Bitsight Reviews

My main use case for Bitsight is finding vulnerabilities in the wild, especially in internet-facing web applications and networks.

A specific example of how I have used Bitsight is that we do not know the current ongoing issues day-to-day. There are so many vulnerabilities and zero days that are exploitable and outside. With this platform, we are able to detect vulnerabilities quickly and notify the teams using our communication channel. Along with that, it also helps us to remediate quickly because when issues are identified, they should also be included in the remediation part. That is where we were able to sort it out quickly.

Another use case I would add is that Bitsight builds customer trust because it provides a score based on severities or how the system is currently functioning. If our system is secure and we have strengthened the full security, then we will eventually have a good score. That is going to build customer trust.

The best features Bitsight offers include heavily using external vulnerability scans or network scans, which we have done for a couple of years.

What I appreciate about the external scans feature in Bitsight is that it gives us continuous visibility into our externally exposed assets, which requires finding misconfigurations or any unexpected exposures much earlier than we would have caught through manual review period scans. This essentially allows my team to find issues quickly, and as we get notified, we can validate our attack surface. It helps us to reduce blind spots. We can prioritize remediation faster and validate changes by deploying fixes. Overall, it strengthens our security posture by monitoring and supporting our compliance programs.

Regarding Bitsight's features, they offer different aspects that I agree with, especially in external scans. They also provide a rating based on your externally facing domains, which helps us to rate our scores and aids in building customer trust. They have the capabilities to assess the attack surface, so those are the main areas they focus on.

Bitsight has positively impacted my organization by improving security and customer trust. It is impact-focused with measurable values that show us, for example, it has reduced our mean time to detect external exposure issues before we relied on periodic scans. Plus, it gives us continuous monitoring. Now we find misconfigurations within hours instead of days or weeks, which directly improves our overall security posture. It reduces risk as we catch high-risk exposures early, especially unexpected cloud assets or testing endpoints that accidentally went public. Each early detection helps us reduce the threat exposure time and strengthen the compliance program.

There are areas for improvement; we do notice sometimes finding vulnerabilities which gives us visibility to find them quickly. However, there could be a mechanism they can build on top of that for validation as they identify the issues. What will the real risk be for that identifiable issue? Sometimes it could be open because of the traffic; how they detected it could be seen as vulnerable, but upon testing, it might not be a real issue. It could be a false positive because there could be a honeypot that we built. My thinking is about validation, so if they can build that validation part before they expose the risk to the specific asset, that would help. Additionally, based on their reporting, they could also build risk scores and prioritization, which would also aid us.

I would suggest adding dashboards and custom reporting, which could help us by enabling rich custom reports with filters. That is especially for leadership because they will not look at each technical area, but overall they would be looking at the risk score and what the assets or critical exposure areas are. Customizable reporting based on requirements would be valuable.

I chose 9 out of 10 because the reporting and dashboards would be the first thing I would consider for improvement, and then the second is about the validation part, which could probably improve to 10 out of 10.

I cannot think of too much for additional improvements. Maybe some good automation with the API solutions that could be integrated with the CI/CD pipeline or DevOps tools we are running would also be automated and tested.

I have been using Bitsight in my past job as well as in my current job. I would say it is around eight years.

Bitsight is stable so far.

The scalability of Bitsight is good; it is a cloud solution, so upon usage, it scales out without being a concern at this moment.

We do interact with Bitsight's support team, and we do get a response back from them as defined in the SLAs.

I would rate the customer support from Bitsight as 10 out of 10.

Positive

Previously, I used SecurityScorecard, which is a competitor in that space. I think that Scorecard had functional issues, and because of that reason, we switched to Bitsight.

My experience with pricing, setup cost, and licensing for Bitsight is overall good with the current price model.

I feel the current pricing model is fair. The initial setup and licensing process was straightforward. I did not face any challenges in that part.

I do not have a good answer regarding return on investment with Bitsight.

Before choosing Bitsight, I did not evaluate too many options, but I compared between Bitsight and Scorecard, along with one more tool that I lost the name of, but Bitsight won out of those three.

