
    Bitsight for Security Performance Management

    Sold by: Bitsight 
    Deployed on AWS
    Drive accountability and transparency across the organization based on a uniform security performance target. With this governance framework in place, measure the effectiveness of security controls, analyze the attack surface, prioritize findings and track remediation activities. Annual subscription.
    Rating: 4.6

    Overview

    Bitsight pioneered the security ratings industry in 2011, creating our cybersecurity ratings platform. Today, the Bitsight rating is known around the world as a trusted analytic to help organizations understand and manage cyber risk.

    Leveraging the Bitsight Security Rating, the only rating independently correlated to the likelihood of a breach and a company's stock performance, over 2,400 companies build trust in their cybersecurity and third-party risk management program. Bitsight helps organizations drive market decisions, like credit analysis, financial ratings, pricing, ESG frameworks, and Mergers and Acquisitions activity. This gives confidence to vendors and the extended organization, enabling a safe and more secure world by empowering better cyber risk decisions.

    Bitsight helps organizations identify, quantify, and reduce cyber risk

    Bitsight Security Performance Management (SPM) measures an organization's cybersecurity performance over time. With continuous visibility of the organization's extended digital footprint and a differentiated view of the organization's unique hierarchical structure, SPM facilitates organizational cyber risk oversight. Security leaders and their teams rely on Bitsight SPM for:

    For custom pricing offers, please contact: bitsightawsmp-customoffer@bitsight.com 

    Highlights

    • 44+ trillion raw events collected & 100 billion new events collected each day
    • 40 million rated organizations worldwide with 12+ months of historical data included

    Details

    Delivery method

    Deployed on AWS

    Features and programs

    Vendor Insights

    Skip the manual risk assessment. Get verified and regularly updated security info on this product with Vendor Insights.
    Security credentials achieved: 1

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.

    Pricing

    Bitsight for Security Performance Management

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (1)

    Dimension               | Description                                          | Cost/12 months
    SPM Enterprise Combined | per license (includes 20 benchmarking subscriptions) | $138,550.00

    Vendor refund policy

    No refunds


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Resources

    Support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Accolades

    Top 50 in Device Security
    Top 10 in Procurement & Supply Chain, Legal & Compliance
    Top 10 in Centralized Risk Management

    Overview (AI generated from product descriptions)

    Cyber Risk Analytics: Advanced platform utilizing 44+ trillion raw events and 100 billion new events daily for comprehensive cybersecurity risk assessment
    Security Performance Measurement: Continuous visibility and monitoring of an organization's extended digital footprint with performance tracking over time
    Breach Likelihood Correlation: Security rating independently correlated to potential breach probability and organizational stock performance
    Third-Party Risk Management: Capability to analyze and evaluate cybersecurity risks across vendor ecosystems and extended organizational networks
    Global Organizational Rating: Comprehensive rating system covering 40 million organizations with 12+ months of historical cybersecurity performance data
    Threat Intelligence Monitoring: Continuously monitors 10 risk factor groups using non-intrusive data collection methods and commercial and open-source threat feeds
    Cybersecurity Risk Rating: Provides quantitative cybersecurity posture evaluation using an easy-to-understand A to F rating system
    Vendor Risk Assessment: Enables automated questionnaire completion and validation with integrated inside-out and outside-in risk perspective
    Data Collection Methodology: Utilizes proprietary and trusted data collection techniques for comprehensive cybersecurity assessment
    Continuous Monitoring Technology: Performs real-time cybersecurity posture tracking across multiple organizations and risk domains
    Risk Quantification Model: Utilizes the FAIR™ Model for quantifying and analyzing cybersecurity risks with a defensible methodology
    Risk Signal Aggregation: Automatically ingests diverse telemetry signals from enterprise-wide controls to dynamically represent business risk exposure
    Risk Scenario Management: Provides a library of built-in cyber risk scenarios with the capability to create custom scenarios for comprehensive risk assessment
    Multi-Party Risk Visibility: Enables unified cyber risk visibility across first-party and third-party environments in a single integrated platform
    Real-Time Risk Tracking: Delivers a real-time, dynamic representation of cyber risk posture with continuous monitoring and assessment capabilities

    Security credentials

    Validated by AWS Marketplace. Credentials tracked in the comparison grid: FedRAMP, GDPR, HIPAA, ISO/IEC 27001, PCI DSS, SOC 2 Type 2 (the per-product status cells are not recoverable from the flattened grid; one entry reads "No security profile").

