Use case library

Appendix

Total attack surface visibility

Achieving complete visibility is essential for understanding and managing your organization's attack surface. This encompasses internal and external assets, cloud and security tooling integrations, and passive discovery methods, so that nothing on the network is missed and threats can be mitigated proactively.

Active discovery on all internal assets

This use case focuses on identifying all internal assets within defined network boundaries. It ensures organizations can actively monitor their managed networks to maintain up-to-date inventory.

Steps:

  1. Define networks of interest/managed networks/known subnets.
  2. Configure Organization(s) and Site(s).
  3. Install Explorer(s).
  4. Configure scan(s).
  5. Review the inventory to verify that connectivity worked and that fingerprinting looks correct.

Active discovery on all externally facing assets

Gain visibility into external assets, such as domains and IP ranges, that represent your public-facing footprint. This approach ensures you can proactively address vulnerabilities in your external attack surface.

By monitoring external-facing assets, organizations can identify vulnerabilities and misconfigurations before they are exploited. Continuous scanning and updates keep your external inventory current and secure.

Steps:

  1. Define external ranges, domains, and subdomains.
  2. Add the external ranges, domains, subdomains, and ASNs to the scan scope.
  3. Run the scan using runZero hosted zones.
  4. Review inventory to verify findings.

Passive discovery and enrichment in key network segments

Identify assets and gain insights without active scanning by leveraging network TAPs or SPAN ports. This ensures continuous monitoring with minimal disruption to network operations.

Passive discovery complements active methods by observing traffic patterns and enriching data without interrupting critical operations. This approach is ideal for sensitive network segments.

Steps:

  1. Set up a network TAP or a SPAN port, or reuse an existing TAP or SPAN.
  2. Deploy an Explorer on the TAP, or on a host attached to the SPAN port.
  3. Configure the Explorer to listen on the relevant interfaces and set the scan scope. Confirm that the listening interface actually receives the mirrored traffic before treating the segment as covered; after that the setup can be left running unattended.

Integrate with all cloud providers and other relevant data sources

Seamlessly connect with cloud providers and other data sources to ensure complete visibility across hybrid environments. Simplify asset management by unifying data under one platform.

Cloud integration enables real-time visibility into assets spread across various platforms. It reduces manual effort and enhances data consistency by leveraging automated updates from connected sources.

Steps:

  1. Configure integrations with EDR, MDM, directory services, cloud solutions, and vulnerability management platforms.
  2. On-premises data sources need an Explorer that can reach them in order for the integration to run; cloud-hosted sources do not require an Explorer.

Full-spectrum exposure detection

Gain comprehensive visibility across your environment by correlating Rapid Response insights, asset-level context, control coverage gaps, and enriched vulnerability data. This layered approach enables faster detection, better prioritization, and more targeted response efforts.

Rapid Response findings and asset-level pivoting

Quickly investigate Rapid Response findings by moving from high-level dashboards to individual assets. This seamless workflow brings together threat intelligence, exposure history, and asset impact for fast and actionable insights.

Steps:

  1. Review the Risk Dashboard.
  2. Review the Rapid Response blog to see past examples.
  3. Open Rapid Response queries to examine historical trends.

Network misconfiguration findings and control coverage gaps

Identify network misconfigurations and highlight security control gaps—like missing EDR or VM coverage—by using targeted queries and contextual inventory views. This helps prioritize risk reduction efforts based on actual gaps in defense.

Steps:

  1. Review sample network misconfiguration findings.
  2. View all assets with an associated finding.
  3. View assets missing EDR coverage.

Vulnerability enrichment and inside-out findings

Enhance your vulnerability management process with enriched context such as KEV status, exposure points, and related asset attributes. Combine these filters with reports like network bridges to identify exploitable attack paths.

Steps:

  1. Review KEV (Known Exploited Vulnerabilities) findings.
  2. View assets that have both an associated finding and a vulnerability listed in the KEV catalog.
  3. View network bridges report filtered to only assets with an associated finding.

Risk prioritization and insights

Prioritize what matters most by aligning dashboards, alerts, and asset context to risk. Use customizable workflows and real-time metrics to drive better decision-making and reduce noise.

Custom dashboards for dynamic visibility

Build dashboards tailored to your environment and objectives. Combine stock widgets, saved queries, and custom metrics to track what matters and highlight key trends.

Steps:

  1. Go to the runZero home page to create a new dashboard.
  2. Click Widgets to add your selection.

Rules and alerts for automated monitoring

Turn searches into alerts by creating rules that notify your team of meaningful changes. Use templates and channels to streamline alert creation and delivery.

Steps:

  1. Create a channel or destination for your notifications.
  2. Create a template for your payload.
  3. Go to create rule.
  4. Finalize the logic, review, and save.

Asset criticality, ownership, and search filters

Improve search relevance and response precision by tagging assets with criticality and ownership metadata. These values also drive automated rule actions.

Steps:

  1. Search for specific assets in the inventory view.
  2. Update asset criticality or ownership directly from the inventory.
  3. Use a rule with the Modify assets action to update the desired values automatically.

Compliance, Reporting, and KPIs

Adhering to compliance standards requires accurate asset tracking, secure configurations, and effective vulnerability management. runZero simplifies these processes to help organizations meet regulatory demands.

Comply with asset inventory and discovery requirements of relevant frameworks

Maintain compliance with industry standards by ensuring accurate and comprehensive asset discovery. Demonstrate adherence through detailed inventory and reporting.

Comprehensive inventory management helps organizations satisfy regulatory audits. Combining active, passive, and integration-based discovery methods ensures no assets are overlooked.

Steps:

  1. Review documentation mapping runZero to compliance frameworks.
  2. Review active, passive, and integrations options.
  3. Use the task history to see when scans or integrations ran.
  4. Display inventory for real-time compliance visibility.

Comply with secure configuration requirements of relevant frameworks

Meet secure configuration standards by identifying and addressing insecure protocols or configurations. Ensure alignment with regulatory requirements.

Secure configurations are critical for mitigating risks associated with legacy protocols and insecure settings. Automation tools enhance efficiency in identifying and remediating issues.

Steps:

  1. Review documentation mapping runZero to compliance frameworks.
  2. Search for cleartext protocols such as FTP, TFTP, Telnet, and HTTP. Treat port-only matches as unverified until the service has been fingerprinted, and check whether an HTTP listener merely redirects to HTTPS before counting it as a finding.
  3. Save the searches for tracking and add them to a dashboard for reporting.
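The search in step 2 is easy to get wrong in two directions: a service found open on port 21 is not necessarily FTP, and an HTTP fingerprint on a TLS listener is HTTPS, not a cleartext finding. The following is an added example, not runZero's code, showing the classification a practitioner would want over an exported service list. The record shape (`address`, `port`, `transport`, `protocol`, `tls`) and the sample records are constructed for this example; adapt the field names to the export you actually use.

```python
from collections import defaultdict

# Cleartext protocols called out in the step above, keyed by the name a
# service fingerprint would report. The value is the reason shown in the report.
CLEARTEXT_PROTOCOLS = {
    "ftp": "FTP sends credentials in cleartext",
    "tftp": "TFTP has no authentication and no encryption",
    "telnet": "Telnet sends credentials and the whole session in cleartext",
    "http": "HTTP without TLS exposes content, cookies and any credentials",
}

# Fallback for services seen open but not fingerprinted: the conventional
# port and transport for each protocol. Matches here are guesses only.
DEFAULT_PORTS = {21: ("ftp", "tcp"), 23: ("telnet", "tcp"),
                 69: ("tftp", "udp"), 80: ("http", "tcp")}


def classify_service(svc):
    """Return (protocol, reason, confidence) or None if the service looks fine.

    svc is a dict with keys address, port, transport, protocol (may be empty)
    and tls (bool). These field names are an assumption of this example.
    """
    proto = (svc.get("protocol") or "").lower()
    if proto == "http" and svc.get("tls"):
        return None  # HTTP fingerprint carried over TLS is HTTPS, not a gap
    if proto in CLEARTEXT_PROTOCOLS:
        return proto, CLEARTEXT_PROTOCOLS[proto], "fingerprint"
    if not proto:
        guess = DEFAULT_PORTS.get(svc.get("port"))
        if guess and svc.get("transport", "tcp").lower() == guess[1]:
            reason = CLEARTEXT_PROTOCOLS[guess[0]] + " (port-based guess, unverified)"
            return guess[0], reason, "port"
    return None


def find_insecure_services(services):
    """Group insecure services by asset address, skipping TLS-wrapped HTTP."""
    report = defaultdict(list)
    for svc in services:
        hit = classify_service(svc)
        if hit:
            proto, reason, confidence = hit
            report[svc["address"]].append(
                {"port": svc["port"], "protocol": proto,
                 "reason": reason, "confidence": confidence})
    return dict(report)


# Constructed sample export for the example; not real scan data.
SAMPLE_SERVICES = [
    {"address": "10.0.1.5", "port": 23, "transport": "tcp", "protocol": "telnet", "tls": False},
    {"address": "10.0.1.5", "port": 80, "transport": "tcp", "protocol": "http", "tls": False},
    {"address": "10.0.1.9", "port": 443, "transport": "tcp", "protocol": "http", "tls": True},
    {"address": "10.0.1.9", "port": 22, "transport": "tcp", "protocol": "ssh", "tls": False},
    {"address": "10.0.2.20", "port": 69, "transport": "udp", "protocol": "", "tls": False},
    {"address": "10.0.2.20", "port": 21, "transport": "tcp", "protocol": "", "tls": False},
    # TCP/69 is not TFTP; the transport check keeps it out of the report.
    {"address": "10.0.2.20", "port": 69, "transport": "tcp", "protocol": "", "tls": False},
]

if __name__ == "__main__":
    for address, hits in sorted(find_insecure_services(SAMPLE_SERVICES).items()):
        for h in hits:
            print(f"{address}:{h['port']} {h['protocol']:6} [{h['confidence']}] {h['reason']}")
```

The `confidence` field is what separates a saved search that people act on from one they ignore: fingerprinted hits can go straight to remediation, while port-based guesses go back into a scan with fingerprinting enabled before anyone is asked to fix them.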

Comply with malware protection requirements of relevant frameworks

Integrate with Endpoint Detection and Response (EDR) solutions to ensure compliance with malware protection standards. Identify and address gaps in protection.

Effective malware protection depends on real-time monitoring and quick response. Comprehensive integration options streamline the detection and resolution of gaps.

Steps:

  1. Review documentation mapping runZero to compliance frameworks.
  2. Review the EDR integrations and the options for a custom integration.
  3. Search for assets without EDR coverage and alert on newly found gaps.
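Both the control coverage gap use case earlier on this page and step 3 here come down to the same question: which assets should be running an EDR agent but are not reported by any EDR integration? The following is an added example, not runZero's code, of that check over an exported asset list, including the part teams usually skip: filtering out assets an agent cannot run on, so the gap list is not padded with printers and switches. The asset field names (`id`, `type`, `os`, `sources`), the integration source names, and the sample assets are constructed for this example.

```python
# Integration source names that count as EDR coverage. These names are an
# assumption for the example; use whatever your connected EDR reports as.
EDR_SOURCES = {"crowdstrike", "sentinelone", "defender"}

# Asset types an endpoint agent can realistically run on. Everything else is
# reported as not applicable rather than as a gap.
AGENT_CAPABLE_TYPES = {"server", "desktop", "laptop"}

# OS families with a supported agent in this example. Embedded and network
# OSes are deliberately left out so the gap list stays actionable.
AGENT_CAPABLE_OS = ("windows", "linux", "macos")


def edr_coverage(assets):
    """Partition assets into covered, gap and not_applicable buckets.

    An asset is covered if any of its sources is an EDR integration, a gap if
    it is agent-capable but has no EDR source, and not applicable otherwise.
    Note that an MDM source (e.g. Jamf) is not EDR and does not count.
    """
    result = {"covered": [], "gap": [], "not_applicable": []}
    for a in assets:
        sources = {s.lower() for s in a.get("sources", [])}
        os_name = a.get("os", "").lower()
        if sources & EDR_SOURCES:
            result["covered"].append(a["id"])
        elif (a.get("type") in AGENT_CAPABLE_TYPES
              and any(family in os_name for family in AGENT_CAPABLE_OS)):
            result["gap"].append(a["id"])
        else:
            result["not_applicable"].append(a["id"])
    return result


def new_gaps(previous_gap_ids, current):
    """Return gap ids absent from the previous run, for an alert on new gaps."""
    return sorted(set(current["gap"]) - set(previous_gap_ids))


# Constructed sample inventory for the example; not real data.
SAMPLE_ASSETS = [
    {"id": "a1", "type": "server", "os": "Windows Server 2019", "sources": ["runzero", "crowdstrike"]},
    {"id": "a2", "type": "server", "os": "Ubuntu Linux 22.04", "sources": ["runzero"]},
    {"id": "a3", "type": "printer", "os": "HP FutureSmart", "sources": ["runzero"]},
    {"id": "a4", "type": "laptop", "os": "macOS 14", "sources": ["runzero", "jamf"]},
    {"id": "a5", "type": "switch", "os": "Cisco IOS", "sources": ["runzero"]},
    {"id": "a6", "type": "desktop", "os": "Windows 11", "sources": ["runzero", "defender"]},
]

if __name__ == "__main__":
    coverage = edr_coverage(SAMPLE_ASSETS)
    for bucket, ids in coverage.items():
        print(f"{bucket:15} {', '.join(ids) or '-'}")
    # Pretend the last run already knew about a2; only a4 is new.
    print("new gaps:", new_gaps(["a2"], coverage))
```

Keeping the `not_applicable` bucket visible matters for the audit conversation: a reviewer can see that the printer and the switch were considered and excluded on purpose, rather than silently dropped from the report.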

Comply with vulnerability management requirements of relevant frameworks

Leverage integrations and inventory tools to meet vulnerability management requirements. Track and address vulnerabilities effectively.

Meeting vulnerability management requirements involves continuous monitoring, prioritization, and remediation. Automated tools provide actionable insights to streamline this process.

Steps:

  1. Review documentation mapping runZero to compliance frameworks.
  2. Search for gaps in vulnerability scanning coverage.
  3. Use the vulnerability inventory with KEV/EPSS enrichments for enhanced insights.
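The KEV enrichment described in the vulnerability enrichment use case above and in step 3 here is a join between your vulnerability findings and the CISA KEV catalog, followed by a sort that puts known-exploited, externally reachable issues first. The following is an added example, not runZero's code. It assumes findings with `asset_id`, `cve`, `cvss`, `epss` and `external` fields, and a KEV catalog in the shape of CISA's JSON feed (a `vulnerabilities` list with `cveID` and `dueDate`); the findings and the KEV excerpt are constructed inline, so the due dates are placeholders and the real catalog should be consulted for current status.

```python
import re

# CVE ids as published: CVE-YYYY-NNNN with four or more sequence digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def normalize_cve(value):
    """Uppercase a CVE id after validating it; return None for anything else."""
    match = CVE_RE.fullmatch((value or "").strip())
    return match.group(0).upper() if match else None


def load_kev(catalog):
    """Index a KEV-shaped catalog by normalized CVE id -> dueDate."""
    index = {}
    for entry in catalog.get("vulnerabilities", []):
        cve = normalize_cve(entry.get("cveID"))
        if cve:
            index[cve] = entry.get("dueDate")
    return index


def enrich(findings, kev_index):
    """Attach KEV status to each finding; findings with a bad CVE id are dropped."""
    enriched = []
    for f in findings:
        cve = normalize_cve(f.get("cve"))
        if cve is None:
            continue  # a malformed id must not silently match or crash the run
        enriched.append({**f, "cve": cve, "kev": cve in kev_index,
                         "kev_due": kev_index.get(cve)})
    return enriched


def prioritize(enriched):
    """Order findings: KEV first, then externally exposed, then EPSS, then CVSS."""
    return sorted(enriched, key=lambda f: (not f["kev"],
                                           not f.get("external", False),
                                           -f.get("epss", 0.0),
                                           -f.get("cvss", 0.0)))


def kev_exposed_assets(enriched):
    """Asset ids with a KEV vulnerability reachable from outside: the short list."""
    return sorted({f["asset_id"] for f in enriched if f["kev"] and f.get("external")})


# Constructed KEV excerpt for the example; due dates are placeholders.
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2017-0144", "dueDate": "2022-03-03"},
]}

# Constructed findings; the 2023 id is a placeholder, not a real vulnerability claim.
SAMPLE_FINDINGS = [
    {"asset_id": "a2", "cve": "cve-2021-44228", "cvss": 10.0, "epss": 0.97, "external": False},
    {"asset_id": "a7", "cve": "CVE-2017-0144", "cvss": 8.1, "epss": 0.96, "external": True},
    {"asset_id": "a2", "cve": "CVE-2023-99999", "cvss": 9.8, "epss": 0.03, "external": True},
    {"asset_id": "a9", "cve": "not-a-cve", "cvss": 5.0, "epss": 0.01, "external": False},
]

if __name__ == "__main__":
    ranked = prioritize(enrich(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV)))
    for f in ranked:
        flag = "KEV" if f["kev"] else "   "
        print(f"{flag} {f['asset_id']:3} {f['cve']:15} cvss={f['cvss']:4} epss={f['epss']:.2f} external={f['external']}")
    print("KEV + external:", kev_exposed_assets(ranked))
```

The sort key is the design choice worth arguing about: here a KEV entry outranks a higher CVSS score because exploitation is confirmed rather than theoretical, and exposure outranks EPSS because an internal-only host changes who can reach it. Adjust the tuple order if your risk model weighs these differently, but keep the malformed-id drop in `enrich`; a CVE string that fails validation should never quietly produce a "not in KEV" result.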