We launched something big!

It's been quite a week... but we've got some news that will lift your spirits if not your 401k. ICYMI, we announced some exciting new exposure management capabilities which are now available (for free) in the runZero Platform. 

Our expanded platform offers a new approach to manage the risk lifecycle, enabling you to detect, prioritize, and remediate broad classes of exposures across internal and external attack surfaces, including those that evade traditional vulnerability management and EASM solutions. Our goal is to overcome persistent, decades-old problems with current approaches that we’re all well aware of.

Intrigued? We hope so. Keep reading below and check out these resources:

• Read our launch blog for some unvarnished opinions on why it's high time for a new approach.
  
• Tune in to our webcast with Omdia as HD Moore and Rik Turner unpack "Vulnerability management is broken: what's the fix?"
• Check out our new product capabilities in our release blog.
• Watch next week's runZero Hour for a deep dive and demo of the new features, including risk findings, risk prioritization, and risk management dashboards.

And if you’re headed west for BSides SF and RSAC, come see our talks, swing by our parties, and grab some limited edition swag. You might even spot a large Yeti.

The runZero Team

Vulnerability management is broken: what's the fix?

Live webcast with HD Moore & Rik Turner (Omdia)
April 23 • 11am ET / 8am PT / 4pm GMT

Vulnerability management is a venerable discipline within cybersecurity, dating back to the turn of the millennium. It has undergone some evolution over the years, most notably with the application of prioritization, but runZero founder and CEO HD Moore argues that it cannot address the modern threat landscape.

The volume, velocity, and variety of new threats, the fragmentation of corporate IT brought by cloud and remote working, and the asset sprawl enabled by cloud native app development are all challenges that traditional vulnerability management cannot meet. So what's the path forward? And will exposure management prove to be the fix?

Join HD Moore and Omdia Analyst Rik Turner as they dissect:

• Why vulnerability management is struggling in modern IT infrastructures
• Why CVEs don’t give you the full story
• Why prioritization only papers over the cracks
• How exposure management brings a new and fundamentally different approach that’s fit for the new era

runZero Hour: Exposure Management Launch Edition

Live webcast with Tod Beardsley & Rob King
April 16 • 1pm ET / 11am PT / 6pm GMT

Join us for a deep dive into the new exposure management capabilities just released in the runZero Platform! Come for the demo and stay for the amazing security outcomes. 

Tune in as Tod and Rob take you on a tour of:

• New Risk Findings: We've introduced a whole new paradigm for organizing and addressing exposures, providing focus and comprehensive coverage where traditional tools falter. With runZero, you can detect broad classes of exposures that often fly under the radar, including internet exposures, end-of-life systems, open access services, expired certificates, shared private keys, zero day threats, and more. See how to uncover elusive exposures and go well beyond CVEs to detect the weak spots that attackers target.
  
  
• New Risk Prioritization: Our goal is to offer richer, more meaningful asset and exposure data that effectively prioritizes the risks that truly put your organization in danger. runZero leverages business context, device impact, and key attributes to highlight the most critical exposures in your environment. Discover how we approach prioritization from a new angle to ensure you're never flooded with a sea of irrelevant alerts.
  
  
• New Risk Dashboards: Our beautiful new dashboards deliver a centralized hub for taking action on risks, providing actionable insights with advanced findings widgets and customizable visualizations. We'll show you how to get started immediately with views built for your specific needs.

We'll also have plenty of Q&A, so bring your questions... and your feedback!

If you can't tell by now, we're pretty excited to unveil our latest release. This update accelerates the detection and prioritization of the exposures most likely to be exploited, ensuring you can act fast and effectively. 

Here's a quick summary of all the new capabilities, but we highly recommend you check out the release blog for all the details. Enjoy!

What's New

Our beautiful new risk management dashboard centralizes actionable information like:

• Rapid Response Alerts: Immediate notifications for new, critical risks.
• Comprehensive Findings Overviews: Visual distributions and trend analyses of risk exposures.
• Enhanced Change Tracking: Monitor new assets and evolving risk profiles in real time.
• Customizable Widgets: Tailor visualizations to suit your environment.
• Advanced Risk Scoring: Refined categorizations help you pinpoint vulnerabilities with the highest likelihood of exploitation.

New Risk Findings

We’ve reimagined how you interact with risk data:

• Unified Exposure View: Aggregates all instances by exposure category, mapping them directly to affected assets and services.
• Context-Driven Criticality: Automatically organizes exposures by type and criticality, streamlining your remediation workflow.
• Drill-Down Capabilities: Click on a high-level category — such as publicly exposed operational technology (OT) — to access detailed asset information, including advanced fingerprinting data.

