Don’t miss out on tomorrow’s session, hosted by yours truly. Get your 50% discount as a _secpro subscriber and plug in for Katie’s expertise.

Don't miss out!

Cybersecurity threats continue to increase in frequency, sophistication, and financial impact. Organisations now operate in an environment where cyberattacks are persistent, automated, and highly adaptive. Attackers no longer rely solely on simple malware or isolated phishing emails. Modern threat actors use ransomware, cloud exploitation, credential theft, AI-generated scams, supply chain attacks, and long-term infrastructure compromise to target businesses, governments, and critical services.

From the beginning of January 2026, several high-profile cyber incidents demonstrated how exposed many organisations remain. One major example involved the ransomware group RansomHub, which continued targeting healthcare providers, logistics companies, and public sector organisations across Europe and North America. The group used double-extortion techniques, encrypting systems while simultaneously threatening to leak stolen data publicly. These attacks highlighted how exposed organisations remain to credential theft, poor segmentation, and unpatched systems.

Another major concern involved the cybercriminal collective Scattered Spider, which became associated with social engineering attacks against telecommunications and cloud service providers. The group exploited helpdesk procedures by impersonating employees and convincing support staff to reset credentials or bypass multi-factor authentication protections. This showed that organisational exposure is not limited to technical systems; human processes can also create major security weaknesses.

Security agencies also continued warning about activity associated with the Chinese state-linked group Volt Typhoon. Investigations suggested the attackers maintained hidden access within critical infrastructure systems for extended periods. Rather than immediately disrupting services, the group appeared focused on persistence, reconnaissance, and positioning for future operations. This demonstrated how exposed critical infrastructure can become when visibility into networks and operational technology systems is limited.

The financial sector also experienced increasing attacks involving AI-generated phishing campaigns and voice impersonation scams. Criminal groups used generative artificial intelligence to create highly convincing emails, cloned voices, and fraudulent communications at scale. These attacks lowered the barrier for cybercrime and increased the effectiveness of social engineering operations.

Meanwhile, several retail and software organisations suffered supply chain breaches during the 2025 holiday period after attackers compromised third-party vendors and service providers. These incidents showed that organisations are exposed not only through their own infrastructure, but also through trusted external relationships.

These attacks reveal an important reality about modern cybersecurity: many organisations do not fully understand where they are exposed. Traditional cybersecurity strategies often focus on defending networks after systems are already deployed. However, modern attackers continuously search for weaknesses across cloud platforms, remote devices, APIs, third-party suppliers, identity systems, and internet-facing infrastructure.

As a result, cybersecurity has increasingly shifted toward a model known as continuous exposure management. Instead of relying on occasional assessments or static defences, organisations continuously identify, evaluate, prioritise, and reduce their exposure to cyber threats.

What Continuous Exposure Management Means

Continuous exposure management is a proactive cybersecurity strategy focused on identifying and reducing security weaknesses before attackers can exploit them.

Traditional cybersecurity programmes often relied on periodic audits, annual penetration testing, and compliance checklists. While these activities remain useful, they are no longer sufficient in environments where infrastructure changes daily and attackers move rapidly.

Continuous exposure management assumes that:

• Organisations are constantly changing

• New vulnerabilities appear continuously

• Attack surfaces expand over time

• Threat actors actively search for weaknesses

• Visibility gaps create security risks

The goal is therefore to continuously discover and manage exposures across the organisation rather than reacting only after incidents occur. ,An exposure is any weakness, misconfiguration, vulnerability, or access path that could allow attackers to compromise systems or data. Exposures may include:

• Unpatched software vulnerabilities

• Weak passwords

• Excessive access permissions

• Misconfigured cloud storage

• Insecure APIs

• Legacy systems

• Third-party supplier risks

• Poor network segmentation

• Exposed administrative interfaces

Modern organisations often have thousands of potential exposures at any given time. The challenge is not simply identifying vulnerabilities, but determining which exposures represent the greatest business risk.

This is why continuous exposure management focuses heavily on prioritisation. Security teams must understand:

• Which systems are most critical

• Which vulnerabilities are actively exploitable

• Which assets are internet-facing

• Which exposures attackers are most likely to target

• Which weaknesses could lead to major operational disruption

This approach is closely connected to the concept of an attack surface, which describes all the possible entry points available to attackers. The growth of cloud computing, remote work, mobile devices, and third-party integrations has dramatically expanded organisational attack surfaces over the past decade.

