The EASM Market Enters Its Final Phase
Could this flash bang of a market already be over...
The Cyber Why is a fun weekly newsletter with periodic deep market and technology analysis by a collective of former market analysts and investors. We write about what we see every day in the cyber and technology world. Today’s market analysis piece is a deep dive into the EASM landscape authored by Adrian Sanabria. If you like what you see, please subscribe and keep us motivated and excited to bring you more content! Please enjoy the read. — Tyler Shields, The Cyber Why
The EASM market (External Attack Surface Management, Gartner’s term) was inevitable. Penetration testers and OSINT experts knew that traditional vulnerability management players were missing attack surface. Actually, they were missing a lot of attack surface. While the incumbents chose to wait and see, the market exploded between 2018 and 2021. Since that explosion, we have seen nearly half of the major players in the space get acquired into bigger platforms. With that, I think it’s time for some analysis.
Zoom - Super Fast Growth
The EASM market was able to grow quickly because of the vast availability of existing open-source tools to build upon, and the simplicity of the technical operations necessary to map out a company’s attack surface. Compare the number of vendors we saw at the peak of the EASM market (38+) with what I think is likely the peak of the secure enterprise browser market (3). The barrier to entry was considerably lower than in other security markets when these vendors were raising capital. That meant faster ramp time and quicker time to value, helped along by the ability to build a business in the middle of a free-money monetary cycle.
What Exactly Is An Asset
That’s an important question here. The term ‘asset’ is used broadly in EASM and adjacent markets. Depending on the focus of the company’s analysis engine, an asset could be a company, a website, a mobile app, a code repository, a TLS certificate, a subdomain, or a website component like jQuery or a WordPress plugin. The spread of asset classes is one of the key features distinguishing the EASM market from the legacy vulnerability and asset management space. To the old guard, an asset must be tied to an IP. That’s often not the case in the new definition of asset management.
Additionally, there is nothing like feature parity in the EASM market, especially with respect to which assets get collected. Some asset types, like websites, IP addresses, certificates, domain information, and (TCP/UDP) services, are collected by everyone. Others, like mobile apps, data leaks, and credential leaks, are only gathered by some vendors, or by specialized vendors (e.g. Digital Shadows and GitGuardian). It all depends on how the vendor sees the world, what value they want to provide to the buyer from an analysis vantage point, and how the expertise and DNA of the founders and team line up.
The Tricky Bits
Naturally, trying to identify assets on the Internet and attribute them to their rightful owner is a tricky and contentious process - just ask anyone who has used a security rating service (SRS). During analysis, some assets clearly belong to you and some clearly don’t, and then there are assets that occupy a ‘grey space’. Maybe DNS points at a third party for a legitimate reason - some service is outsourced to them. A finding on that host is not a false positive, but you still can’t remediate it, because you don’t own it (though if the third party later deprovisions the service and your DNS record stays behind, the dangling record becomes a takeover risk that is yours to fix). Most EASM platforms support tagging, giving you ways to categorize and filter assets in a ‘limbo’ state, but it doesn’t change the fact that these grey areas exist.
Once you start the analysis process of the assets you collect, there is a vast quantity of results that have to be triaged. Vulnerability management vendors and teams are familiar with this problem. Luckily, there are a number of things the vendor can do to help. The top vendors in the EASM space must…
show where the finding came from. This is known as asset provenance: the data source and the chain of lookups that led to the asset, which is what lets you judge during triage whether the attribution holds up.
provide asset context. The existence of an asset is one thing, but its current state and specific configuration details provide context that significantly helps analysis. For example, metadata from related TLS certificates (e.g. one bearing the name of a defunct subsidiary), webpage footers (e.g. Copyright 2013), and more all help the security analyst understand why assets are what they are. Context is king.
connect the dots to IP ownership. Most EASM vendors label IP addresses belonging to cloud service providers - AWS, Azure, Linode, DigitalOcean, or Alibaba, for example. That label goes a long way toward helping the analyst locate the asset owner, because it tells you which provider’s account inventory to search.
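To make the three points above concrete, here is an added example (my own illustration, not code from the article or from any EASM vendor) of the triage enrichment an analyst wants on each discovered asset: the certificate organisation and SANs, the copyright year from the page footer, and the cloud provider that owns the IP. The provider prefix table, the asset record and the "known" organisations and domains are all constructed for the example; the prefixes are RFC 5737 documentation ranges, not any real provider’s address space (real providers publish theirs, AWS for instance as ip-ranges.json). Provenance is simply carried along on the record so it is still visible when the finding reaches the analyst.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Placeholder provider prefix table built from RFC 5737 documentation ranges.
# It is NOT real provider address space; a real tool would load the ranges
# each provider publishes instead.
CLOUD_PREFIXES = {
    "ExampleCloud-A": [ipaddress.ip_network("203.0.113.0/24")],
    "ExampleCloud-B": [ipaddress.ip_network("198.51.100.0/25")],
}

# Matches "© 2013", "(c) 2009-2013", "Copyright 2013" and captures the last year.
COPYRIGHT_RE = re.compile(
    r"(?:&copy;|©|\(c\)|copyright)\s*(?:\d{4}\s*[-–]\s*)?(\d{4})", re.IGNORECASE
)


@dataclass
class Asset:
    hostname: str
    ip: str
    cert_org: str | None        # subject O= on the TLS certificate, if any
    cert_sans: list[str]        # subjectAltName DNS entries
    html: str                   # fetched page body
    provenance: str             # how discovery reached this asset


@dataclass
class Triage:
    asset: Asset
    cloud_owner: str | None
    footer_year: int | None
    cert_org_known: bool
    signals: list[str] = field(default_factory=list)


def cloud_owner(ip: str) -> str | None:
    """Label an IP with the provider whose published prefix contains it."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in CLOUD_PREFIXES.items():
        if any(addr in net for net in nets):
            return provider
    return None


def footer_year(html: str) -> int | None:
    """Most recent year in a copyright notice, or None if there is none."""
    years = [int(m.group(1)) for m in COPYRIGHT_RE.finditer(html)]
    return max(years) if years else None


def triage(asset: Asset, known_orgs: set[str], known_domains: set[str],
           current_year: int) -> Triage:
    """Attach the context signals an analyst needs to decide ownership."""
    owner = cloud_owner(asset.ip)
    year = footer_year(asset.html)
    org_known = asset.cert_org is None or asset.cert_org.lower() in {
        o.lower() for o in known_orgs}
    t = Triage(asset, owner, year, org_known)
    if owner:
        t.signals.append(f"hosted in {owner}: find which account owns the instance")
    if year is not None and year < current_year - 3:
        t.signals.append(f"footer says {year}: probably unmaintained")
    if not org_known:
        t.signals.append(f"certificate issued to '{asset.cert_org}', not a known entity")
    # SANs outside every domain we know we own suggest a shared third-party host
    foreign = [s for s in asset.cert_sans
               if not any(s == d or s.endswith("." + d) for d in known_domains)]
    if foreign:
        t.signals.append(f"certificate also covers {foreign}: possibly a shared third-party host")
    return t


# Constructed asset record, shaped the way an EASM tool might present one.
SAMPLE = Asset(
    hostname="legacy-promo.example-sub.com",
    ip="203.0.113.77",
    cert_org="Example Sub Ltd",
    cert_sans=["legacy-promo.example-sub.com", "promo.partner-agency.net"],
    html="<footer>&copy; 2009-2013 Example Sub Ltd. All rights reserved.</footer>",
    provenance="seed example.com -> subsidiary register -> example-sub.com -> passive DNS",
)

if __name__ == "__main__":
    result = triage(SAMPLE, {"Example Corp"}, {"example.com", "example-sub.com"}, 2023)
    print(result.asset.hostname, "via", result.asset.provenance)
    for s in result.signals:
        print(" -", s)
```

Run as-is, the sample asset comes back with four signals: it sits in a cloud provider’s range, its footer is a decade old, its certificate names an organisation the analyst has not registered as theirs, and the certificate also covers a domain nobody in the company owns. Each of those is a question for a human, not an automatic verdict, which is the point of context.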
My favorite feature
My favorite feature of the EASM space is seed discovery. A seed is what kicks off an EASM search. The seed can be the name of a company, a DNS name, or a website, to give a few examples. Seed discovery implies that one seed leads to the discovery of other seeds. If I plug in sonypictures.com, the more sophisticated EASM tools are smart enough to branch out to Sony Pictures the business entity, parent companies, subsidiaries, and all of the websites and other assets attached to each. Here’s a diagram of what that might look like:
Seed discovery is a powerful feature because it highlights an important point: the owner of an asset discovery tool doesn’t necessarily know all the correct inputs. That’s what makes EASM so valuable. EASM makes you aware of the stuff you don’t already know about!
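Here is what seed discovery looks like as an algorithm. This is an added example of my own, not code from the article or from any EASM product: a breadth-first expansion where each seed kind (organisation, domain, certificate, host) is turned into new seeds by a lookup, every discovered seed keeps the chain of lookups that produced it (the asset provenance from the previous section), and a host whose registrable domain we have not otherwise attributed is recorded as grey and not expanded, which is how the branching stays inside the organisation rather than crawling the whole Internet. The corporate registry, WHOIS, certificate transparency and passive DNS data are constructed offline stand-ins using example.com names; the registrable-domain helper is deliberately naive (real code uses the public suffix list).

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Seed:
    kind: str    # "org", "domain", "cert" or "host"
    value: str


@dataclass
class Discovered:
    seed: Seed
    depth: int
    chain: list[str]       # provenance: the path of lookups that led here
    grey: bool = False     # found but not attributable; recorded, not expanded


# Constructed, offline stand-ins for a corporate registry, WHOIS, certificate
# transparency logs and passive DNS. Not real data.
SUBSIDIARIES = {"Example Corp": ["Example Sub Ltd"]}
ORG_DOMAINS = {"Example Corp": ["example.com"], "Example Sub Ltd": ["example-sub.com"]}
WHOIS_ORG = {"example.com": "Example Corp", "example-sub.com": "Example Sub Ltd"}
CT_LOG = {"example.com": ["cert-1"], "example-sub.com": ["cert-2"]}
CERT_SANS = {
    "cert-1": ["www.example.com", "api.example.com"],
    "cert-2": ["shop.example-sub.com", "promo.partner-agency.net"],
}
PASSIVE_DNS = {
    "example.com": ["mail.example.com"],
    "example-sub.com": ["legacy-promo.example-sub.com"],
}


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels); real code uses the public suffix list."""
    return ".".join(host.split(".")[-2:])


def expand(seed: Seed) -> list[tuple[Seed, str]]:
    """One hop: the new seeds a seed leads to, each tagged with the lookup used."""
    out: list[tuple[Seed, str]] = []
    if seed.kind == "org":
        out += [(Seed("org", s), "corporate registry: subsidiary") for s in SUBSIDIARIES.get(seed.value, [])]
        out += [(Seed("domain", d), "registrar: domain owned by org") for d in ORG_DOMAINS.get(seed.value, [])]
    elif seed.kind == "domain":
        if seed.value in WHOIS_ORG:
            out.append((Seed("org", WHOIS_ORG[seed.value]), "WHOIS: registrant org"))
        out += [(Seed("cert", c), "certificate transparency") for c in CT_LOG.get(seed.value, [])]
        out += [(Seed("host", h), "passive DNS") for h in PASSIVE_DNS.get(seed.value, [])]
    elif seed.kind == "cert":
        out += [(Seed("host", h), "certificate SAN") for h in CERT_SANS.get(seed.value, [])]
    # hosts are leaves here; a real tool would resolve, fingerprint and scan them
    return out


def discover(root: Seed, max_depth: int = 6) -> dict[Seed, Discovered]:
    """Breadth-first seed discovery with provenance and a grey-area boundary."""
    found = {root: Discovered(root, 0, [f"{root.kind}:{root.value}"])}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        rec = found[cur]
        if rec.grey or rec.depth >= max_depth:
            continue
        for new, method in expand(cur):
            if new in found:
                continue                     # keep the first (shortest) chain
            chain = rec.chain + [f"--{method}--> {new.kind}:{new.value}"]
            grey = False
            if new.kind == "host":
                owned = {d.value for d in found if d.kind == "domain"}
                grey = registrable(new.value) not in owned   # e.g. a shared cert SAN
            found[new] = Discovered(new, rec.depth + 1, chain, grey)
            queue.append(new)
    return found


if __name__ == "__main__":
    for rec in discover(Seed("domain", "example.com")).values():
        print(("GREY " if rec.grey else "     ") + " ".join(rec.chain))
```

Starting from the single domain seed, WHOIS leads up to the parent organisation, the registry leads across to the subsidiary and down to its domain, and certificate transparency and passive DNS fan out to hosts; the one SAN on a non-owned domain is kept as a grey finding with its full chain, so the analyst can see exactly why it was surfaced. The max_depth cap is the other safety valve: without it, a single wrong attribution step can pull an entire unrelated company into your inventory.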
During my time at CyberRisk Alliance, I founded Security Weekly Labs, which produced modern product reviews for cybersecurity products. EASM was the first market I chose to review, because:
I didn’t understand it
lots of folks seemed curious about it
it seemed like a new EASM vendor was popping out of stealth every week
As I started to test EASM products, I quickly realized that there were major differences between products in this market. Differences in use cases, data gathered, methods used, and insights revealed. It was necessary to break the EASM market down into four subcategories, which follow.
Internet Asset Research
The first approach I focused on was the simplest. It seemed inspired by tools like Shodan and Censys. The basic idea is to scan the entire Internet and then charge a (relatively) small fee for access to a database of Internet assets. I called this category Internet Asset Research. A benefit of this category is that you get access to the whole dataset, allowing you to look at your competitors, and third parties - anyone with a presence on the Internet. Historical research is another use case, making it possible to get answers to questions like, “how long has this SSH port been open?”
External Asset Monitoring
The next category, External Asset Monitoring, adds a monitoring capability to the previous category. I think of it as Shodan++. It’s the same internet-wide dataset, and the same ability to query, the difference is that you can now build asset groups, track them over time, and get alerted to changes. Again, the use case extends to third parties - something we won’t see in the next two categories.
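The two categories above share one data model, a time series of scan observations, and differ in what you ask of it: the research question from the previous section ("how long has this SSH port been open?") and the monitoring question from this one ("what changed in my asset group since last scan?"). The following is an added example of my own, not the article’s or any vendor’s code, that answers both over a constructed scan log on RFC 5737 documentation addresses. The asset group is a simple netblock predicate; a real product would let you build groups by organisation, tag or certificate as well.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Callable


@dataclass(frozen=True)
class Observation:
    seen: date
    ip: str
    port: int
    service: str
    banner: str


# Constructed scan log: one record per (date, ip, port) the scanner saw open
# on that date. Documentation addresses only; not real data.
PREVIOUS_SCAN = date(2022, 12, 1)
LAST_SCAN = date(2023, 1, 1)
LOG = [
    Observation(date(2022, 11, 1), "203.0.113.10", 22, "ssh", "OpenSSH_7.4"),
    Observation(date(2022, 11, 1), "203.0.113.10", 443, "https", "nginx"),
    Observation(PREVIOUS_SCAN, "203.0.113.10", 22, "ssh", "OpenSSH_7.4"),
    Observation(PREVIOUS_SCAN, "203.0.113.10", 443, "https", "nginx"),
    Observation(PREVIOUS_SCAN, "203.0.113.11", 3389, "rdp", ""),
    Observation(LAST_SCAN, "203.0.113.10", 22, "ssh", "OpenSSH_7.4"),
    Observation(LAST_SCAN, "203.0.113.11", 3389, "rdp", ""),
    Observation(LAST_SCAN, "203.0.113.12", 22, "ssh", "OpenSSH_8.9"),
    Observation(LAST_SCAN, "198.51.100.5", 22, "ssh", "dropbear"),  # somebody else's
]


def our_netblock(ip: str) -> bool:
    """Asset group: everything in 203.0.113.0/24 (a prefix check suffices here)."""
    return ip.startswith("203.0.113.")


def snapshot(log, on: date, group: Callable[[str], bool]) -> dict[tuple[str, int], Observation]:
    """The group's open (ip, port) pairs as seen on one scan date."""
    return {(o.ip, o.port): o for o in log if o.seen == on and group(o.ip)}


def open_since(log, ip: str, port: int, as_of: date) -> int | None:
    """Days the port has been open on every scan up to as_of; None if not open on as_of."""
    seen_open = {o.seen for o in log if o.ip == ip and o.port == port and o.seen <= as_of}
    if as_of not in seen_open:
        return None
    first = as_of
    for scan_day in sorted({o.seen for o in log if o.seen <= as_of}, reverse=True):
        if scan_day not in seen_open:
            break            # a scan where it was closed ends the streak
        first = scan_day
    return (as_of - first).days


def changes(log, before: date, after: date, group) -> list[tuple[str, str, int, str]]:
    """Alerts for an asset group between two scans: new, closed and changed services."""
    a, b = snapshot(log, before, group), snapshot(log, after, group)
    alerts = []
    for ip, port in sorted(b.keys() - a.keys()):
        alerts.append(("new", ip, port, b[(ip, port)].banner))
    for ip, port in sorted(a.keys() - b.keys()):
        alerts.append(("closed", ip, port, a[(ip, port)].banner))
    for ip, port in sorted(a.keys() & b.keys()):
        if a[(ip, port)].banner != b[(ip, port)].banner:
            alerts.append(("changed", ip, port, f"{a[(ip, port)].banner} -> {b[(ip, port)].banner}"))
    return alerts


if __name__ == "__main__":
    print("ssh on 203.0.113.10 open for", open_since(LOG, "203.0.113.10", 22, LAST_SCAN), "days")
    for alert in changes(LOG, PREVIOUS_SCAN, LAST_SCAN, our_netblock):
        print(alert)
```

Against the sample log, the SSH port on the first host has been open across all three scans (61 days), the RDP port on the second appeared one scan later, and the diff between the last two scans raises two alerts: a new SSH service on a host that was not there before, and the HTTPS service that disappeared. The third-party host in 198.51.100.0/24 is in the dataset but outside the group, which is exactly the distinction between research over everyone and monitoring of your own assets.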
External Asset Management Platforms
External Asset Management platforms are quite a different beast. Many of these platforms didn’t do any scanning until you started testing the product. Some require you to prove ownership before doing any assessment at all. There’s unresolved anxiety in the EASM industry that it might not be 100% legal to scan assets you don’t own. Some vendors don’t want to take that chance, while others have to, or they’d have to abandon their business model and start from scratch.
These platforms typically go much deeper than the prior categories and include seed discovery. The output of an External Asset Management platform comes very close to replacing a Rapid7, Tenable, or Qualys external scan, as they include a lot of the same information, including vulnerability findings.
Managed External Asset Solutions
The final category is similar to the previous one, but with human-backed services that validate the findings for you. Think of it as someone doing a mini-pen test on each new alert that pops up. I called this category Managed External Asset Solutions. This approach is more expensive than a fully automated EASM product, but considerably cheaper than paying a penetration testing firm to continuously test your external assets year-round.
When I reviewed EASM vendors in April 2021, there were nine that made the cut:
In addition to these nine, there are 28 others I was tracking. This data is old and incomplete, so I’ll instead refer you over to Richard Stiennon’s vendor database for a more authoritative, complete, and up-to-date listing. Besides, if you’re really that interested in diving deep into this category, you’re probably willing to pay for some data, right?
I haven’t seen cybersecurity M&A this hot and heavy in a category since the CASB and NGAV days. Five of the nine vendors I tested in April 2021 have been acquired since then. Overall, ten EASM vendors I’m aware of have been acquired. I only know the deal value of eight of the ten acquisitions, but estimate a total of around $2 billion for all ten combined. Here’s what I know, in chronological order (M/D/Y):
1/22/2020 BinaryEdge acquired by Coalition
11/11/2020 Expanse acquired by Palo Alto Networks for $670M
6/22/2021 AlphaWave acquired by LookingGlass
7/13/2021 RiskIQ acquired by Microsoft for $500M
7/19/2021 IntSights acquired by Rapid7 for $335M
8/10/2021 Intrigue.io acquired by Mandiant for $20M
1/4/2022 SecurityTrails acquired by Recorded Future for $65M
4/26/2022 BitDiscovery acquired by Tenable for $44M
6/7/2022 Randori acquired by IBM
9/20/2022 Reposify acquired by CrowdStrike for $18.9M
With most of the funding poured into this market exited, there’s room for at least two more large deals, but I expect the remainder to continue to be small (< $100M). Remember - the barrier to building an EASM tool isn’t particularly high, and adjusted market valuations reflect the new cost of capital. Less free cash flow means more caution, more due diligence, and ultimately, significantly smaller exits.
There’s a good chance we’ll see a few fire sales in the EASM category before the general market downturn reverses - startups that have raised one or two rounds, but fear another may never come. There are still some great EASM vendors out there, but I’m concerned about exit options. CyCognito is by far the largest of the remainder, having taken another round (along with a $1B unicorn valuation) not long before the harsh and sudden market correction that started in early 2022. I’m taking CyCognito’s 15% RIF (reduction in force) as a good sign that the company understands the need to weather whatever may come in 2023.
Other signs that the market might be winding down are harder to read. Reposify likely got a better than 20x return on revenue, but at the seed stage, is this a useful metric? Similarly, the 2.2x return on money raised doesn’t sound great, but we’re talking about an acquisition price lower than most 2021 Series A rounds. CrowdStrike going after an early-stage target could also be a signal that, while EASM is valuable to them, they still don’t think it makes sense to pay a lot for it. In fact, the previous four deals in this market were either far below $100M (Intrigue, SecurityTrails, and BitDiscovery) or unreported (the IBM/Randori deal).
Only time and market forces will tell if this market has a second wind in it. There are certainly still potential buyers. Tenable and Rapid7 have acquired EASM capabilities, leaving Qualys the odd one out in vulnerability management land. We could see SentinelOne make a purchase to try to keep up with CrowdStrike. Insurtechs and cyber insurance MGAs have shown a lot of interest in continuous monitoring technology as a policy pricing and claims reduction tool. An EASM tool would also fit well into the Fortra (fka HelpSystems) portfolio, which already includes Digital Defense and Core Security.
What do you think? Do you have a favorite EASM vendor or open-source tool? Do you have thoughts on where the market might go? Let me know in the comments!
If you like what you read please subscribe to The Cyber Why. We write fun and interesting content for the cyber and technology reader and subscriptions keep us going!