Exposure of internet-facing enterprise assets and systems can bring major risks for security. And yet, often, enterprises aren’t even aware of all the internet-facing assets they have — which of course makes it impossible to go about securing those assets and systems.

As digital transformation continues turning all enterprises into internet companies, to one degree or another, this problem of exposed assets and systems is growing fast. And that has led to the emergence of a new category of security technology: External attack surface management, or EASM.

The technology — sometimes referred to simply as attack surface management, or ASM — focuses on identifying all of an enterprise’s internet-facing assets, assessing for vulnerabilities and then remediating or mitigating any vulnerabilities that are uncovered.

A separate discipline within security is penetration testing, or pentesting, in which a professional with hacking expertise performs a simulated attack and tries to breach a system, as a way to uncover vulnerabilities that need to be addressed.

Today, enterprise pentesting firm NetSPI announced that it’s bringing the two worlds together, with the debut of its new attack surface management offering. The solution integrates the company’s pentesting experts into the attack surface management process, as a way to improve the triage and remediation of risky exposures, said Travis Hoyt, CTO at NetSPI.

“EASM does not typically include manual pentesting — at least not in the way NetSPI incorporates it into our new offering,” Hoyt in an email to VentureBeat.

However, “both are necessary to truly accomplish a holistic, proactive security program,” he said. “In today’s threat environment, conducting a pentest once a year is no longer effective given the rate at which the attack surface is changing. EASM ensures that corporate networks have constant coverage and attack surface visibility.”

‘Comprehensive understanding’

When implemented together, EASM and external network pentesting “give organizations a comprehensive understanding of the weaknesses on their external attack surface – and a better path forward for efficient remediation,” Hoyt said.

Currently, many of the key players in the EASM market focus on the monitoring and inventory of assets, and are heavily reliant on technology to accomplish this, he said. NetSPI’s offering, on the other hand, will stand out by integrating human pentesting experts into attack surface management — allowing the company to manually pentest exposures to determine the risk each poses to an organization, Hoyt said.

In other words, “the NetSPI team is constantly looking at your attack surface to prioritize the exposures that matter most to your business, by using proven methodologies from our two decades dedicated to pentesting,” he said.

A key challenge that security leaders face today is keeping up with the rate of change, Hoyt said.

“New things pop up on the external network all the time, often without IT awareness,” he said. “Security leaders today are tasked with keeping track of all assets and understanding the risk of every exposure, which is no easy task.”

Attack surface management, however, can help organizations get a comprehensive view of all of their assets and exposures — including unknown assets — allowing them to dramatically increase their visibility, Hoyt said.

Best of both worlds

Many other companies in attacks surface management either provide scanning that is an entirely manual process, or offer pure technology platforms that operate without intervention from humans, he said.

NetSPI’s solution aims to take the best attributes of those two delivery models, Hoyt said. The company’s attack surface management platform features automated scanning and orchestration technology that identifies and maps all assets on a company’s external attack surface. The platform also continuously monitors the attack surface and provides an alert when it detects a high-risk exposure.

NetSPI’s operations team then steps in to triage exposures — by validating the issue, evaluating what sort of risk it poses and advising the customer about remediation.

“There’s no replacement for human intuition. A tool simply cannot chain together vulnerabilities the way a human can, nor understand an exposure’s true risk to business operations,” Hoyt said.

Ultimately, with the introduction of its ASM offering, NetSPI now offers customers a “full suite of offensive security solutions,” he said — for the first time providing customers with “truly continuous testing.”

Growth spurt

Founded in 2001, NetSPI has seen its business — and headcount — take off over the past few years.

The company’s organic revenue growth grew by 51% in 2021, following 35% organic revenue growth in 2020. And NetSPI now reports having 577 customers, up from 321 customers at this time a year ago.

While the company lists the names of several customers on its website, that list does not include NetSPI’s marquee customers. Among some of the company’s customers are “the top cloud providers, three of the five FAANG companies, nine of the 10 top U.S. banks and many of the Fortune 500,” Hoyt said — with FAANG referring to the elite grouping that consists of Meta (Facebook), Apple, Amazon, Netflix and Alphabet (Google).

Meanwhile, the Minneapolis-based company has expanded its staff to more than 300 — over half of which are full-time pentesters — which is up from 200 employees a year ago. NetSPI expects to increase its headcount by another 20% to 30% by the end of this year. Hoyt himself joined the company in August, after holding roles at TIAA for two years and at Bank of America for nearly two decades.

NetSPI has raised $100 million in funding to date, with $90 million of that amount raised in May 2021. The growth funding round was led by KKR with backing from Ten Eleven Ventures, as well.

All in all, looking ahead, “we can only expect breaches to become more frequent as the attack surface continues to expand, in tandem with growing sophistication of hacking techniques,” Hoyt said. “NetSPI’s unique offering helps support internal security teams by providing an extra set of eyes, both physical and digital, and acting as a true extension of our customers’ teams.”