Today, we are thrilled to announce the launch of Zafran, the first Risk & Mitigation platform. 
In this blog post, I will share our exciting journey, outlining our vision and approach enabling organizations to quickly defuse threats.

New Attackers, Faster Attack Methods 

Increased exploitation expertise, publicly available exploit-kits and AI are making attackers faster and more impactful. In the early days, exploiting vulnerabilities was limited to few threat actors. Now the practice is much more widely spread. According to the NCSC, AI is expected to increase the volume and impact of cyber attacks in the next two years. This technological leap forward is also lowering the barrier to entry for novice attackers, empowering them to execute more sophisticated and damaging attacks.

Just recently, notorious ransomware groups exploited vulnerabilities in ScreenConnect software, targeting healthcare giant Change Healthcare, which disrupted hospitals and pharmacies across the United States. Also, Apache ActiveMQ vulnerabilities were exploited by the Kinsing malware to deploy cryptominers and Microsoft issued a patch for the Microsoft Defender SmartScreen vulnerability, which was widely used against the financial sector.

Same Defenders, Same Challenges

And while attacks are becoming easier to carry out, defenders are still facing significant issues with remediation processes.

Determining Exploitability

One of the primary struggles is the difficulty in determining what vulnerabilities are truly exploitable and require immediate attention. This requires comprehensive asset inventories, accurate vulnerability scanning tools, analyzing the attack surface and determining exposure, together with validation of security controls configurations and effectiveness. Moreover, these need to take place within different environments (Cloud, On-Prem Servers, Endpoints, etc.).

Today, this information is available, but it is scattered around across different tools and owners, making it very hard to generate insights.

Resource Limitations

Furthermore, defenders face the harsh reality that they can't patch every vulnerability. Attempting to do so would consume a huge amount of time and resources, which is not feasible or practical. Even if they try, they might not reach the riskiest or most impactful vulnerabilities on time, before it’s too late.

Organizational Silos and Friction

The challenges defenders face are not solely technical in nature. Even when vulnerabilities are identified and prioritized, that doesn’t mean they will immediately get fixed. This is because of the collaboration hurdle. While vulnerability management and application security teams identify the vulnerabilities, it's often up to IT and development teams to implement the necessary fixes. Silos in processes, different technical jargons and different priorities can make this handoff a frictional process. The resulting delays diminish the security posture of the organization, while everyone involved has the opposite intention in mind.

One of the main reasons these delays occur is when dev and IT teams are required to patch vulnerabilities which turn out to be low-risk or not genuinely dangerous. When trust between the teams suffers, the result is frustration and a lack of confidence in the security processes.

Turning Cumbersome Risk Assessment and Mitigation Processes into a Product

Effective cybersecurity requires efficiently leveraging the expertise and collaboration of multiple teams: those in charge of vulnerability assessment, prioritization and finding the application owners, as well as IT and dev teams, who are the ones responsible for the actual patching. Not to mention, this entire process has to fit in the defined SLA.

This is why we created Zafran.

Zafran was built to productize expert-level risk assessment and mitigation. Zafran relieves you from the time and effort required to manually gather information and insights from all your teams to correctly evaluate and protect against emerging threats. The amount of time you have on your hands is limited. Instead of spending time on cross-referencing information or holding team brainstorming sessions, Zafran automatically understands which actions are important to take for risk reduction. It productizes the expertise of understanding if a threat is applicable to you, and what you can do to resolve it as quickly as possible.

Holistic View, No Agents

A key aspect of Zafran's approach is our holistic perspective to risk assessment. Zafran combines asset inventory, vulnerability correlation, threat intelligence and security controls configurations. By infusing the risk data with your existing controls’ configurations, Zafran articulates risk comprehensively so organizations can address vulnerabilities effectively.

The focus of Zafran is not on setting up new security tools. We understand you already have a notable security stack. This is why we emphasize mobilizing your already-existing defenses correctly. Our upstream mitigation recommendations optimize your existing tool capabilities. This enables you to make the most of what you have while enhancing your security posture.

From my experience of building products at scale, I know that the operational perspective is just as important as the product’s offered capabilities. Rest assured, Zafran is agentless and offers a unified solution tailored for both cloud and on-premises environments. We chose this approach to eliminate the need for additional deployments and maximize efficiency.

We designed Zafran to connect disparate security functions and promote a cohesive approach to risk management. A unified view of risks and defenses facilitates collaboration between teams, fosters trust and strengthens your security posture.

You got this, we’re just here to help you connect the dots.

‍