Formerly known as Wikibon


Taming the Infinite Attack Surface: The “What” of Black Hat 2025

In our last post, we tackled the who of identity as the new perimeter. Now, our Black Hat 2025 debrief turns to the next fundamental question: What?

What assets, applications, devices, and data make up your enterprise? For most organizations, the answer is a hot mess. The foundational rule of security is the one we break every single day: you can’t protect what you can’t see. The explosion of assets across on-prem data centers, multiple public clouds, and sprawling IoT and OT environments has turned a complete asset inventory into the elusive holy grail of cybersecurity. Without it, every other security discipline, from vulnerability management to incident response, is built on a foundation of pure guesswork. This year’s conference wasn’t just about admiring the problem; it was about a class of technologies designed to finally solve this visibility crisis and, more importantly, to proactively shrink the attack surface before it’s exploited.

The Gospel of Visibility: The CAASM Revolution

For years, we’ve tried to stitch together an asset inventory with a patchwork of spreadsheets, CMDBs, and siloed security tools. The result? A fragmented, outdated, and often contradictory picture of the enterprise. The rise of Cyber Asset Attack Surface Management (CAASM) is a notable shift, aiming to create a single source of truth through API-driven data aggregation.

Axonius is at the forefront of this movement. Its platform acts as a central hub, connecting to over 1,300 sources to continuously aggregate and normalize data. This isn’t just a static inventory; it’s dynamic asset intelligence. In my conversations with Axonius’s team of rockstar field CISOs, it became clear this has implications far beyond the security team.

My friend Liz Morton, a 30-year industry veteran who ran security for ICE, the company that owns the New York Stock Exchange, put it perfectly. She’s seen a major shift in her conversations with customers, who are now forced to justify every dollar of spending. “The CFO is not coming to the board going, ‘We think we have earned about a billion dollars this quarter. It was great!’” she told me. “Why should security leaders get a pass on not knowing what they have?”

Liz stressed that so much of security is about combating the unknown, and you can’t do that if you don’t have a fundamental understanding of your environment. This is how you bridge the gap between IT and security, aligning budgets around a shared, factual understanding of risk.

Liz Morton, Field CISO, Axonius

While Axonius nails the breadth, runZero, co-founded by the legendary HD Moore of Metasploit fame, brings the depth. It specializes in agentless scanning that uncovers assets other tools miss, especially in sensitive OT and IoT environments.

The emergence of these platforms reveals a deeper transformation. The real value here isn’t just a list, it’s creating a unified data model that acts as a “Rosetta Stone” for the entire business. It translates the disparate languages of security (vulnerabilities), IT (configurations), finance (costs), and risk (compliance) into a common language of asset context. Suddenly, a CISO can have a data-driven conversation with a CFO about ROI. This is how you finally achieve the long-sought goal of running “security like a business.”
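To make the aggregation-and-normalization idea concrete, here is an added example (not Axonius or runZero code) of the core of a CAASM-style inventory: three constructed tool exports in their own schemas are mapped onto one common schema, correlated on a stable asset key, and then queried for coverage gaps such as hosts that no EDR agent has ever reported. All source names, fields and records are hypothetical.

```python
"""Added example, not vendor code: minimal CAASM-style asset aggregation.
Normalize heterogeneous exports to one schema, merge on a correlation key,
then ask the merged inventory which assets a given tool has never seen."""

# Constructed sample exports, each in its own tool's schema (hypothetical).
CMDB = [
    {"ci_name": "WEB-01", "ip_address": "10.0.1.10", "owner": "platform"},
    {"ci_name": "db-01", "ip_address": "10.0.1.20", "owner": "data"},
]
EDR = [
    {"host": "web-01.corp.example", "last_seen": "2025-08-06", "agent": "7.2"},
    {"host": "lab-07.corp.example", "last_seen": "2025-08-05", "agent": "7.2"},
]
CLOUD = [
    {"name": "web-01", "private_ip": "10.0.1.10", "public": True},
    {"name": "etl-03", "private_ip": "10.0.2.30", "public": False},
]

def normalize_hostname(raw):
    """Case-fold and strip the domain suffix so names correlate across tools."""
    return raw.strip().lower().split(".")[0]

def normalize(source, records, name_key, ip_key=None):
    """Map one tool's export onto the shared schema {id, ip, sources, raw}."""
    return [{"id": normalize_hostname(rec[name_key]),
             "ip": rec.get(ip_key) if ip_key else None,
             "sources": {source}, "raw": {source: rec}} for rec in records]

def aggregate(*normalized_lists):
    """Merge records that share an id into one asset; union the sources that saw it."""
    inventory = {}
    for lst in normalized_lists:
        for rec in lst:
            asset = inventory.setdefault(
                rec["id"], {"id": rec["id"], "ip": None, "sources": set(), "raw": {}})
            asset["ip"] = asset["ip"] or rec["ip"]   # keep the first IP any source gave
            asset["sources"] |= rec["sources"]
            asset["raw"].update(rec["raw"])          # retain per-source context
    return inventory

def coverage_gaps(inventory, required):
    """Asset ids known to some source but absent from `required` (e.g. no EDR agent)."""
    return sorted(a["id"] for a in inventory.values() if required not in a["sources"])

def build_inventory():
    """Run the full pipeline over the constructed exports."""
    return aggregate(normalize("cmdb", CMDB, "ci_name", "ip_address"),
                     normalize("edr", EDR, "host"),
                     normalize("cloud", CLOUD, "name", "private_ip"))
```

Calling `coverage_gaps(build_inventory(), "edr")` returns the hosts the CMDB or cloud account knows about but the EDR console does not, which is exactly the blind spot the "can't protect what you can't see" rule warns about.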

From Seeing to Shrinking: Proactive Attack Surface Reduction

Okay, so you can finally see everything. Great. A perfectly clear picture of a dumpster fire is still a dumpster fire. The goal isn’t just admiring the problem, it’s proactively shrinking the attack surface.

Minimus is taking one of the most radical approaches. Instead of participating in the endless, soul-crushing game of “whack-a-mole” that consumes so many security resources, Minimus aims to prevent vulnerabilities from ever entering the software supply chain in the first place.

As a former data scientist, I am the poster child for their target user. The rule was always

pip install everything you could ever possibly want

creating bloated, vulnerable containers full of “God only knows what,” as Minimus’s Kat Cosgrove put it. In my chat with Minimus CTO John Morello, he gave a killer example: the official NGINX image is about 80MB on disk, while the Minimus version is just 7MB—with 98% fewer vulnerabilities. By building every component from source and including only what’s absolutely necessary, they effectively erase security debt before it’s even created.

Kat Cosgrove, Head of Developer Advocacy, Minimus

Morello pointed out that this saves developers from “tedious, uninteresting, undifferentiated effort.” But the real magic is in the C-suite pitch. As Kat Cosgrove wisely noted, “If you are a CISO and you are trying to sell, ‘Our containers will be more secure,’ you are dead in the water… If you are selling your CEO by making our containers more secure, we’re going to save 50%, 75%, 80% of the costs, that’s a really easy way to get somebody to write a check.” It’s not just a security play; it’s a cost-optimization and efficiency play.

John Morello, CTO & Co-founder, Minimus

Where Minimus secures the building blocks, Apiiro secures the entire development lifecycle. Its Application Security Posture Management (ASPM) platform provides a risk-based view from code to cloud, using its proprietary Risk Graph™ to connect the dots across the SDLC. By understanding the context of how code is deployed, Apiiro prioritizes the risks that truly matter and embeds automated guardrails directly into developer workflows, turning security from a bottleneck into a collaborator.

For the vulnerabilities that inevitably remain, the practice of testing is also evolving. Intruder is focused on making vulnerability management “effortless,” especially for the small and mid-sized businesses that can’t afford huge security teams. Meanwhile, BreachLock is a good example of the industry’s shift toward Penetration Testing as a Service (PTaaS). Instead of a point-in-time snapshot, PTaaS combines human expertise with AI and automation on a unified platform, enabling more continuous and cost-effective security validation. BreachLock bases its remediation recommendations on Adversarial Exposure Validation (AEV), which prioritizes the vulnerabilities adversaries are actually able to exploit.


Conclusion: Ditching Whack-a-Mole for Proactive Prevention

The technologies on display at Black Hat 2025 paint a clear picture: the future of attack surface management is a two-pronged strategy. First, achieve complete visibility of every asset, real, virtual, human, non-human, or hallucinated. Second, use that visibility to move from a reactive posture of endless patching to a proactive one of prevention. This means building security in from the start and continuously testing what remains, as well as identifying, securing, and monitoring all of your crown jewels.

This proactive stance is critical in the complex cloud environments where the modern attack surface primarily lives. In our next post, we’ll delve into the “Where,” exploring the platforms and strategies designed to secure the cloud and navigate the intricate web of governance, risk, and compliance.

Check out theCUBE for all of our Black Hat USA 2025 coverage!