My advice for others looking into using Bitsight is that it is definitely a great tool, especially to identify blind spots. If your applications are internet-facing and you have customers using your products or your cloud-based solutions, whether SaaS or PaaS, this tool is going to build trust between the customer and the provider. As the tool deploys for your application or domains, it continuously scans and finds vulnerabilities and reports them. As you find and report, it is also going to build your domain score, showing how well you are doing with publicly available applications, especially those that are internet-facing. I gave this review a rating of 9 out of 10.

My main use case for Bitsight involves multiple reasons; I used it primarily for continuous vendor risk visibility, and I did not want to rely on annual questionnaires. Vendor onboarding risk assessment, continuous third-party monitoring, and high-risk vendor prioritization capability were essential, as I reported this back to the board and used it for executive dashboarding.

A specific example of how I used Bitsight for vendor risk visibility and prioritization is that it serves as an external cyber risk rating platform or a cybersecurity posture platform that provides outside-in visibility of an organization and third parties. I utilized the features for my third-party risk management framework, conducting attack surface understanding and visibility for third parties. It helped me with continuous monitoring and executive reporting. I view this as a continuous cyber risk intelligence layer that can be used for vendors and helps monitor enterprise risk exposure.

Regarding my main use case, I have nothing specific to add, except for the fact that I did not construe Bitsight as a vulnerability management tool or a scanner, which many organizations use this for. In order to manage the external exposure to the organization, wherein I could manage the domains, IPs, and cloud footprint of third-party service providers, it really helped me in conducting due diligence for potential partners and service providers, and it really supported the organization in merger and acquisition strategy.

The best features Bitsight offers include security ratings, also known as cyber score, which helps me do continuous monitoring. I can run this tool for a large number of high-risk vendors, enabling vendor benchmarking. External attack surface visibility is another feature that I used comprehensively, and third-party ecosystem monitoring provides that visibility. Finally, executive reporting dashboards sum everything up.

Among the features including security ratings, attack surface visibility, and executive reporting, scalability is what made the biggest difference for my team's day-to-day work. My colleagues responded positively to the continuous monitoring provided by Bitsight, enabling us to do vendor comparisons and benchmarking, leading to very good executive-friendly risk visualization.

Bitsight has positively impacted the organization by helping with vendor benchmarking and providing outside-in cyber visibility across hundreds of vendors, which is the biggest plus.

The impact includes more contextual prioritization, which is the biggest business benefit I gained. Reporting to the board, getting dashboards, visibility, and analytics is absolutely fine, but contextual prioritization allows me to assess which vendor has the largest exposure and where I need to be more careful, what kind of remediation activities need to be implemented, and this led to faster remediation visibility improvements with the vendor community.

There are opportunities for improvement in Bitsight. Better explainability of cyber scores is something that Bitsight can work upon, along with addressing false positives. Better cloud-native visibility to identify where service providers might be exposed, and further enhancements in predictive risk and analytics are areas that can be developed.

I covered the main points about needed improvements, emphasizing that everything else is operational and not a limitation on Bitsight's usage.

I would rate Bitsight closer to nine, or somewhere between eight and nine, because the reasons I do not rate it a ten relate to opportunities for improvement I mentioned, such as broader risk, cyber risk intelligence, and emphasis on supply chain risk intelligence. There is potential for improvement in AI-assisted prioritization as it matures.

I choose eight as my official rating of Bitsight.

I chose eight as my rating for Bitsight because it needs to move in the direction of providing broader risk, cyber risk analysis, working more on supply chain risk intelligence, and using AI for prioritization further. I talked about areas of improvement concerning predictive risk analysis, reduction of false positives, and better explainability of the scores, which justifies my rating as eight rather than ten.

Regarding Bitsight's AI capabilities, I am not very sure about the governance and security aspects of AI that Bitsight uses, as I am not aware of any policies they may have regarding AI usage for their services. However, I think AI should be used much more strongly to enhance predictive analysis by Bitsight.

