We caught up with our CEO, Casey Cammilleri, as Sprocket Security launches Sprocket ASM on February 11, 2025! This ASM tool is new to the public but has been used in-house by testers at Sprocket for years. It’s a tool that helps our red team be efficient in their continuous penetration testing practice and provides the hacker perspective. Hear from Cammilleri why the hacker perspective should be your company's perspective and how Sprocket ASM can help you gain this valuable insight.

What does Attack Surface Management mean?

Casey Cammilleri: Attack Surface Management (ASM) is a live data feed of all the assets and data that can be used by hackers to compromise your company. You want to track that and discover anything new that pops up. Anything that your company is using, or any asset or data that changes in some way that can impact security. That's the way that we [Sprocket Security] view attack surface management.

What is the value of an organization using Sprocket ASM?

CC: Visibility. They get to identify all the new assets, even ones that they didn't know they had or were related to their company. The larger the company, the harder it is to understand and track everything that you have and own. And it's even harder to do that in cloud- and DevOps-heavy environments where things are constantly changing.

But the real value is seeing the change between those assets. We focus heavily on change just because change is where there is an opportunity for risk to be created. The next time that you invoke some sort of security testing, you will have the latest change, or the newest discovery folded into testing. That way the testing is way more valuable and beneficial.

How can Sprocket ASM help an organization move towards Continuous Threat Exposure Management (CTEM)?

CC: The discovery phase is extremely important in CTEM. You can’t protect what you don't know you have. So, priority number one is to identify everything you have related to your organization. Anyone with a credit card and your company data can stand something up in a cloud like AWS, Azure, or whatever it may be, and put your customer’s data in there unprotected. That type of shadow IT happens across different departments and is extremely common in this day and age.

It's not necessarily just discovery of assets or things connected to the Internet. Breach data dumps and other information disclosures that happen about your company can then be used against you. So, discovery is not just necessarily IP addresses or web applications. It extends to data about your company and how that data, how that metadata, can then be used against your company.

Does Sprocket ASM enhance an organization’s offensive security approaches?

CC: Yeah, bleeding edge. The thing to touch on the most here is how ASM helps testing. As a tester, if I'm doing some sort of human-driven approach and today there's a new exploit that comes out that affects WordPress sites, I should not be spending my time saying, “Where are the WordPress sites?” I should know within two seconds where they are and we have that capability on our [Sprocket ASM] platform. Now I'm going to move onto validation. Can this exploit actually work against these targets that should be vulnerable? If yes, what is the impact? You need ASM to do it at scale. If you have ASM, you can spend less time in discovery phases and move straight into testing and validation phases. You will be more efficient and scalable in your offensive testing.

What is the difference between Sprocket ASM and other no-cost ASM tools?

CC: Seeing the hacker's perspective and a heavy weight on change detection. What has changed from yesterday and does it impact my security? That's how we've thought about building [Sprocket] ASM.

It’s the same engine that our red team and testers use in their continuous pentesting practice. You're going to get notifications on new discoveries and changes. But then you can seed the ASM with additional assets you own and manage. If there's something that an attacker would be totally blind to on the Internet, you could still feed that information into the ASM and start tracking it for changes and security issues.

Hacker Vision

Are you ready to see what a hacker would see if they had free rein over your attack surface? Sprocket ASM was a tool built for testing teams and has been tried and true at protecting organizations for years. We believe that everyone should have this visibility to take the next step in becoming more secure.
