Most organisations believe they have a solid grip on their security posture. They invest in tools, run tests, and build out security teams. Yet when a breach happens, the entry point is often an asset no one was monitoring, something unknown, unmanaged, and fully exposed.
That gap between perceived security and actual exposure is the core challenge Rob Gurzeev has spent his career trying to solve. In this episode of Security Strategist, host Richard Stiennon speaks with Rob Gurzeev, CEO of CyCognito, to unpack the realities of external attack surface management and why many organisations continue to fall behind despite years of investment.
The Attack Surface Has Outgrown
The scale of the problem is difficult to overstate. Where an enterprise once managed a handful of websites and internal systems, it now contends with hundreds of thousands of applications, cloud assets, APIs, and connected devices, many of which were provisioned quickly, handed off between teams, or simply forgotten.
Gurzeev points out that in large enterprises, the number of externally exposed assets can reach into the tens of millions. Up to 50 per cent of those assets are often entirely unknown to the security team. They are not in any inventory. Nobody is patching or monitoring them. From an attacker's perspective, they are the most attractive place to start. This is the nature of the modern external attack surface, not a defined perimeter, but a constantly shifting sprawl of exposure that grows faster than most teams can track it.
Why Traditional Security Approaches Fall Short
The instinct for many organisations is to run more tests. It is a reasonable response, but it addresses only a fraction of the actual risk. Manual pen testing, by its nature, is scoped and time-limited. Gurzeev is direct on this point: in environments with hundreds of thousands of assets, traditional testing leaves the vast majority of the attack surface unexamined. The result is a false sense of security; teams believe they have assessed their exposure when, in practice, they have assessed a small and carefully selected slice of it.
The big issue is visibility. Security investments have historically been built around known assets, things that are already in the inventory, already behind a firewall, already being monitored. The unknown assets fall outside that perimeter entirely, and it is precisely those assets that attackers seek out.
The Shift AI Has Made Possible
This is where the conversation turns. AI has fundamentally changed what is achievable in attack surface management, and Gurzeev is clear about the practical impact: real-time threat detection, at scale, across the entire external surface, not just the assets that are already known. Continuous automated testing now makes it possible to assess every exposed asset, not a curated sample of them. Vulnerabilities that would previously have gone undetected for months can now be surfaced within hours. The economics have shifted as well. The prohibitive cost of testing at scale, which once made comprehensive coverage impractical, has been dramatically reduced. For CISOs and CIOs operating under resource constraints, that matters. The question is no longer if comprehensive coverage is possible. It is whether the organisation has decided to pursue it.
What Security Leaders Should Take Away
Visibility is not something organisations can assume; it has to be actively built and continuously maintained. In large enterprises, unknown assets often make up the bulk of real exposure, rather than being a marginal risk. AI-driven tools are now making it possible to assess this landscape continuously and at scale. In this context, mean time to remediation becomes the defining metric separating organisations that actively manage risk from those that only measure it. Thinking like an attacker means asking a simple question: which of our assets does nobody know about? The answer to that question is where the real work begins.
For more on external attack surface management and enterprise cybersecurity, visit cycognito.com.
Connect with the guest:
Rob Gurzeev: LinkedIn | Co-Founder & CEO, CyCognito
Takeaways
- External attack surface complexity
- Impact of AI on cybersecurity
- Strategies for attack surface visibility
- Continuous monitoring is essential, not one-off assessments
- Proactive exposure management reduces breach risk