The accuracy and reliability of Bitsight's output stem from its capability of using AI effectively. AI relies on a lot of data from continuous monitoring, enabling faster risk triaging based on the outcomes generated by the AI engine. I believe it is a highly reliable outcome, and the platform has a mature rating system, provides good benchmarks, and has strong enterprise acceptance, so the outcome from the AI engine is quite reliable but can be further improved for predictive assessments.

I have been using Bitsight for over four years, precisely four and a half years, and I have actually used this at Nissan Motor Corporation, where I was the Global Deputy Chief Information Security Officer.

Bitsight is stable in my experience; I have not faced any significant downtime or reliability issues, aside from some minor occurrences. It is highly reliable, scalable, and always available.

Bitsight's scalability is impressive; it handles increasing workloads and more vendors easily. I found that its scalable third-party risk assessment operating model is not merely a scorecard dashboard but a comprehensive assessment tool.

The customer support for Bitsight is responsive and helpful.

I would rate Bitsight's customer support a nine on a scale of one to ten.

Nine is my rating for Bitsight's customer support.

I did not use any other solution before Bitsight, although I can mention that I conducted POCs with two solutions, SecurityScorecard and RiskRecon, before choosing Bitsight.

I see a return on investment with Bitsight clearly, as it becomes evident when I monitor hundreds or even thousands of vendors and replace traditional assessments with continuous monitoring. The ROI appears due to the reduction in manual risk efforts, as I have continuous monitoring instead of periodic assessments, with visibility into third-party cyber posture. Specific examples include a percentage reduction in manual vendor reviews, leading to substantial time savings during onboarding.

My experience with Bitsight's pricing, setup cost, and licensing reflects strong enterprise acceptance; I did not opt for only a one-year annuity-based contract but a multi-year one that was based on the number of IPs, providing great discounts.

I evaluated SecurityScorecard and RiskRecon before deciding on Bitsight.

I think I have mentioned the features comprehensively. I do not think anything else is left unsaid; I talked about continuous monitoring, benchmarking, dashboards, and attack surface visibility, along with security ratings and security scores.

My advice for others considering Bitsight is that for enterprises with a sizable third-party ecosystem, it is valuable for continuous cyber risk monitoring and understanding external posture, providing visibility. It should be part of a broader third-party risk assessment strategy, aiding decision-making, especially for organizations managing numerous vendors and supply chains with significant dependency. I recommend Bitsight for continuous monitoring of cyber risk at scale, as its value increases significantly with vendor complexity and organizational maturity.

I believe I have mentioned the necessary improvements comprehensively, which include better explainability of scores, contextual prioritization using AI, reduced false positives, and more predictive risk analysis. My overall rating for Bitsight is eight out of ten.

I was primarily using Bitsight for attack surface monitoring and external attack surface monitoring use case.

I was monitoring all the alerts and the risk score that Bitsight provides. We mainly focused on improving the risk score for a particular organization for which we were using this in an MSSP setup. We were monitoring different scenarios and different alerts that Bitsight was throwing in, such as open ports cases, missing web application headers, and missing web application security headers. We then communicated this to our customer to get those particular things remediated so the risk score could improve over the portal.

The user interface and the area that Bitsight covers for attack surface monitoring use cases are excellent features. Bitsight's coverage ranges from open ports to web application security headers and web application headers, which in my opinion are the best features Bitsight offers. Bitsight also covers multiple other scenarios, including email headers, DMARC, and DKIM. Additionally, Bitsight scans for vulnerabilities across the system.

We were able to remediate a lot of positive alerts and our risk score improved on their platform, which further helped us to drive better results in terms of cyber insurance. Cyber insurance providers look for attack surface monitored scores quite seriously, and if your score is good, you are very well covered from an insurance point of view.

There was one case scenario where a lot of parked domains were observed for a particular organization that we were monitoring via Bitsight. Bitsight flagged a missing web application header although no exact web applications or web application had been hosted on that particular domain, and it had been in a parked state. We had a discussion with Bitsight team, and their concern was that although no web application was being hosted on that particular domain, it could still be exploited by threat groups. They provided examples in which those domains had already been leveraged by threat groups to emulate ransomware attacks.