Expanded Risk Categories

The release covers a diverse set of risk findings, including:

• Internet Exposures: Detects internal assets inadvertently exposed to the internet, like Remote Desktop services or sensitive OT devices.
• End-of-Life Systems: Flags outdated hardware or software (e.g., aging Cisco Small Business Switches, obsolete Windows versions).
• Open Access Services: Identifies misconfigurations such as unauthenticated databases (MongoDB, Redis) and exposed management interfaces.
• Known Exploited Vulnerabilities: Leverages insights from CISA KEV and VulnCheck KEV catalogs to highlight active threat targets.
• Compliance Challenges: Monitors for equipment and configurations that violate regulations (e.g., NDAA Section 889).
• Certificates & Security Configurations: Spots issues with TLS certificates, SSH host keys, and best practice violations (e.g., SMBv1, weak SSL protocols).
• Rapid Responses: Continuously queries emerging threats, updating your risk status dynamically.
  
  

Fire up a free trial of runZero
Don't have runZero yet? Start your 21-day, fully-loaded free trial for up to 100,000 assets, with a smooth transition to our free Community Edition – no sales call required.

BSidesSF 2025
April 26 - 27 @ San Francisco, CA

Join us at BSides SF, a volunteer-led infosec conference driving open dialogue and community-powered progress in security. runZero is proud to sponsor Saturday’s Daytime Social. Come say hi, grab some limited-edition swag, and if you’re lucky, catch a glimpse of our lovable mascot, Zeti.

Don’t miss our speaking sessions:

Charting the SSH Multiverse
April 26 @ 1:30PM PT
AMC IMAX
SSH is the most commonly exposed dedicated management protocol on the internet, second only to HTTP, and it's had a rough year. This talk explores the diverse SSH implementations, their unique weaknesses, and real-world exposure data.

There and Back Again: Discovering OT Devices Across Protocol Gateways
April 27 @ 3:00PM PT
AMC Theatre 09
As IT and OT systems converge, security risks rise. This session dives into OT protocols, security implications, and how to discover OT devices even when they’re hiding behind legacy protocol gateways.

RSAC 2025 Conference
April 28 - May 1 @ San Francisco, CA

We’ll be just steps away from Moscone during RSA Conference and would love to connect with you. Our executive and technical experts are ready to talk through your biggest security challenges, provide personalized demos, discuss our product roadmap, and hear your runZero experiences. Schedule your meeting today!

RSA Hottest Innovators Party
April 29 @ Southside Spirit House

Join us for the 3rd Annual RSA Hottest Innovators Party, hosted by Ghost Security and powered by sponsors: runZero, Arms Cyber, Abstract Security, and Embed Security. It's the party the cool cyber kids are talking about.

runZero is thrilled to join Trace3 and other technology partners for an unforgettable Tech Day at the legendary Churchill Downs. This is more than an event—it’s a fusion of tradition, innovation, and opportunity that you simply can’t miss.

See all events ›

Your Next Incident Won't Have a CVE
On-Demand

HD Moore dissects why your next breach won’t be tied to a CVE and reveals why your security stack is failing you through the lens of an attacker. Get new perspectives on what’s required in the next era of exposure management to overcome decades-old challenges with existing tooling. See how you can finally illuminate the true risks that can get you owned, fill the dangerous gaps your legacy solutions left behind, and shrink the window of exploitability.

Dark Reading: Next-Gen SecOps Panel (Feat. HD Moore)
On-Demand

HD Moore joins the Next-Gen SecOps panel to discuss the evolution of security operations with cloud services, automation, and decentralized teams. Watch on-demand to learn how new tools enhance threat detection, streamline operations, and improve visibility across your expanding attack surface. The panel also explores how to build a modern SecOps team, select the right technologies, and gain clear visibility into your cloud and enterprise assets.

See all Rapid Responses ›

[Podcast]
Risky Business: Signal-gate + HD Moore on New Approaches to Exposure Management

[Press Release]
runZero Ushers in a New Era of Exposure Management

[runZero Blog]
Labelling for End-of-Life Consumer IoT

[ars TECHNICA]
Large enterprises scramble after supply-chain attack spills their secrets

[ars TECHNICA] 
DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers

[ComputerWeekly.com]
Visibility the starting point for many security pitches

[Cyber Defense Magazine]
Silent But Deadly: The True Impact of Unknown & Unmanaged Assets on Network Security


Read more ›