiterOne acts as a correlation engine rather than a generator of primary vulnerability data for unmanaged assets, it cannot independently validate the exploitability of a risk in the same way a native active scanner would. This reliance means the fidelity of the risk score is tethered to the refresh rates and accuracy of the upstream tools feeding the graph.

Purchase Considerations
JupiterOne uses a consumption-based pricing model centered on the number of cyber assets, with costs influenced by asset count, number of integrations, and data refresh frequency. While this aligns with modern cloud scaling, the definition of a billable asset can be a source of friction. Highly ephemeral resources like serverless functions or containers that exist for minutes can skew counts and lead to unpredictable costs if not clearly defined during procurement. The pricing lacks public transparency, which is common in enterprise software but requires careful scoping.

The solution is ideal for organizations embracing a Platform Play strategy, as it creates a system of record that unifies fragmented security data across the enterprise. JupiterOne actively targets the full spectrum of the market, offering a JupiterOne for AWS Startups tier that provides a low-cost entry point for smaller teams while scaling to support massive enterprise estates. Deployment is rapid due to its API-driven, SaaS-first architecture, allowing customers to begin ingesting data and visualizing their graph within minutes of authorization.

Use Cases
JupiterOne excels in cloud-native enterprise environments utilizing complex AWS, Azure, or GCP architectures where infrastructure is defined by code and assets are ephemeral. Security engineering teams leverage the platform to implement security policy as code, integrating security checks directly into CI/CD pipelines. The solution is also highly effective for highly regulated industries, such as fintech and healthcare, which must adhere to frameworks like PCI-DSS, SOC2, and HIPAA. By automating evidence collection and mapping the flow of sensitive data to specific users and devices, JupiterOne significantly reduces the manual burden of compliance audits and helps demonstrate least privilege access control.

Liongard: LiongardIQ

Solution Overview
Liongard delivers LiongardIQ, a comprehensive unified asset intelligence platform that bridges the gap between IT operations and security visibility. Originally entrenched in the MSP sector, the platform has expanded its capabilities to challenge traditional ASM categorizations through a unique architectural blend of automated documentation, deep API inspection, and rigorous change detection. The solution combines inside visibility with outside visibility, achieved via self-managed agents that query local configurations (WMI, SQL, Active Directory). This dual approach allows Liongard to construct a high-fidelity, historical record of the IT estate, enabling operators to rewind time and pinpoint exactly when a configuration drifted from its known good state.

The platform operates on a cloud-native SaaS architecture that leverages a system of "inspectors," or specialized agents and API connectors, to ingest granular asset inventory and configuration data across the entire stack, from cloud tenants to on-prem endpoints. Unlike pure play scanners that rely on stochastic probing, Liongard utilizes a deterministic, API-driven approach to data collection, ensuring high accuracy in asset identification. 

The solution will look and feel largely the same over the contract lifecycle. Liongard prioritizes stability and continuity, focusing on deepening its integration ecosystem and refining its core configuration analysis engine rather than radically altering its operational workflow.

Liongard is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
Liongard scored well on a number of the decision criteria, including:

• Internal ASM: Liongard achieves exceptional internal visibility by deploying self-managed agents directly onto domain controllers and key servers behind the firewall. This architecture allows the platform to inspect internal assets such as Active Directory forests, SQL databases, and Hyper-V clusters with a depth of execution that matches or exceeds external scanning capabilities. By querying configurations directly via WMI and SNMP rather than relying solely on network inference, Liongard provides a granular view of deep internal state (including registry keys and user permissions) that traditional external scanners cannot reach.

• Asset categorization: The platform utilizes a rigorous hierarchical taxonomy that automatically structures data into Environments (customers), Systems (inspectors), and Asset Classes. This Unified Cyber Asset Inventory transforms raw data into actionable intelligence by preserving the business context of every asset. The system supports extensive metadata retention and allows for friendly name aliasing, ensuring cryptic hostnames can be mapped to business-relevant identities (such as Primary-Billing-DB) that persist across the operational timeline.

• Asset correlation: Liongard excels at solving the identity fragmentation problem through its identity visibility and monitoring capability. The correlation engine seamlessly links disparate child assets, such as a user account in Active Directory, a mailbox in Microsoft 365, and a login in Duo Security, into a single, unified identity profile. This automated cross-system mapping allows security teams to detect orphaned accounts and complex security gaps (such as an active cloud user with a disabled directory account) without manual cross-referencing.

Opportunities
Liongard has room for improvement in the following decision criteria:

• Risk scoring: Though Liongard’s ThreatImpactIQ module introduces context-aware prioritization, the platform currently lacks the proprietary predictive analytics found in market-leading solutions. The risk scoring engine relies heavily on ingesting vulnerability data from third-party scanners and enriching it with business context rather than generating its own predictive metrics for future exploitability (such as native EPSS integration or proprietary threat modeling). This dependency limits the solution's ability to forecast risk based on emerging threat actor activity independent of established CVEs.

• Attack path analysis: Liongard captures the necessary relational data to identify potential risks (such as user rights and network access) but lacks a native visual graph engine to model these relationships. The solution relies on tabular data and query-based analysis (using JMESPath) rather than providing an interactive BloodHound-style attack graph that automatically visualizes the chain of exploitation from an entry point to a critical asset. This requires operators to manually construct the narrative of an attack path rather than seeing it immediately visualized.

• Managed triage: The solution operates on a channel-enablement model and does not provide a first-party, 24/7 managed SOC for alert validation. While Liongard offers features like actionable alerts and AI-driven noise reduction to assist analysts, it relies entirely on its partner network of MSPs to perform human triage. This creates a gap for direct-to-enterprise customers who expect a vendor-managed service to guarantee zero false positives without third-party involvement.

Purchase Considerations
Liongard’s pricing model is transparent and explicitly aligned with the service provider model, typically utilizing a flat-rate structure per environment or per user that includes all core Inspectors. This approach avoids the unpredictability of data ingestion fees or variable module costs common in the enterprise market. The HunterX EASM capability uses a clear credit system for prospecting scans, allowing costs to scale directly with sales or discovery activity. As a Platform Play, the solution offers high utility by amortizing costs across multiple departments, serving use cases for security, operations, finance (billing reconciliation), and compliance simultaneously.

The solution is designed for horizontal scalability, supporting a multitenant architecture capable of managing thousands of distinct environments and millions of assets without performance degradation. Deployment is streamlined through a hybrid model; cloud assets are onboarded via direct API integration, while internal visibility is achieved through lightweight agents that auto configure. Support is heavily tailored toward the MSP channel, with global inspectors allowing partners to push standardized alert rules across their entire client base instantly.

Use Cases
Liongard excels in environments managed by MSPs and MSSPs requiring unified visibility across a distributed client base. The platform’s multitenant architecture and global dashboard capabilities allow service providers to monitor hundreds of distinct networks from a single pane of glass, ensuring consistent compliance with frameworks like NIST or CIS across all tenants. 