From their point of view, Bitsight continues to flag those particular domains in their platform under the missing web application headers criteria. Since if the number of findings increases for a particular month, your overall risk score decreases, which can become a challenge for a team working on this particular issue. Bitsight could work on this use case scenario where they could either exclude or include findings, or create a separate criteria which would not affect the score. When delivering reports to a CISO, CTO, or CIO level, the score is one of the things that gets focused on first. My suggestion is that Bitsight might consider whether findings from parked domains where no web application is being hosted really need to be included in the mainstream findings. Bitsight could create a separate tab or criteria where they could inform customers about these findings without directly including them in the total number of findings. If the total number of findings increases for a particular month, that will impact the overall score, which becomes a challenge for a team working on this field and they have to explain why the score has dropped and whether remediations were not completed the previous month. This is an area that could be improved.

I used this particular platform for more than one year in my last role at PwC.

Bitsight is quite stable in my experience without any downtime or reliability issues.

Bitsight handles growth and increased workload well when it comes to scalability.

Customer support seems fine to me, and I have interacted with them.

Bitsight was my first external attack surface monitoring tool that I used, as I did not previously use a different solution before Bitsight.

If you are exactly looking for external attack surface monitoring, and you are exploring options, then Bitsight is a very good option that you can explore. I have not worked upon any other solutions, but as far as Bitsight is concerned, it gives flexibility in choosing third-party vendor risk agreements and licenses, or a first-party point of view. You can publish your own score as well in case you have any concerns. That flexibility particularly depends upon the license and agreement that you have, whether you are using it from a first-party perspective or a third-party perspective. Bitsight provides this flexibility. I would rate this review an overall rating of eight.

I use Bitsight for security monitoring, serving as external security monitoring and as a TPRM tool. For external security monitoring, we used Bitsight for our internet-facing assets because vendors were requesting to access those assets without requiring agents or direct access. Our security teams valued Bitsight because they could access both their own external attack surface and third-party vendors from an attacker perspective. We detected exposed services, tracked security posture changes over time, and provided visibility into the vendor ecosystem using Bitsight. For third-party risk management, our organization used it to assess vendors before onboarding, continuously monitor supply chain security posture, and prioritize high-risk vendors.

On the executive and board reporting side, Bitsight helped us by providing cyber risk metrics and offering benchmarking against peers. It also supported risk-based conversations with leadership.

The best features Bitsight offers in my experience are continuous monitoring and TPRM, along with external attack surface management.

When considering continuous monitoring and attack surface management features, I compared mostly with Black Box. I found the security rating to be better, and vendor comparison is much simpler with Bitsight compared to other tools. The security posture trends can be communicated visually, which is fantastic. For monitoring and attack surface management, we can identify vulnerable internet-facing assets very easily, and it can provide visibility into the vendor ecosystem, so compared to other tools, it is much better.

When we started using Bitsight, it effectively identified problems. Our engineering teams could understand their tools, and security consultants also performed RCs with the help of Bitsight. This has improved the RC side and continuous monitoring for our operations L1 and L2 team.

By utilizing Bitsight, we observed faster response times, and our endpoint security controls matched better than previously. We improved remediation processes, and user behavior analytics became much better than the tools we were using before.

I see challenges with scoring methodologies, as security teams often ask questions such as why their score dropped, which finding caused the drop, and how much weight each issue has. Our team spends significant time explaining score changes to leadership when the underlying calculation is not fully obvious compared with Black Box. There are limitations with Bitsight; I am not saying everything is 100 percent accurate. The scoring methodology can be improved, along with addressing false positives and asset attribution issues.

The pain point I highlighted is that external scanning platforms face challenges with false positives and asset attribution issues. Common complaints I receive from my team are assets being incorrectly associated with organizations, where parent companies are penalized for subsidiary findings. Third-party infrastructure also affects scores, so Bitsight specifically needs to work on those issues. Additionally, with everyone moving towards AI and cloud, improvements are needed in their cloud-hosted services.

