Service Offering 2 · Attack Surface Reporting Enablement
Coverage demonstrated, not asserted.
The Well-connected offering. Composite entities mapped across sources, entity owners certified, coverage gaps named rather than papered over. Trustworthy data from Offering 1 feeds the cross-tool reconciliation that turns "we think we have visibility" into a measurable, audit-ready attack surface report.
The problem this engagement solves
The "we have visibility" claim is rarely true under inspection.
Most attack-surface reporting programs are built on an unspoken assumption: that the sources feeding them agree about what's on the network. They don't. The CMDB says 50,000 assets, the EDR sees 47,000, the vulnerability scanner sees 52,000, and the identity provider counts users that don't map cleanly to any of those. The delta either gets papered over (the report shows a number the analyst doesn't believe) or quietly excluded (the report shows a smaller number that's defensible but incomplete). Either way, the report doesn't say what coverage it actually has.
Underneath the count discrepancy is an entity-resolution problem. The asset identifier field means three different things in three different tools. The user attribute that's authoritative in the IdP is stale in the CMDB. The vulnerability scan that's complete for the cloud estate is silently skipping the OT segment. Vendors sell "single pane of glass" without solving any of this; they present a unified UI on top of unreconciled data and let the customer believe the picture is whole. It isn't. The audit catches this. The executive review catches this. The next breach response catches this, usually too late to fix without budget and time pressure.
Attack Surface Reporting Enablement is the work that makes the reconciliation explicit and the coverage measurable. Composite entities (Asset, User, Configuration, Vulnerability) get mapped across the sources that touch each one. Authoritative-source-per-attribute gets named with confidence and freshness scoring. Coverage gaps get listed as gaps rather than smoothed into the totals. Entity owners sign off on what they own, and the certification rhythm becomes the durable artifact rather than a one-time snapshot. The attack surface report that ships out of this engagement is one your auditor can defend and your incident responder can trust.
What you get
Five deliverables. The certification rhythm is the one that compounds.
Composite entity map.
Four entity types resolved across your tooling:
| Entity type | Spans |
|---|---|
| Asset | endpoints, servers, cloud instances, OT devices |
| User | identity, service principals, contractors |
| Configuration | host configs, network configs, IAM policies |
| Vulnerability | open findings, exceptions, compensating controls |
Each entity type carries an authoritative-source-per-attribute mapping with confidence and freshness scoring. The mapping is the data catalog the rest of the reporting depends on; the catalog tells a downstream query which source to read when the analyst asks "what's the authoritative ownership for this host."
Cross-tool reconciliation report.
Where the sources disagree, the deltas are documented. CMDB-vs-EDR asset deltas with the classification rule that determines authority. IdP-vs-CMDB user deltas with the reconciliation method. Vulnerability-scanner coverage versus asset coverage with the named gaps (OT, ephemeral cloud, contractor endpoints, whatever the environment includes). The report doesn't try to make the deltas disappear; it makes them visible and assigns the authoritative-source decision per attribute. That visibility is what turns "we have asset inventory" into "we have asset inventory with measured reconciliation across these eight sources, with these named gaps."
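As an added illustration of the composite entity map and the cross-tool reconciliation described above (example code written for this page, not the offering's own tooling), the script below takes three small constructed exports (a CMDB, an EDR and a vulnerability scanner) that key the same machines differently, normalises them to one entity key, picks the authoritative source for each attribute by a trust-times-freshness score, and reports the CMDB-vs-EDR deltas, the unscanned hosts and the named gaps with measured coverage. The source confidences, the 90-day half-life, the `plc-` prefix rule for the OT segment and every host in the exports are assumptions chosen for the illustration.

```python
"""Cross-tool asset reconciliation with authoritative-source-per-attribute scoring.

Illustrative code added to this page; it is not the offering's own tooling.
All exports below are constructed samples, and the source confidences, half-life
and segment rule are assumptions chosen for the illustration.
"""
import json
from datetime import date
from typing import Dict, List

# Constructed sample exports. Each tool keys the same machines differently: the
# CMDB uses a short CI name, the EDR a mixed-case FQDN, the scanner a lowercase FQDN.
CMDB = [
    {"ci_name": "web-01", "owner": "platform-team", "last_seen": "2024-05-01"},
    {"ci_name": "db-01", "owner": "data-team", "last_seen": "2023-11-15"},
    {"ci_name": "plc-07", "owner": "ot-engineering", "last_seen": "2024-04-20"},
]
EDR = [
    {"hostname": "WEB-01.corp.example", "last_seen": "2024-05-10"},
    {"hostname": "DB-01.corp.example", "last_seen": "2024-05-09"},
    {"hostname": "build-agent-3.corp.example", "last_seen": "2024-05-08"},
]
SCANNER = [
    {"target": "web-01.corp.example", "scanned": "2024-05-05"},
    {"target": "db-01.corp.example", "scanned": "2024-05-05"},
]

# Assumed classification rule: keys with these prefixes sit in a segment the
# scanner is known not to reach. The gap is named in the report, not hidden.
UNSCANNED_SEGMENTS = {"plc-": "OT segment (no scanner access)"}
# Assumed per-attribute trust in each source before freshness decay is applied.
SOURCE_CONFIDENCE = {"owner": {"cmdb": 0.9}, "last_seen": {"edr": 0.95, "cmdb": 0.6}}
HALF_LIFE_DAYS = 90  # assumption: a value loses half its weight every 90 days


def canonical_key(raw: str) -> str:
    """Normalise a tool-specific identifier to the key used for entity matching."""
    return raw.lower().split(".")[0]


def freshness(observed: str, as_of: str) -> float:
    """Exponential decay of trust in a value as it ages (ISO dates)."""
    age = (date.fromisoformat(as_of) - date.fromisoformat(observed)).days
    return round(0.5 ** (max(age, 0) / HALF_LIFE_DAYS), 3)


def reconcile(as_of: str = "2024-05-15") -> dict:
    """Map composite Asset entities across CMDB, EDR and scanner, choose the
    authoritative source per attribute, and report deltas, gaps and coverage."""
    entities: Dict[str, dict] = {}

    def entity(key: str) -> dict:
        return entities.setdefault(key, {"sources": set(), "attributes": {}})

    def offer(e: dict, attr: str, value: str, source: str, observed: str) -> None:
        # A candidate value wins the attribute only if its (trust x freshness)
        # score beats what an earlier source already supplied.
        score = round(SOURCE_CONFIDENCE[attr][source] * freshness(observed, as_of), 3)
        current = e["attributes"].get(attr)
        if current is None or score > current["confidence"]:
            e["attributes"][attr] = {"value": value, "source": source, "confidence": score}

    for row in CMDB:
        e = entity(canonical_key(row["ci_name"]))
        e["sources"].add("cmdb")
        offer(e, "owner", row["owner"], "cmdb", row["last_seen"])
        offer(e, "last_seen", row["last_seen"], "cmdb", row["last_seen"])
    for row in EDR:
        e = entity(canonical_key(row["hostname"]))
        e["sources"].add("edr")
        offer(e, "last_seen", row["last_seen"], "edr", row["last_seen"])
    for row in SCANNER:
        entity(canonical_key(row["target"]))["sources"].add("scanner")

    def present(key: str, source: str) -> bool:
        return source in entities[key]["sources"]

    keys = sorted(entities)
    deltas: Dict[str, List[str]] = {
        "cmdb_not_edr": [k for k in keys if present(k, "cmdb") and not present(k, "edr")],
        "edr_not_cmdb": [k for k in keys if present(k, "edr") and not present(k, "cmdb")],
        "unscanned": [k for k in keys if not present(k, "scanner")],
    }
    # Only gaps that match a classification rule get a name; the rest stay listed
    # under "unscanned" so the total is never quietly shrunk to fit.
    named_gaps = {k: reason for k in deltas["unscanned"]
                  for prefix, reason in UNSCANNED_SEGMENTS.items() if k.startswith(prefix)}
    coverage = {
        "edr_pct": round(100 * sum(present(k, "edr") for k in keys) / len(keys), 1),
        "scanner_pct": round(100 * sum(present(k, "scanner") for k in keys) / len(keys), 1),
    }
    for e in entities.values():
        e["sources"] = sorted(e["sources"])  # stable, JSON-friendly output
    return {"as_of": as_of, "entities": entities, "deltas": deltas,
            "named_gaps": named_gaps, "coverage": coverage}


if __name__ == "__main__":
    print(json.dumps(reconcile(), indent=2))
```

Two design points carry over to a real engagement. First, the stale CMDB record for `db-01` (last seen six months before the report date) keeps its owner attribute but with a low confidence score, so the report shows that the ownership claim needs re-certification rather than silently presenting it as current; the EDR, seen days ago, wins the `last_seen` attribute. Second, `build-agent-3` is visible to the EDR only: it has no certified owner and is unscanned, and it appears in the deltas and the unscanned list rather than disappearing from the count, which is exactly the "gap listed as a gap" behaviour the reconciliation report is meant to enforce.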
Coverage matrix.
The attack-surface dimensions your reporting has to defend (endpoints, identities, cloud workloads, OT, third-party, configuration drift, vulnerability exposure) scored against the tools currently providing coverage. The matrix says which dimensions are covered, which are partial, which are uncovered. The uncovered dimensions get paired with the candidate tools and the procurement work that would close them. The matrix is the working artifact that turns "what's our coverage" from a qualitative answer into a quantitative one your CISO can present to the board.
Owner certification rhythm.
The durable deliverable. Entity owners (security architecture, IT operations, identity team, vulnerability management) formally confirm what their team owns, what their sources are authoritative for, and what they don't cover. Certification runs on a defined cadence, typically quarterly, with an exception process for transient gaps. The rhythm produces audit evidence over time rather than a single point-in-time snapshot. It's also the mechanism that catches drift: when an owner can't certify because a source feed broke or a tool was decommissioned, the certification flags the gap before the next audit finds it.
Reporting layer with measured coverage.
The attack surface report itself, generated from the reconciled data with measured coverage attached to each figure. Asset count by tier with the reconciliation method footnoted. Identity coverage by population with the gap groups named. Vulnerability exposure with the scan-coverage caveat attached. The report passes the audit test (the auditor can trace each number back to its sources) and the incident-response test (the responder can trust the picture during a live event). The template lives in your reporting tooling (Splunk, Sentinel, Chronicle, custom Grafana, doesn't matter) wired into the data catalog so it stays current as the certification rhythm updates the underlying mappings.
The prerequisite
Trustworthy data first. Connected data second.
This offering assumes the sources feeding it are measured, validated, and trustworthy. That work is Offering 1, Data Health Validation, the operational track that gates everything downstream. Programs that try to do attack-surface reporting on unvalidated sources inherit the source-level errors into the composite entities. The report then encodes source problems as architectural problems, which is the wrong diagnosis at the wrong layer.
If Offering 1 isn't already in place, the engagement starts there. The bundle is a two-stage sequence: Data Health Validation produces measured sources, then Attack Surface Reporting Enablement maps the composite entities. Pricing reflects the combined scope when both are run as a single program; the discount applies because the second offering's discovery work overlaps with the first offering's source inventory.
What it costs you
Stakeholder time, sample entity exports, and a commitment to the certification cadence.
The prospect-side investment is mostly people-time. Working sessions with the security architect, the CMDB or asset-inventory owner, the EDR or endpoint platform admin, the identity team lead, and the vulnerability management lead. Each stakeholder runs roughly four to six hours across the engagement window for scoping, reconciliation review, and the first owner-certification pass. Sample entity exports (anonymized) from each tool in scope. Read-only documentation access to each tool's data model and integration points. No production data egress required.
The durable commitment is to the certification rhythm. Once the engagement ships, the entity-owner certifications need to run on the defined cadence, typically quarterly. That's a recurring few hours per stakeholder per quarter. Programs that won't sustain the rhythm get the one-time deliverable without the compounding value; the rhythm is what keeps the picture current as the environment changes. The engagement includes the first certification cycle and the documented runbook for subsequent cycles.
Pricing is sized to scope rather than fixed. The variables are number of source tools to reconcile, entity-type breadth (some programs only need Asset and User; others need all four), regulatory framework requirements that shape the coverage matrix, and whether Offering 1 is already in place or needs to run first. Typical engagements land in the $40K–$90K range with timelines of three to six weeks. The Advisory Retainer is the right vehicle for ongoing certification-cycle support; organizations with mature reporting programs can run the cycles internally after the initial enablement.
What this engagement is not
Four boundaries documented up front.
Not a tool replacement. The engagement assumes you already run a CMDB, an EDR, a vulnerability scanner, an identity provider, and the analytics tier they feed. Attack Surface Reporting Enablement sits on top of those tools, reconciling them and naming the coverage gaps. If the engagement uncovers a tool gap the program needs to close, that procurement decision goes through the matrix and is scoped as a separate body of work.
Not a one-time exercise. The certification rhythm is the actual deliverable. Programs that buy the composite entity map but skip the recurring certification get a snapshot that ages out within two quarters as the environment changes. The engagement is structured around shipping the rhythm; if the organizational commitment to the rhythm isn't there, the engagement isn't ready to ship. That's the right time to scope a different starting engagement instead.
Not vendor-neutral on principle. If the analysis says a specific entity-resolution platform or CMDB candidate ranks higher for your environment than your current tooling, the recommendation says so. Vendor neutrality is a consequence of the empirical-skepticism method rather than the goal. The research page tracks where prior recommendations have moved as evidence shifted.
Not a substitute for the SOC-level controls that produce attack-surface coverage in the first place. Reporting that you have 47,000 endpoints is useful only if the EDR is deployed to those endpoints. The engagement names the coverage gaps but does not close them. Closing them is operational work that follows the engagement, owned by the relevant team.
Measured coverage. Named gaps. A rhythm that compounds.
Start with a 30-minute intro call. If Offering 1 needs to run first, the bundle pricing applies and the work sequences cleanly into one program.