Seeing Risk Isn’t Stopping Risk: What to Consider When Choosing an ASM Solution
by Maddie Bullock

Your security team just got another report. Hundreds of exposed assets with dozens of flagged vulnerabilities. A dashboard full of findings, color-coded by severity, timestamped, and ready for review.
None of them have been fixed yet.
This is the reality for most SOC teams operating with an attack surface management tool today. Somewhere between "we found it" and "we stopped it," the work stalls, buried under triage, false positives, manual remediation queues, and the next wave of alerts already on its way.
The attack surface management category was built to solve a real and urgent problem: organizations have more internet-facing assets than they can track, and attackers are scanning for them faster than security teams can inventory them. External Attack Surface Management (EASM) tools emerged to close that gap by giving security teams an outside-in view of their digital footprint, showing what attackers see before they can act on it.
That was a genuine step forward, but visibility alone only gets you so far. Knowing a spoofed domain exists doesn't take it down. Flagging a misconfigured cloud asset doesn't remediate it. And for lean SOC teams already managing hundreds of alerts a day, adding more findings to the queue without the context or tooling to act on them creates more noise, not more security.
When evaluating attack surface intelligence tools, the question that separates useful platforms from expensive dashboards is not just what a solution can find, but what it can do about what it finds. In this post, we’ll walk through the criteria that matter most and explain why the gap between seeing risk and stopping it is where most platforms fall short.
What Good Attack Surface Intelligence Actually Covers
Before evaluating specific tools, it helps to be clear on what a mature attack surface intelligence solution should actually do, because the category has expanded significantly beyond its EASM origins and not every platform has kept pace.
Attack Surface Intelligence (ASI) is the convergence of three capabilities that are far more effective together than apart: External Attack Surface Management (EASM), Cyber Threat Intelligence (CTI), and Digital Risk Protection (DRP). EASM provides the outside-in discovery layer, finding internet-facing assets the way an attacker would. CTI adds the context layer, telling you which of those assets are actually being targeted and by whom. DRP closes the loop by taking action to remove or neutralize threats, rather than simply documenting them.
When these three functions operate in silos—which is how many organizations still run them—you end up with discovery that generates findings nobody has time to investigate, threat intelligence that points to risks nobody can tie back to specific assets, and a remediation backlog that grows faster than teams can clear it. The integration is what turns the whole thing into a working defense.
In practice, a mature ASI platform runs a continuous cycle across three phases. Discovery finds everything connected to your organization, including assets your own teams may not know exist: forgotten subdomains, shadow IT, cloud instances spun up and never decommissioned, executive profiles, social accounts, third-party connections throughout your supply chain. Critically, discovery should start with your organization's specific brands, domains, and people, not with a global threat database that tries to work backward to relevance.
Validation then enriches every discovered asset with threat intelligence to separate genuine risk from noise. That means correlating exposures against known vulnerability databases like the CISA Known Exploited Vulnerabilities list, active exploit data, and dark web signals that show whether threat actors are actually discussing or targeting assets like yours. Without this layer, you're left with a long list of findings with no clear starting point, which is exactly the alert fatigue problem most SOC teams are already struggling with.
Disruption is where most platforms stop short, and where the real differentiation lives. The final phase means actively removing threats: taking down malicious domains, blocking phishing infrastructure, removing impersonation accounts, triggering credential resets when customer data surfaces on underground markets.
As Josh Mayfield, Senior Director of Product Marketing at ZeroFox, puts it: "Without threat context, it's just an asset inventory. When you add intelligence, you get urgency." And when you add disruption, you get outcomes.
The platforms worth evaluating are the ones that deliver all three phases in sequence, not just the first one or two.
What to Look for When Evaluating ASM Solutions
With that framework in place, here are the five criteria that should drive any serious evaluation of attack surface intelligence tools.
1. Does discovery start with you, or with the threat landscape?
There are two fundamentally different approaches to attack surface discovery, and they produce very different results.
The first approach starts with the global threat landscape: collect every known threat, every malicious domain, every piece of underground chatter, and then try to figure out if any of it is relevant to the customer. The problem is that for most organizations, the vast majority of it isn't. Security teams end up buried in data that has no connection to their actual environment, chasing signals that were never about them to begin with.
The second approach starts with the customer: your brands, your domains, your people, your assets. Discovery is oriented around finding threats that are specifically targeting you, which means every finding that surfaces is relevant by design.
The distinction sounds simple, but it has a significant impact on how much noise a platform generates and how quickly a SOC team can move from a finding to an action. When evaluating tools, ask vendors directly: where does your discovery process start?
2. Can it find assets your own team doesn't know exist?
Most legacy ASM tools work from a list you provide. You give them a set of IP ranges or domains, they scan for vulnerabilities, and they report back. That's useful for known assets, but it does nothing for the unknown ones, and unknown assets are exactly where attackers look first.
Gartner reports that only 17% of organizations can clearly identify and inventory the majority of their digital assets. That number reflects a real operational reality: businesses move fast, teams stand up infrastructure without always documenting it, mergers bring in inherited assets with incomplete records, and cloud environments change constantly. A server stood up to meet a deadline three years ago and never decommissioned is still reachable. A subdomain from a test environment that nobody took down is still live. These are the assets that end up in breach reports.
True attack surface intelligence uses automated discovery techniques that work the way attackers do, crawling the internet and pivoting through shared infrastructure to find everything connected to your organization, regardless of whether it appears on any internal list. If a platform can only scan what you already know about, it's solving the wrong problem.
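To make the difference between list-driven scanning and attacker-style discovery concrete, here is an added example (not ZeroFox code, and not a description of its discovery engine) of seed-based pivoting over a constructed snapshot of certificate transparency entries and passive DNS. The hostnames, IP addresses and certificate serials are invented; the point is the technique: start from the customer's own apex domain, follow certificates that list it alongside other names, follow shared IPs, and keep an evidence trail so that weak pivots (shared hosting) are flagged for ownership review instead of being reported as confirmed assets.

```python
"""Seed-based external asset discovery by pivoting on shared infrastructure.

Added example. The CT log and passive-DNS data below are constructed to look
like what a CT-log query and a passive-DNS lookup would return; they are not
real records.
"""
from collections import deque

# Constructed certificate transparency entries: each cert's Subject Alt Names.
CT_LOG = [
    {"serial": "01", "sans": ["www.example-corp.com", "example-corp.com", "api.example-corp.com"]},
    {"serial": "02", "sans": ["api.example-corp.com", "staging-api.example-corp.com"]},
    # An acquired company's portal still sharing a cert with the main API: not on any inventory.
    {"serial": "03", "sans": ["old-deal-portal.example-corp.net", "api.example-corp.com"]},
    {"serial": "04", "sans": ["shop.unrelated-store.com"]},
]

# Constructed passive-DNS snapshot: hostname -> A record.
PASSIVE_DNS = {
    "www.example-corp.com": "203.0.113.10",
    "example-corp.com": "203.0.113.10",
    "api.example-corp.com": "203.0.113.20",
    "staging-api.example-corp.com": "203.0.113.20",
    "old-deal-portal.example-corp.net": "198.51.100.5",
    "test-jenkins.example-corp.com": "203.0.113.20",   # nobody documented this one
    "shop.unrelated-store.com": "192.0.2.77",
    "shared-host-tenant.example.org": "203.0.113.10",  # another tenant on a shared IP
}


def apex(host):
    """Registrable domain, approximated as the last two labels (fine for this toy data)."""
    return ".".join(host.split(".")[-2:])


def discover(seeds, ct_log, passive_dns):
    """Return {host: {"confidence": ..., "evidence": [...]}} reachable from the seeds.

    confidence is "seed", "high" (shared certificate, or shared IP under a domain we
    already own) or "review" (shared IP only, under a domain we do not own).
    """
    seeds = set(seeds)
    known_apexes = {apex(s) for s in seeds}

    ip_to_hosts = {}
    for host, ip in passive_dns.items():
        ip_to_hosts.setdefault(ip, set()).add(host)

    found = {s: {"confidence": "seed", "evidence": ["provided by customer"]} for s in seeds}
    queue = deque(seeds)
    while queue:
        host = queue.popleft()

        # Pivot 1 (strong): any certificate listing this host also lists its siblings.
        for cert in ct_log:
            if host in cert["sans"]:
                for sib in cert["sans"]:
                    if sib not in found:
                        found[sib] = {"confidence": "high",
                                      "evidence": [f"shares cert {cert['serial']} with {host}"]}
                        known_apexes.add(apex(sib))  # a cert link is strong enough to trust the apex
                        queue.append(sib)

        # Pivot 2 (weak): same IP. Shared hosting makes this noisy, so only trust it
        # when the name sits under an apex we already attribute to the customer.
        ip = passive_dns.get(host)
        for sib in ip_to_hosts.get(ip, ()):
            if sib in found:
                continue
            ev = f"resolves to {ip} like {host}"
            if apex(sib) in known_apexes:
                found[sib] = {"confidence": "high", "evidence": [ev + "; under known apex"]}
                queue.append(sib)
            else:
                # Surface it for an analyst, but do not pivot further from an unconfirmed host.
                found[sib] = {"confidence": "review", "evidence": [ev + "; apex not attributed"]}
    return found


if __name__ == "__main__":
    for host, info in sorted(discover(["example-corp.com"], CT_LOG, PASSIVE_DNS).items()):
        print(f"{info['confidence']:6}  {host:36}  {'; '.join(info['evidence'])}")
```

Starting from the single seed `example-corp.com`, the walk reaches the undocumented `test-jenkins` host and the acquisition-era `.net` portal, neither of which a list-driven scan of the `.com` range would touch, while the unrelated store on a different IP is never pulled in and the co-tenant on the shared IP is queued for review rather than reported as owned.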
3. Does validation add real threat context, or just severity scores?
A CVSS severity score tells you how bad a vulnerability could be in theory. It doesn't tell you whether anyone is actually trying to exploit it right now, whether your specific technology stack is being targeted, or whether threat actors in underground forums are already discussing it in the context of your industry.
That context is what turns a list of exposures into a prioritized action plan. Effective validation layers in exploit prediction data, CISA Known Exploited Vulnerabilities status, active threat actor targeting patterns, and dark web signals, then ranks findings based on real-world risk rather than theoretical severity. An asset with a moderate CVE score that's actively being discussed in criminal forums is more urgent than a critical CVE that nobody is currently exploiting.
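The re-ranking described above, as an added example rather than ZeroFox's scoring model: each finding carries the theoretical CVSS score plus the exploitation evidence the text lists (EPSS probability, CISA KEV status, underground chatter, and whether the asset is reachable from the outside), and a deliberately simple, clearly labelled weighting lets the evidence outrank raw severity. The findings, hostnames and weights are constructed for illustration.

```python
"""Context-aware prioritization of exposure findings.

Added example. The weights in priority() are illustrative assumptions chosen to
show exploitation evidence dominating theoretical severity; they are not a
published scoring standard. EPSS is FIRST's estimated probability (0-1) that a
CVE is exploited in the next 30 days; KEV is CISA's Known Exploited
Vulnerabilities catalog.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    description: str
    cvss: float                # theoretical severity, 0-10
    epss: float                # predicted exploitation probability, 0-1
    in_kev: bool               # confirmed in-the-wild exploitation
    underground_mentions: int  # posts in the last 30 days naming this product in our sector
    internet_facing: bool      # does the outside-in view actually reach it?


def explain(f):
    """Reasons an analyst sees next to the score, so the alert carries its own context."""
    reasons = [f"CVSS {f.cvss}"]
    if f.in_kev:
        reasons.append("in CISA KEV (exploited in the wild)")
    if f.epss >= 0.5:
        reasons.append(f"EPSS {f.epss:.2f}: likely to be exploited soon")
    if f.underground_mentions:
        reasons.append(f"{f.underground_mentions} underground mention(s) in the last 30 days")
    if not f.internet_facing:
        reasons.append("not reachable from the internet: lower urgency")
    return reasons


def priority(f):
    """Illustrative ranking: start from CVSS, then let real-world evidence move it."""
    score = f.cvss
    if f.in_kev:
        score += 5.0                          # confirmed exploitation beats any theory
    score += 4.0 * f.epss                     # predicted exploitation
    score += min(3, f.underground_mentions)   # adversary interest, capped so chatter can't dominate
    if not f.internet_facing:
        score *= 0.5                          # outside-in: unreachable assets drop, not vanish
    return round(score, 2)


def rank(findings):
    return sorted(findings, key=priority, reverse=True)


# Constructed findings (hostnames and vulnerabilities are invented for the example).
FINDINGS = [
    Finding("www.example-corp.com", "critical RCE in web framework, no known exploitation",
            cvss=9.8, epss=0.02, in_kev=False, underground_mentions=0, internet_facing=True),
    Finding("vpn-gw.example-corp.com", "medium auth bypass on VPN appliance, actively exploited",
            cvss=6.5, epss=0.60, in_kev=True, underground_mentions=5, internet_facing=True),
    Finding("intranet-wiki.example-corp.local", "critical RCE on internal wiki, exploited elsewhere",
            cvss=9.1, epss=0.90, in_kev=True, underground_mentions=0, internet_facing=False),
    Finding("mail.example-corp.com", "high-severity info leak in mail gateway",
            cvss=7.5, epss=0.10, in_kev=False, underground_mentions=1, internet_facing=True),
]


if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{priority(f):6.2f}  {f.asset:34}  {'; '.join(explain(f))}")
```

With these inputs the medium-severity VPN bypass lands at the top of the queue and the CVSS 9.8 finding that nobody is exploiting drops to second, which is the ordering the paragraph above argues for; the internal wiki, despite its KEV status, sinks to the bottom because the outside-in view cannot reach it.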
The other dimension of validation is human oversight, and this is especially true for dark and deep web intelligence. AI crawlers can monitor open forums and surface-level signals, but closed criminal channels require something different: a real human profile with an established presence in those communities. Infiltrating the forums where threat actors coordinate brand attacks, share attack plans, and trade stolen data isn't something an automated scanner can do.
It takes operatives who have built credible personas over time, can read context and criminal slang accurately, and can engage directly when needed to understand the full scope of a threat. AI-driven scoring at scale is necessary, but dark web intelligence that actually gets ahead of brand attacks requires humans in the loop. The strongest platforms combine automated detection with analyst-led infiltration to surface threats before they materialize, not just after they've been executed.
4. Are takedowns handled in-house, or outsourced to a third party?
This is one of the most practically important questions in any ASI evaluation, and one that is rarely asked directly enough.
Some platforms identify threats and then hand off remediation to a third-party takedown provider. That handoff introduces delays, reduces transparency, and creates accountability gaps, particularly for use cases that go beyond domain takedowns, like social media impersonation, fraudulent mobile apps, or executive protection scenarios that the third party may not cover at all.
In-house takedown capability means the same platform that found the threat is also removing it, with direct relationships with registrars, hosting providers, ISPs, and social platforms already in place. It also means rebound monitoring is built into the same workflow, so if a threat actor stands the same infrastructure back up under a different domain, the platform catches it without requiring a new ticket to a separate vendor.
Ask any vendor you're evaluating: who actually executes your takedowns, how long do they take on average, and what happens if the threat resurfaces?
5. Will this platform add to your team's workload, or reduce it?
Unmanaged platforms with high false positive rates put the entire triage burden on the customer. For a SOC team already managing hundreds of alerts a day, a platform that surfaces more unvalidated findings without curation is a liability, not an asset.
The question to ask is whether managed services are included or whether they're an add-on. A platform that requires a dedicated internal analyst team to operate effectively is a very different investment than one where expert curation and triage are built into what you're paying for. For lean security teams especially, the operational overhead of self-managing a noisy platform can easily exceed the value it provides.
Where Other ASI Approaches Fall Short
Recorded Future is the most widely recognized name in threat intelligence, and that reputation is earned. Their Intelligence Graph is impressive, their platform usability is reported as best in class, and for organizations with large, well-resourced analyst teams who need comprehensive threat data, it remains a strong option.
But threat intelligence leadership is not the same thing as attack surface intelligence leadership, and the gap between the two is significant enough that SOC teams evaluating Recorded Future specifically for ASI use cases should go in with their eyes open.
- Discovery is exposure-first, not customer-first. Recorded Future's ASI module is built around scanning and scoring external assets, which is useful but represents exactly the global-threat-first approach described above. The platform doesn't orient discovery around your specific brands, domains, and people, which means the relevance filtering burden falls on your team rather than the platform.
- There are no in-house takedown capabilities. This is the most consequential gap. Recorded Future outsources all takedowns to PhishFort, a third-party provider. That means every time a threat needs to be removed, it goes through an external vendor, with all the delays, handoff friction, and coverage limitations that come with it. Social media impersonation, fraudulent app store listings, and executive protection scenarios are particularly underserved by this model. For comparison, ZeroFox performs over one million takedowns annually through the Global Disruption Network, with a 98% success rate and built-in rebound monitoring.
- The platform requires significant internal resources to run effectively. Forrester's 2023 Wave noted that Recorded Future requires substantial analyst investment to operate. The platform is powerful, but it is fundamentally unmanaged, meaning noisy alerts, false positives, and prioritization decisions land on your team. For organizations without a large, experienced internal threat intelligence function, that's a significant hidden cost on top of an already high licensing fee.
- Modular pricing limits coverage and inflates cost. Recorded Future's ASI is a separate module with separate licensing. Social media protection, executive protection, and app store coverage are either limited or absent from that module, meaning organizations that need full external attack surface coverage will quickly find themselves purchasing additional modules at additional cost. Customers and analysts consistently cite pricing opacity and inflexibility as top complaints, and those concerns have only grown since Mastercard's acquisition.
- Dark web intelligence lags behind the TI offering. Forrester reference customers noted directly that Recorded Future's dark web threat intelligence wasn't at the same level as its open-source TI. For attack surface validation to be meaningful, underground context matters. If the platform can't reliably surface what threat actors are saying about your assets in criminal forums, a critical layer of the validation process is missing.
The summary is this: Recorded Future is a tool built for threat intelligence teams with the resources to use it. It is not built to reduce the workload of a lean SOC team, it is not built to actively disrupt the threats it finds, and it is not priced or structured for organizations that need comprehensive external attack surface coverage without assembling a module-by-module stack.
What ZeroFox ASI Does Differently
ZeroFox Attack Surface Intelligence is built around the same evaluation criteria outlined above, and the differences are concrete enough to measure.
- Discovery starts with your organization. ZeroFox orients its entire discovery process around your brands, domains, people, and assets, then goes looking for threats targeting you specifically. This means findings are relevant by design rather than filtered after the fact. The platform uses automated reconnaissance techniques that mirror attacker behavior, including browser simulation, DNS analysis, SSL certificate mapping, IP attribution, and relationship analysis, to surface everything connected to your organization including assets your own team doesn't know exist. The AI model now achieves 97% accuracy in determining asset ownership, which eliminates the false positive cleanup that plagues most new EASM deployments.
- Validation layers real threat context onto every discovered asset. ZeroFox correlates exposures against CVE and CVSS data, EPSS scores, CISA KEV status, active threat actor targeting patterns, and signals from over 1,000 dark web forums monitored continuously by more than 100 elite analysts with real intelligence backgrounds. Critically, many of the most valuable dark web sources are closed channels that AI crawlers simply cannot access. ZeroFox operatives maintain well-seasoned personas inside criminal communities, allowing them to infiltrate private forums, identify emerging brand attack plans, and engage directly with threat actors to understand the full scope of a threat before it executes. Every alert comes with context, evidence, and a clear next action, so the findings that reach your team are the ones that actually warrant attention.
- Disruption is in-house and built into the platform. The Global Disruption Network maintains direct relationships with 100-plus ISPs, registrars, hosts, and platforms, enabling takedowns of malicious domains, impersonation accounts, fraudulent apps, and phishing infrastructure in minutes rather than days. The platform monitors for rebounds so threats that are taken down stay down. Over one million successful takedowns are performed annually, with a 98% success rate across executive, brand, and domain use cases. This isn’t outsourced or a third-party handoff. It’s part of the platform.
- Managed services are included for every customer. ZeroFox's OnWatch service means your team isn't responsible for triaging and maintaining the platform on its own. Findings are curated and validated before they reach your queue, which directly reduces the alert fatigue problem rather than adding to it.
- The scope goes beyond infrastructure. ZeroFox covers the full external attack surface: social media, mobile app stores, executive profiles, physical security intelligence, and digital risk protection across more than 180 platforms. This is not a collection of separate modules at separate price points. Rather, it’s a fused platform.
- The outcomes customers see reflect the approach. Forrester's Total Economic Impact™ study puts the average ROI for ZeroFox customers at 287%, with a net present value of $1.6 million over three years and a payback period under six months. Organizations integrating ZeroFox with vulnerability management platforms see a 60% reduction in redundant findings. Security, legal, and marketing teams save an average of 17 hours per takedown. False positive identification improves by 50%, which means analysts spend their time on threats that are actually real. And time spent on audit preparation and compliance reporting drops by half, freeing up resources that most security teams can't afford to waste.
A Quick Evaluation Checklist
When you're in an ASI vendor conversation, these are the questions worth asking directly:
- Does discovery start from my specific assets, or from a global threat database?
- Can the platform find assets my own team doesn't know we have?
- Does validation include dark web and adversary targeting context, not just CVE severity scores?
- Are takedowns handled in-house, and does the platform monitor for rebounds after a threat is removed?
- Will this require dedicated internal analyst resources to operate effectively?
- Does coverage include social media, executive profiles, and app stores, or only infrastructure?
- Are managed services included in the platform, or are they a separate cost?
If a vendor can't answer those questions directly and specifically, that's useful information too.
Attack Surface Management Today
The attack surface management category has matured to the point where visibility is no longer a differentiator. Most tools can find exposures. The question is what they do next, and that's where the real differences between platforms emerge.
SOC teams don't need more dashboards. They need platforms that close the loop: finding the threats that are actually targeting their organization, validating which ones require immediate action, and removing them before they cause damage. That full cycle (Discover, Validate, Disrupt) is what separates attack surface intelligence from attack surface awareness.
If your current tool is generating findings faster than your team can act on them, it's worth asking whether the platform is solving your problem or adding to it. ZeroFox ASI is built to reduce that gap, not widen it. Check it out for yourself in a demo with the experts at ZeroFox.
Maddie Bullock
Content Marketing Manager
Maddie is a dynamic content marketing manager and copywriter with 10+ years of communications experience in diverse mediums and fields, including tenure at the US Postal Service and Amazon Ads. She's passionate about using fundamental communications theory to effectively empower audiences through educational cybersecurity content.