Organizations with strict change management requirements benefit significantly from Liongard’s "time machine" capability. The platform’s rigorous change detection engine provides a historical timeline of every configuration drift, enabling IT teams to instantly correlate a service outage or security incident with a specific change event (for example, a firewall rule modification or a new admin user creation). 

Enterprises struggling with tool sprawl use Liongard as a manager of managers to centralize asset intelligence. By aggregating data from disparate sources such as distinct Active Directory forests, cloud tenants, and endpoint protection agents, Liongard normalizes this information into a single data lake, providing a single source of truth for asset inventory and billing reconciliation.

NetSPI

Solution Overview
NetSPI delivers a unified proactive security solution, the NetSPI platform, which converges PTaaS, attack surface visibility, automated vulnerability prioritization, attack simulations, and context-driven remediation guidance into a single solution. The platform distinguishes itself by eschewing the industry’s reliance on purely automated scanning, instead offering a human-in-the-loop service by which a dedicated operations team manually validates critical findings in addition to automated attack surface and vulnerability discovery. This hybrid approach leverages the acquired Hubble Technology for internal visibility and proprietary discovery engines to create a continuous feedback loop of asset inventory, vulnerability detection, and verified risk prioritization.

The solution utilizes a cloud-native architecture that supports agentless API connectors. NetSPI is strategically positioned for large enterprises with complex, distributed environments, emphasizing high-fidelity data over raw volume. The solution will look and feel largely the same over the contract lifecycle, as NetSPI prioritizes stability and continuity in its service-led delivery model, focusing on the refinement of validation processes and integration depth rather than radical architectural pivots.

NetSPI is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
NetSPI scored well on a number of the decision criteria, including:

• Asset categorization: NetSPI utilizes a sophisticated tagging and normalization engine that ingests data from internal sources like CMDBs and cloud providers to map technical assets to business context. The solution allows complex organizations to segregate and view assets by subsidiary, business unit, or acquisition target, enabling granular risk management that aligns with corporate hierarchy rather than just network topology.

• Asset correlation: The platform employs advanced correlation mechanisms, including perceptual hashing and graph-based modeling, to link disparate data points, such as mapping child assets to parent organizations or grouping assets by visual similarity to detect phishing infrastructure. By external and internal data models, NetSPI constructs a unified asset graph that correlates external exposures with internal security control gaps, ensuring an asset’s risk is evaluated in the context of its deployed defenses.

• Managed triage: NetSPI’s standout capability is its standard inclusion of a 24/7 global operations team that validates high-severity findings before they reach the customer. This service level effectively eliminates false positives for critical alerts, transforming the ASM workflow from a noise-management exercise into a verified risk-response process.

NetSPI is classified as an Outperformer thanks to its aggressive expansion of platform capabilities, notably the integration of internal attack surface visibility via the Hubble acquisition and the rapid deployment of proprietary technologies.

Opportunities
NetSPI has room for improvement in the following decision criteria:

• Attack path analysis: While NetSPI effectively visualizes discovery chains to trace the lineage of an asset from root domain to vulnerable service, it currently prioritizes lineage over the fully autonomous simulation of lateral movement paths found in dedicated BAS tools. The platform's reliance on human verification for complex chains, while accurate, may lack the real-time, algorithmic what-if modeling required to instantly visualize potential blast radius across internal networks without analyst intervention.

• Automation and correlation: NetSPI supports robust bidirectional integrations with ITSM platforms like Jira and ServiceNow, ensuring seamless ticketing workflows. However, the solution limits its native capabilities for fully autonomous remediation, such as automatically blocking an IP or patching a server without human approval, focusing instead on guided remediation and context delivery, which may slow response times for organizations seeking self-healing infrastructure.

• Internal ASM: NetSPI delivers great depth in internal visibility, a capability enhanced by the integration of Hubble Technology. To streamline the user experience, the platform has eliminated historical friction points: licensing is no longer segmented and the requirement for virtual appliances has been removed. Instead, automated external and internal attack surface visibility is now provided free of charge with all penetration testing engagements, offering customers unified visibility and immediate access upon purchase.

Purchase Considerations
NetSPI offers a flexible, scalable pricing model that combines per-engagement pentesting with free continuous attack surface coverage, including external asset discovery, cloud security configuration scans, and dark web monitoring. This approach eliminates the complexity of segmented modules by providing unified visibility at no additional cost upon purchase. For organizations requiring deeper oversight, NetSPI provides predictable asset-based pricing for optional 24/7 human-in-the-loop manual validation, calculated by the volume of IPs or domains. With unlimited seats included, the model is designed to accommodate the budgeting needs of both small businesses and large enterprise programs.

The solution is specifically engineered for large enterprises and highly regulated industries where the cost of operational noise exceeds the cost of the service. Deployment is facilitated by a cloud-native SaaS delivery model for external scanning, while internal visibility requires the provisioning of agents. NetSPI supports complex organizational structures, making it a viable platform for holding companies and conglomerates managing multi-subsidiary risk.

Use Cases
NetSPI excels in environments requiring high-fidelity risk validation and regulatory compliance. Financial services organizations can leverage the platform's "human advantage" to ensure that reported vulnerabilities are verified exploitable risks, significantly reducing the operational burden on internal SOC teams and satisfying strict audit requirements. Large enterprises undergoing M&As benefit from NetSPI's continuous discovery capabilities. The solution allows security teams to rapidly onboard and assess the attack surface of acquired entities, correlating new assets to the parent organization and identifying shadow IT or security gaps in the acquired infrastructure before integration.

Palo Alto Networks: Cortex Xpanse 

Solution Overview
Palo Alto Networks positions Cortex Xpanse as an active attack surface management platform designed to autonomously discover, prioritize, and remediate exposures across the global internet. Unlike traditional scanners that rely on known IP ranges, Cortex Xpanse operates as a massive-scale outside-in discovery engine that continuously indexes the entire IPv4 space multiple times daily to identify unknown unknowns without seed data. The platform leverages proprietary active learning to attribute disparate assets to specific organizations based on global traffic patterns and certificate data, effectively addressing shadow IT and rogue cloud instances. 

The solution is architected as a purely cloud-native, agentless SaaS platform, where the massive scanning infrastructure is maintained entirely by the vendor. This Platform Play is deeply integrated into the broader Cortex ecosystem, feeding discovery data into Cortex XSOAR for orchestration. The solution will look and feel largely the same over the contract lifecycle. Palo Alto Networks prioritizes stability and continuity, focusing on deep ecosystem integration and autonomous remediation rather than radical architectural pivots.

Palo Alto Networks is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strength
Palo Alto Networks scored well on a number of the decision criteria, including:

• Third-party risk identification: Cortex Xpanse leverages its global scanning infrastructure to provide superior visibility into supply chain risks through its Link module and Assess tool. By mapping the attack surface of vendors, partners, and acquisition targets with the same depth as the customer's own network, the solution enables nth party discovery and active monitoring of vendor exposures without requiring agents or permission. This allows organizations to validate the technical security posture of their ecosystem empirically rather than relying on passive scores.

