Home > Research > Your Internet Secret Service, Otherwise Known as External Attack Surface Management (EASM)

Your Internet Secret Service, Otherwise Known as External Attack Surface Management (EASM)

Have you ever thought of what else you could do to take your SOC to the next level and focus on prevention? External attack surface management (EASM) was a popular managed service and topic of discussion at RSA Conference 2023.

Out of the dozens of vendors I spoke to at RSA Conference 2023 this year, EASM vendors were of special interest to me. Several members had asked me on analyst calls about what services they offered, an overview of their platforms, and my thoughts. I must confess, I was only vaguely familiar with the vendors and products in this area until I started asking questions during demos and understanding their capabilities well enough to share some insights.

After speaking to several EASM vendors, they shared some differentiating features, but if you’re in the market, at a minimum, you should look for three key capabilities:

  1. External Asset Management – You want to know about assets you are unaware of. If you have a cloud application security broker (CASB), this will extend its reach across the internet, it’s the “Secret Service” I mentioned above.
  2. Managed Threat Intelligence – This should be an aggressive pipeline of threat intelligence fed into your threat management tools. You’re paying for the quality, fidelity, and volume.
  3. Extended Vulnerability Management – Go beyond your defined perimeter and discover risks you were unaware of. This includes the deep web, of course, but other things, like decommissioned assets that are still running risky services and posing a risk to the firm, also resonated with me. You might have never stumbled on this issue, but I recall thinking a number of times over the years: “Weren’t these supposed to be shut down and confirmed out of service by our scans?”

I wanted to share my insights after speaking with two EASM vendors at length: ZeroFox and CybelAngel (that’s not a typo: “Cybel,” not “Cyber”). Both caught my eye at the expo hall, and I was on a mission to learn more about their capabilities.


A company that has won SINET16 and was featured in Dark Reading, ZeroFox promises to go on a fox hunt, seeking out your adversaries and providing around-the-clock digital risk protection. Three key differentiators were shared with me as well:

  • Scope – unparalleled social media coverage.
  • Innovation – patented SaaS technology with best-in-breed threat intelligence feeds.
  • Unrivaled scale – the speed of takedowns and other mitigating actions at volume is based on strong industry partnerships and track record.

ZeroFox Leadership Team, Company, Investors | ZeroFox, Company website, 2023.


A company started by two brothers in 2013, Erwan and Stevan Keraudy, both passionate about cybersecurity. Today, the company has grown to nearly 200 employees that are focused on external threat protection for your organization. They shared three differentiating traits with me:

  • Be proactive – detect, discover, and resolve external threats.
  • Stay efficient – only manage true positives.
  • Safeguard – protect your organization and brand.

Digital Risk Protection from Cyber Threats - About Us at CybelAngel, Company website, 2023.

Our Take

Both companies offer compelling products. Whichever vendor you choose should perform the mitigation for you – some of the vendors I spoke to only do a report, and you need to spend the time with the follow-up actions. This can come at an extra cost, so be explicit in stating your needs.

Ask for data breach prevention; in other words, have them scan everywhere for open ports on rogue assets, storage buckets like S3, and other risks that may have evaded you. They should also provide dark web monitoring to provide insight on threats planned against your organization. Domain name protection is a must – these attacks are commonly known as typosquatting, where attackers use lookalike characters or other tomfoolery to phish you. Have the vendor perform the takedowns as part of the service, and ask for their track record, relationships, and service level objectives (SLOs).

Finally, account takeover (ATO) prevention is an area that was of interest to me coming from a fintech. Both CybelAngel and ZeroFox can search for your leaked credentials in paste sites, ransomware gang Discords, and other criminal marketplaces. Ask for their trial and conduct a proof of concept. Some vendors offer three-week trials or longer based on scope and intent.

Want to Know More?

Threat Intelligence & Incident Response | Security Technology & Operations | Info-Tech Research Group (infotech.com)

Build Your Security Operations Program From the Ground Up | Info-Tech Research Group (infotech.com)