Tenable: Vulnerability management is out, attack surface management is in 



Over the past two years or so, it’s become increasingly clear that traditional vulnerability management doesn’t work. With 18,378 vulnerabilities reported in 2021, security teams simply don’t have time to mitigate all potential entry points before an attack can exploit them. 

At the same time, modern enterprise environments are so dynamic and expansive that organizations need complete visibility over the entire attack surface. This goes well beyond monitoring on-site IT assets, to cloud services, containers, web apps, and identity services. 

This is a trend that vulnerability management provider Tenable has recognized by launching Tenable One today, a new cloud-based exposure management platform designed to discover assets and assess risk across the entire attack surface. 

Exposure management gives security teams a broader view of the attack surface, offering attack path analysis that traces paths from externally identified points to internal assets, and creating a centralized inventory of all IT, cloud, Active Directory, and web assets. 



Vulnerability management is out, exposure management is in 

Tenable’s shift away from vulnerability management comes as more organizations are struggling to manage the attack surface. 

According to the State of Attack Surface Management 2022 report, 7 in 10 organizations have been compromised via an unknown, unmanaged, or poorly managed internet-facing asset in the past year. 

One of the main reasons for this high level of exploitation is that many organizations lack the ability to identify exposed assets as part of a unified inventory. 

“Traditional vulnerability management focuses on the act of enumerating flaws in software that could be exploited (CVEs). Exposure management extends beyond this by providing additional context like who is using the system, what they have access to, how it’s configured, etc.,” said Glen Pendley, CTO at Tenable. 

“There is more to proactively securing an environment than patching software. Exposure management enables cybersecurity teams to operationalise their preventive security programs, which in turn also allows organizations to clearly explain the effectiveness of their security program,” Pendley said. 

Tenable One approaches exposure management by providing users with data about configuration issues, vulnerabilities, and attack paths across assets to give security teams a clear view of their environment and potential weaknesses that attackers could exploit. 

A look at the vulnerability management and attack surface management market 

For years, Tenable has sat firmly within the vulnerability management market, which researchers anticipate will reach a value of $2.51 billion by 2025, growing at a Compound Annual Growth Rate (CAGR) of 16.3%. 

However, Tenable One can most accurately be described as competing against attack surface management vendors, which aim to provide a comprehensive view of the exposures of internet-facing assets, rather than offering a system to identify and prioritize vulnerabilities within an on-site network. 

One of the leading vendors in this space is Randori, valued at between $50 and $100 million, which IBM acquired midway through this year and which offers a cloud-based solution to map the attack surface in real time. This includes services, IPs, domains, networks, hostnames, and other components. 

Another competitor is CyCognito, which raised $100 million in funding in December 2021 and achieved an $800 million valuation. It offers enterprises an external attack surface management platform that can automatically discover internet-facing assets and provide contextualized risk mapping, detecting and prioritizing what an attacker can exploit. 

According to Pendley, Tenable’s key differentiator is context. “As of today, no other company is able to provide the breadth of coverage, context and actionable reporting that Tenable can. We expect the large-cap cybersecurity vendors to start moving in this direction, but no one has developed what Tenable has,” Pendley said.
