Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

“You can’t secure what you don’t know exists.” It’s a common refrain in cybersecurity (and for good reason!). But the reality is a bit more complex: it’s not enough to just know that something exists. To effectively secure your assets, you need to understand what each of them is. Without proper classification, applying the right security processes or tools becomes a guessing game.

As 9 out of 10 valuable web apps are missing testing, we’re launching new capabilities to help teams know what else, beyond core applications, is likely to require in-depth testing. The new features automatically classify discovered web assets based on attacker reconnaissance techniques and deliver recommendations on where to run DAST, bridging the gap between broad and deep testing across the entire attack surface.

A series of vulnerabilities, known as IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974), have been identified in ingress-nginx, a widely used Kubernetes ingress controller. When exploited together, these vulnerabilities allow for configuration injection through the Validating Admission Controller.

If you are a mature organization, you might manage an external IP block of 65,000 IP addresses (equivalent to a /16 network). In contrast, very large organizations like Apple may handle an astonishing 16.7 million IP addresses or more (about a /8 network). However, this isn’t the case for many of us. IP addresses are fixed assets and can be costly, so most modern organizations do not have a large number of directly assigned IP addresses for every service they expose to the internet.

We are excited to announce Detectify Alfred, a revolutionary system that uses AI to completely autonomously collect and prioritize threat intelligence and generate high-fidelity security tests for the CVEs that are most likely to be exploited in the wild.

The traditional perception of security within an organization is as a barrier rather than a facilitator, imposing approval processes and regulations that inevitably slow down operations. In this blog post, along with our friends at Knowit Experience, we explore how a new mindset keeps growing. One that embraces security as an enabler and a business value contributor.

Below, we’ll take a look at how both DAST as a methodology and DAST as a tool relate to what we do at Detectify. More specifically, we’ll explain how Detectify’s solution applies DAST methodology to the full breadth of an attack surface, automating the heck out of application security testing. With these methods, we cover millions of domains before you’ve even had breakfast.

At Detectify, we help customers secure their attack surface. To effectively and comprehensively test their assets, we must send a very high volume of requests to their systems, which brings the potential risk of overloading their servers. Naturally, we addressed this challenge to ensure our testing delivers maximum value to our customers while being conducted safely with our rate limiter.

Below, we’ll take a look at how both DAST as a methodology and DAST as a tool relate to what we do at Detectify. More specifically, we’ll explain how Detectify’s solution applies DAST methodology to the full breadth of an attack surface, automating the heck out of application security testing. With these methods, we cover millions of domains before you’ve even had breakfast.

When was the last time you checked DNS configurations for subdomains pointing at services not in use? According to Crowdsource ethical hacker Thomas Chauchefoin, while expired and forgotten subdomains can easily become an entry point for an attacker to steal sensitive data and launch phishing campaigns, having the right tool in place can keep them at bay.