For internal visibility, Bitsight only sees what is externally observable. Sometimes we want to monitor internal assets and need internal visibility as well. Bitsight cannot directly assess internal Active Directories, endpoint security controls, and internal segmentation. Therefore, Bitsight needs to provide internal visibility in addition to being one data source rather than a complete security posture platform.

I used Bitsight for around three years.

If Bitsight could add threat intelligence along with dark web monitoring to their external attack surface management, that would be a significant improvement.

My advice for those looking into using Bitsight is that if someone is specifically looking for third-party risk management or external attack surface management, Bitsight is a good choice. However, if they are looking for other tools and capabilities, they should compare Bitsight's performance with others to ensure they find the right fit. I gave this review a rating of six out of ten.

My main use case for Bitsight is to identify the available vulnerabilities on the network side, and I rely on it for that the most.

The best features that Bitsight offers include the way of presenting the data, which is very good because you can get proof while reviewing your findings. This helps our infrastructure team identify and fix those findings.

Those features help our team by making things easier. For example, if we have a specific security header missing, Bitsight shows us that, such as HSTS being missing, providing specific details on what header is lacking on our websites.

I would add that Bitsight has a task assignment feature that allows us to keep assigning tasks to different team members so they can work on the specific findings assigned to them. Additionally, it has report features, enabling us to generate reports and send them to our clients to show how well we are remediating issues. We can also share our score with the client to improve our client relations.

Bitsight has positively impacted our organization. After using it, we discovered many things. As I mentioned, we have many vulnerabilities available, and it keeps identifying and showing us them, which is valuable.

Bitsight has been good overall, and I do not see any negative points. However, if another organization can spy on us, that is concerning, as they can see our score and we cannot see theirs.

I wish for the addition of features such as leak credentials within Bitsight, which would be more useful because we need to rely on some other third-party tools. If those features were available, there would be no need to use additional tools.

I chose 8 out of 10 because if we receive invites from clients every 45 days, our subscription ends, and we have to renew it. Additionally, it does not show vulnerabilities according to the CVSS score or the impact they are causing. Instead, it labels these vulnerabilities as bad or one, which can be confusing for those unfamiliar with identifying errors. It would be better to categorize them as high vulnerability, critical vulnerability, or low vulnerability.

A quick specific example of how I have used Bitsight to identify a vulnerability is when it helped us catch bad and one vulnerabilities we mostly search for, giving us a better idea if we have any public IP available on the internet that can directly expose us and is already bypassing our firewalls. Those IPs we need to make private to secure ourselves.

In my day-to-day work with Bitsight, we do not have to do any manual scans. We just put our company name and the details, and it automatically identifies all our assets and all our internal things and all the details, such as NS lookup and any other technique it is using. We discover multiple things such as open ports, CSV vulnerabilities, missing security headers, and publicly available IP addresses.

Regarding specific outcomes, earlier we had a bad score of around 600 with many vulnerabilities. After using Bitsight, we know about vulnerabilities whenever they are published or observed, and we keep remediating those vulnerabilities. This actually increased our score to 670.

My advice to others looking into using Bitsight is that it provides a lot of information that was not available before, and it is especially good in recon as it can identify many things about an organization that have never been found earlier, making it a valuable tool.

Overall, I believe Bitsight is good because everything is covered, including user management, so I have no additional thoughts beyond that. I give this product a rating of 8 out of 10.

My main use case for Bitsight when I was at Virtusa was to monitor the external security posture for Virtusa, as Bitsight rates your company based on findings on external assets.

I was part of the internal security team and Bitsight used to report findings, such as open ports on specific IP addresses or web applications owned by Virtusa, and based on that it used to give a rating on the severity based on how severe the vulnerability is or the possibility of any vulnerability. I used to take that information and then fix that problem internally. That is how we used to use Bitsight. Our main aim was to use Bitsight to enhance the security of the company so that our score is good on Bitsight, which really matters.