• Asset categorization: The solution offers granular categorization capabilities, leveraging deep metadata to distinguish between diverse cloud providers, service types, and organizational hierarchies. Xpanse uses active classifications to identify specific server roles (such as Microsoft OWA Server) and map assets to business units or owners, enabling precise context for risk management in complex, multinational environments.

• Asset correlation: Cortex Xpanse utilizes a patented assessment engine to automatically map assets to business entities, seamlessly correlating child assets, such as subdomains and SaaS tenants, to their parent organizations. This capability acts as a graph of the internet for the customer, accurately linking disparate and dynamic infrastructure back to a corporate identity using secondary signals like SSL certificate chains and traffic flow data, ensuring a coherent view of the digital estate.

Opportunities
Palo Alto Networks has room for improvement in the following decision criteria:

• Attack path analysis: While the broader Palo Alto Networks portfolio offers sophisticated Infinity Graph visualizations within Cortex Cloud, the standalone Cortex Xpanse product focuses primarily on asset inventory and vulnerability enumeration rather than native lateral movement modeling. The solution identifies the entry point effectively but relies on ecosystem integrations to visualize the full kill chain or internal blast radius, creating a dependency on the full suite for deep attack path analysis.

• Internal ASM: While the solution offers internal visibility through the Cortex Network Scanner and Cortex XDR integrations, it remains architecturally rooted in its EASM heritage. The reliance on specific deployments like the Broker VM or endpoint agents for internal discovery may create friction for organizations seeking a natively unified, agentless CAASM and EASM experience in a single, consolidated product.

• Managed triage: Expert manual validation and triage are available only as an optional add-on via Unit 42 services rather than being included in the standard SaaS license. Organizations relying solely on the base product may find themselves burdened with high volumes of automated alerts that require additional manual effort or an upgraded service tier to effectively filter and prioritize.

Purchase Considerations
Palo Alto Networks employs a pricing model based on assets under management (AUM) tiers, such as Tier 7 covering 500,000 to 749,999 assets. This structure is designed for scalability but can introduce complexity for organizations with highly dynamic cloud footprints. The Expander platform targets large enterprises with continuous monitoring needs, while the Assess offering provides point-in-time assessments suitable for smaller organizations or specific audit requirements. As a defined Platform Play, the solution delivers maximum value when deployed alongside Cortex XSOAR and Cortex Cloud, enabling the Active Response capabilities that differentiate it from passive scanners. Implementation is agentless and rapid for discovery, often delivering insights within days of configuration, though full remediation workflows require integration tuning. Support is tiered, with premium options offering faster SLAs and dedicated technical account management.

Use Cases
Cortex Xpanse excels in large enterprise environments characterized by chaotic, decentralized IT and aggressive M&A activity. Global conglomerates use the platform to discover shadow IT and rogue cloud instances that exist outside the corporate registry, leveraging the no-seed discovery to bring unknown assets under governance. The solution is also highly effective for supply chain risk management. Defense and highly regulated sectors utilize Xpanse to assess the technical risk of third-party vendors and subsidiaries nonintrusively, ensuring the extended supply chain does not introduce vulnerabilities into the core network.

Praetorian: Chariot

Solution Overview
Praetorian delivers Chariot as a comprehensive CTEM ecosystem that fundamentally converges ASM with vulnerability management and continuous penetration testing (CPT). Unlike pure play scanner vendors, Praetorian operates as a high-touch managed service, combining an advanced software platform with expert human validation to deliver a zero false positive guarantee. The core methodology fuses automated discovery engines (leveraging techniques like subdomain enumeration, TLS mining, and cloud integrations) with mandatory manual triage by offensive security engineers. This ensures that every reported risk is verified as exploitable, addressing the industry-wide challenge of alert fatigue by focusing strictly on material risk rather than theoretical severity.

The platform utilizes a cloud-native architecture capable of auto-scaling to support massive enterprise environments, exceeding 900,000 assets without performance degradation. The solution will look and feel different over the contract lifecycle. Praetorian delivers an aggressive roadmap focused on disrupting its own technology stack, evidenced by recent platform rewrites and a strategic push toward agentic AI for autonomous exploitation.

Praetorian is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths
Praetorian scored well on a number of the decision criteria, including:

• Risk scoring: Praetorian employs a material risk methodology that transcends standard CVSS scoring by integrating expert human verification to confirm actual exploitability. The platform combines static metrics (CVSS, EPSS) with context-aware modifiers such as threat actor data and MITRE ATT&CK mapping and validates these against the specific environment to deliver a unique priority score that filters out theoretical noise and confirms compromised assets with absolute certainty.

• Internal ASM: Praetorian achieves depth of execution in parity with its external capabilities through the deployment of internal agents that facilitate rigorous risk identification behind the firewall. This architecture allows offensive engineers and automated engines to query internal assets with the same fidelity as external ones, effectively identifying lateral movement paths and applying the material risk validation methodology to the entire internal estate.

• Automation and correlation: The solution leverages a graph datastore to facilitate deep correlation among disparate assets, vulnerabilities, and remediation statuses, supporting complex multidimensional queries. Praetorian is actively advancing its automation capabilities through agentic AI and modular backend interfaces designed to support autonomous identification and exploitation tasks, creating a sophisticated feedback loop between the detection engine and the validation team.

Praetorian is classified as an Outperformer thanks to its aggressive adoption of agentic AI for autonomous exploitation and its willingness to completely re-architect its platform to support modern graph-based correlation and massive scale.

Opportunities
Praetorian has room for improvement in the following decision criteria:

• Attack path analysis: Praetorian validates attack paths through automation and AI agents, which provides a  fully dynamic, real-time visual graph. The solution effectively identifies paths to critical systems but currently lacks the fully autonomous, real-time chaining analysis found in some competitor platforms.

• Third-party risk identification: The solution's ability to assess third-party risk is currently limited compared to specialized vendors. While it effectively attributes discovered assets to cloud service providers, it relies on external data feeds and partners for deep third-party risk scoring. This reliance on third-party integrations may create visibility gaps for organizations with extensive vendor ecosystems that require native deep-dive risk assessments.

• Managed triage: Although Praetorian offers a zero false positive guarantee, the solution is in a state of transition as it shifts from human-led validation to AI-driven triage. The reliance on backend AI for triage, while efficient, may lack the nuanced business context that a dedicated human analyst provides during complex, bespoke security assessments.

Purchase Considerations
Praetorian employs a pricing model based on asset count and FQDN count, providing a per-asset structure that scales with the organization's footprint. While logical, the separation of different asset types (for example, distinct counts for IPs versus FQDNs for DAST) creates a multi-variable pricing structure that can be more complex to predict than simple flat-rate active asset models. As a Platform Play, the solution converges multiple offensive security disciplines (ASM, VM, and pentesting) into a single managed service, offering significant consolidation value for enterprises.

