
Rethinking attack surface management

Johannesburg, 28 May 2026
Companies are struggling to understand their attack surface. (Image: Datacentrix)

If there’s one shift defining cyber security today, it’s not that organisations aren’t able to see their attack surface; it’s that they’re struggling to understand it.

For years, the focus has been on visibility. Businesses have invested heavily in tools to monitor networks, scan for vulnerabilities and track activity across ingress and egress points. On paper, this might look comprehensive; in practice, though, it can create a false sense of assurance.

“The biggest gap isn’t visibility,” says Kyle Pillay, Security as a Service Manager at Datacentrix. “It’s the ability to measure whether the controls already in place are actually working.”

Modern attack surfaces are vast, stretching across internal systems, cloud environments and external-facing infrastructure. Organisations can run penetration tests, undergo footprinting, identify vulnerabilities and flag known CVEs (common vulnerabilities and exposures), but that only tells part of the story.

“What’s often missing is the ability to measure the efficacy of existing controls,” Pillay explains. “Organisations can have all the right tools in place, but if it isn’t possible to validate how they perform under real conditions, they’re operating on assumption. This is where approaches such as continuous threat exposure management (CTEM) are gaining traction, shifting the focus from static visibility to continuous validation.”

Exposure is expanding faster than control

If measuring effectiveness is already a challenge, the problem becomes significantly more complex when factoring in shadow IT, cloud sprawl and AI.

“Shadow IT and cloud sprawl increase the risk of exposure exponentially,” says Pillay. “And even that feels like an understatement.”

Unmanaged cloud instances, unsanctioned applications, shared drives and decentralised environments create blind spots that traditional security models struggle to cover.

Kyle Pillay, Security as a Service Manager at Datacentrix.

“When assets fall outside formal governance, they are often left unmonitored and unprotected. The reality is simple,” he adds. “What you can’t see, you can’t protect.”

AI is compounding this issue from the attacker’s side. Threat actors are now using it to continuously scan, probe and analyse environments at scale, effectively running their own automated discovery and exploitation processes. “They’re doing their own reverse version of CTEM, constantly looking for gaps, misconfigurations and exposed assets,” Pillay notes. “This is why visibility and speed are critical, because the longer something sits exposed, the higher the risk.”

Despite the growing complexity, anticipating threats before they are exploited is still possible, but only with a more integrated, layered approach.

“It comes down to connecting the dots,” he continues. “This starts with real-time event correlation, typically through a SIEM platform, combined with managed vulnerability practices that extend beyond traditional scanning. We’re effectively looking at three things at once: gaps in infrastructure, vulnerabilities in controls and behaviour within the network and data flows.”

When these layers are aligned, anomalies begin to stand out, allowing organisations to identify risks earlier and act before they escalate.

Building a proactive security posture

For many organisations, the next step is moving towards a more proactive attack surface management (ASM) strategy, driven by governance and data alignment.

“A proactive ASM programme comes down to maturity,” says Pillay. “It’s about having the right metrics and making sure they tie back to real-world threat behaviour. This includes mapping internal metrics against known attacker tactics, techniques and procedures (TTPs), enabling organisations to prioritise risks based on how attacks actually unfold in practice.”

Frameworks such as MITRE ATT&CK are increasingly being used to guide this process, while AI is also playing a role internally, helping to reduce noise and highlight what matters most.

“Ultimately, the change taking place in cyber security is one of mindset,” Pillay states. “Many organisations are actively monitoring, scanning and collecting data, but activity alone does not equal capability. Without the ability to validate, prioritise and respond effectively, that activity risks becoming little more than background noise.

“The gap between activity and capability is where the real risk sits, and how it is closed will define effective cyber security going forward,” he concludes.

For more information on Datacentrix’s cyber security services, please visit https://www.datacentrix.co.za/cybersecurity-services.

Datacentrix

Datacentrix is a leading, African-born systems integrator and managed services provider that operates in Africa and the Middle East. The company’s mature portfolio incorporates intelligent hybrid cloud solutions, security services, data management and resource augmentation.

As an industry forerunner with a prominent track record since 1994, Datacentrix leverages advanced technologies to help customers realise smart operations, competitive advantage and strategic business outcomes. The company partners with its customers to reshape their organisations through technology, paving the way to a sustainable future in an artificially intelligent, data-driven world.

Datacentrix has a noteworthy empowerment history and has held a Level One Broad-based Black Economic Empowerment (B-BBEE) Contributor rating since 2017. The company is 100% Black owned, 72.88% Black women owned and is esteemed as a Designated Supplier, which enables 135% procurement recognition for our customers.

For more information, please visit www.datacentrix.co.za
