Exposure management
runZero redefines exposure management with unrivaled visibility across your entire internal and external attack surface — covering IT, OT, IoT, mobile, and cloud. Uncover the unknown and unmanageable, reveal elusive exposures, and target the true risks other approaches miss. No agents, no authentication, no appliances. And most importantly, no blind spots.
Comprehensive asset inventory
runZero provides a comprehensive and unified asset inventory by combining active scanning, passive traffic sampling, and integrations with deep fingerprinting and world-class correlation capabilities. Assets are normalized, deduplicated, and tracked as they move across your environment.
Total attack surface management
runZero offers comprehensive attack surface management for external, internal, cloud, IoT, and OT environments.
External & Cloud
runZero offers hosted scan engines for external monitoring. In addition to CIDRs, hostnames, and IPs, the runZero scan scope enables automatic target detection through specific keywords:
- domain:runzero.com: finds all hosts associated with runZero.com and then scans both the IPv4 and IPv6 addresses of the results.
- asn4:1233: resolves all CIDRs associated with ASN 1233 and then scans them.
- country4:us: can be used to scan entire countries, but is more often used in the Excludes field to limit external discovery to a particular region.
- defaults: expands to all CIDRs and hostnames registered in the associated site.
These keywords can be combined and used for both Scope and Exclusions. When the Initialize action is taken on the scan page, a preview of the expanded targets is shown, along with an estimate of the scan time based on the address count and full scope.
Integrations are also used to identify and monitor the external attack surface. Assets imported from cloud providers like AWS, Azure, and GCP also include their external IPs and hostnames.
Internal
runZero enables comprehensive internal network attack surface enumeration using active scans, passive discovery, and integrations.
The runZero scanner supports subnet sampling, which allows for very fast discovery of massive internal ranges. Subnet sampling works by sending a small number of probes to the most commonly used host addresses within each /24 and then fully scanning only those subnets where at least one reply was observed. The sampler also parses ICMP error messages to identify the network ranges used by the network equipment itself. runZero’s RFC1918 report can be used to identify blind spots and launch scans to close the gaps.
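The sampling loop described above, as an added example written for this page rather than runZero's own scanner code. The list of host offsets probed in each /24, the ICMP handling and the simulated network are all assumptions made for the example; the probe is a pluggable function so the same logic can be driven by a real sender. The constructed environment has three live hosts and one /24 that a gateway reports as unreachable, which is exactly the case where the router's own address becomes a new range worth scanning.

```python
import ipaddress
from typing import Callable, Optional, Tuple

# Host offsets probed first inside each /24. This list is an assumption for the
# example; the addresses runZero actually samples are not documented on this page.
SAMPLE_OFFSETS = (1, 2, 3, 10, 100, 254, 253)

# A probe returns None (no answer), ("reply", src) for a live host, or
# ("icmp_error", src) when a router answers with an ICMP unreachable.
ProbeResult = Optional[Tuple[str, str]]
Probe = Callable[[ipaddress.IPv4Address], ProbeResult]


def sample_subnets(prefix: str, probe: Probe, offsets=SAMPLE_OFFSETS) -> dict:
    """Sample every /24 under prefix and return the /24s that answered, the
    /24s hinted at by routers sending ICMP errors, and the probe count."""
    net = ipaddress.ip_network(prefix, strict=False)
    # A prefix smaller than a /24 is sampled as a single subnet.
    subnets = [net] if net.prefixlen >= 24 else net.subnets(new_prefix=24)
    live, hints, sent = [], set(), 0
    for sub in subnets:
        for off in offsets:
            target = sub.network_address + off
            if target not in sub:
                continue  # offset falls outside a small prefix
            sent += 1
            result = probe(target)
            if result is None:
                continue
            kind, src = result
            if kind == "reply":
                live.append(sub)  # one answer is enough to schedule a full scan
                break
            if kind == "icmp_error":
                # The router that emitted the error sits on a range we have not
                # scanned yet; record its /24 as a candidate for discovery.
                hints.add(ipaddress.ip_network(f"{src}/24", strict=False))
    return {"live": live, "router_hints": sorted(hints), "probes_sent": sent}


# Constructed environment for an offline run: three live hosts, plus one /24
# for which a gateway at 10.0.255.1 returns ICMP unreachable.
LIVE_HOSTS = {"10.0.5.1", "10.0.5.20", "10.0.200.254"}
UNREACHABLE = {ipaddress.ip_network("10.0.9.0/24"): "10.0.255.1"}


def simulated_probe(target: ipaddress.IPv4Address) -> ProbeResult:
    """Stand-in for a real ICMP/TCP probe; answers only from the constructed data."""
    if str(target) in LIVE_HOSTS:
        return ("reply", str(target))
    for sub, gateway in UNREACHABLE.items():
        if target in sub:
            return ("icmp_error", gateway)
    return None


if __name__ == "__main__":
    summary = sample_subnets("10.0.0.0/16", simulated_probe)
    print("live /24s:", [str(n) for n in summary["live"]])
    print("ranges hinted by routers:", [str(n) for n in summary["router_hints"]])
    print(f"{summary['probes_sent']} probes instead of {2 ** 16} for a full sweep")
```

The point of the hint set is that 10.0.255.0/24 never answered a probe, yet a device there clearly exists and routes for the environment; a sampler that only keeps subnets with replies would miss it, so the router-derived ranges should be fed back into the next discovery pass.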
In addition to scans, runZero can import PCAP files directly into the web interface, as well as turn any deployed Explorer into a passive network sensor. Passive discovery uses up to one CPU core of resources to parse all traffic passing through the interface, including broadcast, SPAN port data, and encapsulated traffic (VLAN, VXLAN, GRE, etc.).
Lastly, runZero’s extensive set of integrations makes it easy to determine what internal endpoints are missing a particular security control. For example, if you use CrowdStrike as your EDR, runZero can flag all Windows systems missing this agent. This also works for finding gaps in vulnerability management scopes.
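The control-gap check described above, as an added example written for this page and not runZero's own correlation logic. It joins a scan inventory against an EDR-exported asset list on two identifiers, hostname and MAC, after normalizing both, because the two sources rarely agree on hostname case, DNS suffix or MAC separator. The field names and the sample records are assumptions constructed for the example.

```python
from typing import Iterable, List


def normalize_host(name: str) -> str:
    """Lowercase and drop the DNS suffix so 'WS-014.corp.example' matches 'ws-014'."""
    return name.strip().lower().split(".")[0]


def normalize_mac(mac: str) -> str:
    """Accept colon, hyphen or dotted notation and return lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if len(digits) == 12 else ""


def missing_control(inventory: Iterable[dict], control_assets: Iterable[dict],
                    os_filter: str = "windows") -> List[str]:
    """Return hostnames of inventory assets matching os_filter that appear in
    neither the hostname nor the MAC set reported by the security control."""
    covered_hosts = {normalize_host(a["hostname"]) for a in control_assets if a.get("hostname")}
    covered_macs = {normalize_mac(a["mac"]) for a in control_assets if a.get("mac")}
    covered_macs.discard("")
    gaps = []
    for asset in inventory:
        if os_filter not in asset["os"].lower():
            continue  # the control is only expected on this OS family
        if normalize_host(asset["hostname"]) in covered_hosts:
            continue
        if normalize_mac(asset["mac"]) in covered_macs:
            continue
        gaps.append(asset["hostname"])
    return gaps


# Constructed sample data: what a scan inventory and an EDR export might look like.
SCAN_INVENTORY = [
    {"hostname": "ws-014", "mac": "00:11:22:33:44:55", "os": "Windows 11"},
    {"hostname": "srv-db-02", "mac": "aa:bb:cc:dd:ee:01", "os": "Windows Server 2022"},
    {"hostname": "kiosk-7", "mac": "de:ad:be:ef:00:01", "os": "Windows 10"},
    {"hostname": "nas-01", "mac": "11:22:33:44:55:66", "os": "Linux 5.15"},
]
EDR_EXPORT = [
    {"hostname": "WS-014.corp.example", "mac": "00-11-22-33-44-55"},
    {"hostname": "", "mac": "AABB.CCDD.EE01"},  # agent reported MAC only
]

if __name__ == "__main__":
    print("Windows assets without the EDR agent:", missing_control(SCAN_INVENTORY, EDR_EXPORT))
```

The same function finds vulnerability-scanner scope gaps by passing the VM platform's asset export as the control list and an empty os_filter.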
IoT & OT
runZero was built for fast, unauthenticated, and safe scanning of all devices in all environments. This results in comprehensive coverage of internet of things (IoT) devices and reliable fingerprinting of operational technology (OT) equipment. runZero worked with the US Department of Energy to ensure that our active discovery is safe and accurate for OT environments.
Users who are unable to deploy active scanning can still take advantage of passive discovery, PCAP imports, and integrations with OT and IoT management tools.
Inside-Out
runZero also offers a unique capability called Inside Out Attack Surface Management (IOASM). IOASM works by comparing the unique fingerprints of internal assets with a global database of public endpoints. This feature is enabled by default for customers using a runZero-hosted platform and is optionally available for self-hosted customers through additional configuration. IOASM can quickly tell you if an internal device is publicly exposed through an unexpected IP, including port forwards, VPNs, IPv6-tunnels, and more. Additional information can be found in this presentation.
IOASM reports four distinct vulnerabilities based on heuristics and detection type:
- (TLS|SSH) Private Key is Public
- (TLS|SSH) Private Key is Widely Shared
- Potential External Access to Internal Asset (SSH, TLS)
- Potential External Access to Internal Asset (MAC Address)
The reported risk also varies based on heuristics. A public service attached to a Remote Desktop or Secure Shell system is considered higher risk than reuse of a public TLS key for a web application.
IOASM also makes use of the BadKeys compromised key database.
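The key-reuse heuristic behind the first three IOASM findings, as an added example for this page rather than runZero's implementation. An internal asset's SSH host key or TLS public key is fingerprinted and looked up in an index of keys seen on public endpoints; a key found in a compromised-key set is reported as public, a key seen on many unrelated public hosts as widely shared, and a key seen on a few public hosts as a likely exposure of that very device, rated higher for SSH and RDP than for a web TLS endpoint. The threshold, the risk labels and the sample keys are assumptions constructed for the example; the MAC-address finding uses a different data source and is not modeled here.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

# Assumed for the example: how many distinct public hosts make a key "widely shared"
# (vendor default keys), and which services are treated as higher risk when exposed.
WIDELY_SHARED_MIN_HOSTS = 10
HIGH_RISK_SERVICES = {"ssh", "rdp"}


def key_fingerprint(public_key: bytes) -> str:
    """SHA-256 of the public key material; matching fingerprints mean the same
    private key is in use on both endpoints."""
    return hashlib.sha256(public_key).hexdigest()


def build_public_index(observations: Iterable[Tuple[str, bytes]]) -> Dict[str, Set[str]]:
    """Index public scan results as fingerprint -> set of public IPs presenting it."""
    index: Dict[str, Set[str]] = {}
    for public_ip, key in observations:
        index.setdefault(key_fingerprint(key), set()).add(public_ip)
    return index


def classify_exposure(internal_assets: Iterable[dict], public_index: Dict[str, Set[str]],
                      compromised: Set[str], threshold: int = WIDELY_SHARED_MIN_HOSTS) -> List[dict]:
    findings = []
    for asset in internal_assets:
        fp = key_fingerprint(asset["public_key"])
        public_hosts = public_index.get(fp, set())
        proto = "SSH" if asset["service"] == "ssh" else "TLS"
        if fp in compromised:
            # Key material is in a known-compromised set; anyone can impersonate the host.
            name, risk = f"{proto} Private Key is Public", "critical"
        elif len(public_hosts) >= threshold:
            # Same key on many unrelated hosts: a default key shipped in firmware or an image.
            name, risk = f"{proto} Private Key is Widely Shared", "medium"
        elif public_hosts:
            # Same key on a handful of public IPs: this internal device is probably reachable
            # from the internet via a port forward, VPN concentrator or tunnel.
            name = "Potential External Access to Internal Asset (SSH, TLS)"
            risk = "high" if asset["service"] in HIGH_RISK_SERVICES else "medium"
        else:
            continue
        findings.append({"asset": asset["name"], "ip": asset["ip"], "vulnerability": name,
                         "risk": risk, "public_hosts": sorted(public_hosts)})
    return findings


# Constructed sample data: internal inventory, public observations and a compromised-key set.
INTERNAL_ASSETS = [
    {"name": "jump-01", "ip": "10.1.0.5", "service": "ssh", "public_key": b"ssh-ed25519 AAAA-jump-01"},
    {"name": "web-intranet", "ip": "10.1.0.20", "service": "https", "public_key": b"vendor-default-tls-key"},
    {"name": "cam-lobby", "ip": "10.1.3.7", "service": "https", "public_key": b"leaked-firmware-key"},
    {"name": "db-01", "ip": "10.1.0.30", "service": "ssh", "public_key": b"ssh-ed25519 AAAA-db-01"},
]
PUBLIC_OBSERVATIONS = (
    [("203.0.113.10", b"ssh-ed25519 AAAA-jump-01")]
    + [(f"198.51.100.{i}", b"vendor-default-tls-key") for i in range(1, 13)]
    + [("192.0.2.44", b"leaked-firmware-key")]
)
COMPROMISED_KEYS = {key_fingerprint(b"leaked-firmware-key")}

if __name__ == "__main__":
    index = build_public_index(PUBLIC_OBSERVATIONS)
    for f in classify_exposure(INTERNAL_ASSETS, index, COMPROMISED_KEYS):
        print(f"{f['risk']:8} {f['asset']:14} {f['vulnerability']}  via {f['public_hosts'][:3]}")
```

In a real deployment the public index is the large part: the internal side is just the fingerprints your own scans already collect, and the compromised set is where a database such as badkeys plugs in.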
Vulnerability detection
runZero identifies, imports, and manages vulnerabilities across your total attack surface using a combination of query-based detection logic, active scans, and API-based integrations with leading endpoint management and vulnerability management platforms.
runZero’s Rapid Response program drives real-time detection and notification for zero-hour exposures.
You can find the complete list of runZero-provided queries in the Query Library. Custom queries can be created to report vulnerabilities on matching assets and services.
Scan-based vulnerabilities are identified using an embedded version of Nuclei, the leading open source vulnerability scanner, in conjunction with curated templates and runZero’s best-in-class network discovery and fingerprinting engine. Vulnerability categories are configured as part of the scan configuration and specific templates are chosen dynamically by precisely matching assets and services.
runZero recalculates vulnerabilities, findings, and asset risk as part of task processing. The resulting vulnerabilities and findings are shown in the respective product sections.
Risk prioritization
runZero normalizes and assigns risk scores to all assets. These scores are influenced by a combination of threat intelligence, vulnerability information, and exposure measurement. Asset criticality can be set through automated rules or manually through the product interface. Assets can be assigned to specific owners for remediation. Tags are imported from API integrations and can be managed natively within the interface, including rule-based tagging. Exported assets include the risk, criticality, and tag information set through the product interface.
Continuous monitoring
runZero continuously monitors your organization for changes to exposure, at a per-asset and per-service level. Recurring active scans, background passive traffic sampling, and regular sync with your existing infrastructure enable quick detection and reporting of new risks. Alerts can be managed in-product, sent by email, or delivered by webhook to the platform of your choice. All asset data can be synced to external platforms, including popular SIEMs and data lakes.