Recently, the UK's National Cyber Security Centre (NCSC) put External Attack Surface Management (EASM) tools to the test. Their goal? See whether EASM tools actually help organizations understand and reduce their digital exposure. They undertook a significant initiative: collaborating with providers, conducting product trials with 27 organizations, and accumulating over 900 combined trial days to evaluate EASM in real-world settings.

The verdict: While EASM is a valuable concept and addition, not every tool delivers on that promise. Some were too complex. Others overwhelmed users with irrelevant data. What worked best were tools that provided clear, actionable insights and prioritized actual cyber risks, rather than just showcasing data volume or visual dashboards.

This isn't our first look at the challenges of selecting cybersecurity tools. We previously explored this issue in our post, Ensuring that cybersecurity solutions work. The biggest headache for organizations remains the same: a large amount of money is poured into marketing cybersecurity products, but there is very little empirical guidance to help buyers understand which solution fits their needs.

Replacing Guesswork with Guidance: A Role for the NCSC

One of the standout messages from the report is that there is a significant gap in the industry regarding guidance. Many organizations lack knowledge of what to look for in an EASM product or how to evaluate its effectiveness. That’s why it is so significant that the NCSC is now taking on a guidance role. The experiment wasn’t just about product testing; it was about taking a leadership role in shaping how the EASM ecosystem should function.

We have seen this same need for structured and standardized evaluation in the NCSC’s report, which emphasizes the importance of consistent risk identification and transparent data presentation across EASM tools. Much like how public health agencies set baselines for environmental safety, the NCSC is helping define what “good” looks like in EASM — offering both a benchmark and a signal to the market on how to improve.

At Arctic Security, that resonates deeply with us. For our products, we require precise yet concise EASM functionality to be effective in our early warning use case. Arctic EWS was built to deliver that same kind of clarity. It uses external scans, matches them to your actual infrastructure, and provides daily alerts that you can act on quickly and confidently, without overwhelming the recipient. It's not about fancy dashboards (though we do have them). It's about cutting through the noise to highlight what matters.

We are proud to collaborate with national cybersecurity authorities worldwide to raise the standard for external threat visibility and asset discovery. This is just the beginning: more insights from the NCSC-UK experiment will be explored in our upcoming blog entries.

 
