
Bishop Fox turns to penetration testing to secure the attack surface

source link: https://venturebeat.com/security/bishop-fox-attack-surface/

Image Credit: Pavel Ignatov/Shutterstock


The modern enterprise attack surface isn’t static. As more organizations embark on their cloud adoption journey, the number of applications, APIs and IT assets they need to protect continues to increase, which is why more and more vendors are attempting to provide automated scanning capabilities. 

One such vendor is offensive security provider Bishop Fox, which announced it has raised $46 million in growth funding from WestCap. Its Cosmos platform combines automation with expert-driven testing to continuously monitor the attack surface and identify potential entry points.

The latest funding round brings its total series B funding to $129 million, and increases its lifetime funding to $154 million. 

Bishop Fox’s attack surface management capabilities give security teams greater visibility over vulnerabilities and attack paths that exist within their systems so they can take action to harden their defenses and make it harder for cybercriminals to gain access to sensitive information and data. 

A mandate for attack surface management 

The announcement comes as more and more organizations are struggling to secure their IT assets, with 7 in 10 organizations reporting that they’ve been compromised via an unknown, unmanaged or poorly managed internet-facing asset in the past year. 

One of the key reasons for this high rate of compromise is the fact that many organizations lack the automation needed to discover vulnerable or misconfigured assets at speed. 

“Today’s IT environments are incredibly dynamic given the proliferation of technologies like cloud, IoT, SaaS and the adoption of agile methodologies — and this means attack surfaces are constantly changing. Unfortunately, traditional solutions weren’t built for these dynamic environments, missing critical exposures and inundating security teams with false alarms,” said Bishop Fox CEO, Vinnie Liu. 

However, while many organizations struggle to secure their attack surfaces, cybercriminals remain vigilant, looking to exploit any organization that can’t (or won’t) protect these assets.

“Armed with the latest tactics and technologies, adversaries are taking advantage of this weakness and targeting exposures and exploiting vulnerabilities faster than security teams can keep up. As the saying goes, bad guys only need to be right once, while good guys need to be right every time,” Liu said. 

Bishop Fox’s answer to this predicament is to focus on prevention rather than reaction. For instance, enterprises can use Cosmos to conduct automated application penetration tests to assess the security of applications and APIs against particular tools and techniques used by cyberattackers. 

Attack surface management and vulnerability management market 

The organization’s main platform, Cosmos, falls within the vulnerability management market, which researchers expect will become a $2.5 billion market by 2025, as more organizations look to identify and protect internet-facing assets. 

One of Bishop Fox’s most significant competitors in the market is CyCognito, an attack surface management startup that most recently raised $100 million in funding and achieved an $800 million valuation in December 2021. 

CyCognito’s platform enables security teams to discover vulnerable assets and provides contextualized risk mapping so users can understand which parts of their environment are the most at risk of exploitation. 

Another key competitor in the space is Randori, which offers an attack surface management platform with continuous automated red teaming. Randori’s solution uses IPv6 range scans to build a map of the attack surface across on-premises, cloud and shadow IT assets. 

It’s worth noting that IBM acquired Randori earlier this year for an undisclosed amount. 

Among these competitors, Liu argues that Bishop Fox’s ability to give organizations real-time access to testers is one of the solution’s key differentiators.

“Unlike other approaches that just deliver generic reports and guidance, Cosmos provides actionable findings with live access to testers, so security teams can ask questions and dig into details, analyze impact analysis and clearly define specific remediation procedures,” Liu said. 