The best features Bitsight offers, in my experience, are the ratings that it gives to vulnerabilities and how frequently they conduct scans for a particular company. Bitsight also used to manage our third-party providers regarding how their security is, so it is better for us to manage the vendors we are currently engaged with and the third-party vendors so that we are aware of their security posture as well, instead of us monitoring their security. That is the most useful use case from Bitsight.

Bitsight gives me a holistic view of my entire security posture, which is something any organization would want to have after getting a tool such as Bitsight. It was sufficient in that way, serving the purpose that we took Bitsight for, and there is something that we continued our relationship. We had annual contracts and then we renewed it every year based on the performance of Bitsight.

We had internal KPIs based on the number of findings that we finalized from Bitsight and then tracked it internally to work on that. The more vulnerabilities that we close, the rating would subsequently reflect on Bitsight because they work independently; they do not work as we do inside the company. As long as we are fixing the vulnerabilities, we used to see the score getting improved, and that is something that the board of directors and the internal community were looking for.

Bitsight's scan could be more rigorous and then more accurate.

I think it would be good to try to see each and everything of the company in a more accurate way.

Their scan scheduling could be improved and they could take more inputs from the companies they are working with. If they can speed up that process, they would obviously increase that score. We found that some of the findings are clear false positives, but they still report that, and based on that, the rating goes down until we rectify them. So that is something they need to work towards; the number of false positives they are rating should focus on producing more accurate results to get a higher rating.

Bitsight had a professional support service where whenever there are any ratings which we know to be a false positive and a wrong finding, we used to get on a call with support from Bitsight to submit our review as to what we found and what the evidence is for it being a false positive, and they used to consider that and then try to revise that internally and adjust the rating accordingly.

Bitsight is a useful tool to monitor your external posture and it is backed by a good professional support service. The respective other teams such as pre-sales, support service, and customer success team are very good in terms of dealing with customers, so there is something to look for in such products.

Neutral

There is nothing particularly unique about Bitsight because we were also using another product along with Bitsight, and we used to compare the results of Bitsight with that tool and then try to see what the unique proposition or the unique findings are that we can evaluate and then work internally.

If the ratings were very poor, low, or below the benchmark that we expected for Virtusa, we used to have a meeting with them, and then try to negotiate if they can improve their security, or else we would discontinue the business with them. So to that extent, we took actions based on the findings that we got from Bitsight. I give Bitsight a six out of ten for this review.

We use BitSight to check security scores for my organization, subsidiaries, and providers.

The product helps us identify the vulnerabilities of internet-facing applications.

BitSight's most valuable feature is its ability to list the vulnerabilities.

There could be an ability to adapt the score faster. At the moment, when the vulnerability score decreases, it remains the same for quite a while, even though issues are resolved in 24 hours. It reduces faster and increases very slowly. This particular area needs improvement.

I have been using BitSight for three years now.

It is a stable product. I rate its stability a ten out of ten.

We have 20 BitSight users in our organization. I rate its scalability a nine out of ten.

You require prior experience to implement the product. I rate the process an eight out of ten. It allows you to set the requirements manually and purchase the subscription accordingly. It takes a day to complete.

The product has a reasonable price.

I have evaluated SecurityScorecard before.

I recommend BitSight because it is very convenient to use. It has become a standard tool used in many companies. It is easy to share a few components of an algorithm for users. It is not ideal as it only reflects some of the reality of Internet-facing applications. However, it is the best solution at the moment.

I rate it an eight out of ten.

Bitsight provides comprehensive insights into security posture, enabling us to effectively reduce risks. it increases the security of writing and reduces the risks.

We work directly on their website to define all the assets that we need to scan. We have some meetings with the manager. For example, we set objectives to evaluate cyber risk periodically in our organization. One of these objectives is to assess the rating for our internal enterprise. We maintain a comprehensive database to ensure compatibility with our objectives. We aim to prevent a decrease in our security rating and maintain its value over time.

The solution is user-friendly. The features are to conduct scans, identify findings, and provide a rating. This rating serves as a measure of our security risk.