In many organisations, security teams no longer have complete visibility into all assets connected to the network. Shadow IT, unmanaged devices, forgotten cloud services, and legacy applications create unknown exposures that attackers may discover first.

Continuous exposure management attempts to solve this problem by treating cybersecurity as an ongoing process of visibility, assessment, validation, and remediation.

Tools and Practices for Continuous Exposure Management

Continuous exposure management depends on a combination of technologies, operational processes, and strategic planning. Organisations must continuously monitor their environments and reduce exposure in a structured manner.

Attack Surface Management (ASM)

Attack Surface Management is one of the most important components of continuous exposure management. ASM platforms continuously identify internet-facing assets such as servers, domains, cloud environments, APIs, and applications. These tools help organisations discover systems that may not be properly tracked internally.

For example, an ASM platform may identify:

• Forgotten development servers

• Publicly exposed databases

• Expired certificates

• Open administrative portals

• Shadow IT applications

This visibility is important because organisations cannot protect assets they do not know exist. ASM also helps organisations understand how attackers view their infrastructure from outside the network perimeter.

Several open source tools can help organisations identify and monitor externally exposed assets.

• OWASP Amass: A reconnaissance and attack surface mapping tool commonly used for external asset discovery, DNS enumeration, and subdomain mapping.

• Nmap: A network discovery and port scanning tool used to identify exposed services, hosts, and open network ports.

• theHarvester: An open source intelligence (OSINT) tool that gathers information such as domains, email addresses, and public infrastructure exposure from internet sources.

These tools help organisations discover internet-facing systems that may otherwise remain unmanaged or forgotten.

Vulnerability Management

Vulnerability management remains a central practice within exposure management.

Security teams continuously scan systems for known vulnerabilities and software weaknesses. However, modern vulnerability management is increasingly focused on prioritisation rather than volume alone.

Many organisations face thousands of vulnerability alerts each month. Attempting to patch every issue immediately is often unrealistic. Continuous exposure management therefore prioritises vulnerabilities based on:

• Exploit availability

• Internet exposure

• Asset criticality

• Privilege level

• Business impact

• Active attacker activity

This risk-based approach allows organisations to focus resources where they matter most.

Open source vulnerability management tools help organisations continuously identify weaknesses across systems and applications.

• OpenVAS (Greenbone Vulnerability Manager): A full-featured vulnerability scanning platform capable of identifying thousands of known vulnerabilities and configuration weaknesses.

• Nikto: A web server scanner designed to detect dangerous files, outdated software, and insecure configurations.

• Trivy: A vulnerability scanner for containers, cloud infrastructure, and software dependencies commonly used within DevSecOps environments.

These tools support proactive remediation by identifying exploitable weaknesses before attackers can use them.

Continuous Security Validation

Many organisations now use continuous validation techniques to test whether security controls are functioning correctly.

This may include:

• Automated penetration testing

• Breach and attack simulation

• Red team exercises

• Adversary emulation

Rather than assuming controls work properly, organisations actively validate defences against realistic attack techniques. For example, a breach simulation platform may attempt to imitate ransomware behaviour inside a controlled environment. Security teams can then evaluate whether monitoring tools successfully detect and block the activity.

Security validation tools allow organisations to test whether defensive controls are operating effectively under realistic attack conditions.

• MITRE Caldera: An automated adversary emulation platform based on real-world attacker techniques documented within the MITRE ATT&CK framework.

• Atomic Red Team: A collection of small, controlled attack simulations used to test security monitoring and detection capabilities.

• Infection Monkey: A breach and attack simulation tool that safely tests lateral movement, credential exposure, and segmentation weaknesses.

These tools help organisations validate security controls continuously rather than relying solely on theoretical assumptions.

Identity and Access Management (IAM)

Identity systems have become a major target for attackers. Compromised credentials often allow attackers to bypass perimeter security entirely. As a result, continuous exposure management places strong emphasis on identity security.

Important IAM practices include:

• Multi-factor authentication

• Least privilege access

• Privileged access management

• Continuous authentication

• Access reviews

• Credential monitoring

Reducing unnecessary permissions significantly limits attacker movement inside networks after initial compromise.

