It’s no secret that digital supply chains are increasingly under attack as hackers look to use this vector to get access to company networks and confidential information. But that also means businesses have to figure out ways to secure their assets even when they sit outside of the attack surface they would traditionally focus on. That’s where external attack surface management services like Cyberpion come in.
Cyberpion is announcing a $27 million Series A round today. The round was led by U.S. Venture Partners, with existing investors Team8 Capital and Hyperwise Ventures, which co-led the company’s $8.25 million seed round, also participating.
The idea behind external attack surface management is to take an outside look at a company’s entire outside-facing assets and infrastructure and proactively scan for risks and vulnerabilities. Since raising its seed round in 2020, attacks like the SolarWinds hack increased awareness of how vulnerable the software supply chain can be. At the same time, a large percentage of enterprise IT infrastructure now sits outside of the traditional company firewall, yet a recent Gartner report noted that only 10 percent of organizations have adopted attack surface assessment solutions so far. That leaves a lot of room for growth because sooner or later, these companies will have to adapt these solutions.
“Traditional third-party risk management solutions have focused exclusively on the vendors and IT infrastructures that are directly connected to the enterprise, an approach that is outdated and ignores the true scale of the problem,” noted Jacques Benkoski, a general partner at U.S. Venture Partners. “Most organizations don’t even consider the supplier of their suppliers as an immediate cyber risk. Cyberpion is the only platform to directly address this issue by continuously assessing all external-facing assets — from 3rd, 4th to Nth party connections — and providing automatic defense against impending attacks.”
Given the increase in awareness, it’s maybe no surprise then that Cyberpion saw its business increase rapidly over the last few years, with revenue more than tripling since raising its seed round in October 2020. Cyberpion co-founder and CBO Ran Nahmias also noted that the company quadrupled its customer base during this time and added one customer in the Fortune 10 and dozens in the Fortune 500.
In terms of product, the company always focused on analyzing and mapping connections to create a map of a company’s external attack surface, but it’s now also going beyond that. “Our technology is based on analyzing and mapping connections downstream to the Nth degree,” Nahmias explained. “But — since we do scan the whole internet multiple times a day — over the last year, we realized that there’s also value in characterizing and starting to look for things that are not connected but may still be a corporate asset that got lost.”
Nahmias also noted that there is an entire class of use cases connected to local domains that were registered by an employee of a gobal company (think something akin to techcrunch.com.co). Those weren’t necessarily created with any malicious intent but aren’t connected to the corporate network or secured by it.
This ability to go upstream to find potential issues, Nahmias noted, is part of what makes Cyberpion unique (and it offers this capability as a paid add-on to its own customers).