The solution is explicitly targeted at large enterprises and MSSPs, with no offering currently available for the SMB market due to the high costs associated with its human-in-the-loop methodology. Implementation is streamlined by the managed service delivery model, which removes the operational burden of configuration and triage from the customer. The platform supports customer-configurable scan frequencies and on-demand triggers, ensuring alignment with operational tempos like rapid DevOps cycles.

Use Cases
Praetorian excels in high-complexity environments requiring absolute precision and low operational noise. Large enterprises can leverage the zero false positive guarantee to eliminate alert fatigue, allowing security teams to focus exclusively on verified exploitable risks rather than chasing theoretical vulnerabilities. Organizations with complex internal networks benefit from Chariot's internal ASM capabilities, which deploy agents to provide deep visibility into lateral movement paths and internal exposures that mirror the external attack surface. The platform is also ideal for M&A due diligence, automatically extracting subsidiary and corporate-structure data from EDGARs filings and correlating this data to technical assets, ensuring a comprehensive view of inherited risk.

Qualys: Qualys Enterprise TruRisk Platform (ETP)

Solution Overview
Qualys Enterprise TruRisk Platform is a comprehensive exposure management solution that allows  ASM to be integrated directly with vulnerability management, compliance, and remediation. The platform leverages a single code base philosophy to unify discovery and risk assessment, converging EASM and cybersecurity asset management (CSAM) into a cohesive workflow. Core components include the sensor grid for hybrid data collection, which uses cloud agents, passive sensors, and API connectors, and the TruRisk engine, which quantifies risk based on threat intelligence and asset criticality.

The platform operates on a cloud-native, massive-scale architecture capable of indexing over 18 trillion data points and processing 2 trillion security events annually, providing a significant "data gravity" advantage. Qualys functions as a Platform Play, aiming to consolidate disparate point solutions for VM, ASM, and patch management under a single agent and interface. The solution will look and feel largely the same over the contract lifecycle. Qualys prioritizes stability and continuity, leveraging its maturity and massive infrastructure to deliver consistent, enterprise-grade performance while iteratively adding advanced capabilities like agentic AI.

Qualys is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
Qualys scored well on a number of the decision criteria, including:

• Automation and correlation: Qualys excels in reducing operational friction through its Qualys Flow (QFlow) engine and TruRisk Eliminate capabilities. The platform uses "smart merge" logic to intelligently consolidate data from agents, scans, and APIs into a single Golden Record, effectively deduplicating assets across hybrid environments. Furthermore, the QFlow engine allows users to build low-code/no-code workflows that automate complex actions, such as triggering a ServiceNow ticket or initiating a quarantine action based on specific risk thresholds, effectively operationalizing the last mile of remediation.

• Internal ASM: The solution delivers exceptional internal visibility by leveraging its ubiquitous cloud agents and network passive sensors (NPSs). Unlike competitors relying solely on API aggregation, Qualys uses these lightweight agents to provide deep, real-time telemetry into the operating system and running processes of internal assets, while the passive sensing (CAPS) feature turns managed endpoints into sensors that detect unmanaged devices on local subnets. This creates a comprehensive internal inventory that synchronizes bidirectionally with CMDBs to eliminate stale data.

• Risk scoring: Qualys utilizes its proprietary TruRisk quantification algorithm to translate technical vulnerabilities into actionable business risk metrics. The scoring engine synthesizes the Qualys Detection Score (QDS) (modified by real-time threat intelligence such as exploit availability) with the Asset Criticality Score (ACS) to produce a dynamic risk score (0-1000). This multifactor approach allows organizations to prioritize remediation based on actual business impact and toxic combinations rather than static severity ratings, enabling CISOs to communicate risk reduction in financial terms.

Opportunities
Qualys has room for improvement in the following decision criteria:

• Attack path analysis: While the platform offers sophisticated graph-based visualization of attack paths, realizing this value can be contingent on the adoption of specific modules like TotalCloud and TruRisk Insights. The depth of analysis, which maps toxic combinations and blast radius, often requires a high level of instrumentation and data saturation across the environment. For organizations that have not fully deployed the sensor grid or subscribed to the necessary upper-tier modules, the ability to visualize complex, multi-hop lateral movement paths may be limited compared to specialized, standalone graph vendors.

• Asset correlation: Although the Smart Merge technology is robust, the complexity of configuring trust hierarchies and normalization rules can present a steep learning curve for some teams. Effectively unifying data from diverse sources, such as merging an agent-based record with an external scan record, requires careful tuning of the Golden Record logic to avoid data conflicts or fragmentation. Users often report that setting up and maintaining the taxonomy and tagging rules necessary for precise correlation requires significant manual effort and ongoing maintenance.

• Managed triage: Qualys utilizes a partner-led model for human validation rather than offering a native, vendor-delivered managed service. Organizations seeking 24/7 human triage for their alerts must engage with the Managed Risk Operations Center (mROC) partner alliance, which delegates the service layer to certified MSSPs. This contrasts with competitors that bundle zero false positive human verification directly into the SaaS subscription, potentially adding vendor management overhead for customers who prefer a single-provider relationship for both software and service.

Purchase Considerations
Qualys employs a licensing model that has historically been complex, involving a mix of asset-based counts, module subscriptions (for example, VMDR, EASM, CSAM), and appliance fees. While the recent introduction of Qualys License Units (QLUs) attempts to simplify consumption by offering a pool of credits applicable across different apps, the calculation of units and budget forecasting can still be opaque for some buyers. The platform operates as a massive Platform Play. The ROI is maximized by consolidating multiple security functions (VM, ASM, compliance) onto the single Qualys agent rather than using it as a niche point solution.

The solution is engineered for the large enterprise and public sector, capable of scaling to millions of assets without performance degradation due to its distributed agent architecture. Deployment is flexible, offering public SaaS, private cloud platform (PCP) for data sovereignty, and on-prem options for air-gapped networks. Support is included, but deep operational triage relies on the external partner ecosystem. Time to value can be rapid for agent-based discovery, but full platform mastery and taxonomy configuration often require dedicated training or certification.

Use Cases
Qualys excels in large, complex hybrid environments where asset sprawl across on-prem data centers and multiple clouds is a primary challenge. Its ability to seamlessly link asset discovery with automated remediation (TruRisk Eliminate) makes it ideal for Global 2000 organizations seeking to reduce mean time to remediate (MTTR) at scale. Highly regulated industries, such as finance and healthcare, benefit significantly from the platform's robust compliance reporting and private SaaS deployment options. The deep integration of the cloud agent allows these organizations to enforce strict configuration benchmarks and maintain audit-ready inventories of sensitive assets, ensuring adherence to standards like PCI-DSS and HIPAA.

Rapid7: Surface Command

Solution Overview
Rapid7 delivers a converged exposure management ecosystem through its Surface Command Platform, consolidating EASM, CAASM, and detection capabilities into a unified operational layer. The solution pivots beyond traditional vulnerability scanning by leveraging the graph-based architecture of Surface Command to create a holistic view of the digital estate. Central to its value proposition is the unification of disparate telemetry: ingesting data from internal agents, cloud APIs, and external scanners into a single, correlation-rich unified asset model. This approach allows security leaders to contextualize assets not just by their technical presence but by their business value, ownership, and real-time risk status.