IAM-focused open source tools assist organisations in managing authentication, permissions, and access control.

• Keycloak: An identity and access management platform supporting single sign-on, multi-factor authentication, and federated identity management.

• FreeIPA: A Linux-based identity management solution providing centralised authentication, access control, and policy management.

• Authelia: An authentication and authorisation server designed to secure web applications using multi-factor authentication and access policies.

These tools help reduce identity-related exposure by strengthening authentication and limiting unnecessary access privileges.

Cloud Security Posture Management (CSPM)

As organisations increasingly migrate infrastructure to cloud environments, cloud misconfigurations have become a major source of exposure. CSPM platforms continuously monitor cloud infrastructure for security weaknesses such as:

• Publicly exposed storage buckets

• Excessive permissions

• Weak encryption settings

• Insecure API configurations

• Unprotected workloads

These tools help organisations maintain visibility across rapidly changing cloud environments.

Open source CSPM tools help organisations identify cloud misconfigurations and insecure cloud deployments.

• Prowler: A cloud security assessment tool focused primarily on AWS environments and aligned with security best practices.

• ScoutSuite: A multi-cloud auditing tool that analyses security posture across AWS, Azure, Google Cloud, and Oracle Cloud environments.

• CloudSploit: A cloud security monitoring tool used to identify insecure cloud configurations and compliance issues.

These tools improve visibility into cloud infrastructure and help reduce exposure caused by configuration weaknesses.

Threat Intelligence Integration

Threat intelligence helps organisations understand which exposures are most likely to be targeted by attackers.

For example, if threat intelligence sources report active exploitation of a newly discovered vulnerability, organisations can prioritise remediation efforts immediately.

Threat intelligence also improves contextual decision-making by identifying:

• Attacker techniques

• Common malware behaviour

• Industry-targeted campaigns

• Emerging exploit trends

This allows organisations to align exposure management with real-world threat activity rather than theoretical risk alone.

Threat intelligence tools collect, organise, and analyse information about attacker activity and emerging threats.

• MISP (Malware Information Sharing Platform): A threat intelligence sharing platform used to distribute indicators of compromise, malware intelligence, and attack data.

• OpenCTI: A cyber threat intelligence platform designed for analysing and correlating threat information from multiple sources.

• YARA: A pattern-matching tool commonly used to identify malware families and suspicious files using custom detection rules.

These tools help organisations prioritise exposures based on real-world attacker activity and emerging exploit trends.

Security Operations and Monitoring

Although continuous exposure management focuses heavily on prevention and reduction, monitoring remains essential.

Security Operations Centres (SOCs) use tools such as:

• Security Information and Event Management (SIEM)

• Endpoint Detection and Response (EDR)

• Extended Detection and Response (XDR)

These systems help organisations identify indicators of compromise quickly if exposures are successfully exploited. The goal is to minimise attacker dwell time and reduce operational impact.

Open source monitoring and detection tools support continuous visibility into organisational systems and suspicious activity.

• Wazuh: A security monitoring and threat detection platform combining SIEM functionality, endpoint monitoring, and intrusion detection.

• Suricata: A high-performance network intrusion detection and threat monitoring engine capable of deep packet inspection.

• Zeek: A network analysis and security monitoring framework used to detect suspicious behaviour and generate detailed traffic logs.

These tools improve visibility, accelerate detection, and support rapid response when exposures are exploited.

Creating a Culture of Continuous Exposure Management

Technology alone cannot create effective exposure management. Organisations must also change how they think about cybersecurity.

Many businesses still treat cybersecurity as a compliance requirement or technical responsibility belonging only to IT departments. Continuous exposure management requires a broader cultural shift where exposure reduction becomes an organisational objective.

Leadership Involvement

Executive leadership plays a critical role in cybersecurity culture. Senior leaders must understand that exposure management directly affects operational continuity, financial performance, legal compliance, and customer trust.

When leadership actively supports cybersecurity initiatives, organisations are more likely to allocate appropriate resources and prioritise long-term resilience over short-term convenience.

Importantly, cybersecurity discussions should focus on business risk rather than purely technical language.

Shared Organisational Responsibility

Exposure management requires participation across the entire organisation.

