Cyber Risk Intelligence (CRI) in cybersecurity is a continuous process of identifying, assessing, and understanding the likelihood and impact of cyber threats and vulnerabilities on an organization's assets and operations from an external perspective. It focuses on providing actionable insights to proactively manage cybersecurity risks.

ThreatNG serves as an all-in-one solution for external attack surface management, digital risk protection, and security ratings, directly facilitating robust Cyber Risk Intelligence through its comprehensive capabilities:

External Discovery

ThreatNG performs purely external unauthenticated discovery using no connectors. This capability is foundational to CRI because it allows organizations to see their digital footprint and potential attack vectors from the viewpoint of an external attacker. This involves uncovering internet-facing assets like web applications, subdomains, mobile apps, and code repositories that could be exposed.

External Assessment

ThreatNG's external assessment capabilities are extensive, providing detailed ratings that highlight specific areas of susceptibility and exposure, which are crucial for CRI. ThreatNG performs all the following assessment ratings:

  • Web Application Hijack Susceptibility: This score is supported by analyzing the external attack surface and digital risk intelligence, including Domain Intelligence, to identify potential entry points for attackers in a web application. For example, if ThreatNG identifies outdated web server software with known vulnerabilities on a publicly accessible web application, it would contribute to a high "Web Application Hijack Susceptibility" score, informing the organization to patch or update the software to mitigate the risk.

  • Subdomain Takeover Susceptibility: ThreatNG evaluates this using external attack surface and digital risk intelligence, incorporating Domain Intelligence. This includes a comprehensive analysis of the website's subdomains, DNS records, SSL certificate statuses, and other relevant factors. For instance, if ThreatNG detects a subdomain (e.g., test.example.com) that points to an expired cloud service (like an Amazon S3 bucket that is no longer active, but the DNS record still exists), it would flag a high susceptibility for subdomain takeover. An attacker could then claim that cloud resource and serve malicious content under the organization's legitimate subdomain, leading to reputational damage or phishing attacks. This intelligence helps the organization remove the dangling DNS record or reclaim the service.

  • BEC & Phishing Susceptibility: This rating is derived from Sentiment and Financials Findings, Domain Intelligence (including Domain Name Permutations and Web3 Domains, and Email Intelligence), and Dark Web Presence (Compromised Credentials). If ThreatNG discovers that several look-alike domains (e.g., threaatng.com or threat-ng.org) are available for registration or have already been registered, and simultaneously finds compromised employee credentials on the dark web, it indicates a high susceptibility to Business Email Compromise (BEC) and phishing attacks. This actionable insight enables the organization to register those deceptive domains proactively and implement stronger email security controls.

  • Brand Damage Susceptibility: This is derived from attack surface intelligence, digital risk intelligence, ESG Violations, Sentiment and Financials (including Lawsuits, SEC filings, SEC Form 8-Ks, and Negative News), and Domain Intelligence (Domain Name Permutations and Web3 Domains). For example, if ThreatNG identifies public negative news articles or significant ESG violations associated with the organization, combined with numerous domain name permutations that could be used for brand impersonation, it would indicate a high brand damage susceptibility. This helps the organization address potential public relations issues and strengthen its brand protection efforts.

  • Data Leak Susceptibility: This rating is derived from external attack surface and digital risk intelligence based on Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), Domain Intelligence, and Sentiment and Financials (Lawsuits and SEC Form 8-Ks). If ThreatNG discovers an exposed cloud storage bucket (e.g., an unauthenticated AWS S3 bucket) containing sensitive data or identifies many compromised employee credentials on the dark web, it would indicate a high data leak susceptibility. This prompts the organization to immediately secure the exposed cloud resource and implement stronger access controls.

  • Cyber Risk Exposure: This considers parameters covered by the Domain Intelligence module, including certificates, subdomain headers, vulnerabilities, and sensitive ports. Code Secret Exposure is also factored in, as it discovers code repositories and their exposure level and investigates their contents for sensitive data. Additionally, the score considers the organization's compromised credentials on the dark web, which increases the risk of successful attacks. If ThreatNG identifies numerous unpatched critical vulnerabilities on an organization's public-facing servers, exposed sensitive ports (like an open RDP port), and code repositories containing hardcoded API keys, it would contribute to a high cyber risk exposure score. This directs the organization to prioritize patching, secure exposed ports, and remove sensitive data from public repositories.

  • Cloud and SaaS Exposure: This evaluates cloud services and Software-as-a-Service (SaaS) solutions. ThreatNG identifies sanctioned and unsanctioned cloud services, cloud service impersonations, and open exposed cloud buckets across AWS, Microsoft Azure, and Google Cloud Platform. It also identifies various SaaS implementations associated with the organization. For instance, if ThreatNG discovers an unsanctioned SaaS application being used by employees (e.g., a lesser-known file-sharing service that the organization has not approved), or an open AWS S3 bucket, it flags a "Cloud and SaaS Exposure" risk, indicating potential shadow IT and data exfiltration pathways. This enables the organization to bring these services under IT governance and secure exposed data.

  • ESG Exposure: ThreatNG rates the organization based on discovered environmental, social, and governance (ESG) violations through its external attack surface and digital risk intelligence findings. It analyzes and highlights Competition, Consumer, Employment, Environment, Financial, Government Contracting, Healthcare, and Safety-related offenses. For example, if ThreatNG identifies publicly reported environmental violations or significant negative news regarding labor practices by the organization, it would highlight ESG exposure, which can impact its reputation and investor confidence.

  • Supply Chain & Third Party Exposure: This is derived from Domain Intelligence (Enumeration of Vendor Technologies from DNS and Subdomains), Technology Stack, and Cloud and SaaS Exposure. Suppose ThreatNG reveals a critical third-party vendor within the organization's supply chain has several exposed cloud services with known vulnerabilities or uses outdated technology stacks. In that case, it signals a supply chain risk that the organization must address with that vendor.

  • Breach & Ransomware Susceptibility: This is derived from external attack surface and digital risk intelligence, including domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events and gang activity), and sentiment and financials (SEC Form 8-Ks). If ThreatNG detects an organization's compromised credentials available on the dark web alongside active discussions by ransomware gangs targeting similar industries, it would indicate a high susceptibility to breaches and ransomware, prompting immediate defensive measures like password resets and enhanced network monitoring.

  • Mobile App Exposure: This evaluates how exposed an organization's mobile apps are by discovering them in marketplaces and checking them for the presence of access credentials, security credentials, and platform-specific identifiers. For example, suppose ThreatNG discovers an organization's mobile application in a public marketplace that contains hardcoded API keys (e.g., a Google API Key or an AWS Access Key ID) or unencrypted security credentials. In that case, it flags a critical "Mobile App Exposure". This immediate insight allows the development team to update the application and remove the exposed credentials.

  • Positive Security Indicators: This feature identifies and highlights an organization's security strengths, detecting the presence of beneficial security controls and configurations, such as Web Application Firewalls or multi-factor authentication. ThreatNG validates these positive measures from the perspective of an external attacker, providing objective evidence of their effectiveness. This offers a more balanced and comprehensive view of an organization's security posture and explains the specific security benefits of these positive measures. For instance, if ThreatNG confirms the presence of a Web Application Firewall (WAF) protecting the organization's main web application and detects proper multi-factor authentication (MFA) implementation on external-facing login portals, these positive indicators would enhance the overall security rating, demonstrating robust controls from an external perspective.

Reporting

ThreatNG offers various reporting capabilities, including Executive, Technical, Prioritized (High, Medium, Low, and Informational), Security Ratings, Inventory, Ransomware Susceptibility, and U.S. SEC Filings. These reports are critical for CRI as they translate complex security data into understandable formats for stakeholders. For instance, a "Prioritized" report can highlight the most essential risks (High) based on ThreatNG's assessments, enabling security teams to focus their remediation efforts effectively. An "Executive" report can provide a high-level overview of the organization's overall security rating and its implications for business leaders, aiding strategic decision-making and resource allocation for risk mitigation.

Continuous Monitoring

ThreatNG continuously monitors every organization's external attack surface, digital risk, and security ratings. This continuous feedback loop is crucial for CRI because the threat landscape is dynamic. As new vulnerabilities emerge, an organization's digital footprint changes, or new threats are identified, ThreatNG automatically detects and reports these shifts, allowing for real-time risk adjustments and maintaining an up-to-date understanding of the organization's evolving risk posture.

Investigation Modules

ThreatNG's investigation modules enable deep dives into discovered assets and risks, providing detailed intelligence essential for effective risk mitigation as part of CRI.

  • Domain Intelligence: This module provides a comprehensive overview of an organization's digital presence.

    • DNS Intelligence: Provides Domain Record Analysis (IP Identification, Vendors and Technology Identification), Domain Name Permutations (Taken and Available), and Web3 Domains (Taken and Available). For example, if ThreatNG's DNS Intelligence identifies a newly registered domain name that is a common typo of the organization's brand (e.g., yourbrand-support.com instead of yourbrand.com), and this domain points to a suspicious IP address, it would be flagged as a potential phishing or impersonation attempt, allowing the organization to take action against the fraudulent domain.

    • Email Intelligence: Provides Email Security Presence (DMARC, SPF, and DKIM records), Format Predictions, and Harvested Emails. If ThreatNG discovers that an organization's email domain lacks proper DMARC, SPF, or DKIM records, it indicates a susceptibility to email spoofing. This intelligence helps the organization configure these records correctly, reducing the risk of BEC and phishing attacks.

    • Subdomain Intelligence: This investigates HTTP Responses, Header Analysis (Security Headers and Deprecated Headers), Server Headers (Technologies), Cloud Hosting, Website Builders, E-commerce Platforms, Content Management Systems, and identifies Admin Pages, APIs, Development Environments, VPNs, and sensitive content. For instance, if ThreatNG discovers a publicly accessible subdomain named dev.yourcompany.com that exposes an unauthenticated API endpoint and contains outdated server headers, it would highlight a critical risk. This allows the organization to secure the development environment, update headers, and implement API authentication.

  • Sensitive Code Exposure: This module discovers public code repositories and uncovers digital risks including Access Credentials (API Keys, Access Tokens, Generic Credentials), Cloud Credentials (AWS Access Key ID, AWS Secret Access Key), Security Credentials (Cryptographic Keys, Private SSH key), Configuration Files (Application, System, Network), Database Exposures (Database Files, Database Credentials), Application Data Exposures (Remote Access, Encryption Keys, Encrypted Data, Java Keystores, Code Repository Data), Activity Records (Command History, Logs, Network Traffic), and Communication Platform Configurations. Suppose ThreatNG discovers a public GitHub repository belonging to the organization that contains a hardcoded Stripe API key or an AWS Access Key ID. In that case, it immediately identifies this as a critical "Code Secret Exposure". This intelligence enables the organization to revoke the exposed key and implement secure coding practices to prevent future leaks.

  • Mobile Application Discovery: This module discovers mobile apps related to the organization in various marketplaces and checks for the presence of Access Credentials, Security Credentials, and Platform-Specific Identifiers within them. If ThreatNG finds an organization's mobile app in an app store that contains a hardcoded Facebook Access Token or an unencrypted RSA Private Key, it would flag this as a severe "Mobile App Exposure". This allows the organization to release an updated app version with the sensitive information removed.

  • Search Engine Exploitation: This facility helps users investigate an organization’s susceptibility to exposing various types of information via search engines, such as Errors, Potential Sensitive Information, Public Passwords, and User Data. For example, if ThreatNG identifies that search engines have indexed an organization's internal administrative login page (admin.yourcompany.com/login) or publicly accessible directories containing user data (e.g., yourcompany.com/users/), it highlights a severe misconfiguration. This allows the organization to update robots.txt files or secure these directories to prevent search engine indexing and reduce exposure.

  • Online Sharing Exposure: This identifies an organizational entity's presence within online code-sharing platforms like Pastebin, GitHub Gist, and Scribd. If an employee unknowingly pastes sensitive company code or proprietary documentation onto Pastebin, ThreatNG would detect this "Online Sharing Exposure", alerting the organization to a potential data leak and allowing them to request removal of the content.

  • Dark Web Presence: This module identifies dark web mentions of the organization and of related or user-defined people, places, or things, along with associated ransomware events and compromised credentials. For instance, if ThreatNG discovers forum discussions on the dark web detailing a recent ransomware attack on a competitor or finds a list of compromised employee credentials linked to the organization's domain being sold, it provides critical "Dark Web Presence" intelligence. This allows the organization to bolster defenses against similar ransomware attacks and force password resets for the compromised accounts.
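The Email Intelligence item above describes checking a domain's DMARC, SPF, and DKIM records for spoofing susceptibility. The following is an added example (not ThreatNG's code) that performs that check over a constructed set of TXT records; the domain names, DKIM selector names, and the status-to-severity mapping are assumptions made for the example.

```python
# Constructed TXT records for two hypothetical domains; a production check would
# fetch them over DNS (e.g. with dnspython) instead of reading this dict.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s"],
    "sel1._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "weak.example": ["v=spf1 include:_spf.mailprovider.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

# Assumed mapping from a control's status to spoofing susceptibility.
SEVERITY = {"ok": "low", "partial": "medium", "weak": "high", "missing": "high", "invalid": "high"}
RANK = {"low": 0, "medium": 1, "high": 2}


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC/DKIM record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_security(domain, txt, dkim_selectors=("sel1", "default")):
    """Return (spoofing susceptibility, findings) from a domain's SPF, DMARC and DKIM TXT records.

    findings is a list of (control, status, note); susceptibility is the worst status seen.
    """
    findings = []

    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("SPF", "missing", "no v=spf1 record: receivers cannot reject forged senders"))
    elif len(spf) > 1:
        findings.append(("SPF", "invalid", "multiple SPF records: receivers treat this as a permanent error"))
    else:
        last = spf[0].split()[-1].lower()              # the 'all' mechanism must be the last term
        qualifier = (last[:-3] or "+") if last.endswith("all") else None
        if qualifier == "-":
            findings.append(("SPF", "ok", "-all: unlisted senders hard-fail"))
        elif qualifier == "~":
            findings.append(("SPF", "weak", "~all: unlisted senders only soft-fail"))
        else:
            findings.append(("SPF", "weak", "no -all terminator: SPF rejects nothing"))

    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(("DMARC", "missing", "no _dmarc record: SPF/DKIM failures are not enforced"))
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "none").lower()
        status = {"reject": "ok", "quarantine": "partial"}.get(policy, "weak")
        findings.append(("DMARC", status, f"p={policy}"))
        if "rua" not in tags:
            findings.append(("DMARC", "weak", "no rua= address: no aggregate reports to spot abuse"))

    # DKIM selectors cannot be enumerated over DNS, so only the assumed selector names are checked.
    signed = [s for s in dkim_selectors
              if any("p" in parse_tags(r) for r in txt.get(f"{s}._domainkey.{domain}", []))]
    if signed:
        findings.append(("DKIM", "ok", f"public key published for selector(s) {', '.join(signed)}"))
    else:
        findings.append(("DKIM", "missing", "no key under the checked selectors (inconclusive)"))

    worst = max((SEVERITY[status] for _, status, _ in findings), key=RANK.__getitem__)
    return worst, findings
```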

Intelligence Repositories (DarCache)

ThreatNG maintains continuously updated intelligence repositories, branded as DarCache, which are crucial for enriching CRI.

  • Dark Web (DarCache Dark Web): Includes Compromised Credentials (DarCache Rupture) and Ransomware Groups and Activities (DarCache Ransomware), tracking over 70 ransomware gangs. This intelligence directly informs the "BEC & Phishing Susceptibility" and "Breach & Ransomware Susceptibility" assessments.

  • Vulnerabilities (DarCache Vulnerability): Provides a holistic and proactive approach to managing external risks and vulnerabilities. It includes:

    • NVD (DarCache NVD): Provides information on Attack Complexity, Attack Interaction, Attack Vector, Impact scores (Availability, Confidentiality, Integrity), CVSS Score, and Severity, offering a deep understanding of each vulnerability's technical characteristics and potential impact.

    • EPSS (DarCache EPSS): Provides a probabilistic estimate of the likelihood that a vulnerability will be exploited in the near future. Combining the EPSS score and Percentile with other vulnerability data allows for a more forward-looking approach to prioritization, addressing vulnerabilities that are not just severe but also likely to be weaponized.

    • KEV (DarCache KEV): This list of vulnerabilities actively exploited in the wild provides critical context for prioritizing remediation efforts on vulnerabilities that pose an immediate and proven threat.

    • Verified Proof-of-Concept (PoC) Exploits (DarCache eXploit): Provides direct links to Proof-of-Concept (PoC) exploits on platforms like GitHub, referenced by CVE. This information is invaluable for security teams to reproduce the vulnerability, assess its real-world impact on their specific environment, and develop effective mitigation strategies. For example, if ThreatNG identifies a critical vulnerability on an organization's public-facing web server, DarCache KEV would indicate whether this vulnerability is actively exploited, and DarCache eXploit would provide a link to a verified PoC, significantly accelerating the security team's ability to understand the threat and develop a targeted patch.

Complementary Solutions

ThreatNG, while comprehensive, can significantly enhance an organization's CRI by working synergistically with other cybersecurity solutions.

  • Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's external discovery and assessment data, including identified vulnerabilities, exposed assets, and security ratings, can be ingested by a SIEM for correlation with internal logs and events. For example, if ThreatNG identifies a newly discovered critical vulnerability on a public-facing web application, this information can be sent to a SIEM. The SIEM can then monitor its internal logs for exploitation attempts targeting that specific vulnerability. A SOAR platform could then automate the creation of a remediation ticket for the security team to patch the vulnerability and automatically update firewall rules to block suspicious IP addresses associated with known exploit attempts from ThreatNG's intelligence.

  • Vulnerability Management Solutions: ThreatNG's detailed vulnerability intelligence from DarCache NVD, EPSS, and KEV can enrich a dedicated vulnerability management solution. For instance, a traditional vulnerability scanner might identify many vulnerabilities across an organization's assets. ThreatNG's EPSS data can then be used by the vulnerability management solution to prioritize the vulnerabilities most likely to be exploited in the near future, allowing the organization to focus remediation efforts on the highest-risk items. Similarly, KEV data can highlight vulnerabilities actively exploited in the wild, enabling immediate attention.
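The DarCache Vulnerabilities section and the Vulnerability Management item above both describe combining NVD severity with EPSS likelihood, KEV membership, and PoC availability to rank remediation work. The following is an added example (not ThreatNG's or any vendor's code) of one such blended ranking over constructed findings; the weights, thresholds, asset names, and CVE identifiers are placeholders chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One externally visible vulnerability, enriched with the data sources named on this page."""
    cve: str
    asset: str
    cvss: float            # NVD base score, 0.0 - 10.0
    epss: float            # EPSS probability of exploitation in the next 30 days, 0.0 - 1.0
    in_kev: bool           # present on a known-exploited-vulnerabilities (KEV) list
    poc_available: bool    # a verified public proof-of-concept exists


# Constructed findings; the CVE identifiers are placeholders, not real entries.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "www.example.test", 9.8, 0.97, True, True),
    Finding("CVE-0000-0002", "api.example.test", 9.1, 0.02, False, False),
    Finding("CVE-0000-0003", "portal.example.test", 6.5, 0.70, False, True),
    Finding("CVE-0000-0004", "static.example.test", 3.1, 0.001, False, False),
]


def risk_score(f):
    """Blend severity (CVSS) with likelihood (EPSS, KEV, PoC) into one number.

    The weights are assumptions for this example: proven in-the-wild exploitation
    (KEV) outweighs everything else, and a public PoC is a smaller likelihood bump.
    """
    score = f.cvss / 10.0        # severity, normalised to 0..1
    score += f.epss              # near-term exploitation probability, 0..1
    if f.in_kev:
        score += 1.0
    if f.poc_available:
        score += 0.25
    return round(score, 3)


def tier(score):
    """Map a blended score onto the report tiers named on this page (assumed thresholds)."""
    if score >= 1.5:
        return "High"
    if score >= 0.9:
        return "Medium"
    if score >= 0.4:
        return "Low"
    return "Informational"


def prioritize(findings):
    """Return findings sorted for remediation as (cve, asset, score, tier, reasons)."""
    rows = []
    for f in findings:
        score = risk_score(f)
        reasons = [f"CVSS {f.cvss}", f"EPSS {f.epss:.1%}"]
        if f.in_kev:
            reasons.append("in KEV")
        if f.poc_available:
            reasons.append("public PoC")
        rows.append((f.cve, f.asset, score, tier(score), ", ".join(reasons)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for cve, asset, score, level, why in prioritize(SAMPLE_FINDINGS):
        print(f"{level:<13} {score:5.2f}  {cve}  {asset}  ({why})")
```

Note that the medium-severity CVE-0000-0003 outranks the critical CVE-0000-0002 because its exploitation likelihood is far higher, which is the forward-looking ordering the EPSS and KEV data are meant to produce.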

  • Endpoint Detection and Response (EDR) Solutions: ThreatNG's intelligence on compromised credentials from DarCache Rupture (Compromised Credentials) can inform EDR solutions. For example, if ThreatNG identifies compromised employee credentials on the dark web, this information can be shared with the EDR solution. The EDR can then proactively monitor the endpoints associated with those specific users for anomalous activity, such as unusual login attempts from new locations, privilege escalation attempts, or suspicious data access patterns. This enables a rapid response before a complete compromise.

  • Incident Response Platforms: When ThreatNG identifies critical external indicators of a potential breach, such as ransomware events or significant data leak susceptibilities derived from its Dark Web Presence module, this information can directly trigger or enrich an incident response playbook within an incident response platform. For instance, if ThreatNG detects recent ransomware gang activity specifically targeting organizations of a similar size and industry, and simultaneously finds compromised credentials for the organization's executives on the dark web, the incident response platform can immediately initiate a targeted investigation, activate communication plans, and deploy containment measures to prevent an imminent ransomware attack.

Organizations can build a more comprehensive, proactive, and resilient Cyber Risk Intelligence program by leveraging ThreatNG's external perspective and rich intelligence alongside complementary solutions' internal visibility and response capabilities.