I am often asked for my thoughts on the Bug Bounty / RECON / Asset Inventory / Attack Surface Management spaces.
This is partially because I founded a company, called HELIOS, back in 2016, which I separated from at the end of 2018. And although I am no longer actively involved in the space I still follow it from a distance.
Here’s how I understand the space and where it’s going.
There are multiple sub-spaces that will eventually merge
The biggest thing to understand is that there are multiple sub-spaces and sub-markets within this overall domain. My favorite name for this space so far is what Assetnote calls itself, which is Attack Surface Management.
Anyway, the functions—or spaces—that I see here are:
Attack Surface Management is really the container that will contain the others eventually.
Attack Surface Management: The overall management of a company’s entire attack surface, whether that’s internal, external, cloud, or legacy/on-prem.
Asset Inventory: The creation of an interactive database of all your online assets. Notable players: BitDiscovery, Expanse (Now Palo Alto).
Bounty Researcher Tooling: These are sets of tools, or platforms, that help security researchers—especially in the Bug Bounty space—to discover more and better bugs in customer systems.
Discovery, Monitorin, and Alerting: These are platforms focused less on maintaining and displaying inventories of discovered systems, but that focus on letting the customer know as fast as possible—via multiple methods—that there is an issue with their attack surface that needs to be fixed.
Reporting and Remediation: These are platforms most focused on integration with customer systems so that issues can be routed and fixed internally as quickly as possible, usually through integration with SOAR tools like Swimlane, Demisto, etc.
Vulnerability Discovery and Management: These are RECON-oriented platforms that are largely focused around emulating traditional Vulnerability Management platforms, except facing the internet, using discovery techniques, and across the entire stack—including AppSec.
Here are some of the players in the space. And please note that there is some significant overlap in the sub-spaces/functions described above, and many of the companies below are already playing in more than one of them.
Listed in alphabetical order.
AssetNote (Primarily Vuln Management)
BitDiscovery (Primarily Asset Inventory)
Expanse (Primarily Asset Inventory)
Helios (Primarily Discovery, Monitoring, and Alerting)
Intrigue (Primarily Researcher Tooling)
Project Discovery / Nucleus (Primarily Researcher Tooling)
The way I see this, all of these spaces will merge into the first one—Attack Surface Management—within around 3-6 years.
Nobody is there now—at least not completely. But they will all get there.
Groups focused on discovery will be asked for a browsable database. People with a database will be asked for real-time monitoring. People with monitoring will be asked for discovery. People with monitoring and discovery will be asked for vulnerability identification. And they will all be asked for SOAR integration.
In less than 10 years, every large vendor in the security space will have some sort of unified play that includes all these components. With some being better than others at each function, of course.
To me, the two questions for a potential user—or investor—of these spaces are:
Which do customers need most right now?, and…
Which option is furthest along in unifying all these spaces into the endstate of Attack Surface Management?
If you can answer those questions you’re doing pretty well. 🙂
I’m purposely not linking to—or favoring—any particular company here because although I’m not involved anymore I personally know people at pretty much every single one of these places, and they’re all my good friends. My goal here isn’t to promote one space or one company as better than others, but to just give a quick 2-minute view of how I see the whole thing progressing in coming years.
Dec 10, 2020 — Another big consideration here is how turnkey these solutions are, vs. requiring an SME or a developer to use. A number of offerings in the bounty/researcher space are very powerful as platforms, but the number of people who can utilize that power is limited. The most succesful companies in this space will not only have the power, but also the ability to make that power usable by regular people.