The Command Platform is architected as a cloud-native SaaS solution hosted on AWS, ensuring scalability for massive global enterprises while maintaining hybrid data collection capabilities via the Rapid7 Agent, network-based and on-prem scan engines. The solution utilizes a sophisticated Active Risk engine that synthesizes vulnerability severity, threat intelligence, and exploitation status to drive prioritization. Rapid7 is executing an innovative strategy, actively disrupting legacy scan-and-report models with AI-driven scoring and autonomous agentic workflows. The solution will look and feel different over the contract lifecycle. Rapid7 delivers an aggressive roadmap focused on automating the transition from simple discovery to proactive exposure management.

Rapid7 is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths
Rapid7 scored well on a number of the decision criteria, including:

• Automation and correlation: Rapid7 embeds a full-featured SOAR engine to enable complex, bidirectional remediation workflows that transcend basic ticketing. The platform utilizes a unified asset model to correlate data across domains, allowing an alert from the external ASM module to trigger internal EDR validation or cloud API actions automatically. This capability closes the operational loop (detect, ticket, fix, and verify) without human intervention, significantly reducing mean time to remediation.

• Internal ASM: Leveraging its massive installed base of Insight Agents, Rapid7 delivers authenticated internal discovery that is fully parity-matched with its external capabilities. Unlike competitors relying solely on passive scanning, Surface Command ingests deep telemetry from endpoints and on-prem infrastructure, providing high-fidelity visibility into private network-accessible cyber assets, including roaming laptops and air-gapped servers. This ensures the defender's view of the attack surface is as comprehensive as the attacker's.

• Managed triage: Rapid7’s Managed Threat Complete service functions as a fully integrated operational layer rather than a simple support add-on. The service includes 24/7 expert monitoring, proactive threat hunting, and unlimited incident response, effectively extending the customer's team with a SOC-in-a-box capability. This human-led validation ensures a zero false positive experience for critical escalations, directly addressing the alert fatigue common in automated ASM deployments.

Opportunities
Rapid7 has room for improvement in the following decision criteria:

• Asset categorization: While the platform automatically classifies assets into technical buckets, the derivation of business context (for example, mapping assets to specific business units or owners) often requires initial manual definition or rule creation. The system supports robust tagging via RealContext but lacks the fully autonomous AI capability to infer business ownership purely from traffic patterns or content analysis without user configuration, potentially creating setup overhead for complex organizations.

• Third-party risk identification: The solution’s third-party risk assessment module operates primarily as a targeted assessment tool rather than a global, precorrelated map of the entire internet’s ownership. While it provides deep scanning of selected vendors, it lacks the "Google Maps for the internet" capability to instantly attribute any internet asset to a vendor without running a specific new assessment, limiting immediate visibility into nth party risks compared to specialized supply chain graph vendors.

• Asset correlation: Although Rapid7 utilizes a sophisticated graph database to link disparate identities into a single entity, the platform falls just short of the real-time chaining of complex, multi-hop third-party SaaS ecosystems required for a perfect score. The graph is exceptional for owned infrastructure, but the visualization of recursive dependencies across the broader supply chain is an emerging capability that continues to mature.

Purchase Considerations
Rapid7 employs a transparent, predictable asset-based pricing model, typically starting around $1.93 per asset/month for core modules. While this avoids the opacity of some competitors, the definition of an active asset in highly dynamic cloud environments where ephemeral instances spin up and down constantly can introduce variability in billing compared to flat-rate models. The Command Platform is a definitive Platform Play, offering tiered bundles like Essential for SMBs and Ultimate for large enterprises, allowing organizations to consolidate vulnerability management, ASM, and detection budgets into a single contract.

The solution is built for scale, leveraging a cloud-native architecture that supports over 11,000 customers and handles the data volumes of the Fortune 500 without performance degradation. Implementation is streamlined via the unified asset graph, which automatically correlates data from existing agents and cloud connectors, accelerating time to value. Support options are robust, with the Managed Threat Complete service providing a premium Tier 1 experience that offloads the operational burden of triage and response to Rapid7's expert analysts.

Use Cases|
Rapid7 excels in environments requiring a unified visibility layer across hybrid infrastructure. Midsize-to-large enterprises dealing with tool sprawl can leverage Surface Command to act as a clearinghouse for asset data, correlating signals from disparate tools like CrowdStrike and ServiceNow into a single active risk view. This is particularly valuable for organizations transitioning from on-prem data centers to aggressive cloud adoption, where maintaining a coherent inventory across both worlds is critical.

SOCs benefit significantly from the platform's focus on automation and context. The integration of agentic AI and the SOAR engine allows teams to automate complex response workflows (such as isolating compromised hosts or blocking malicious IPs) directly from the console. Furthermore, organizations seeking to outsource the triage burden find a strong fit with the Managed Threat Complete service, which provides 24/7 expert validation.

RapidFort*

Solution Overview
RapidFort pioneers software attack surface management (SASM), a specialized discipline that diverges from traditional "management by discovery" to focus on "management by reduction." Unlike legacy EASM tools that catalog infrastructure to prioritize alerts, RapidFort actively shrinks the attack surface by identifying and removing unused code components. The platform leverages advanced Runtime Bill of Materials (RBOM) technology to correlate static vulnerabilities with runtime execution paths, distinguishing between code that exists in a container and code that actually runs. This "profiling and pruning" methodology addresses the root cause of vulnerability debt (code bloat) rather than merely treating symptoms, positioning RapidFort as a critical enabler for secure software delivery in high-assurance environments like the Department of Defense.

The solution creates a polarized scoring profile typical of a specialized disruptor, operating deeply "inside the wire" rather than scanning from the outside in. RapidFort’s architecture is purpose-built for cloud-native and containerized workloads, utilizing lightweight instrumentation to profile execution without performance degradation. The solution will look and feel different over the contract lifecycle. RapidFort delivers an aggressive roadmap that challenges industry orthodoxy, moving from reactive monitoring to proactive, automated hardening that fundamentally alters the security ROI calculation.

RapidFort is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the ASM Radar chart.

Strengths
RapidFort scored well on a number of the decision criteria, including:

• Automation and correlation: By leveraging RBOM data to mathematically prove the unreachability of vulnerable libraries, the platform automatically strips unused components from container images within the CI/CD pipeline. This self-healing capability closes the loop without human intervention, effectively pruning up to 90% of the software attack surface and resolving vulnerabilities by removing the asset entirely rather than patching it.

• Internal ASM: RapidFort operates with exceptional depth on internal assets, providing visibility into containerized workloads and proprietary code that matches or exceeds the fidelity of external assessments. The platform’s architecture is designed to function anywhere, utilizing agentless instrumentation and eBPF-like profiling to generate granular, real-time views of the internal software estate down to the system call level. This white box approach solves the dark matter problem of internal networks, offering visibility into execution paths that traditional external scanners cannot reach.

