
Revealing hidden threats: how runZero is redefining network security

In a recent interview with Wes Hutcherson, Director of Product Marketing at runZero, we delved into the growing threat of unknown and unmanaged assets in network security. These hidden devices, accounting for over 60% of connected assets and linked to 70% of breaches last year, often include decentralised IT, IoT, and OT devices that traditional discovery tools fail to detect, leaving organisations vulnerable to sophisticated attacks. Hutcherson emphasised the importance of complete infrastructure visibility to uncover blind spots that disrupt operational resilience and compliance. runZero addresses this challenge through advanced fingerprinting technology, combining active scanning, passive discovery, and API integrations to provide real-time visibility without relying on credentials or agents.

Additionally, with IoT attacks surging by 400% and OT intrusions affecting 75% of systems, Hutcherson highlighted the need for robust defences against increasingly targeted IoT and OT devices, which are exploited by groups like Flax Typhoon and Sandworm. By ensuring no asset remains hidden, runZero offers a proactive solution to mitigate vulnerabilities and strengthen security in today’s rapidly evolving cyber landscape.

Can you elaborate on why unknown and unmanaged assets are considered a silent threat to network security? How can organisations proactively identify and mitigate these risks?

runZero: Unmanaged and unknown assets pose a considerable threat to network security – over 60% of connected devices are invisible to defenders, and unmanaged assets were linked to 7 out of 10 breaches last year. These devices—ranging from decentralised IT assets to unconventional (but highly interconnected) IoT and OT devices—are notoriously hard to identify and secure. Often hidden in the shadows of environments, these assets don’t just represent gaps in visibility—they create vulnerabilities that ripple through every aspect of operational resilience.

To ensure all bases are covered, organisations need complete infrastructure visibility. Unmanaged and unknown assets are like puzzle pieces left out of the box, which make it impossible to see the full picture. Discovery and management of all assets is the true foundation of compliance and resilience. Relying solely on traditional discovery and vulnerability management tools often leaves critical gaps, potentially putting organisations at risk of non-compliance—or worse, being exposed to security threats.

How does runZero help organisations gain visibility into unmanaged devices and assets, especially in complex networks?

Unmanaged devices, shadow IT, and hidden assets provide some of the biggest blind spots for organisations, and that’s where attackers often strike. runZero is unique because it uses a combination of active scanning, passive discovery and API integrations, all powered by advanced fingerprinting technology, to discover assets and provide insights. It integrates with existing security tools—whether it’s an EDR platform or a vulnerability scanner—to pull in additional context and create a full environment picture for security leaders.

Advanced fingerprinting technology enables runZero to help organisations identify devices, operating systems, and services even when security teams don’t have credentials or agents on those systems. This is critical in complex networks where traditional discovery tools often miss assets or require a lot of manual setup.

Another key benefit of using runZero is speed. Networks are constantly changing—new devices get added, old ones get reconfigured, and exposures can crop up overnight. With runZero, organisations can discover assets at a pace that keeps up with this change, ensuring security teams always have an up-to-date view of their environment. And it’s not just about identifying devices—security teams within an organisation can map out their exposures so they can see exactly where vulnerabilities are and take action before attackers strike.
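The answer above describes the core mechanic in the abstract: merge what active scanning and passive listening observe, fingerprint each device from what was seen (no credentials or agents), and compare the result with what the managed-asset tooling already knows. The following is an added illustration of that reconciliation step, written for this article; it is not runZero's code, and the scan results, passive records, inventory and the tiny OUI/service rule table are all constructed for the example.

```python
"""Reconcile discovered assets against a managed-asset inventory.

Added example (not runZero code). Active-scan and passive observations are
folded into one record per IP, each record gets a coarse category from the
services and vendor prefix seen, and anything absent from the EDR/CMDB
inventory is reported as unmanaged, OT and IoT devices first.
"""
from dataclasses import dataclass, field

# Constructed: what an active scan saw (open ports with service banners).
ACTIVE_SCAN = [
    {"ip": "10.0.5.10", "port": 22, "banner": "SSH-2.0-OpenSSH_9.6"},
    {"ip": "10.0.5.10", "port": 445, "banner": ""},
    {"ip": "10.0.5.44", "port": 80, "banner": "Server: GoAhead-Webs"},
    {"ip": "10.0.5.44", "port": 554, "banner": "RTSP/1.0 200 OK"},
    {"ip": "10.0.5.77", "port": 502, "banner": ""},  # Modbus/TCP, no banner
]

# Constructed: passive observations (DHCP/mDNS style) for the same segment.
PASSIVE = [
    {"ip": "10.0.5.10", "mac": "00:50:56:ab:cd:01", "hostname": "fs01.corp.example"},
    {"ip": "10.0.5.44", "mac": "3c:ef:8c:12:34:56", "hostname": "cam-lobby"},
    {"ip": "10.0.5.77", "mac": "00:80:f4:11:22:33", "hostname": ""},
    {"ip": "10.0.5.99", "mac": "00:50:56:ab:cd:09", "hostname": "laptop-jdoe"},
]

# Constructed: hostnames the EDR/CMDB API reports as managed.
MANAGED_INVENTORY = {"fs01.corp.example", "laptop-jdoe"}

# Hypothetical vendor prefixes; a real deployment would use the IEEE OUI list.
OUI_VENDORS = {
    "00:50:56": "ExampleVirt Inc",
    "3c:ef:8c": "ExampleCam Inc",
    "00:80:f4": "ExamplePLC Corp",
}


@dataclass
class Asset:
    ip: str
    mac: str = ""
    hostname: str = ""
    services: dict = field(default_factory=dict)  # port -> banner
    category: str = "unknown"
    managed: bool = False


def merge_observations(active, passive):
    """Fold active-scan and passive records into one Asset per IP."""
    assets = {}
    for row in active:
        a = assets.setdefault(row["ip"], Asset(ip=row["ip"]))
        a.services[row["port"]] = row["banner"]
    for row in passive:
        a = assets.setdefault(row["ip"], Asset(ip=row["ip"]))
        a.mac = a.mac or row["mac"]
        a.hostname = a.hostname or row["hostname"]
    return assets


def fingerprint(asset):
    """Coarse category from observed services and vendor prefix.

    Rules are ordered most specific first and are illustrative only."""
    banners = " ".join(asset.services.values())
    vendor = OUI_VENDORS.get(asset.mac[:8].lower(), "")
    if 502 in asset.services or vendor == "ExamplePLC Corp":
        return "OT"
    if 554 in asset.services or "RTSP" in banners or vendor == "ExampleCam Inc":
        return "IoT"
    if "OpenSSH" in banners or 445 in asset.services:
        return "IT"
    return "unknown"


def reconcile(active, passive, inventory):
    """Merge, fingerprint and mark each asset as managed or not."""
    assets = merge_observations(active, passive)
    for a in assets.values():
        a.category = fingerprint(a)
        a.managed = a.hostname in inventory
    return assets


def unmanaged_report(assets):
    """(ip, category, exposed ports) for every asset not in the inventory."""
    rank = {"OT": 0, "IoT": 1, "IT": 2, "unknown": 3}
    rows = [(a.ip, a.category, sorted(a.services))
            for a in assets.values() if not a.managed]
    return sorted(rows, key=lambda r: (rank[r[1]], r[0]))


if __name__ == "__main__":
    for ip, category, ports in unmanaged_report(
            reconcile(ACTIVE_SCAN, PASSIVE, MANAGED_INVENTORY)):
        print(f"UNMANAGED {category:<7} {ip:<12} ports={ports}")
```

With the constructed data, the camera and the Modbus device show up as unmanaged while the file server and the laptop reconcile against the inventory; the host seen only passively is still recorded, which is the point of combining both collection methods. Note that the Modbus device was categorised from a single open port with no banner, which is the kind of minimal, non-intrusive evidence OT discovery has to work from.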

Why do you believe IoT and OT devices will become a primary target for attackers in 2025?

The cyber threat landscape is changing fast, and the numbers tell a worrying story. IoT attacks have exploded by 400% in just one year, with Europe taking the hardest hit—70 attacks per week on average. And it’s not just IoT; OT systems are under fire, too. A staggering 75% of OT professionals reported intrusions this year, compared to just 49% last year.

Attackers are shifting their focus to IoT and OT systems, and for good reason—they’re often the weakest link and lack basic security. With the increasing convergence of these systems with enterprise networks, these devices serve as ideal jumping-off points to other parts of the network. Attackers aren’t storming the front gates anymore; they’re slipping in through the side doors—exploiting IoT devices, OT systems, third-party vendors, and contractors. Their goal? Stay undetected, bide their time, and ultimately steal sensitive data or demand massive ransomware payouts.

Here’s how serious it’s getting at the top levels:

Flax Typhoon (China) hijacked 200,000 IP cameras for their campaigns.

Sandworm (Russia) manipulates industrial control systems with precision.

Elfin (Iran) targets industrial systems to disrupt operations and gather intel.

Lazarus Group (North Korea) zeroes in on IoT and OT to exploit vulnerabilities.

runZero: Most organisations don’t even know what they’re missing. About 60% of assets are hidden from security teams, creating massive blind spots. Attackers are fast, too—72% can find and exploit a vulnerability in a single day. And last year, unmanaged, internet-facing assets were behind 7 out of 10 breaches. Businesses need to be focused on visibility more than ever. By identifying and cataloguing every IoT and OT device—even the ones hiding in the shadows—organisations can truly understand their attack surface and lock down any weak points, especially those that connect to IT systems and sensitive data. It’s not just about throwing money at the problem and adding more tools—no one needs that; it’s about consolidating tools and approaches to understand where vulnerabilities exist and taking smart, targeted action.

What measures can organisations take today to protect IoT and OT devices, given their unique vulnerabilities, compared to traditional IT infrastructure?

Protecting IoT and OT devices is a complex challenge because these devices are fundamentally different from traditional IT infrastructure. They’re often designed with minimal security in mind, and in the case of OT, they’re critical to operations—think power grids, manufacturing systems, or healthcare devices. The stakes are incredibly high, and the consequences of disrupting them during discovery can be catastrophic.

Traditional discovery tools are just not built for these environments. They rely on aggressive scanning techniques or authenticated access, which can destabilise sensitive devices or miss them entirely, especially since IoT and OT devices can go online and offline frequently. What organisations need is a careful, continuous discovery process—one that’s sensitive enough not to disrupt operations but robust enough to provide a complete picture of the environment.

Discovery is only the first step. It has to be an ongoing process of not just identifying the devices but also understanding their exposures, connections, and convergence points between IT, OT, and IoT systems. These devices often serve as jumping-off points for more sophisticated attacks, so prioritising based on their criticality and connectivity is absolutely essential.

Organisations need to move away from fragmented approaches. Sprawl is overwhelming security teams—too many tools, too many integrations, and too much noise. While integrations are useful, they’re often just stitching together disparate systems, which can lead to duplication of data, discrepancies, and missed insights. What’s really needed is a consolidated approach that combines discovery and exposure management in one platform with native capabilities that reduce complexity and provide actionable insights.


How do you see resilience testing posing challenges for organisations seeking compliance with DORA? What are the common pitfalls they should be aware of? How does exposure management contribute to meeting resilience testing requirements?

At its core, DORA mandates resilience in Information and Communication Technology (ICT) systems, covering five primary pillars, including resilience testing. It’s important to note that resilience testing is a component of exposure management—they’re deeply connected and not separate processes. This is because exposure management is a collective approach that brings together programs, tools, and processes with one core mission: to find vulnerabilities across the entire attack surface, identify which ones are most critical to business objectives, and shut down the window of exploitability as quickly as possible.

Resilience testing fits into this framework as part of a continuous cycle that exposure management encompasses, but it’s also highly dependent on other parts of the cycle to be effective. Here’s why:

Attack Surface Visibility as a Prerequisite: Effective resilience testing starts with understanding what is being tested. If visibility into the attack surface is incomplete—particularly across OT, IoT, or shadow IT devices—critical components of real-world attack scenarios may be missed. One cannot test what is unknown.

Beyond Traditional Exposures: Resilience testing relies on identifying exposures, but it goes beyond results from traditional vulnerability scanners. Many tools overlook exposures in OT and IoT devices, which attackers increasingly target. Without this deeper identification, resilience testing lacks critical context.

Validation and Prioritisation: By simulating or emulating real-world attacks, resilience testing validates the severity of exposures and helps prioritise remediation efforts based on exploitability. It’s about testing not just in theory, but in practice.

Accelerating Mobilisation: Resilience testing informs faster remediation by proving which vulnerabilities are most critical to address. This accelerates action and closes gaps sooner.

Systemic Improvement: Resilience testing helps measure the efficacy of existing defences, identifying systemic weaknesses and guiding improvements to the overall security posture.

That said, resilience testing isn’t a silver bullet. It can’t be conducted continuously, at least not manually. Automated testing can fill some gaps but struggles to replicate the nuance of real-world attacker tactics, especially in sensitive environments like OT systems, where testing risks disrupting critical operations.

While resilience testing is a critical piece of the puzzle, it needs to be used strategically and in conjunction with other parts of the exposure management cycle. To fill the gaps, organisations must rely on comprehensive exposure management platforms. Exposure management isn’t just about checking the box on resilience testing—it’s about creating a cohesive, ongoing strategy that integrates discovery, validation, and action to stay ahead of threats and protect the organisation effectively.

With 95% of UK organisations reporting cybersecurity incidents in their supply chain, what advice do you have for businesses to improve their supply chain security posture?

It all starts with visibility. Security is only as strong as the weakest link in the supply chain—and that’s often where vulnerabilities emerge. While an organisation can’t control the security practices of every supplier or partner, it can protect itself from potential risks they introduce. The first step is gaining clear visibility into the assets they interact with and how those assets connect to internal infrastructure.

Supply chains are often the path of least resistance for attackers. These connections are trusted by design, making it difficult to distinguish between legitimate and malicious activity. Organisations need a strategy that goes beyond trust and focuses on concrete measures like:

Comprehensive Asset Discovery: Identify every device, system, and connection involved in the supply chain, whether internal or external.

Mapping Connections and Dependencies: Understand how supplier systems interact with internal infrastructure and map out these connections to identify weak points.

Policy Enforcement: Set clear security policies and expectations for suppliers, ensuring they adhere to minimum standards.

Segmentation: Limit the scope of what suppliers can access within the network and impede lateral movement.

Exposure Discovery and Risk Assessment: Continuously monitor for vulnerabilities in supplier-connected assets.

Attack Pathway Analysis: Simulate and analyse how an attacker could exploit supply chain connections to reach critical systems and harden defences accordingly.

Third-Party Monitoring: Monitor the suppliers’ cybersecurity posture through vendor risk assessments or tools that provide insights into their external-facing assets and potential exposures.

Incident Response Planning: Assume a supply chain incident will happen and prepare for it. Have clear response plans that ensure continuity of operations with minimal disruption.

Collaboration and Information Sharing: Work with suppliers to share threat intelligence across the supply chain to help identify risks earlier and reduce the likelihood of incidents.

Ultimately, supply chain security is about reducing the “attack surface” that partners and vendors might expose. By combining visibility with proactive policies and measures like segmentation, exposure discovery, and pathway analysis, businesses can strengthen their supply chain security posture and minimise the likelihood and impact of incidents. It’s about turning trusted connections into secure connections.

As we move into 2025, what do you see as the most significant trend shaping exposure management and cybersecurity?

Comprehensive discovery and tool consolidation are leading the way. The market is heading towards platforms that don’t just provide a unified view but actually solve multiple problems—visibility, exposure discovery, prioritisation, and response—all in one. Organisations don’t need more tools adding complexity to their already-overwhelming stack of 60+ security solutions. They need fewer, smarter tools that work seamlessly to give them clear and actionable insights.

We’re already seeing this shift. Vendors specialising in portions of the attack surface, such as external attack surface management, OT, and IoT, are being acquired by bigger players who recognise the need for consolidated solutions (and the unified visibility they provide). And the stats support why this is going to be more critical than ever:

60% of devices have limited visibility to defenders.

7 out of 10 organisations were compromised last year by unmanaged, internet-facing assets.

OT and IoT attacks have skyrocketed by 400% in the past year.

These are alarming numbers, and they’re only going to get worse with the increasing convergence of IT, OT, and IoT. Attackers are thriving in these blind spots, and they’ll keep doing so until organisations catch up. After all, the assets organisations didn’t know were there are exactly the opportunities they are looking for.

The key to staying ahead is attack surface visibility. Organisations that take a proactive approach—prioritising discovery and complete visibility within their exposure management programs—will drastically reduce the window of exploitability.

The consolidation happening now is a direct response to what security teams need most: simplification, visibility, and the ability to stay ahead of attackers. It’s not just a trend; it’s the future of Exposure Management.

Andriani has been working in the publishing industry since 2010. She has worked at major publishing houses in the UK and Greece, such as Cambridge University Press and ProQuest. She gained experience in different departments in publishing, including editing, sales, marketing, research and book launches (event planning). She started as Social Media Manager at 4i magazine, but very quickly became the Editor-in-Chief. At the moment, she lives in Greece, where she mentors women on job and education matters, and she is the mother of three boys.