
Attack Surface Management Solutions, Q3 2024

We are pleased to announce the first release of Forrester’s Wave: Attack Surface Management Solutions, Q3 2024. In this Wave for Attack Surface Management (ASM), we evaluated the eleven most important ASM providers in what is currently a rapidly evolving market segment. Forrester covers ASM and peripheral markets such as Exposure Management and Vulnerability Risk Management (VRM), as these segments all contribute to proactive security and support the use cases of visibility, prioritization and remediation. In the ASM Wave, we focused primarily on how ASM solutions provide the first essential step to proactive security: visibility.

What’s going on with the attack surface management market?

For the ASM Wave, we evaluated vendors that began as Cyber Asset Attack Surface Management (CAASM) or External Attack Surface Management (EASM) solutions, as well as vendors that bundle ASM as part of their SecOps platform strategy, including vendors that deliver ASM capabilities through an exposure management offering. The goal of all evaluated vendors is to provide comprehensive insight into assets and attack surfaces so customers can prioritize and ultimately remediate risks. The state of attack surface management is volatile and dynamic (see image below), which we took into account in the Wave assessment. Key considerations regarding the state of proactive security today include:

  • CAASM and EASM have been merged into a single ASM to support visibility use cases. CAASM and EASM have always provided visibility, either through an internal (defender) view or an external (attacker) view. These related use cases provide visibility and are enhanced by combining both views, which users can now obtain via CAASM, EASM or ASM integrated into a SecOps platform. As our Wave details show, CAASM capabilities can differentiate themselves by expanding the breadth of integrations that capture asset context, and EASMs can differentiate themselves when vendors own and use proprietary scanning technology.
  • The standalone EASM is more like a threat intelligence product. EASM has become a capability found in a variety of products, particularly among threat intelligence providers, that augment the external view of the environment: not just externally facing assets, but also features such as malicious brand impersonations on social media or mobile app stores, management supervision, and third-party supervision/supply chain.
  • EASM and continuous security testing complement each other. When assets are discoverable and accessible from the outside, the next strategic step in proactive security – prioritization – is to test them to assess vulnerabilities. That’s why continuous security testing companies that offer breach and attack simulation, bug bounty or penetration testing as a service have added EASM capabilities. Proactive security vendors must support more than just visibility or prioritization to expand a platform offering. Because ASM’s focus is on visibility and continuous security testing supports prioritization, we expect ASM and continuous security testing vendors to continue to expand each other’s capabilities.
  • Proactive security platform approaches to attack surface management are the most prominent. ASM will continue to gain traction as a capability in proactive security platforms to provide transparency. Today, proactive security platforms are expanding and will continue to enhance prioritization through capabilities such as exposure management, CISA KEV/EPSS/CVSS or risk assessment (typically in VRM solutions) or continuous security testing. The way ASM integrates with a proactive security or SecOps platform, with the data the platform already has, is a key differentiator here, as it provides out-of-the-box asset context and stepping stones for risk management, and provides part of a prioritization strategy.

A proactive security approach future-proofs your program strategy against vendor rebranding and category changes

Until, and unless, the proactive security market stabilizes into a category, continue to ask yourself how much visibility you have, whether your prioritization strategy meets acceptable risk thresholds, and how well you remediate vulnerabilities. These will always be the core principles you must meet, even as the market landscape changes. Today, ASM solutions ensure transparency both externally and internally. This visibility must be accessible to your prioritization strategy (be it through exposure management, VRM-provided risk assessments, or continuous security testing) and must be the source feeding into and out of your remediation tracking (be it through VRM, ITSM, or SIEM).

Forrester customers who have questions or concerns about ASM and these other complementary markets should schedule an inquiry or consulting session with me to discuss how you can ensure your organization is on the right track for effective proactive security.