• Third-party risk identification: RapidFort delivers superior identification of risks embedded in third-party software components by generating deep transitive dependency trees. The platform achieves near 100% attribution for software components, creating an SBOM that lists every third-party dependency, version, and license. Beyond simple cataloging, RapidFort allows organizations to provision trus" by replacing risky upstream vendor images with curated near-zero CVE images, proactively hardening the supply chain before artifacts enter the production pipeline. 

Opportunities
RapidFort has room for improvement in the following decision criteria:

• Asset correlation: While RapidFort effectively links code components to libraries, it lacks the advanced automated mapping of assets to business logic found in broader platforms. The correlation is primarily technical (for example, identifying that Code A belongs to Library B) rather than organizational, meaning it does not automatically map assets to specific business owners or users without manual intervention. This limits the platform's ability to provide a semantic map of the digital estate that reflects corporate structure and ownership hierarchies.

• Asset categorization: RapidFort excels at technical categorization (for example, distinguishing Alpine from Debian images) but lags in business-context tagging. The solution lacks robust native features to group assets by nontechnical attributes such as business unit or data sensitivity level within the primary dashboard in a way that drives policy. This creates a gap for organizations seeking to manage the attack surface based on P&L ownership or specific business criticality without extensive manual configuration.

• Managed triage: RapidFort is a pure technology platform focused on automated remediation and does not offer a human-led managed triage or SOC service. The vendor’s philosophy is to "quit the endless triage cycle" through automation, meaning there are no human analysts available to review alerts or filter false positives for the customer. While the agentic AI aims to eliminate the need for triage, organizations that rely on human validation services to manage alert fatigue will find this service layer absent. 

Purchase Considerations
RapidFort employs a transparent flat-rate pricing model based on unlimited containers, often listed publicly on marketplaces like AWS. This approach offers significant cost predictability compared to variable asset-counting models, avoiding the complexity of tracking ephemeral cloud resources. However, buyers should note that RapidFort is a specialized feature play rather than a broad security suite. It focuses intensely on container hardening, vulnerability remediation, and compliance, replacing specific point tools like SCA scanners rather than general-purpose CNAPP platforms.

The solution is heavily entrenched in high-assurance sectors, offering hybrid deployment models that support air-gapped or classified environments, making it ideal for organizations with strict data sovereignty requirements. Deployment is streamlined through a "zero code change” approach in which the platform profiles containers via a cloud-hosted control plane or on-prem instrumentation, allowing users to get up and running in minutes. Despite the advanced output (a hardened, minimal-vulnerability image), the operational process is simplified to automated pipeline actions, significantly reducing the burden on engineering teams.

Use Cases
RapidFort excels in environments requiring strict software supply chain security and automated compliance. Defense contractors and regulated enterprises can leverage the platform's ability to generate hardened, STIG-compliant images to achieve continuous authority to operate (cATO), effectively automating federal compliance requirements within the CI/CD pipeline.

Cloud-native organizations facing vulnerability debt benefit from RapidFort's ability to operationalize the shield right strategy. By utilizing RBOMs to identify and remove unused code, these organizations can drastically reduce their attack surface and cloud infrastructure costs simultaneously, turning security into an efficiency enabler. 

runZero: runZero Platform

Solution Overview
runZero operates as a comprehensive CAASM and ASM platform, distinguishing itself with a proprietary unauthenticated active scanning methodology. The solution focuses on creating a unified, high-fidelity asset inventory by aggregating, correlating, and deduplicating data from active scans and third-party integrations. Its approach circumvents the operational friction of credential management and the blind spots of agent-based deployment, effectively illuminating the dark matter of enterprise networks, including unmanaged devices, rogue servers, and fragile operational technology (OT) systems.

The platform utilizes a cloud-native architecture capable of processing millions of assets without performance degradation, supporting a hybrid deployment model where a SaaS control plane manages distributed, lightweight Explorers. runZero positions itself as a source of truth for exposure management, integrating statistical anomaly detection with predictive threat modeling rather than offering managed services. The solution will look and feel different over the contract lifecycle. runZero delivers an aggressive roadmap, consistently introducing disruptive innovations like inside-out discovery and outlier analysis to challenge foundational discovery dogmas.

runZero is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths
runZero scored well on a number of the decision criteria, including:

• Internal ASM: runZero utilizes a specialized unauthenticated active scanning engine optimized for speed and safety, allowing it to perform internal discovery with a depth of execution that rivals external ASM. This capability is specifically engineered to be safe for fragile OT and ICS environments, detecting outlier devices, protocol gateways, and embedded systems that are invisible to the internet but critical to business operations.

• Asset correlation: The solution employs a sophisticated multifactor merge algorithm that correlates data points such as MAC addresses, hostnames, and cloud IDs to aggregate disparate telemetry into a single, unified asset record. runZero further enhances this with automated ownership mapping, which pulls "managed by" fields from directories to assign asset ownership and handle multi-homed device detection, ensuring a seamless, deduplicated view of the estate.

• Asset categorization: runZero excels in granularity, leveraging a fingerprinting engine that profiles assets against nearly 1,000 attributes to distinguish specific hardware models, firmware versions, and OS builds. The platform pairs this forensic-level detail with a flexible rules engine that allows organizations to automate business context categorization, tagging assets by unit, owner, or criticality based on logical attributes like subnet or behavior.

Opportunities
runZero has room for improvement in the following decision criteria:

• Third-party risk identification: runZero is primarily architected as a first-party asset management tool, focusing on the customer's direct infrastructure rather than the external risk posture of their supply chain. While it can identify connections to third-party services and deployed vendor infrastructure, it does not natively attribute internet assets to third-party ownership or provide independent security ratings for vendors, lagging behind dedicated TPRM tools.

• Managed triage: The platform operates as a pure software solution and does not include a managed security service (SOC) or human analyst layer to validate alerts. While runZero offers premium support through runZero Care, it relies on automated mechanisms like the Rules Engine for noise reduction, placing the burden of validating critical risks and filtering false positives on the customer's internal security team or partners.

• Risk scoring: While runZero employs advanced metrics like EPSS and proprietary outlier scores, its scoring model is probabilistic rather than deterministic. Unlike solutions that integrate active penetration testing (PTaaS) to empirically verify exploitability, runZero's risk scoring relies on statistical anomalies and threat intelligence probability, potentially requiring users to perform manual validation to confirm the actual exploitability of a flagged asset.

Purchase Considerations
runZero uses a transparent per-asset licensing model based on a clear definition of active assets, avoiding charges for duplicate IPs or ghost assets. This pricing structure is flat-rate or clearly tiered, ensuring predictability for procurement teams compared to usage-based models. As a Platform Play, the solution offers broad utility across IT, OT, and cloud environments, justifying its investment as a foundational inventory layer rather than a niche point solution.