We face difficulties in acquiring designs and findings. There may be room for improvement in the methodology for identifying findings, as occasional errors occur on the technical side of BitSight.

I have been using Bitsight Third-Party Risk Management for more than six years.

The product is very stable.

I rate the solution’s stability an eight out of ten.

The solution is scalable. We have 100 users. We cater to a very large and international group. This extends to our presence not only in the US but also in other regions.

I rate the solution’s scalability a nine out of ten.

The initial setup is easy and takes two or three days to complete.

I rate the initial setup a nine out of ten, where one is difficult, and ten is easy.

The product is a little expensive and very oriented to large companies.

My recommendation depends on the size of the company. You need to have some people to see our platform and distribute all the work.

Overall, I rate the solution a nine out of ten.

BitSight is good for us because we require third-party monitoring of vendors as per our new regulations. Since we are a financial company, we need to monitor our suppliers, software design houses, and others to ensure their information security labels.

The Score is a valuable feature, especially the diverse evaluation points. However, since I don't have access to trial licenses, I'm unsure about the kind of report I will get.

A trial license or login account would allow me to understand, and maybe I would think differently. We are a local company, and our vendors are local. BitSight caters to companies like ours and gives a general return score. It's pretty important to us. Also, the tool has been easy to use.

The solution’s benchmarking should be improved. The weakness was that they could only benchmark five companies simultaneously. I'm unsure whether this was due to the trial or another reason.

We have been testing the solution for the past two months.

I have contacted the customer support through e-mail and their response rate is fast.

Positive

We are also using Black Kite. I prefer BitSight over Black Kite due to its patch management capabilities. BitSight provides a view of patch management. I also found that Black Kite tends to generate false alarms.

I’m unaware about this.

We are also looking at another tool called SecurityScorecard. We will choose between BitSight and SecurityScorecard.

Overall, I rate the solution a nine out of ten.

BitSight provides information about the external servers, botnet infection and credential leaks. It also offers open ports from an external point of view, so we benefit before any adversary misuses the particular servers that are exposed externally.

There has been quite a bit of data discrepancy in BitSight. When we observe a particular event or alert and check it three to four days a month, the alert seems to be gone, but the vulnerability still exists. In addition, certain assets are becoming repetitive for the same vulnerability. We have reported these couple of instances to BitSight, but we haven't received any updates from them yet. So we are unsure if the issue is from the access end or the BitSight end when it fails to detect that particular asset.

We would like to see better data enrichment to give more information about the particular asset. For example, if BitSight scouts a specific website, it tells you that the website is using TLS Version 1.1 or that the web server is accessible using this server. It will be good if it can give a screenshot of what version BitSight scouts and allow us to validate whether it is aligned. Also, I think the alert system can also be fixed. Still, data enrichment is the major issue because we only see some information that is provided by the data and specific fixes about particular vulnerabilities. If we check for remediation tips for certain vulnerabilities, it only gives generic information.

We have been using this solution for five months. It is a cloud-based solution, but I am unsure what version we use.

It is a scalable solution. We gave access to BitSight to multiple people in our organization, from the security team and other teams. About 30 or more people have access to BitSight.

Expanding usage depends on giving permissions on an ad hoc basis and who handles certain assets. It is not mandatory to give everybody access to BitSight, and it is based on a need to know.

We raised the issue of alerts with technical support and put in a ticket. We have a meeting with them in two weeks. The technical support is pretty solid because I've raised a couple of tickets in the past month, and they fixed it in a concise amount of time. It took them about one or two days to get back to me.

We haven't used another solution, but I know there's a product called Census, but we haven't had an opportunity to work with it. I believe they are a competitor of BitSight.

I was not a part of the implementation of BitSight.

I can't comment on the pricing because different parties evaluate it, and a different department administers it.

I rate this solution an eight out of ten. Regarding advice, BitSight scours assets to discover exposure and searches for existing vulnerabilities. Vulnerabilities that exist on the internet might try to abuse a company's assets, and it is important to get the upper hand before adversaries try to take advantage of organizational assets.