In an era of cloud computing and off-site third-party services, traditional network-based security approaches simply aren’t effective. With research showing that large organizations maintain an average of 600 software-as-a-service (SaaS) applications, the modern attack surface is too vast to manage without a purpose-built attack surface management solution. 

Attack surface management solutions provide a tool to automatically discover public-facing assets located outside the perimeter network, and identify vulnerabilities in shadow IT assets and misconfigured systems that hackers can exploit.  

As the need to secure cloud environments increases, these solutions are beginning to pick up more interest, with penetration testing and attack surface management vendor NetSPI today announcing that it has received $410 million in growth funding from global investment firm KKR.

The new funding demonstrates that vulnerability management is giving way to the broader, automated and decentralized approach of mitigating exploits across the entire attack surface. 

The need for attack surface management 

The announcement comes just a day after vulnerability management firm Tenable announced it was moving away from vulnerability management and launching a new exposure and attack surface management solution called Tenable One. 

One of the key reasons for this growing interest is that vulnerability management solutions have failed to secure off-site shadow IT assets and services. 

Most vulnerability management solutions use databases of known CVEs to identify and patch vulnerable systems. The problem is that it not only takes time for CVEs to be updated, but this method fails to consider unknown assets. 

At the same time, cloud adoption continues to increase. According to Palo Alto Networks, on average, companies add 3.5 new publicly accessible cloud services per day — nearly 1,300 per year. Any of these given resources can be publicly exposed to attackers on the internet if they’re poorly provisioned or configured. 

Given this complexity, it’s no surprise that cloud-based security issues comprise 79% of observed exposures compared to 21% for on-prem in global enterprises. 

NetSPI’s answer to cloud vulnerability sprawl 

The writing on the wall is that enterprises need an approach to managing vulnerabilities that can scale to address exploits across the entire attack surface. For NetSPI, that comes down to offensive security. 

“As we look forward to this next chapter, NetSPI will continue to challenge the status quo in offensive security,” said Aaron Shilts, CEO of NetSPI. “With KKR’s support, we are well positioned to amplify our success building the best teams, developing new technologies, and delivering excellence, so that the world’s most prominent organizations can innovate with confidence.”

In effect, NetSPI provides enterprises with a solution to scan for assets in real-time, 24/7/365, using Open Source Intelligence (OSINT) and other methods. 

This approach not only enables an organization to build an inventory of public-facing cloud assets, it also highlights vulnerabilities and their severity so security teams can prioritize fixing the most important entry points. 

What else is happening in the attack surface management market 

The attack surface management market sits loosely within the global vulnerability management market, which researchers anticipate will reach a value of $2.51 billion by 2025, increasing at a compound annual growth rate (CAGE) of 16.3%. 

At the same time, according to Gartner, “By 2026, 20% of companies will have more than 95% visibility of all their assets which will be prioritized by risk and control coverage by implementing cyber asset attack surface management functionality, up from less than 1% in 2022. 

The attack surface management market is seeing interest from all sides — including from established IT vendors like CrowdStrike and Palo Alto Networks, both of which have released products in this category. There are also relatively new players on the block, like Randori, that focus on securing the attack surface exclusively. 

Earlier this year, IBM purchased Randori for an undisclosed amount, with the startup having raised $30 million up to that point, for a solution that scans the attack surface for vulnerable assets and prioritizes them based on severity. 

One of the key differentiators between Randori and other vendors is that instead of using IPv4 range scans, it uses a center-of-mass approach to find IPv6 and cloud assets other solutions miss. 

Cycognito is another vendor seeing significant investor interest. It raised $100 million in December 2021 and achieved an $800 million valuation, for an attack surface management solution that can automatically discover exposed assets and provide the user with a smart contextualized risk map.

NetSPI’s new funding will help to bolster its position in the market and situate it as a hybrid attack surface management and penetration testing provider.