Hacking has always felt like a superpower to me. It is a skill that I have worked on and learned with time. I was introduced to this field by my brother, he is my role model and I have always followed in his footsteps. Once I stepped into this field, there was no turning back. I knew this is what I want to excel at and be known for.

I have a history of creating my own custom “bug bounty automation” systems to automate the process of performing reconnaissance, vulnerability discovery at asset prioritization. These days it’s called “External Attack Surface Management” (EASM). In essence, EASM is hardly a new concept. The name has become fancier since Gartner listed EASM as an emerging product but the concepts are very similar.

Gone are the days when gate-based security processes were the most effective way to ensure security of an organization’s external attack surface. Getting the security team to sign off on every new application or asset before they go live simply is not scalable.

Detectify is aiming to make security understandable and easy to work with. That is why we visualize your security status in several ways in the tool: You can track the progress over time and your Threat Score gives you an instant security level ranking. In the blog post, we will focus on how you should interpret and work with your Threat Score.

“Crowdsourced security provides a way for security teams to expand their efficiency, especially when it comes to managing their external attack surface,” said Rickard Carlsson, Co-founder and CEO of Detectify. “Hackers have eyes and ears all over the web, and they’re constantly monitoring attack surfaces for exploitable entry points.

The holidays are coming up quickly and while many of us are looking forward to getting some human downtime (not technical), some may be feeling the pressure and some stress to make sure everything that needs to be done by the end of the year is in fact done by then, especially with the ongoing log4j aka log4shell security fires happening.

The vulnerability, dubbed CVE-2021-43798 impacted the Grafana dashboard, which is used by companies around the world to monitor and aggregate logs and other parameters from across their local or remote networks. The privately reported bug became a leaked zero-day but was first spotted by Detectify Crowdsource hacker Jordy Versmissen on December 2, after which Grafana was notified by Detectify about the bug.

Thanks to Detectify Crowdsource hackers, Detectify quickly developed a security test to detect Critical vulnerability CVE-2021-44228 Apache log4j RCE. This vulnerability has set the internet alight over the past few days. Right now, exploit developers and security researchers are still understanding the potential capabilities provided by the vulnerability. Detectify received a working POC for this critical 0-day vulnerability from the Crowdsource community on Friday.

Detectify co-founder and expert bug bounty hunter Fredrik Nordberg Almroth (@almroot) recently spoke at Hack Your Stockholm, our first in-person event after a 2-year hiatus, addressing the issue of the growing attack surface of companies and how it is the most pressing issue facing CISOs today. He recaps his thoughts in this post.

Global organizations are working towards making data privacy a fundamental right. However, as the privacy paradigm shifts to a digital world, businesses are more exposed than ever before. That’s because security has not been the focus of this revolution in IT infrastructure.