Vulnerability Management & Attack Surface Management¶
Segment at a Glance
- Market Size (VM): ~$16.5 billion (2024) | projected ~$24 billion by 2030 | ~7--8% CAGR (Mordor Intelligence, MarketsandMarkets, Grand View Research)
- Market Size (ASM/EASM): ~$1.4--2.1 billion (2024) | projected ~$5--6.5 billion by 2029--2033 | ~28--34% CAGR (Straits Research, Frost & Sullivan, Fortune Business Insights)
- Maturity: VM --- mature (reinventing around exposure management); ASM/EASM --- fast-growing; CTEM --- emerging framework
- Growth: VM moderate; ASM/EASM high (30%+ CAGR)
- Key Trend: Gartner's CTEM framework driving convergence of VM + ASM + validation into unified exposure-management platforms
What It Is¶
This segment covers the technologies and frameworks that help organizations discover, assess, prioritize, and remediate security weaknesses across their digital estate:
- Vulnerability Management (VM): The traditional discipline of scanning infrastructure, operating systems, and applications for known vulnerabilities (CVEs), scoring them by severity, and tracking remediation. Historically centered on periodic scan-and-patch cycles using agents, authenticated scans, and network scanners.
- Risk-Based Vulnerability Management (RBVM): An evolution of VM that moves beyond raw CVSS scores to incorporate threat intelligence, asset criticality, exploit availability (e.g., EPSS --- Exploit Prediction Scoring System), and business context to prioritize remediation by actual risk rather than theoretical severity.
- Attack Surface Management (ASM): Continuous discovery and monitoring of all organizational assets --- known and unknown --- across IT, cloud, SaaS, and third-party environments. Provides a unified asset inventory and identifies exposures such as misconfigurations, open ports, expired certificates, and shadow IT.
- External Attack Surface Management (EASM): A subset of ASM focused specifically on the attacker's outside-in view --- internet-facing assets, domains, IPs, cloud resources, and leaked credentials visible from the public internet. Simulates attacker reconnaissance to find blind spots.
- Continuous Threat Exposure Management (CTEM): Gartner's five-stage framework (Scoping, Discovery, Prioritization, Validation, Mobilization) that unifies VM, ASM, and security validation into a continuous, business-aligned program for systematically reducing exposure. CTEM is not a product category but a strategic approach that spans multiple tool categories.
Modern platforms are collapsing these categories: leading VM vendors now embed EASM discovery, EPSS-based prioritization, breach-and-attack simulation (BAS) validation, and automated remediation workflows into unified exposure-management platforms.
Buyer Profile¶
| Attribute | Detail |
|---|---|
| Primary Buyer | CISO, VP of Security Operations, Director of Vulnerability Management |
| Influencers | SOC analysts, infrastructure/cloud ops, compliance teams, risk management, development/DevSecOps |
| Org Size | All sizes --- SMBs use cloud-native VM; mid-market and enterprise layer on ASM and CTEM |
| Buying Triggers | Regulatory audit findings, breach/incident, CVE backlogs exceeding SLA, cloud migration revealing shadow assets, M&A due diligence, cyber insurance underwriting requirements |
| Budget Range | $50K--$300K/year (mid-market VM); $500K--$3M+/year (enterprise VM + ASM + validation); EASM point tools $30K--$150K/year |
| Sales Cycle | 3--9 months; POC/competitive bake-off standard; procurement often tied to annual renewal cycles |
Market Landscape¶
CTEM Lifecycle & Technology Mapping¶
Vendor Positioning¶
Chart: VM & ASM Vendor Positioning (2025). X axis: VM / Scan-Centric → Exposure Platform (platform breadth, 0--100%); Y axis: Emerging / Niche → Established / Broad (0--100%). Quadrant labels: Platform Leaders (upper right), Legacy Incumbents (upper left), Emerging Specialists (lower left), ASM Innovators (lower right). Plotted positions:

| Vendor | Platform Breadth (x) | Established (y) |
|---|---|---|
| Tenable One | 82% | 90% |
| Qualys VMDR | 70% | 88% |
| Rapid7 InsightVM | 65% | 80% |
| CrowdStrike Falcon Surface | 78% | 75% |
| Armis Centrix | 72% | 68% |
| Bitsight | 55% | 60% |
| Censys ASM | 35% | 55% |
| CyCognito | 40% | 52% |
| Nucleus Security | 50% | 45% |
| Greenbone / OpenVAS | 20% | 40% |
| ProjectDiscovery Nuclei | 18% | 35% |
Vendor Comparison¶
| Vendor | Focus | 2024 Revenue / Scale | Key Differentiator | Deployment |
|---|---|---|---|---|
| Tenable | VM, Exposure Mgmt, OT, Cloud | $900M revenue (13% YoY growth) | Broadest exposure platform (Tenable One); Nessus heritage; OT/IoT via Tenable.ot | Cloud + On-prem |
| Qualys | VM, CSPM, Patch Mgmt | $608M revenue (10% YoY growth) | Cloud-native since inception; agent-based + agentless; integrated patch management | Cloud-native |
| Rapid7 | VM, SIEM, MDR | $844M revenue (9% YoY growth) | InsightVM + InsightConnect SOAR; strong mid-market; Metasploit heritage | Cloud + On-prem |
| CrowdStrike | EASM, Exposure Mgmt | Part of $3.9B+ CrowdStrike platform | Falcon Surface (ex-Reposify); deep integration with Falcon EDR + threat intel | Cloud-native |
| Armis | CAASM, OT/IoT, Exposure Mgmt | $300M+ ARR; $6.1B valuation; acquired by ServiceNow for $7.75B (Jan 2026) | Agentless asset intelligence across IT/OT/IoMT; unified attack surface | Cloud-native |
| Censys | EASM, Internet Scanning | Series C; growing mindshare | Internet-wide scanning heritage; comprehensive internet asset discovery | Cloud-native |
| CyCognito | EASM | Private; strong EASM niche | Automated reconnaissance; attacker-perspective discovery; minimal false positives | Cloud-native |
| Bitsight | Security Ratings, EASM, TPRM | $200M+ ARR | Unique combo of EASM + security ratings + cyber insurance + third-party risk | Cloud-native |
Competitive Dynamics¶
- Big Three dominance: Tenable, Qualys, and Rapid7 collectively hold ~60% of the VM market. All three are racing to become "exposure management platforms" that subsume ASM, BAS, and patch management.
- Platform convergence: CrowdStrike, Palo Alto Networks, and Microsoft are adding VM/ASM capabilities to their broader platforms, threatening pure-play vendors.
- EASM land-and-expand: Specialist EASM vendors (Censys, CyCognito) often enter organizations as lightweight "discovery-first" tools, then expand into broader exposure management.
- Ratings-to-ASM crossover: Bitsight and SecurityScorecard are extending from third-party risk ratings into first-party EASM, leveraging existing customer relationships.
Key M&A Activity (2024--2026)¶
| Date | Acquirer | Target | Value | Rationale |
|---|---|---|---|---|
| Feb 2025 | Tenable | Vulcan Cyber | $147M | AI-powered risk prioritization and automated remediation workflows |
| May 2025 | Rapid7 | Noetic Cyber | Undisclosed | Attack-surface visibility; CAASM capability |
| Jun 2025 | Tenable | Apex Security | Undisclosed | AI attack surface coverage |
| Jan 2026 | ServiceNow | Armis | $7.75B | Unified asset intelligence for IT/OT/IoMT exposure management |
Pricing Models¶
| Vendor | Model | Approximate Cost |
|---|---|---|
| Tenable.io | Per asset / year | ~$35--58 per asset/year (volume-dependent) |
| Qualys VMDR | Per asset / year | ~$199 per asset/year (premium positioning) |
| Rapid7 InsightVM | Per asset / year (vendor quotes a monthly rate) | ~$23--26 per asset/year ($1.93--2.19/asset/month) |
| EASM tools | Per-domain or per-entity | $30K--$150K/year depending on scope |
| Bitsight / Ratings | Per-monitored-entity | $25K--$200K/year depending on portfolio size |
Pricing Trend
The market is shifting from per-asset pricing toward per-platform licensing (e.g., Tenable One bundles VM + EASM + cloud + identity exposure for a single platform fee). This benefits vendors via higher deal values and benefits buyers via predictable costs as asset counts grow.
Integration & Ecosystem¶
Data Flow: Exposure Management Ecosystem¶
Key integration points:
- ITSM / Ticketing: ServiceNow, Jira --- automated ticket creation with SLA tracking is table stakes
- Patch Management: SCCM, Intune, Automox, Qualys Patch Management --- closing the loop from finding to fixing
- SIEM / SOAR: Vulnerability context enriches SIEM alerts; SOAR playbooks can trigger virtual patching or containment
- CI/CD Pipelines: Shift-left scanning via API integrations with Jenkins, GitHub Actions, GitLab CI for DevSecOps workflows
- CISA KEV & NVD: Automated ingestion of CISA Known Exploited Vulnerabilities catalog and NVD data for prioritization
- EPSS: FIRST.org's Exploit Prediction Scoring System feeds increasingly integrated as a prioritization signal alongside CVSS
SWOT Analysis¶
Strengths¶
- Regulatory tailwinds: Mandates like PCI DSS 4.0, DORA, SEC cyber disclosure rules, and CISA BOD 22-01 (KEV remediation deadlines) create non-discretionary demand for VM
- Established buyer budgets: VM is a mature, well-understood spend category with dedicated budget lines in most security programs
- Data moat: Incumbent VM vendors (Tenable, Qualys) have decades of vulnerability intelligence and scanning signatures that are difficult to replicate
- CTEM momentum: Gartner's prediction that CTEM-adopting organizations are 3x less likely to suffer a breach by 2026 is driving executive buy-in and budget expansion
Weaknesses¶
- Remediation gap: VM tools excel at finding vulnerabilities but historically struggle to ensure they get fixed --- the "last mile" problem
- Alert fatigue: With 40,000+ CVEs disclosed annually (projected ~47,000 in 2025), practitioners are overwhelmed with findings they cannot meaningfully action
- Limited OT/IoT coverage: Many VM tools remain IT-centric; coverage of operational technology, medical devices, and IoT remains uneven
- Pricing complexity: Per-asset pricing penalizes organizations with large, dynamic environments (cloud autoscaling, containers, ephemeral workloads)
Opportunities¶
- CTEM platform play: Vendors that unify VM + EASM + BAS + remediation orchestration into a single CTEM-aligned platform can capture significantly larger deal sizes
- AI-driven prioritization: Machine learning models that correlate exploit intelligence, network topology, and business context to surface the 2--5% of CVEs that actually matter
- OT/IoT expansion: Industrial, healthcare, and critical infrastructure environments remain heavily underserved by traditional VM --- significant greenfield opportunity
- Cyber insurance integration: Insurers increasingly require evidence of continuous vulnerability management; vendors that provide insurer-friendly attestation reports gain channel advantages
Threats¶
- Platform consolidation: XDR/CNAPP mega-platforms (CrowdStrike, Palo Alto, Microsoft) are absorbing VM as a "feature," threatening pure-play VM vendors' standalone value proposition
- CVE system fragility: Concerns about NVD processing backlogs and CVE program funding gaps create systemic risk for the entire VM ecosystem (see CSA analysis)
- Open-source pressure: Tools like Nuclei and OpenVAS provide increasingly capable scanning at zero license cost, pressuring the low end of the commercial market
- EPSS rendering CVSS less relevant: As EPSS gains adoption, traditional CVSS-centric VM approaches (and vendors slow to adopt exploit-probability scoring) risk obsolescence
Pain Points & Complaints¶
Top Practitioner Frustrations
1. CVE Firehose / Scan Fatigue With ~40,000+ CVEs annually and some organizations facing tens of thousands of alerts per month, teams cannot meaningfully triage. Nearly two-thirds of open-source CVEs in 2025 had no severity score at all, forcing blind prioritization. (Sonatype)
2. Prioritization Paralysis Raw CVSS scores measure severity under worst-case assumptions, not real-world exploitability. All else being equal, a CVSS 9.8 vulnerability with an EPSS score of 0.01 poses less actual risk than a CVSS 7.0 with an EPSS of 0.95 --- yet many tools still default to CVSS-first prioritization. EPSS captures only the likelihood of exploitation activity, so that comparison still has to be weighed against asset exposure and business criticality. (Cloudsmith)
3. Patching Lag vs. Attacker Speed Attackers now weaponize many flaws within hours of disclosure. The defender response window has shrunk from a median of five days (2023) to under one day (2024), yet most organizations still operate on 30--90 day patching cycles. (Vicarius)
4. The Last-Mile Remediation Gap Finding vulnerabilities is table stakes; getting them fixed is the hard part. Remediation requires cross-team coordination (security, IT ops, app dev) with competing priorities, change windows, and legacy system constraints.
5. Asset Inventory Inaccuracy "You can't secure what you can't see." Dynamic cloud environments, shadow IT, SaaS sprawl, and IoT devices mean the asset inventory is perpetually incomplete. Scans only cover known assets, leaving unknown exposures hidden.
6. Tool Sprawl Organizations often run separate tools for infrastructure VM, web app scanning, cloud security posture, container scanning, EASM, and third-party risk --- with no unified view and redundant findings.
Emerging Technologies & Trends¶
1. CTEM as the Organizing Framework¶
Gartner's CTEM framework is rapidly becoming the industry's lingua franca. By 2026, Gartner predicts organizations prioritizing CTEM will be 3x less likely to suffer a breach. This is driving vendors to position their products within the five CTEM stages (Scoping, Discovery, Prioritization, Validation, Mobilization) rather than as standalone scan tools. (Gartner)
2. EPSS & Exploit-Intelligence-Driven Prioritization¶
The FIRST.org EPSS model uses machine learning to estimate the probability that a CVE will see exploitation activity in the wild within the next 30 days. EPSS is gaining mainstream adoption alongside CVSS: it supplies the likelihood side of the risk equation while CVSS still describes severity and impact, so in practice the two are combined rather than swapped. Leading VM vendors (Tenable, Qualys, Rapid7) now integrate EPSS natively, enabling teams to focus on the ~2--5% of CVEs with meaningful exploitation probability.
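The RBVM prioritization described under "What It Is", the KEV/EPSS ingestion listed under "Integration & Ecosystem", and the CVSS-versus-EPSS comparison in the pain points above, as one added worked example (not code from FIRST.org, CISA, or any vendor named on this page). The feed excerpts and findings are constructed samples: the CVE IDs are placeholders, not real vulnerabilities; the EPSS excerpt follows the column layout of the FIRST.org daily CSV export; the KEV excerpt uses the field names of CISA's JSON catalog; and the weighting formula (KEV floors likelihood at 0.9, internal-only assets halve exposure, CVSS is scaled by business criticality) is an illustrative assumption, not a published standard.

```python
"""Risk-based prioritization: CVSS x EPSS x CISA KEV x asset context.

Added example. Feed excerpts, findings and CVE IDs below are constructed
placeholders; the scoring weights are an illustrative assumption.
"""
import csv
import io
import json

# Constructed excerpt in the layout of the FIRST.org EPSS CSV export:
# one '#' metadata line, then a header row of cve,epss,percentile.
EPSS_CSV = """#model_version:example,score_date:2025-06-01T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.01000,0.40000
CVE-2099-0002,0.95000,0.99900
CVE-2099-0003,0.30000,0.96000
"""

# Constructed excerpt using the field names of CISA's KEV JSON catalog.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2099-0002", "dateAdded": "2025-05-20", "dueDate": "2025-06-10",
   "knownRansomwareCampaignUse": "Known"}
]}"""

# Constructed scanner findings enriched with asset context (criticality 1..5).
FINDINGS = [
    {"cve": "CVE-2099-0001", "cvss": 9.8, "asset": "intranet-wiki",
     "internet_facing": False, "criticality": 2},
    {"cve": "CVE-2099-0002", "cvss": 7.0, "asset": "vpn-gw-01",
     "internet_facing": True, "criticality": 5},
    {"cve": "CVE-2099-0003", "cvss": 7.5, "asset": "build-runner-07",
     "internet_facing": False, "criticality": 4},
]


def load_epss(csv_text):
    """Map CVE ID -> EPSS probability, skipping the leading '#' metadata line."""
    body = "\n".join(ln for ln in csv_text.splitlines() if ln and not ln.startswith("#"))
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(io.StringIO(body))}


def load_kev(json_text):
    """Map CVE ID -> KEV entry so dueDate and ransomware use are available."""
    return {entry["cveID"]: entry for entry in json.loads(json_text)["vulnerabilities"]}


def risk_score(finding, epss, kev):
    """Return (score, reasons). Observed exploitation (KEV) floors the EPSS
    prediction at 0.9; internal-only assets halve exposure; impact scales
    CVSS by business criticality. Weights are an illustrative assumption."""
    cve = finding["cve"]
    likelihood = epss.get(cve, 0.0)
    reasons = [f"EPSS {likelihood:.2f}"]
    if cve in kev:
        likelihood = max(likelihood, 0.9)
        ransomware = kev[cve].get("knownRansomwareCampaignUse") == "Known"
        reasons.append("in CISA KEV" + (" (ransomware use)" if ransomware else ""))
    exposure = 1.0 if finding["internet_facing"] else 0.5
    reasons.append("internet-facing" if finding["internet_facing"] else "internal only")
    impact = (finding["cvss"] / 10.0) * (finding["criticality"] / 5.0)
    reasons.append(f"CVSS {finding['cvss']}, criticality {finding['criticality']}/5")
    return round(100.0 * likelihood * exposure * impact, 1), reasons


def tier(score, in_kev):
    """KEV membership is always P1 (the catalog carries a due date); else score bands."""
    if in_kev or score >= 50:
        return "P1"
    if score >= 5:
        return "P2"
    return "P3"


def prioritize(findings, epss_csv=EPSS_CSV, kev_json=KEV_JSON):
    """Rank findings by estimated risk rather than raw CVSS; KEV items first."""
    epss, kev = load_epss(epss_csv), load_kev(kev_json)
    ranked = []
    for f in findings:
        score, reasons = risk_score(f, epss, kev)
        in_kev = f["cve"] in kev
        ranked.append({
            "cve": f["cve"], "asset": f["asset"], "cvss": f["cvss"], "score": score,
            "tier": tier(score, in_kev),
            "deadline": kev[f["cve"]]["dueDate"] if in_kev else None,
            "why": "; ".join(reasons),
        })
    ranked.sort(key=lambda r: (r["deadline"] is None, -r["score"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(FINDINGS):
        print(f"{r['tier']} {r['score']:>5} {r['cve']} on {r['asset']} "
              f"(CVSS {r['cvss']}): {r['why']}")
```

Run as a script it lists the CVSS 7.0 KEV entry on the internet-facing VPN gateway first with its catalog due date, the CVSS 7.5 internal build runner second, and the CVSS 9.8 finding on the low-criticality internal wiki last, which is the inversion of a CVSS-first queue that the pain point above describes.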
3. AI/ML-Powered Remediation Orchestration¶
Emerging platforms use LLMs and ML to:
- Auto-generate remediation guidance tailored to specific environments
- Predict patch compatibility risks and recommend optimal deployment windows
- Correlate vulnerability, threat, and asset data to produce contextualized risk scores
- Draft exception/waiver justifications for vulnerabilities that cannot be immediately patched
4. Breach & Attack Simulation (BAS) Integration¶
BAS tools (SafeBreach, AttackIQ, Picus) are converging with VM platforms to add the "Validation" stage of CTEM. Rather than assuming a vulnerability is exploitable based on scanner output, BAS tests whether the vulnerability can actually be reached and exploited given the organization's defensive controls.
5. Autonomous Patching & Virtual Patching¶
Automated patch deployment (Automox, Qualys Patch Management) and virtual patching (WAF rules, IPS signatures deployed automatically for critical CVEs) are reducing the time-to-remediate for known vulnerabilities. Container and serverless environments enable rapid redeployment rather than traditional patching.
6. Identity & AI Attack Surface¶
The attack surface is expanding beyond infrastructure to include:
- Identity exposures: Leaked credentials, misconfigured SSO, excessive permissions
- AI/ML model vulnerabilities: Prompt injection, training data poisoning, model supply chain risks
- Tenable's acquisition of Apex Security signals vendor recognition that AI workloads require dedicated exposure management
Gaps & Underserved Areas¶
Market Gaps
- OT/ICS vulnerability management remains fragmented; most IT-centric VM tools cannot safely scan OT environments without risking operational disruption
- Software supply chain exposure (SBOM-driven vulnerability tracking for transitive dependencies) is nascent and not well-integrated into mainstream VM platforms
- API attack surface management is an emerging blind spot as API sprawl outpaces traditional scanning approaches
- Remediation verification --- confirming that a fix actually resolved the vulnerability (not just that a patch was deployed) --- is rarely automated
- SaaS misconfiguration management (SSPM) overlaps with ASM but remains a separate tool category with limited VM integration
- Small business access --- enterprise VM pricing ($50K+/year) puts comprehensive vulnerability management out of reach for organizations with <500 employees
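Automating the remediation-verification step listed above, as an added example (not code from any vendor or tool on this page): a finding is closed only when a post-change authenticated rescan shows the package absent or at or above the fixed version, and tickets the ITSM system already considers closed but the rescan contradicts are flagged for reopening. Hosts, package names, versions, CVE IDs and ticket states are constructed placeholders; the version comparison is a simplified epoch-plus-numeric scheme and is an assumption, so for backported distribution fixes the scanner's distro-specific fixed version must be used rather than the upstream number.

```python
"""Remediation verification: close a finding on rescan evidence, not ticket state.

Added example. Hosts, packages, versions, CVE IDs and ticket states are
constructed placeholders; version comparison is a simplified assumption.
"""
import re

# Constructed ITSM ticket states as reported by the patching team.
TICKETS = {
    ("web-01", "CVE-2099-0010"): "closed",
    ("web-02", "CVE-2099-0010"): "closed",
    ("db-01", "CVE-2099-0011"): "closed",
    ("app-03", "CVE-2099-0012"): "open",
}

# Constructed post-change authenticated rescan: installed version per host and
# package, plus the first fixed version the scanner reports for that package.
# installed=None means the package is no longer present on the host.
RESCAN = [
    {"host": "web-01", "cve": "CVE-2099-0010", "package": "examplehttpd",
     "installed": "2.4.52-1build4.7", "fixed_in": "2.4.52"},
    {"host": "web-02", "cve": "CVE-2099-0010", "package": "examplehttpd",
     "installed": "2.4.49-1", "fixed_in": "2.4.52"},      # patch job "succeeded", package unchanged
    {"host": "db-01", "cve": "CVE-2099-0011", "package": "libexampletls",
     "installed": None, "fixed_in": "3.0.2-0build1.15"},  # package removed entirely
    {"host": "app-03", "cve": "CVE-2099-0012", "package": "examplelog",
     "installed": "1:2.17.0", "fixed_in": "1:2.17.1"},
]


def version_key(version):
    """Comparable tuple: optional 'epoch:' prefix, then every numeric run in order.
    Assumption: distro backports may fix a CVE without bumping the upstream number,
    so fixed_in must be the distro-specific value the scanner reports."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    return (epoch,) + tuple(int(n) for n in re.findall(r"\d+", version))


def is_fixed(installed, fixed_in):
    """An absent package counts as remediated; otherwise installed must be >= fixed_in."""
    if installed is None:
        return True
    return version_key(installed) >= version_key(fixed_in)


def verify(rescan, tickets):
    """One verdict per finding. ticket_mismatch marks findings the ITSM system
    considers closed while the rescan still sees them as vulnerable."""
    results = []
    for r in rescan:
        fixed = is_fixed(r["installed"], r["fixed_in"])
        ticket = tickets.get((r["host"], r["cve"]), "unknown")
        results.append({
            "host": r["host"], "cve": r["cve"],
            "status": "verified" if fixed else "still_vulnerable",
            "ticket": ticket,
            "ticket_mismatch": ticket == "closed" and not fixed,
        })
    return results


def reopen_list(results):
    """Findings to push back to ticketing: ticket closed, exposure still present."""
    return [(r["host"], r["cve"]) for r in results if r["ticket_mismatch"]]


if __name__ == "__main__":
    for r in verify(RESCAN, TICKETS):
        flag = "  <-- reopen ticket" if r["ticket_mismatch"] else ""
        print(f"{r['host']:8} {r['cve']} {r['status']:17} ticket={r['ticket']}{flag}")
```

The design point is that the closing event for a finding is the rescan result, never the ticket transition: web-02 here has a closed ticket and an unchanged package, which is exactly the "patch deployed but not fixed" case the gap above describes, and it is the only entry the reopen list returns.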
Geographic Notes¶
| Region | Notes |
|---|---|
| North America | Largest market (~40%+ share). CISA BOD 22-01 KEV mandates drive federal VM spend. SEC cyber disclosure rules create board-level urgency. Tenable, Qualys, Rapid7 headquartered here. |
| Europe | DORA (financial services) and NIS2 directive mandate continuous vulnerability assessment. Strong GDPR intersection. Greenbone (OpenVAS) based in Germany. |
| Asia-Pacific | Fastest-growing region. Digital transformation and regulatory maturation (India's CERT-In directives, Australia's Essential Eight) driving VM adoption. |
| Middle East & Africa | Growing from low base. Critical infrastructure protection mandates in UAE, Saudi Arabia. Oil & gas OT vulnerability management an emerging focus. |
| Latin America | Emerging market. Central bank cybersecurity regulations in Brazil and Mexico driving initial VM adoption. |
Open-Source Alternatives¶
OpenVAS / Greenbone Community Edition¶
OpenVAS (Open Vulnerability Assessment Scanner) is the scanner component of the Greenbone Vulnerability Management (GVM) framework. It was forked from the last open-source Nessus release in 2005 and has been maintained by Greenbone since; it is the most widely deployed open-source vulnerability scanner.
| Attribute | Detail |
|---|---|
| License | GNU GPL v2 |
| Capabilities | 100,000+ network vulnerability tests (NVTs); authenticated and unauthenticated scanning; compliance auditing |
| Strengths | Zero licensing cost; comprehensive NVT library; strong community; good for regulatory compliance scanning |
| Limitations | Resource-intensive; slower scan performance than commercial alternatives; limited cloud-native and container scanning; no built-in EASM; UI less polished than commercial products |
| Enterprise option | Greenbone Enterprise (commercial) adds appliance form factors, SLAs, and enterprise support |
| Repository | github.com/greenbone/openvas-scanner |
Nuclei (ProjectDiscovery)¶
Nuclei is a fast, template-based vulnerability scanner written in Go, designed for security researchers and pentesters.
| Attribute | Detail |
|---|---|
| License | MIT |
| Capabilities | 8,000+ community-contributed detection templates; HTTP, DNS, TCP, SSL scanning; CI/CD integration; headless browser support |
| Strengths | Extremely fast (Go-based concurrent execution); huge template ecosystem; easy custom template authoring; excellent for web application and API scanning; strong DevSecOps integration |
| Limitations | Template-based approach means coverage depends on community contributions; less comprehensive for authenticated infrastructure scanning than OpenVAS; no asset management or prioritization features |
| Enterprise option | ProjectDiscovery Cloud Platform (commercial SaaS) |
| Repository | github.com/projectdiscovery/nuclei |
Other Notable Open-Source Tools¶
- Trivy: Container image, filesystem, and IaC vulnerability scanning (Aqua Security). The de facto standard for container scanning in CI/CD pipelines.
- Grype: Container and filesystem vulnerability scanner by Anchore. Pairs with Syft for SBOM generation.
- OSV-Scanner: Google's open-source dependency vulnerability scanner using the OSV database.
- OWASP ZAP: Web application security scanner; strong for DAST in CI/CD.
Open-Source vs. Commercial
Open-source scanners provide capable detection but typically lack the prioritization, asset management, remediation orchestration, and executive reporting that define commercial VM platforms. Organizations commonly use open-source tools for specific use cases (container scanning, CI/CD integration, penetration testing) while relying on commercial platforms for enterprise-wide vulnerability management programs.
Sources & Further Reading¶
Market Research & Sizing¶
- Mordor Intelligence --- Vulnerability Management Solutions Market (2025--2030)
- MarketsandMarkets --- Security and Vulnerability Management Market
- Grand View Research --- Security and Vulnerability Management Market
- Straits Research --- Attack Surface Management Market
- Frost & Sullivan --- External Attack Surface Management Sector (2024--2029)
- BusinessWire --- Vulnerability Management Research Report 2025: $24B Market by 2030
Gartner CTEM Framework¶
- Gartner --- Strategic Roadmap for Continuous Threat Exposure Management
- Gartner --- Use CTEM to Reduce Cyberattacks
- SimSpace --- Gartner's CTEM Trend Explained
- CTEM.org --- What Is Continuous Threat Exposure Management
Vendor Financials & M&A¶
- Tenable --- FY2024 Financial Results
- Qualys --- FY2024 Financial Results
- Rapid7 --- FY2024 Financial Results
- Armis --- $435M Round at $6.1B Valuation
- Bitsight --- Surpasses $200M ARR
- Tenable --- Vulcan Cyber Acquisition
- Tenable --- Apex Security Acquisition
Practitioner Insights & Pain Points¶
- Vicarius --- Vulnerability Management 2025: From Scan-and-Patch to Exposure-First
- CSA --- A Vulnerability Management Crisis: The Issues with CVE
- Sonatype --- Why the World's Vulnerability Index Cannot Keep Up
- Sysdig --- Vulnerability Prioritization: Combating Developer Fatigue
- Cloudsmith --- CVSS vs EPSS: Smarter Vulnerability Risk Prioritization
EPSS & Risk-Based Prioritization¶
- FIRST.org --- Exploit Prediction Scoring System (EPSS)
- FIRST.org --- EPSS User Guide
- Brinqa --- What Is Risk-Based Vulnerability Management
- ArmorCode --- EPSS and Risk-Based Vulnerability Prioritization
Open-Source Tools¶
- OpenVAS / Greenbone Community Edition
- Greenbone GitHub
- ProjectDiscovery Nuclei
- Geekflare --- 15 Open Source Vulnerability Scanners for 2026
MITRE ATT&CK & Validation¶
Glossary¶
This glossary defines the acronyms and key terms used throughout the cybersecurity market research site. Use it as a quick reference when navigating segment analyses, pain-point discussions, and opportunity assessments.
A¶
| Term | Definition |
|---|---|
| ACL | Access Control List — rules determining which users/systems can access resources |
| APT | Advanced Persistent Threat — a prolonged, targeted cyberattack where an intruder gains and maintains unauthorized access |
| ASM | Attack Surface Management — continuous discovery, inventory, and risk assessment of an organization's assets and exposures, internal and external (the internet-facing subset is covered by EASM) |
| ASPM | Application Security Posture Management — unified visibility and risk management across the application lifecycle |
| AV | Antivirus — software designed to detect, prevent, and remove malware |
B¶
| Term | Definition |
|---|---|
| BAS | Breach and Attack Simulation — automated tools that simulate real-world attacks to test security controls |
| BEC | Business Email Compromise — a social-engineering attack targeting employees with access to company finances or data |
C¶
| Term | Definition |
|---|---|
| C2 | Command and Control — infrastructure used by attackers to communicate with compromised systems |
| CASB | Cloud Access Security Broker — a security policy enforcement point between cloud consumers and providers |
| CCPA | California Consumer Privacy Act — California state law granting consumers rights over their personal data |
| CIAM | Customer Identity and Access Management — managing and securing external customer identities and authentication |
| CIEM | Cloud Infrastructure Entitlement Management — managing identities and privileges in cloud environments |
| CNAPP | Cloud-Native Application Protection Platform — integrated security for cloud-native applications across the full lifecycle |
| CSPM | Cloud Security Posture Management — continuous monitoring of cloud infrastructure for misconfigurations and compliance risks |
| CTEM | Continuous Threat Exposure Management — a program for continuously assessing and prioritizing threat exposures |
| CVE | Common Vulnerabilities and Exposures — a standardized identifier for publicly known cybersecurity vulnerabilities |
| CWPP | Cloud Workload Protection Platform — security for workloads running in cloud environments (VMs, containers, serverless) |
D¶
| Term | Definition |
|---|---|
| DAST | Dynamic Application Security Testing — testing a running application for vulnerabilities by simulating attacks |
| DCS | Distributed Control System — a control system for managing industrial processes across multiple locations |
| DLP | Data Loss Prevention — tools and processes to prevent unauthorized data exfiltration or leakage |
| DORA | Digital Operational Resilience Act — EU regulation on ICT risk management for financial entities |
| DSPM | Data Security Posture Management — discovering, classifying, and protecting sensitive data across cloud environments |
E¶
| Term | Definition |
|---|---|
| EASM | External Attack Surface Management — discovering and monitoring internet-facing assets for exposures |
| EDR | Endpoint Detection and Response — tools that monitor endpoints for threats and provide investigation and response capabilities |
| EPP | Endpoint Protection Platform — integrated endpoint security combining prevention, detection, and response |
F/G¶
| Term | Definition |
|---|---|
| FAIR | Factor Analysis of Information Risk — a quantitative model for understanding, analyzing, and measuring information risk |
| GDPR | General Data Protection Regulation — EU regulation on data protection and privacy for individuals |
| GRC | Governance, Risk, and Compliance — integrated framework for aligning IT with business goals, managing risk, and meeting regulations |
H¶
| Term | Definition |
|---|---|
| HIPAA | Health Insurance Portability and Accountability Act — US law governing the privacy and security of health information |
I¶
| Term | Definition |
|---|---|
| IAB | Initial Access Broker — specialized cybercriminals who compromise networks and sell access to ransomware operators and other buyers |
| IAM | Identity and Access Management — framework for managing digital identities and controlling access to resources |
| ICS | Industrial Control System — control systems used in industrial production and critical infrastructure |
| IDS | Intrusion Detection System — a system that monitors network traffic for suspicious activity and alerts |
| ITDR | Identity Threat Detection and Response — detecting and responding to identity-based attacks and compromises |
| IoT | Internet of Things — network of physical devices embedded with sensors, software, and connectivity |
| IPS | Intrusion Prevention System — a system that monitors and actively blocks detected threats in network traffic |
L¶
| Term | Definition |
|---|---|
| LOTL | Living Off the Land — attack technique using legitimate, pre-installed system tools and binaries rather than custom malware to evade detection |
M¶
| Term | Definition |
|---|---|
| MaaS | Malware-as-a-Service — cybercrime business model where malware developers sell or rent their tools to other criminals |
| MDR | Managed Detection and Response — outsourced security service providing 24/7 threat monitoring, detection, and response |
| MITRE ATT&CK | MITRE Adversarial Tactics, Techniques, and Common Knowledge — a knowledge base of adversary behaviors and techniques |
| MSSP | Managed Security Service Provider — a third-party provider offering outsourced monitoring and management of security devices |
| MFA | Multi-Factor Authentication — requiring two or more verification factors to gain access to a resource |
N¶
| Term | Definition |
|---|---|
| NDR | Network Detection and Response — detecting and responding to threats by analyzing network traffic patterns |
| NERC CIP | North American Electric Reliability Corporation Critical Infrastructure Protection — security standards for the electric grid |
| NGAV | Next-Generation Antivirus — advanced antivirus using behavioral analysis, AI, and machine learning beyond signature-based detection |
| NIS2 | Network and Information Systems Directive 2 — updated EU directive on cybersecurity for essential and important entities |
| NIST CSF | National Institute of Standards and Technology Cybersecurity Framework — a voluntary framework for managing cybersecurity risk |
O¶
| Term | Definition |
|---|---|
| OT | Operational Technology — hardware and software that monitors and controls physical devices and processes |
| OWASP | Open Worldwide Application Security Project — a nonprofit focused on improving software security through open-source projects and guidance |
P¶
| Term | Definition |
|---|---|
| PAM | Privileged Access Management — securing, managing, and monitoring privileged accounts and access |
| PCI DSS | Payment Card Industry Data Security Standard — security standards for organizations that handle credit card data |
| PII | Personally Identifiable Information — any data that could identify a specific individual |
| PLC | Programmable Logic Controller — an industrial computer used to control manufacturing processes |
R¶
| Term | Definition |
|---|---|
| RaaS | Ransomware-as-a-Service — cybercrime business model where ransomware operators provide malware and infrastructure to affiliates who conduct attacks, splitting profits |
| RGB | Reconnaissance General Bureau — North Korea's primary intelligence agency responsible for clandestine operations including cyber operations |
S¶
| Term | Definition |
|---|---|
| SASE | Secure Access Service Edge — converged network and security-as-a-service architecture delivered from the cloud |
| SAST | Static Application Security Testing — analyzing source code for vulnerabilities without executing the application |
| SBOM | Software Bill of Materials — a formal inventory of components, libraries, and dependencies in a software product |
| SCA | Software Composition Analysis — identifying open-source components and known vulnerabilities in a codebase |
| SCADA | Supervisory Control and Data Acquisition — a system for monitoring and controlling industrial processes remotely |
| SD-WAN | Software-Defined Wide Area Network — a virtual WAN architecture that simplifies branch networking and optimizes traffic |
| SEG | Secure Email Gateway — a solution that filters inbound and outbound email to block threats and enforce policies |
| SIEM | Security Information and Event Management — aggregating and analyzing log data for threat detection and compliance |
| SOAR | Security Orchestration, Automation, and Response — tools that automate and coordinate security operations workflows |
| SOC | Security Operations Center — a centralized team and facility for monitoring, detecting, and responding to security incidents |
| SOX | Sarbanes-Oxley Act — US law mandating financial reporting and internal control requirements for public companies |
| SSE | Security Service Edge — the security component of SASE, delivering SWG, CASB, and ZTNA as cloud services |
| SWG | Secure Web Gateway — a solution that filters web traffic to enforce security policies and block threats |
T¶
| Term | Definition |
|---|---|
| TAM | Total Addressable Market — the total revenue opportunity available for a product or service |
| TCO | Total Cost of Ownership — the complete cost of acquiring, deploying, and operating a solution over its lifetime |
| TIP | Threat Intelligence Platform — a system for aggregating, correlating, and operationalizing threat intelligence data |
| TLS | Transport Layer Security — a cryptographic protocol that provides secure communication over a network |
| TTP | Tactics, Techniques, and Procedures — the patterns of behavior and methods used by threat actors to conduct cyber operations |
V¶
| Term | Definition |
|---|---|
| VM | Vulnerability Management — the ongoing process of identifying, evaluating, treating, and reporting security vulnerabilities |
X¶
| Term | Definition |
|---|---|
| XDR | Extended Detection and Response — unified threat detection and response across endpoints, network, cloud, and email |
Z¶
| Term | Definition |
|---|---|
| ZTNA | Zero Trust Network Access — a security model that grants access based on identity verification and least-privilege principles |