This week, AttackIQ acquired DeepSurface to broaden its vulnerability and attack path management capabilities to help enterprises identify and mitigate the most pressing vulnerabilities in their environments.

The acquisition enables AttackIQ to add automated vulnerability prioritization within complex IT environments. Founded in 2017 and headquartered in Portland, Oregon, DeepSurface’s RiskAnalyzer platform contextualizes, using roughly 50 data points, vulnerability risks, including an organization’s existing security defenses and other compensating controls, such as network configurations, user behavior, and threat intelligence to predict exploitable attack paths. 

The acquisition combines that contextual risk analysis from DeepSurface into AttackIQ’s AEV platform, enabling organizations to predict and neutralize threats by simulating real-world adversary behavior and contextualizing vulnerabilities within specific infrastructure environments. This allows security teams to prioritize risk based on potential business impact. Security and operations teams can patch highly vulnerable systems first and then fix or mitigate the rest through other steps that keep the systems secure. 

Traditional BAS tools automate the process of simulating cyberattacks to evaluate defenses by analyzing identified vulnerabilities and validating existing security controls.

Michael Farnum, advisory CISO at enterprise technology services provider Trace3, said the extended capabilities in AttackIQ’s platform should make time-stressed security and operations teams work smarter. “It currently gives an edge to AttackIQ over other BAS tools that don’t do a good job at helping to figure out prioritization of the vulnerabilities that they reveal during testing,” he said.

AttackIQ chief commercial officer Carl Wright highlighted the platform’s role in cutting through “exposure noise,” enabling teams to focus remediation efforts on vulnerabilities most likely to be exploited and enable customers to validate defenses against the most current tactics, techniques, and procedures, along with active threat monitoring, attack path mapping, and automated security control validation. 

The integrated system aligns with MITRE’s continuous threat exposure management framework and works across complex enterprise environments. Wright added that future development will focus on expanding attack path analysis and purple teaming automation, ensuring defenses evolve in lockstep with adversarial innovation. 

Wright added that many organizations have teams that are often too siloed and don’t collaborate as well as they should, such as threat intelligence teams, red teams, and security operations analysts. “What we’re doing will help integrate these different teams better, providing a more comprehensive view of the organization’s security posture and respond faster,” he said.

Scott Crawford, research director for information security with 451 Research, part of S&P Global Market Intelligence, said the combination of AttackIQ and DeepSurface complements the two companies’ capabilities and may provide value to the results that AttackIQ’s BAS tools provided. “Breach and attack simulation and controls testing must have targets to evaluate, but without knowing the scope of an organization’s cyber exposure, an understanding of the target landscape may be incomplete,” he said. This combination should give customers a better view of their exposed risk posture. “This includes assets the organization may not know are exposed, which then gives security controls evaluation a more complete view of the landscape to evaluate. The deal appears largely to be one of complementary technologies,” Crawford said.

The capabilities will be released at RSAC, formerly RSA Conference, in late April. The capabilities will be integrated throughout AttackIQ’s portfolio, including AttackIQ enterprise product, AttackIQ Ready! (for mid-sized organizations), and ad-hoc testing with AttackIQ Flex.