Demo of the CyCognito PlatformSee the CyCognito platform in action to understand how it can help you identify, prioritize and eliminate your most critical risks. More...
State of External Exposure Management, Summer 2024 EditionDownload the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024. More...
The Total Economic Impact™ of The CyCognito PlatformRead The Total Economic Impact™ of The CyCognito Platform — a Forrester study. Cost Savings And Business Benefits Enabled By The CyCognito Platform. More...
External Attack Surface Management, or EASM, has become a necessary component of a proactive cybersecurity strategy. According to research from Enterprise Strategy Group, over 65% of breaches stem from a compromised, externally exposed asset, so knowing your attack surface is key to avoiding breaches. Gartner, for this reason, is recommending EASM as a key pillar in the new approach to proactive security they call Exposure Management.
As a new item in the cybersecurity stack, many teams have no context for how and how much to budget for EASM. This post will give you some basic guidance.
EASM refers to the process of identifying, analyzing, and mitigating the vulnerabilities and risks associated with an organization’s external-facing digital assets, such as websites, applications, cloud environments, and network infrastructure. It involves monitoring and securing the exposed attack surface to prevent breaches and unauthorized access by threat actors, and most closely aligns with vulnerability management.
On the low end, basic security ratings tools and vulnerability scanning add-ons may cost in the $25-50K range, sometimes more. These, however, are not truly EASM, and require manual effort, miss assets, have high false positives, struggle with discovering cloud assets, and do not perform any testing.
Modern EASM products are typically priced per asset under management. An average enterprise has over 50,000 assets, according to CyCognito’s State of External Exposure Management report. Mid-market customers have 20,000 on average. Large enterprises may have hundreds of thousands of assets, even up to millions for some industries like telecommunications. Importantly, don’t budget based on your current understanding of your assets; most customers significantly undercount if they do not have EASM in place and are using manual methods to keep track of their assets.
So, the cost of EASM depends on the number of assets you have. It will also vary depending on whether you are simply discovering assets or actively testing those assets, which typically is an added cost. Mid-market customers can expect to pay in the $25-75K range. Large enterprises can expect $100-200K on average. Of course, if your organization has lots of assets based on the business you are in, the price may be higher.
More and more enterprises are creating Exposure Management teams. Some have dedicated EASM staff. Companies with Exposure Management teams would hold the budget there.
If not, EASM is usually part of the Security Operations Center (SOC) budget, often specifically from the vulnerability management budget. If you are including testing in your EASM license, some of the budget may come from the AppSec team.
Advanced EASM products typically run autonomously and staff is only needed to determine whether unknown assets are part of their asset inventories and help triage assets at risk. For smaller organizations, this can just be 4-8 hours a week, depending on findings that week. Larger organizations may have a small team of 1-2 analysts focusing on EASM, often working on other teams, like VM, as well. Many MSSPs also offer EASM as a managed service.
The cost of EASM can be justified in terms of risk reduction, labor savings and efficiency gains, and software license and insurance premium cost reductions.
For more information on CyCognito’s license costs, please visit our pricing page. Or contact us to set up a time to discuss your specific requirements.
1 Statistics from Forrester Total Economic Impact report and CyCognito customer analysis.
Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024.
Download the report to learn about the historical trends behind the emergence of exposure management, how to develop a strategic plan and assemble a team to smoothly transition frameworks, and example tech stacks to consider for your organization.
Get a free scan of your attack surface and gain valuable insight into your organization's risk posture by allowing CyCognito to discover, contextualize, and test externally exposed assets on a portion of your parent company or a single subsidiary.
CyCognito solves one of the most fundamental business problems in cybersecurity: seeing how attackers view your organization, where they are most likely to break in, what systems and assets are at risk and how you can eliminate the exposure.
Founded by national intelligence agency veterans, CyCognito has a deep understanding of how attackers exploit blind spots and a path of least resistance. Based in Palo Alto, CyCognito serves a number of large enterprises and Fortune 500 organizations, including Colgate-Palmolive, Tesco and many others.
For more information, follow us on Twitter @cycognito.
Privacy Policy Terms of Service Sitemap