November 10, 2021

Why Zero-Days Are Essential to Security

By: David Wolpoff

At Randori, we believe experience is the best defense — and we’re not alone. Successful security programs have long assumed compromise and invested heavily in testing and adaptation in order to build resilience. As the threat from zero-days grows, organizations need access to realistic ways to prepare for and train against these unknown threats. This is the reason we founded Randori.

As an innovator in offensive security, Randori is always pushing the edge of what is possible to provide our customers with the most realistic possible experiences. While most security companies focus on detecting and testing yesterday’s threats, Randori is striving to push the art of the possible to ensure our customers and the industry are ready for and resilient against whatever threats the future holds.

We provide our customers with a highly realistic experience — from reconnaissance to compromise to actions on objectives. When the number of vulnerabilities disclosed per year exceeds 20,000 and in-the-wild exploitation of zero-days is commonplace, organizations require commensurate tools and techniques to test and defend themselves. That is why at Randori, our objective is to have capabilities on par with nation-state and criminal organizations, to utilize those capabilities against our customers with their authorization, and to do so at scale — providing not just a single organization, but the industry more broadly, the opportunity to learn from a trusted adversary.

To do this, we:

  • Recruit and hire top offensive security talent
  • Acquire N-day and other capabilities from outside parties
  • Actively invest in discovering zero-day and other novel attack capabilities
  • Leverage these capabilities to benefit our customers

Together, these capabilities enable us to phish, crack passwords, use publicly disclosed vulnerabilities, conduct novel research, and develop techniques, capabilities, and processes just like those used by threat actors. We find and utilize previously unknown vulnerabilities in our customers’ applications and environments.

This may sound scary, but it doesn’t need to be. In fact, there is high demand for what we do because the reality of our world involves unknowns, including zero-day exploits. Companies face zero-day threats every day, but there have been far fewer opportunities to test resilience against such attacks. 

Red team tools and techniques, including zero-day exploits, are necessary to the success of our customers and the cybersecurity world as a whole. However, like any offensive tooling, vulnerability information must be handled carefully and with the respect it is due. Our mission is to provide a highly valuable experience to our customers, while also recognizing and managing the associated risks.

While patching vulnerabilities is an important component of a security program, you can only patch threats that are known. Unfortunately, adversaries today are increasingly compromising organizations using unknown vulnerabilities or unpatchable techniques. When a defender is unable to patch a flaw, they must rely on other controls. Real exploits let them validate those controls, and not simply in a contrived manner. Real exploits let customers scrimmage against the same class of threats they are already facing. Zero-day exploits take patching off the table as the only solution, and let us move the conversation from “how do we prevent failures from occurring?” to “how do we recover when failures inevitably occur?”

The offensive mindset is extremely valuable to the defender. It provides the opportunity to improve proactively rather than reacting to known issues, and gives security teams the opportunity to develop skills and capabilities that they can’t develop on their own. These skills come from being able to break outside your own assumptions and confront institutional failures head-on. A trusted adversary makes this possible — enabling teams to assess what’s really working, so we can all move forward together. 

If the above philosophy resonates with you, we’re looking for hackers, engineers, and defenders to help us change the way the security industry operates. Come join us and put your skills to work for good. Follow us on Twitter at @RandoriAttack and reach out to join the conversation.
