In our experience working with clients across industries, organisations often find themselves "with all the gear but no idea."
Despite investing in sophisticated attack surface management (ASM) tools, many struggle to gain meaningful visibility into their digital footprint. This challenge becomes particularly acute when organisations grow through acquisitions and legacy systems pile up.
In this edition of our Behind the Scenes series, we look at a recent client engagement that exemplifies our approach to security consulting. We share these experiences and lessons learned to demonstrate how human expertise and deep technical understanding can transform security outcomes.
We believe in transparency about our methods and mistakes, as these insights often prove most valuable to organisations facing similar challenges. Let’s dig in.
Why automated tools are not enough
Traditional ASM tools excel at gathering data but often fall short in providing actionable insights. They typically rely on default parameters and theoretical risk scores, which can lead to a disconnect between identified vulnerabilities and real-world risks.
As our VP of Technical Services, Avinash Thapa, explains: "Any commercial tool will highlight an old version as a high-severity vulnerability. But what if there's no active exploit available? It's risky, but not as risky as an application with smaller access-related issues that's actively exploitable."
At Chaleit, we've developed a methodology that combines the efficiency of automation with the nuanced understanding that only human expertise can provide. Our approach goes beyond traditional Open Source Intelligence (OSINT) to what we call "human-driven OSINT." This means:
Looking beyond default parameters to assess real-world exploitability
Providing contextualised risk assessments
Creating consumable, actionable outputs
Maintaining ongoing validation and refinement
A recent engagement highlights the transformative power of this approach.
From chaos to clarity
A client approached us believing they had a clear picture of their attack surface. However, initial discussions revealed they were only seeing "the tip of the iceberg."
Our team conducted a comprehensive assessment that uncovered previously unknown subsidiaries and acquisitions. Working intensively over a week, we:
Analysed thousands of assets
Validated each potential vulnerability
Created a customised prioritisation framework
Delivered an actionable roadmap for risk mitigation
What began as a one-time assessment evolved into an ongoing engagement, with our deliverable becoming the client's "single source of truth" for security operations. "It's being utilised and improved on a day-to-day basis," notes Avinash. "That's something good — it's not just another report sitting in a drive waiting to be deleted."
Practical lessons and recommendations
From this engagement we draw several lessons that can benefit organisations looking to strengthen their security posture:
1. Question your assumptions
Never assume you have complete visibility of your attack surface
Regular assessment reveals unknown assets, especially after mergers and acquisitions
Legacy systems often harbour unexpected vulnerabilities
2. Prioritise based on real-world risk
Look beyond vulnerability scores to assess actual exploitability
Consider business context when prioritising remediation efforts
Focus on vulnerabilities with active exploit potential first
3. Make security data actionable
Transform complex technical findings into clear, business-aligned recommendations
Create living documents that teams can maintain and update
Establish single sources of truth for security operations
4. Implement continuous validation
Regular reassessment keeps asset inventory current
Validate automated findings with manual expertise
Update prioritisation based on emerging threats
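As an added illustration of lesson 2 and of Avinash's example above, the Python sketch below re-ranks scanner findings so that public exploit availability, internet exposure and client-assigned asset criticality count alongside the raw CVSS score. It is example code written for this article, not Chaleit's own prioritisation framework (the article does not publish its weights); the weights, field names and sample findings are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    title: str
    cvss: float              # scanner's base score, 0-10
    exploit_available: bool  # public working exploit or observed exploitation
    internet_facing: bool
    asset_criticality: int   # 1 (low) .. 3 (business-critical), set by the client


def priority(f: Finding) -> float:
    """Contextual priority: the scanner score is only one input.

    The weights are an illustrative assumption, not a published formula.
    """
    score = f.cvss
    if f.exploit_available:
        score += 3.0   # actively exploitable: push it up the queue
    else:
        score *= 0.5   # no known exploit: real, but not urgent
    exposure = 1.0 if f.internet_facing else 0.6
    crit = {1: 0.7, 2: 1.0, 3: 1.3}[f.asset_criticality]
    return round(min(score * exposure * crit, 15.0), 2)


def scanner_rank(findings):
    """What a default ASM/scanner report would show: CVSS only."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def contextual_rank(findings):
    """The re-ranked queue a remediation team should work from."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample findings mirroring the article's example.
SAMPLE = [
    Finding("legacy-app.example", "Outdated framework version", 9.1, False, True, 2),
    Finding("portal.example", "Broken access control on export endpoint", 6.5, True, True, 3),
    Finding("intranet-wiki", "Outdated framework version", 9.1, False, False, 1),
]

if __name__ == "__main__":
    for f in contextual_rank(SAMPLE):
        print(f"{priority(f):5.2f}  cvss={f.cvss}  {f.asset}: {f.title}")
```

The outdated-but-unexploited framework tops the scanner's list, while the exploitable access-control flaw on the critical portal tops the contextual one.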
From implementation to mastery
Our approach to security assessment is perhaps best understood through an analogy: It's the difference between using AI to generate art and having a master painter create an original piece.
While automated tools can provide a baseline, true mastery comes from:
Deep understanding of the client's context
Manual validation of potential vulnerabilities
Customised risk prioritisation
Actionable, business-aligned recommendations
The value we provide extends beyond initial implementation. Just as with EDR tools, where basic deployment only scratches the surface of potential capabilities, our approach focuses on achieving mastery. We refine and customise our methodology to each client's unique context, ensuring that security investments deliver maximum value.
If you're struggling to gain visibility into your attack surface or questioning the effectiveness of your current security tools, take the first step towards clarity. Our security health check provides a comprehensive baseline assessment of your digital footprint, identifying immediate risks and opportunities for enhancement — without disrupting operations.