The cybersecurity industry faces an uncomfortable truth that few want to acknowledge: most successful breaches don't happen because defenders ignored known vulnerabilities. They happen because attackers exploited assets that organizations never knew existed in the first place.
HD Moore, founder and CEO of runZero and creator of the legendary Metasploit framework, has spent decades observing this pattern across countless penetration tests for high-security organizations. His findings challenge the fundamental assumptions underlying modern vulnerability management programs.
The Discovery Problem
Through repeated testing engagements, Moore identified a consistent flaw in how organizations approach security. Teams invest heavily in patch management, threat intelligence, and incident response, yet they routinely miss half their actual attack surface. These unknown assets—from unmanaged IoT devices to forgotten development servers—create pathways that bypass even the most sophisticated security controls.
"Organizations often believe they have complete visibility into their environment," Moore explains. "But when we conduct discovery using attacker-grade techniques, we typically double the asset count they thought they had."
This visibility gap stems from reliance on authenticated scanning tools and agent-based discovery methods that only identify properly managed systems. Meanwhile, shadow IT deployments, legacy hardware, and misconfigured devices remain invisible to traditional security tools.
Beyond CVE Lists
The industry's obsession with Common Vulnerabilities and Exposures (CVE) identifiers compounds the problem. CVE tracking serves important functions, but it creates a false sense of security: it focuses attention on catalogued vulnerabilities, while real-world attacks often exploit misconfigurations, weak credentials, and zero-day flaws that never receive CVE assignments.
Moore's approach at runZero deliberately inverts this model. Instead of starting with vulnerability lists, the platform begins with comprehensive asset discovery using unauthenticated techniques that mirror how actual attackers probe networks. This reveals exploitable conditions from an adversary's perspective, identifying systems with accessible management interfaces, outdated firmware, and dangerous network connections.
Practical Impact
The business implications extend beyond theoretical risk reduction. Organizations discovering their complete attack surface can optimize security tool deployment, eliminate dangerous network segmentation gaps, and focus remediation efforts on the small subset of vulnerabilities that pose genuine business risk.
Rather than managing thousands of low-impact findings, security teams can concentrate on the specific assets and configurations that create pathways to critical data. This transforms vulnerability management from a reactive patching exercise into a strategic risk reduction program.
Community Contributions
Moore's commitment to advancing the field extends beyond commercial products. Through Project Discovery, he continues contributing to open source security tools, particularly enhancing the nuclei scanner to accelerate vulnerability detection across the community. This approach ensures that improved discovery techniques benefit all defenders, not just paying customers.
The Path Forward
The lesson for security leaders is clear: effective defense requires honest assessment of what exists in your environment. Traditional discovery methods, designed for asset management rather than security assessment, provide incomplete pictures that leave dangerous blind spots.
Organizations serious about reducing breach risk must adopt discovery techniques that reveal their networks as attackers see them. Only then can they build security programs based on reality rather than assumptions.
The cybersecurity industry's evolution toward zero trust architectures and continuous monitoring reflects growing recognition of this principle. But implementation requires tools and techniques that can actually see the complete attack surface—including the assets that traditional methods miss.
Until security teams achieve genuine visibility into their environments, they remain vulnerable to the oldest trick in the attacker playbook: exploiting the things defenders don't know they need to protect.
Learn more about runZero: https://itspm.ag/runzero-5733
Note: This story contains promotional content.
Guest
HD Moore, Founder and CEO of runZero | On LinkedIn: https://www.linkedin.com/in/hdmoore/
Resources
Learn more and catch more stories from runZero: https://www.itspmagazine.com/directory/runzero