External Attack Surface Ratings


An External Attack Surface Rating is a quantifiable metric, usually expressed as a letter grade (e.g., A-F) or a numerical score (analogous to a credit score), that represents an organization's security posture as seen from the public internet. It is a dynamic quantification of the cyber risk posed by an organization's internet-facing assets, and it changes as those assets and their exposures change.

Purpose and Methodology

The rating is the end product of an External Attack Surface Management (EASM) process, which provides a simple, objective, and easy-to-understand representation of security performance for both technical and non-technical stakeholders. The core purpose is to help organizations transition from reactive security to proactive digital risk management.

Calculation Methodology

While the specific algorithms and weightings vary by provider, external attack surface ratings are calculated through the following agentless, non-intrusive steps, applied only to publicly available and externally verifiable information:

  1. Continuous Asset Discovery: The process begins with continuously identifying and inventorying all internet-facing assets, including domains, subdomains, IP addresses, cloud services, and third-party connections.

  2. Vulnerability Data Analysis: Each discovered asset is analyzed for security flaws and weaknesses. This includes checking for:

    • Misconfigurations: Such as exposed ports, insecure services, and missing security headers.

    • Vulnerability Status: Detecting outdated software or systems with known vulnerabilities (CVEs).

    • Encryption and Hygiene: Checking for invalid or expired SSL certificates and a lack of encryption.

    • Information Leakage: Identifying exposed sensitive information or code in public spaces.

  3. Risk Scoring and Weighting: Findings are assigned individual risk scores based on the severity of the vulnerability, the likelihood of exploitation, and the potential impact. Severity is often weighted based on relative breach risk.

  4. Aggregation: The individual risk scores of all internet-facing assets are aggregated to calculate an overall score for the entire organization. The score decreases (or the letter grade worsens) as more severe issues are discovered.

  5. Contextual Enrichment: Scores are often enriched with dark web discoveries and cyber threat intelligence to provide a contextualized view of risk.
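To make steps 3 and 4 concrete, here is an added, self-contained scoring model (not ThreatNG's or any provider's actual algorithm). It assumes a 0-100 scale that starts at 100 and loses points per finding, severity weights, an EPSS-style exploitation probability and a KEV-style "actively exploited" flag as the likelihood inputs, and letter-grade thresholds; all of these values and the sample findings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Severity base weights (assumed values; real providers use proprietary weightings).
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0, "info": 0.0}

# Letter-grade thresholds on the 0-100 scale (assumed values).
GRADE_THRESHOLDS = [(90.0, "A"), (80.0, "B"), (70.0, "C"), (60.0, "D")]


@dataclass(frozen=True)
class Finding:
    """One issue observed on one internet-facing asset."""
    asset: str
    category: str          # misconfiguration | vulnerability | encryption | leakage
    severity: str          # key of SEVERITY_WEIGHT
    epss: float = 0.0      # exploitation likelihood, 0.0-1.0 (EPSS-style input)
    kev: bool = False      # known to be actively exploited (KEV-style input)


def finding_penalty(f: Finding) -> float:
    """Severity weighted by exploitation likelihood and by active exploitation."""
    likelihood = 1.0 + f.epss          # 1.0 (no EPSS signal) up to 2.0 (certain)
    if f.kev:
        likelihood *= 2.0              # actively exploited issues count double
    return SEVERITY_WEIGHT[f.severity] * likelihood


def asset_penalties(findings: List[Finding]) -> Dict[str, float]:
    """Aggregate per asset so teams can see which hosts drag the score down."""
    totals: Dict[str, float] = {}
    for f in findings:
        totals[f.asset] = totals.get(f.asset, 0.0) + finding_penalty(f)
    return totals


def organization_score(findings: List[Finding]) -> float:
    """Start from 100 and subtract every asset's penalty; floor at 0."""
    return max(0.0, 100.0 - sum(asset_penalties(findings).values()))


def letter_grade(score: float) -> str:
    """Map the numeric score onto the A-F scale."""
    for threshold, grade in GRADE_THRESHOLDS:
        if score >= threshold:
            return grade
    return "F"


def remediation_order(findings: List[Finding]) -> List[Tuple[str, float]]:
    """Assets sorted by penalty, highest first: the 'fix these first' list."""
    return sorted(asset_penalties(findings).items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample findings for a fictitious example.com estate.
SAMPLE_FINDINGS = [
    Finding("www.example.com", "encryption", "medium"),        # expired TLS certificate
    Finding("mail.example.com", "misconfiguration", "high"),   # no DMARC record
    Finding("vpn.example.com", "vulnerability", "critical", epss=0.5, kev=True),  # exploited CVE
    Finding("dev.example.com", "leakage", "high"),             # hardcoded cloud key in a public repo
]


if __name__ == "__main__":
    score = organization_score(SAMPLE_FINDINGS)
    print(f"score={score:.1f} grade={letter_grade(score)}")
    for asset, penalty in remediation_order(SAMPLE_FINDINGS):
        print(f"  {asset:<20} penalty={penalty:.1f}")
    # Fixing only the actively exploited vulnerability moves the grade from F to B.
    remaining = [f for f in SAMPLE_FINDINGS if f.asset != "vpn.example.com"]
    after = organization_score(remaining)
    print(f"after fixing vpn.example.com: score={after:.1f} grade={letter_grade(after)}")
```

The point of the per-asset aggregation is the prioritization described above: the one KEV-listed, high-EPSS vulnerability accounts for two thirds of the total penalty, so the remediation list puts it first, and removing it alone lifts the grade by three letters while the other three findings remain open.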

Benefits in Cybersecurity

The External Attack Surface Rating provides measurable, actionable value to a security program:

  • Risk Prioritization: It translates complex technical findings into a single metric, allowing security teams to quickly prioritize efforts on high-risk areas that most heavily impact the score.

  • Benchmarking: It allows an organization to compare its security posture with industry peers, competitors, and historical internal trends to identify areas for improvement.

  • Third-Party Risk Management (TPRM): Organizations use vendor and partner ratings to assess security risks in their digital supply chain.

  • Communication: It provides an objective, concise way to convey the organization's cybersecurity risk level to executive leadership, boards, and non-technical stakeholders.

  • Compliance: It helps identify and close external attack vectors that could lead to a data breach, which is vital for maintaining compliance with regulations such as GDPR and HIPAA.

ThreatNG is fundamentally an External Attack Surface Management (EASM) solution that helps organizations manage their External Attack Surface Ratings by continuously and objectively assessing their public-facing digital posture and providing actionable, prioritized risk intelligence.

ThreatNG's Role in External Attack Surface Ratings

External Discovery and Continuous Monitoring

ThreatNG's ratings are built solely on external, unauthenticated discovery, which is the core methodology of any EASM rating system. By simulating an unauthenticated attacker, ThreatNG identifies all internet-facing assets without requiring internal agents. This is achieved through Continuous Monitoring of the external attack surface, digital risk, and security ratings for all organizations, ensuring ratings reflect real-time changes and exposures.

External Assessment and Examples

ThreatNG calculates an organization's security posture through a series of specialized security ratings (A-F scale), which serve as the granular components of the overall external attack surface rating.

  • Cyber Risk Exposure Rating: This rating covers critical external hygiene factors.

    • Example: The rating accounts for invalid certificates and the absence of essential DNS records, such as DMARC and SPF. A missing DMARC record directly lowers the rating.

  • Data Leak Susceptibility Rating: This assessment quantifies the risk of sensitive information being exposed externally.

    • Example: It is derived from uncovering external digital risks such as Cloud Exposure (specifically exposed open cloud buckets) and Compromised Credentials. A publicly exposed S3 bucket significantly lowers this rating.

  • Non-Human Identity (NHI) Exposure Security Rating: This quantifies vulnerability to threats from high-privilege machine identities.

    • Example: The rating assesses Sensitive Code Exposure (leaked API keys) and misconfigured Cloud Exposure. Finding a hardcoded AWS key contributes heavily to a poor score.

  • Subdomain Takeover Susceptibility Rating: This checks a critical external vulnerability.

    • Example: The process identifies CNAME records pointing to inactive or unclaimed third-party vendor resources (e.g., an unclaimed Heroku CNAME) and confirms the "dangling DNS" state.
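The Cyber Risk Exposure and Subdomain Takeover Susceptibility examples above both come down to DNS hygiene checks an organization can run against its own zone. The following is an added example (not ThreatNG's code) of those checks: SPF and DMARC presence and policy strength, and CNAME records whose target no longer resolves. It runs against a constructed, embedded DNS snapshot rather than a live resolver; the zone, the record values and the vendor suffix list are all assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Constructed DNS snapshot for a fictitious example.com zone: name -> [(type, value), ...].
# A live check would query a resolver; the answers are embedded here so the example runs
# offline. A name absent from the table stands for NXDOMAIN.
DNS_SNAPSHOT: Dict[str, List[Tuple[str, str]]] = {
    "example.com": [
        ("A", "203.0.113.10"),
        ("MX", "10 mail.example.com."),
        ("TXT", "v=spf1 mx include:_spf.vendor-mailer.invalid -all"),
    ],
    "_dmarc.example.com": [("TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com")],
    "shop.example.com": [("CNAME", "old-store.vendor-paas.invalid.")],  # target no longer exists
    "docs.example.com": [("CNAME", "docs-prod.vendor-cdn.invalid.")],
    "docs-prod.vendor-cdn.invalid": [("A", "203.0.113.77")],
    "legacy.example.com": [("A", "198.51.100.5")],
}

SUBDOMAINS = ["shop.example.com", "docs.example.com", "legacy.example.com"]

# Vendor suffixes where an unclaimed resource name is a takeover risk
# (constructed placeholders; a real checker keeps a curated list per provider).
TAKEOVER_PRONE_SUFFIXES = (".vendor-paas.invalid", ".vendor-cdn.invalid")


def lookup(name: str, rtype: str) -> List[str]:
    """Return the values of one record type; [] stands for NXDOMAIN or NODATA."""
    return [v for t, v in DNS_SNAPSHOT.get(name.rstrip("."), []) if t == rtype]


def check_spf(domain: str) -> List[str]:
    """Missing SPF, duplicate SPF, or an SPF that authorizes any sender."""
    spf = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not spf:
        return [f"{domain}: no SPF record"]
    if len(spf) > 1:
        return [f"{domain}: multiple SPF records (RFC 7208 treats this as a permanent error)"]
    last = spf[0].split()[-1].lower()
    if last in ("+all", "all", "?all"):
        return [f"{domain}: SPF ends in '{last}', which authorizes any sender"]
    return []


def check_dmarc(domain: str) -> List[str]:
    """Missing DMARC, or a DMARC policy that only monitors instead of enforcing."""
    txt = [t for t in lookup(f"_dmarc.{domain}", "TXT") if t.upper().startswith("V=DMARC1")]
    if not txt:
        return [f"{domain}: no DMARC record"]
    tags = dict(kv.strip().split("=", 1) for kv in txt[0].split(";") if "=" in kv)
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return [f"{domain}: DMARC policy is '{policy or 'unset'}', not quarantine/reject"]
    return []


def check_dangling_cname(name: str) -> List[str]:
    """A CNAME whose target does not resolve is stale; on a takeover-prone vendor it is dangling DNS."""
    targets = lookup(name, "CNAME")
    if not targets:
        return []
    target = targets[0].rstrip(".")
    resolves = bool(lookup(target, "A") or lookup(target, "AAAA") or lookup(target, "CNAME"))
    if resolves:
        return []
    if target.endswith(TAKEOVER_PRONE_SUFFIXES):
        return [f"{name}: CNAME -> {target} does not resolve on a takeover-prone vendor (dangling DNS)"]
    return [f"{name}: CNAME -> {target} does not resolve (stale record)"]


def hygiene_findings(domain: str, subdomains: List[str]) -> List[str]:
    """All findings that would feed the two ratings discussed above."""
    findings = check_spf(domain) + check_dmarc(domain)
    for sub in subdomains:
        findings += check_dangling_cname(sub)
    return findings


if __name__ == "__main__":
    for line in hygiene_findings("example.com", SUBDOMAINS):
        print(line)
```

Against the constructed zone this reports two findings: the DMARC record exists but its `p=none` policy enforces nothing, and `shop.example.com` still points at a vendor resource that no longer resolves. A production checker would confirm the second case by also inspecting the vendor's HTTP response for its "unclaimed" signature before raising it, since NXDOMAIN alone can be a transient resolver issue.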

Investigation Modules and Examples

The ratings are backed by detailed findings from ThreatNG's investigation modules, providing the necessary evidence for score changes:

  • Sensitive Code Exposure: This module directly identifies secret exposure, which dramatically impacts the rating. The Code Repository Exposure submodule discovers public code repositories and specifically finds Access Credentials (e.g., Stripe API key, Google OAuth Key) and Security Credentials (e.g., PGP private key block, RSA Private Key).

  • Subdomain Intelligence: This module discovers technical exposures that feed into multiple ratings. It checks for Exposed Ports (e.g., MySQL, RDP, SSH), Private IPs, and Subdomain Cloud Hosting across platforms such as AWS, Microsoft Azure, and Google Cloud Platform.

  • Domain Name Permutations: This module proactively finds brand risk that lowers ratings, detecting manipulations such as bitsquatting, hyphenations, and TLD swaps, and reporting the mail records associated with those permuted domains.
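The Sensitive Code Exposure module above detects credentials of known formats in public code. As an added example of that detection logic (not ThreatNG's implementation), the scanner below matches documented public prefixes for AWS access key IDs and Stripe live secret keys, plus the standard PEM and PGP private-key armor headers, and redacts every hit before reporting it so the report itself does not become a second leak. The sample file content is constructed; the AWS value is Amazon's own documentation placeholder and the Stripe value is a made-up string of the right shape.

```python
import re
from typing import List, NamedTuple


class SecretHit(NamedTuple):
    line_no: int
    kind: str
    redacted: str


# Detection patterns. The AWS and Stripe prefixes are documented public formats; the
# key-block lines are the standard PEM/PGP armor headers. Real scanners carry many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "pgp_private_key": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "rsa_private_key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}


def redact(secret: str) -> str:
    """Keep just enough to recognise the credential type; never echo the full value."""
    return secret[:8] + "..." if len(secret) > 8 else secret


def scan_text(text: str) -> List[SecretHit]:
    """Run every pattern over every line and return redacted hits in file order."""
    hits: List[SecretHit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append(SecretHit(line_no, kind, redact(match.group(0))))
    return hits


# Constructed sample of a settings file committed to a public repository.
SAMPLE_FILE = "\n".join([
    "# settings.py (constructed sample, not a real repository)",
    'DB_HOST = "db.internal.example.com"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',            # AWS documentation placeholder
    'STRIPE_SECRET = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"',    # made-up value of the live-key shape
    'LOG_LEVEL = "INFO"',
    "-----BEGIN PGP PRIVATE KEY BLOCK-----",
])


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_FILE):
        print(f"line {hit.line_no}: {hit.kind} ({hit.redacted})")
```

Each hit carries the line number and credential type, which is what a rating engine needs to weight the finding (a cloud access key weighs more than a test-mode token) and what a developer needs to locate and revoke it; the full secret is deliberately absent from the output.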

Intelligence Repositories

ThreatNG uses its intelligence repositories (DarCache) to enrich the context and certainty of its rating factors:

  • Vulnerabilities (DarCache Vulnerability): This repository informs the Cyber Risk Exposure and Breach/Ransomware Susceptibility ratings by linking discovered technologies to known risks. It integrates data from NVD (severity), KEV (active exploitation), and EPSS (exploitation likelihood) to accurately prioritize the danger posed by an exposed vulnerability.

  • Compromised Credentials (DarCache Rupture): This repository confirms if any exposed credentials discovered by ThreatNG (e.g., via Sensitive Code Exposure) are already circulating on the dark web, immediately validating and escalating the risk component of the rating.

Complementary Solutions

ThreatNG's external ratings and high-certainty intelligence can be powerfully combined with other security platforms:

  • Security Orchestration, Automation, and Response (SOAR) Platforms: When ThreatNG discovers a critical exposure that significantly lowers the rating (e.g., a leaked API key resulting in a poor NHI Exposure Rating), the SOAR platform can automatically act on this finding. It can trigger an immediate, high-priority workflow to revoke the compromised credential in the cloud provider's IAM system and notify the developer, thereby ensuring the rating recovers rapidly.

  • Vulnerability and Risk Management (VRM) Platforms: ThreatNG's External GRC Assessment capability provides a continuous, outside-in evaluation that maps findings directly to compliance frameworks like PCI DSS or NIST CSF. This data can be ingested by an internal VRM platform, which can then use the Legal-Grade Attribution from ThreatNG's Context Engine™ to prioritize external compliance gaps above internal findings, ensuring security investments target the issues most visible to auditors and attackers.

  • Third-Party Risk Management (TPRM) Platforms: Organizations use ThreatNG's ratings for their vendors. When a vendor's rating drops sharply (e.g., due to a high Supply Chain & Third Party Exposure rating), the TPRM platform can automatically use this data to initiate a risk review, temporarily suspend access privileges for that vendor, or trigger a required security questionnaire.