Employees influence cybersecurity through:

• Password practices

• Data handling

• Access management

• Software usage

• Reporting suspicious activity

Developers, procurement teams, human resources departments, and executives all contribute to organisational exposure in different ways. Organisations should therefore promote the idea that cybersecurity is a shared operational responsibility rather than solely an IT problem.

Continuous Improvement

Continuous exposure management depends on constant adaptation. Organisations should regularly:

• Reassess risks

• Review asset inventories

• Validate security controls

• Conduct training exercises

• Update policies

• Test incident response procedures

Threat landscapes change rapidly, meaning cybersecurity programmes must evolve continuously rather than remaining static.

Encouraging Transparency

Employees are often hesitant to report mistakes because they fear punishment. However, delayed reporting can significantly worsen security incidents. Organisations should encourage transparency and rapid communication regarding suspicious behaviour, accidental exposure, or potential vulnerabilities. A culture of openness improves detection speed and organisational resilience.

Measuring Exposure and Maturity

Continuous exposure management also requires measurable performance indicators. Organisations increasingly track:

• Vulnerability remediation times

• Internet-facing asset exposure

• Patch management performance

• Identity risk levels

• Security control effectiveness

• Mean time to detect threats

Measurement allows organisations to identify weaknesses, prioritise improvements, and demonstrate progress over time.

Setting Up for Continuous Threats

The modern cybersecurity landscape is defined by constant change, expanding attack surfaces, and increasingly sophisticated attackers. Recent incidents involving ransomware groups, social engineering campaigns, supply chain attacks, and state-sponsored actors demonstrate that organisations face continuous exposure to cyber risk.

Traditional security approaches based on periodic assessments and static defences are no longer sufficient. Organisations must instead adopt continuous exposure management strategies that focus on ongoing visibility, prioritisation, validation, and remediation.

Continuous exposure management helps organisations identify weaknesses before attackers exploit them. By continuously evaluating attack surfaces, monitoring vulnerabilities, securing identities, validating controls, and prioritising high-risk exposures, businesses can significantly improve resilience against modern threats.

However, technology alone is insufficient. Successful exposure management also requires cultural change. Leadership involvement, employee participation, continuous learning, and organisational transparency all contribute to stronger cybersecurity outcomes.

Ultimately, continuous exposure management is about reducing uncertainty. Organisations cannot eliminate all cyber risk, but they can continuously improve visibility, reduce exposure, and strengthen resilience against evolving threats.

Key conclusions include:

• Modern attack surfaces are larger and more complex than ever before

• Organisations must continuously identify and reduce exposures

• Visibility into assets and vulnerabilities is critical

• Risk prioritisation is essential because resources are limited

• Identity security and cloud security are major focus areas

• Organisational culture strongly influences cybersecurity effectiveness

• Cybersecurity should be integrated into overall business risk management

In the modern digital environment, continuous exposure management has become an essential part of organisational security strategy rather than an optional enhancement.

Further reading

#242: Using Wazuh, Learning from 2025

Austin Miller · May 1

Learning to use tools which can actually aid in overcoming the adversary is difficult. To begin with, there’s the difficulty of knowing what the adversary is going to do, why they’re going to do it, and the signs that they’re actually doing it now. Not an easy task whatsoever. However, there is also the matter of understanding what

Read full story

#243: Suricata in Modern Network Defence

Austin Miller · May 8

Over the last decade, endpoint telemetry, cloud-native security tooling, and identity-driven controls have dominated defensive strategy discussions. Yet the persistence of ransomware, data exfiltration campaigns, and hybrid intrusion operations has reinforced a familiar reality: attackers still have to move data across networks.

Read full story

#244: Hopping over the FortiGate

Austin Miller · May 15

The rapid growth of artificial intelligence in cybersecurity has transformed both defence and attack. While AI tools have allowed organisations to automate detection and improve monitoring, they have also lowered the barrier to entry for attackers. Threat actors no longer need elite technical expertise to launch sophisticated campaigns. Instead, AI syst…

Read full story

#245: Trust Under Pressure

Austin Miller · May 22

Trust has always been one of the invisible foundations of cybersecurity. Every email opened, every password entered, and every file shared depends on a basic assumption that the system, person, or message involved is genuine. For decades, cybercriminals relied on simple deception techniques such as fake websites, phishing emails, and malware disguised a…

Read full story