The solution is designed for zero-touch deployment, allowing users to download an Explorer binary and commence scanning in minutes without configuring credentials or complex firewall rules. It scales elastically to support millions of assets, making it suitable for large enterprises and MSSPs. Support options include runZero Care for account health checks, though organizations seeking 24/7 managed triage services will need to engage with runZero's MSSP partners.

Use Cases
runZero excels in complex, segmented enterprise environments requiring total visibility into dark matter assets. Organizations with significant OT or IoT footprints can leverage the platform's safe, unauthenticated scanning to inventory fragile devices that traditional agent-based tools cannot reach. Large enterprises undergoing M&As benefit from runZero's rapid deployment capabilities. The ability to deploy Explorers in minutes allows security teams to quickly assess the attack surface of an acquired network, identifying rogue servers and integration risks without requiring immediate administrative credentials.

Tenable: Tenable One Exposure Management Platform*

Solution Overview
Tenable provides an integrated ASM solution embedded within the Tenable One Exposure Management Platform, moving beyond traditional point-in-time scanning to continuous, holistic risk assessment. The solution leverages the acquisition of Bit Discovery to deliver outside-in visibility, which is seamlessly unified with Tenable's market-leading Nessus technology for deep inside-out vulnerability management. The platform employs a massive data lake of over 5 billion internet-facing assets to continuously map the external attack surface, identifying disparate asset types from domains to cloud instances and enriching them with deep metadata and business context.

The solution reflects Tenable's mature approach through its emphasis on stability and consistent performance, focusing on the convergence of VM, EASM, and CAASM. As a SaaS-native offering with hybrid capabilities, it allows organizations to bridge the gap between on-prem security centers and modern cloud environments. The solution will look and feel largely the same over the contract lifecycle, as Tenable prioritizes stability and continuity, ensuring that metrics like the Vulnerability Priority Rating (VPR) remain standardized for enterprise reporting.

Tenable is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ASM Radar chart.

Strengths
Tenable scored well on a number of the decision criteria, including:

• Risk scoring: Tenable’s Predictive Prioritization methodology sets a market standard by moving beyond static CVSS scores. The solution employs the VPR, which dynamically analyzes the threat landscape, including exploit maturity and dark web chatter, and combines it with the Asset Criticality Rating (ACR) to calculate a composite Asset Exposure Score (AES). This analytics-driven approach allows security teams to prioritize remediation based on actual business risk and predictive exploitability rather than theoretical severity.

• Asset correlation: The platform excels in unifying fragmented data through its sophisticated property merge order logic, which intelligently deduplicates and merges conflicting data from disparate sources like CrowdStrike, Microsoft Defender, and Nessus into a single, authoritative asset record. Furthermore, the Lumin Exposure View enables the creation of hierarchical exposure cards, which dynamically correlate technical assets to specific business units or processes, ensuring security findings are presented in a business-relevant context.

• Asset categorization: Tenable automates the organization of complex inventories using over 200 distinct metadata fields and a robust dynamic tagging engine. The system distinguishes between nuanced asset types, such as specific cloud provider tenants or technology stacks, and allows users to build context-aware rules that automatically apply tags based on attributes like region or naming convention. This granular categorization supports the exposure management narrative by enabling highly specific filtering and reporting.

Opportunities
Tenable has room for improvement in the following decision criteria:

• Attack path analysis: While Tenable One provides sophisticated visualization of potential compromise routes using choke points and MITRE ATT&CK mapping, the feature suffers from latency issues that hinder real-time responsiveness. The system triggers data processing jobs every 30 minutes, but updates can take up to five hours to reflect in the graph. This delay creates a window of exposure where the visualized attack path may not represent the current state of the environment during an active incident.

• Internal ASM: Tenable's approach to internal ASM is deeply rooted in its traditional active scanning model rather than purely passive real-time CAASM aggregation. While the integration of Nessus provides unmatched depth, the reliance on scheduled scans or agent-based polling can introduce gaps compared to continuous, API-driven asset graph queries found in dedicated CAASM competitors. Furthermore, achieving the full "exceptional" depth often requires deploying the full suite of on-prem and cloud components, which increases architectural complexity.

• Managed triage: Tenable adheres strictly to a software-vendor model and does not offer a standard first-party managed triage service to manually validate findings. The solution relies on automated confidence scoring and AI insights to reduce noise, placing the operational burden of verifying false positives and validating attribution on the customer or third-party MSSP partners. This lack of a human-in-the-loop service wrapper can result in higher workload for internal teams compared to vendors offering zero false positive guarantees.

Purchase Considerations
Tenable employs an asset-based licensing model that calculates costs based on observable objects or assessed assets, with different asset types consuming varying portions of a license (for example, one ASM object equals 0.25 Tenable One assets). This model offers transparency but can lead to unpredictability, as the very nature of ASM is to discover unknown assets, potentially pushing customers over their licensed volume unexpectedly. 

The solution is clearly positioned as a Platform Play. Organizations gain the most value when adopting the full Tenable One suite rather than purchasing ASM as a standalone point solution.

The platform is designed for enterprise scale, capable of supporting over 5 billion internet-facing assets and "unlimited" top-level domains without performance degradation. Deployment is flexible, offering SaaS delivery for external discovery with hybrid options to integrate legacy on-prem Nessus scanners. Support is robust, leveraging a mature partner ecosystem and dedicated MSSP portals, though customers seeking white-glove triage services will need to engage with partners rather than Tenable directly.

Use Cases
Tenable excels in large, complex enterprises that require a unified view of risk across hybrid environments. Global organizations can leverage the platform's massive scalability and exposure management narrative to communicate cyber risk in business terms to their board of directors, unifying data from IT, OT, and cloud environments. SOCs benefit significantly from the deep integration of VM and ASM. The "frictionless assessment" capability allows teams to automatically trigger active vulnerability scans on newly discovered external assets, streamlining the transition from discovery to remediation and ensuring high-fidelity risk data for prioritization.

ThreatNG Security

Solution Overview
ThreatNG Security positions its platform as a holistic digital risk solution that unifies EASM, DRP, and security ratings into a single, cohesive architecture. Through an outside-in philosophy that uses unauthenticated and agentless discovery, the platform deliberately limits its purview to what an actual adversary can perceive and exploit from the public internet. Core components include a patented assessment engine that drives iterative correlation and the DarCache intelligence repositories, which update continuously with dark web mentions and threat indicators. By eschewing internal agents in favor of purely external reconnaissance, the solution focuses on real-world exploitability and believability over theoretical severity.

The platform operates exclusively as a cloud-native SaaS solution, utilizing distributed processing to ensure elastic scalability without impacting customer infrastructure. The solution will look and feel different over the contract lifecycle. ThreatNG delivers an aggressive roadmap, focusing on disruptive capabilities such as DarChain (digital attack risk contextual hyper-analysis insights narrative) for attack path visualization and GenAI/LLM security integrations driven by its DarcSight Labs’ R&D team.

ThreatNG Security is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the ASM Radar chart.

