Visibility Into Attack Surfaces and Third Party Rating Risks
In a recent roundtable discussion, I joined CISOs from multiple industries to share perspectives on one challenge they all face today: achieving accurate visibility into external attack surfaces and managing the risks tied to third-party security ratings.
The conversation explored the difficulties of asset discovery, the reliability of security scoring firms, and the growing need for context-driven, actionable insights rather than an overwhelming flood of raw data.
External Visibility and Risk Scoring in Cybersecurity
Cybersecurity leaders are facing increasing complexity when it comes to understanding and managing their organization’s external attack surface. A recurring theme across the discussion was the challenge of achieving accurate visibility, particularly in relation to domains, IP space, and third-party risk assessments.
Domain and Asset Identification Remain Foundational and Painful
Many organizations reported that a fundamental problem lies in simply identifying what assets they own. In large enterprises with multiple verticals or acquired entities, domain ownership is often unclear. Domains are sometimes orphaned, misattributed to different internal business units, or simply forgotten. This creates substantial risk, particularly when no one is monitoring or managing them.
Mergers and acquisitions add another layer of complexity, with companies inheriting legacy IP ranges and domains. Often, the first time a security team learns about these is through a third-party assessment or an external scan, underscoring the need for better internal asset discovery and integration during M&A.
External Ratings: A Useful Tool with Flawed Metrics
External cybersecurity rating firms, used by many to monitor their own risk posture and that of their vendors, were a point of contention. While these platforms offer visibility, their scoring methodologies are often opaque and difficult to trust. There’s broad skepticism about the value of these scores, especially when based on outdated or low-priority findings like parked domains without SSL or old credentials found on the dark web.
Participants noted that these rating services increasingly emulate credit score models - delaying score changes despite rapid remediations and weighing old vulnerabilities more heavily simply due to their age. This mismatch between real risk and perceived risk often results in customer friction, with some clients threatening not to renew contracts based on third-party scores.
Organizations shared that they frequently receive one-off reports from lesser-known scoring firms or intelligence providers, making it difficult to prioritize which alerts to act on. The consensus: the flood of information from external monitors can become more noise than signal without context.
Bug Bounties, Pen Testing, and Manual Efforts Help Fill Gaps
To supplement external scanning tools, many organizations use bug bounty programs and regular penetration testing to detect unknown vulnerabilities and shadow assets. Some conduct these assessments as frequently as daily, with the aim of identifying new endpoints and mitigating risk before threat actors exploit them.
There's also an increasing push toward integrating internal tools such as vulnerability scanners, CMDBs, and cloud posture systems into centralized analytics platforms to build a more dynamic and accurate inventory. This effort allows for real-time correlation and identification of anomalies that formal processes might miss, particularly in decentralized or cloud-heavy environments.
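As an added illustration of the inventory reconciliation described above (not code from the roundtable or any participant), the script below merges a CMDB, a cloud posture export, and an external scan to surface shadow assets, orphaned domains, and findings ranked by business context rather than age. All asset names, accounts, and findings are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample inventories (hypothetical, not from the roundtable).
CMDB = {                       # asset -> owning business unit ("" = no owner recorded)
    "www.example.com": "Retail",
    "legacy.example-acq.com": "",   # inherited through an acquisition, never assigned
    "api.example.com": "Platform",
}
CLOUD_POSTURE = {              # asset -> cloud account it was discovered in
    "api.example.com": "prod-account",
    "staging-api.example.com": "dev-account",   # never registered in the CMDB
}
EXTERNAL_SCAN = [              # (asset, finding, days since the scanner first saw it)
    ("www.example.com", "TLS 1.0 enabled", 3),
    ("legacy.example-acq.com", "expired certificate", 400),
    ("old-promo.example.com", "parked domain without SSL", 900),
    ("staging-api.example.com", "admin panel exposed", 1),
]
LOW_VALUE_FINDINGS = {"parked domain without SSL"}   # noise when nothing is served

@dataclass
class Reconciliation:
    unknown: list = field(default_factory=list)      # seen externally, in no inventory
    orphaned: list = field(default_factory=list)     # in the CMDB but with no owner
    unregistered_cloud: list = field(default_factory=list)  # in cloud, not in CMDB
    prioritized: list = field(default_factory=list)  # (priority, asset, finding)

def prioritize(asset, finding, cmdb, known):
    """Rank a finding by business context, not by how long it has been open."""
    if asset not in known:
        return "triage"           # nobody owns it: claim it or decommission it
    if finding in LOW_VALUE_FINDINGS:
        return "low"
    if not cmdb.get(asset):
        return "high"             # known asset, but no one is on the hook to fix it
    return "normal"

def reconcile(cmdb, cloud, scan):
    r = Reconciliation()
    r.orphaned = sorted(a for a, owner in cmdb.items() if not owner)
    r.unregistered_cloud = sorted(a for a in cloud if a not in cmdb)
    known = set(cmdb) | set(cloud)
    for asset, finding, _age in scan:          # age is deliberately not a factor
        if asset not in known and asset not in r.unknown:
            r.unknown.append(asset)
        r.prioritized.append((prioritize(asset, finding, cmdb, known), asset, finding))
    return r

if __name__ == "__main__":
    print(reconcile(CMDB, CLOUD_POSTURE, EXTERNAL_SCAN))
```

Note that the unknown parked domain is marked for triage rather than dismissed as low-value: a finding can only be deprioritized once someone has confirmed what the asset is.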
AI & Analytics: Potential, But Not Yet Mature
While artificial intelligence and large language models (LLMs) hold promise for enhancing asset discovery and risk analysis, most organizations have not yet operationalized these tools in meaningful ways. Instead, they’re leveraging more traditional business intelligence platforms to aggregate data across tools and teams to create dynamic inventories and improve visibility.
There's recognition that AI will likely play a larger role in the future, particularly for correlating disparate data sources and identifying emerging threats, but the industry hasn’t yet reached widespread maturity in this area.
Skepticism Around “100% Visibility” Claims
Security leaders expressed strong doubts about any vendor or tool claiming to offer complete visibility. Given the growing complexity of environments, especially with cloud, SaaS, and continuous DevOps pipelines, it's unrealistic to expect full coverage. Tools often misclassify or miss assets altogether, especially when it comes to ephemeral or shared infrastructure.
Visibility, therefore, must be viewed through a lens of constant iteration. Leaders emphasized that it's not about having more data, but about having the right visibility: timely, contextualized, and actionable.
Signal vs. Noise and the Need for Context
One major frustration voiced was the challenge of separating useful insights from noise. Many alerts from rating agencies or automated tools lack the context necessary to assess whether they represent real risk. Without the ability to tailor these scores to business context, security teams are often left chasing false positives or, worse, reprioritizing based on pressure from clients responding to inaccurate scores.
Defense in Depth and Behavioral Profiling Still Matter
While external visibility is critical, participants noted that many real threats come from post-breach activity, and the focus must shift toward understanding lateral movement and behavior once an attacker is inside the environment. This includes profiling normal user and system behavior to detect anomalies early and layering internal defenses.
Crowdsourced pen testers, for instance, often abandon efforts once they encounter hardened internal controls, suggesting that depth of defense is an effective deterrent—even if it’s not immediately visible to external scanning tools.
Conclusion: More Tools, Same Problems, Focus on Fidelity
Cybersecurity teams today are using a wide array of tools to map and monitor their external attack surface, but challenges remain. The conversation emphasized that visibility alone isn’t the solution. What matters most is the fidelity and relevance of that visibility. Context-aware data, internal integration, and strategic use of tools like AI and behavioral analytics are seen as the way forward.
Ultimately, leaders agree: the goal isn’t perfect scores or full visibility, it’s a clear, contextual, and actionable understanding of the organization’s risk landscape.