Strengths
ThreatNG Security scored well on a number of decision criteria, including:

• Automation and correlation: ThreatNG utilizes a patented assessment engine that employs a single backplane to perform sophisticated horizontal and vertical data correlation. This engine automatically links disparate data types (for example, connecting a nonhuman identity finding to the specific cloud asset it unlocks) and employs a context filter to validate findings against multiple sources, significantly reducing manual analysis requirements.

• Asset categorization: The platform delivers exceptional categorization through its Technology Stack Identification module and dynamic tagging capabilities. By automatically mapping technical findings to "functional pillars" (strategic, operational, financial, technical) and allowing users to define custom dynamic entities, ThreatNG translates raw technical data into business logic categories, enabling stakeholders to view assets as prioritized business risks rather than simple server lists.

• Asset correlation: ThreatNG excels at creating a cohesive map of the digital footprint through recursive discovery that seamlessly links child assets to parent entities. The platform’s architecture automatically correlates subdomains, certificates, and SaaS tenants to the parent organization and integrates cross-vector data, such as linking a dark web credential leak directly to the specific domain it impacts, ensuring a holistic view of exposure.

Opportunities
ThreatNG Security has room for improvement in a few decision criteria, including:

• Attack path analysis: Although the solution includes the DarChain module for contextual attack path intelligence, its capabilities are primarily focused on external narratives of adversary behavior and relational path intelligence. Organizations requiring deep internal lateral movement simulation or highly interactive, real-time remediation of complex internal paths may find the current visualization maturity requires more manual analysis than more established market leaders.

• Third-party risk identification: Although ThreatNG offers robust fourth-party visibility and passive scanning capabilities, its approach to third-party risk is primarily product-centric rather than service-based. While it allows for the manual addition of vendor entities, it stops short of providing a premapped global internet view or a fully managed service for vetting vendors, which may require more operational effort from the customer compared to dedicated TPRM platforms.

• Managed triage: Managed triage is delivered through Crosshairs, a premium analyst service that works alongside internal security teams. For organizations that lack the budget for premium services, the reliance on an add-on service for high-touch vulnerability triage may be a barrier, potentially leaving smaller teams to manage the prioritization of complex findings independently without the benefit of integrated, native triage automation found in some competing platforms.

Purchase Considerations
ThreatNG Security employs a transparent, all-inclusive pricing model based on a flat per-entity rate, whereby an entity is defined as a domain and organization name pair. This model is highly predictable, eliminating the sticker shock often associated with asset-based pricing where costs escalate as discovery uncovers more shadow IT. The subscription includes unlimited users, assets, modules, and intelligence repositories, positioning it as a cost-effective Platform Play for organizations seeking to consolidate EASM, DRP, and security ratings without complex add-on fees.

The solution scales elastically to support large enterprise volumes, documenting a capacity for single users to manage up to 2,000 entities per month with full scan cycles completing in approximately seven hours. Implementation is designed for zero-friction deployment, requiring no agents or hardware, and utilizing a guided investigation wizard that allows organizations to initiate comprehensive assessments using only a domain name. While the platform offers robust API integration for data export, organizations requiring deep internal visibility behind the firewall will need to pair ThreatNG with separate internal scanning solutions or CAASM tools.

Use Cases
ThreatNG excels in environments requiring broad digital risk visibility and rapid outside-in assessments. M&A teams can leverage its agentless architecture and fourth-party visibility to perform rapid due diligence on target companies without requiring IT access or cooperation, mapping dependencies and hidden risks immediately. SMBs and organizations with lean security teams benefit from ThreatNG's all-inclusive model and guided investigation wizard, which allow generalist IT personnel to operate the tool effectively without deep threat intelligence expertise. Governance, risk, and compliance (GRC) teams can utilize the platform’s functional pillars and ESG Violations monitoring to correlate technical cyber risks with broader corporate liabilities, ensuring that board-level reporting reflects actual business impact rather than just technical metrics.

The ASM market has evolved from a niche discipline focused on simple asset discovery into the foundational intelligence layer for proactive security operations. We are witnessing a definitive shift from reactive ASM to broader exposure management and CTEM. It is no longer sufficient to merely catalog external assets; organizations must validate the risk those assets pose within the context of business operations.

Consequently, the market is bifurcating. We see massive Platform Plays consolidating ASM with vulnerability management and XDR, contrasting with specialized Feature Plays that offer deep capabilities like autonomous offensive testing or supply chain mapping. For the strategist, the entry point remains clear: establishing a unified asset inventory that serves as the immutable system of record for the entire security program.

Three dominant themes define the current landscape:

• The CTEM mandate: Buyers are prioritizing solutions that support the full CTEM cycle (scoping, discovery, prioritization, validation, and mobilization) over static scanning tools to shift from alert-driven operations to outcome-driven risk reduction.

• The validation imperative: Solutions utilizing agentic AI or human verification to prove exploitability are displacing passive scanners, effectively addressing alert fatigue by ensuring security teams focus on management by reduction rather than just increased visibility.

• Supply chain complexity: As the perimeter extends to the nth party and software supply chain attacks double, organizations require tools capable of recursively mapping dependencies to attribute risks from vendors' vendors.

For IT decision-makers weighing adoption, the following actions are critical:

• Define your source of truth: Do not deploy ASM as another silo. Ensure your chosen solution integrates bidirectionally with your CMDB and ITSM to create a single, trusted view of asset reality.

• Audit your licensing exposure: Avoid legacy "per-IP" licensing models that penalize elasticity in cloud-native environments, and instead seek business entity or flat-rate pricing models to prevent budget overruns as you scale.

• Operationalize for MTTR: Test the mean time to inventory and integration with automation platforms (SOAR) during the proof of concept, as a tool that cannot automatically trigger a remediation workflow is not ready for enterprise deployment.

• Address the human element: Prioritize managed triage services or hybrid solutions from vendors like Bishop Fox or NetSPI if your internal team is lean, ensuring you do not purchase a tool you cannot effectively staff.

Looking at 2026 and beyond, it’s likely the concept of "standalone ASM" will vanish as it is absorbed into broader exposure assessment platforms (EAPs) and CNAPP ecosystems. The defining technology of the near future is agentic AI, autonomous digital defenders capable of investigating root causes and deploying patches without human intervention. However, this introduces new risks regarding shadow AI and agentic autonomy that must be governed. To prepare, organizations must break down data silos today, building a clean, graph-based asset inventory that these future AI agents can rely upon to act autonomously and safely.

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Radar reports, please visit our Methodology.

Chris Ray is a veteran of the cyber security domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently, he has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

My mission is to deliver innovative and scalable solutions that enable data-driven decision making and business transformation. I have extensive knowledge and skills in big data, data warehousing, Apache Airflow, and Google Cloud Platform, where I hold three professional certifications. I enjoy collaborating with clients and partners, sharing best practices, and mentoring the next generation of data and cloud professionals.

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

© Knowingly, Inc. 2026 "GigaOm Radar for Attack Surface Management" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.