    Contract

    Standard contract: No (this listing is governed by the vendor's own EULA; see Legal above)

    Customer reviews

    Ratings and reviews

    4.6 (77 ratings)
    5 star: 51%
    4 star: 40%
    3 star: 8%
    2 star: 1%
    1 star: 0%
    1 AWS review | 76 external reviews
    External reviews are from G2 and PeerSpot.
    Suresh A.

    Continuous monitoring has strengthened external security and improved customer trust

    Reviewed on Dec 10, 2025
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for Bitsight is finding vulnerabilities in the wild, especially in internet-facing web applications and networks.

    A specific example of how I have used Bitsight is that we do not know the current ongoing issues day-to-day. There are so many vulnerabilities and zero days that are exploitable and outside. With this platform, we are able to detect vulnerabilities quickly and notify the teams using our communication channel. Along with that, it also helps us to remediate quickly because when issues are identified, they should also be included in the remediation part. That is where we were able to sort it out quickly.

    Another use case I would add is that Bitsight builds customer trust because it provides a score based on severities or how the system is currently functioning. If our system is secure and we have strengthened the full security, then we will eventually have a good score. That is going to build customer trust.

    What is most valuable?

    The best features Bitsight offers include heavily using external vulnerability scans or network scans, which we have done for a couple of years.

    What I appreciate about the external scans feature in Bitsight is that it gives us continuous visibility into our externally exposed assets, which requires finding misconfigurations or any unexpected exposures much earlier than we would have caught through manual review period scans. This essentially allows my team to find issues quickly, and as we get notified, we can validate our attack surface. It helps us to reduce blind spots. We can prioritize remediation faster and validate changes by deploying fixes. Overall, it strengthens our security posture by monitoring and supporting our compliance programs.

    Regarding Bitsight's features, they offer different aspects that I agree with, especially in external scans. They also provide a rating based on your externally facing domains, which helps us to rate our scores and aids in building customer trust. They have the capabilities to assess the attack surface, so those are the main areas they focus on.

    Bitsight has positively impacted my organization by improving security and customer trust. It is impact-focused with measurable values that show us, for example, it has reduced our mean time to detect external exposure issues before we relied on periodic scans. Plus, it gives us continuous monitoring. Now we find misconfigurations within hours instead of days or weeks, which directly improves our overall security posture. It reduces risk as we catch high-risk exposures early, especially unexpected cloud assets or testing endpoints that accidentally went public. Each early detection helps us reduce the threat exposure time and strengthen the compliance program.

    What needs improvement?

    There are areas for improvement; we do notice sometimes finding vulnerabilities which gives us visibility to find them quickly. However, there could be a mechanism they can build on top of that for validation as they identify the issues. What will the real risk be for that identifiable issue? Sometimes it could be open because of the traffic; how they detected it could be seen as vulnerable, but upon testing, it might not be a real issue. It could be a false positive because there could be a honeypot that we built. My thinking is about validation, so if they can build that validation part before they expose the risk to the specific asset, that would help. Additionally, based on their reporting, they could also build risk scores and prioritization, which would also aid us.

    I would suggest adding dashboards and custom reporting, which could help us by enabling rich custom reports with filters. That is especially for leadership because they will not look at each technical area, but overall they would be looking at the risk score and what the assets or critical exposure areas are. Customizable reporting based on requirements would be valuable.

    I chose 9 out of 10 because the reporting and dashboards would be the first thing I would consider for improvement, and then the second is about the validation part, which could probably improve to 10 out of 10.

    I cannot think of too much for additional improvements. Maybe some good automation with the API solutions that could be integrated with the CI/CD pipeline or DevOps tools we are running would also be automated and tested.

    For how long have I used the solution?

    I have been using Bitsight in my past job as well as in my current job. I would say it is around eight years.

    What do I think about the stability of the solution?

    Bitsight is stable so far.

    What do I think about the scalability of the solution?

    The scalability of Bitsight is good; it is a cloud solution, so upon usage, it scales out without being a concern at this moment.

    How are customer service and support?

    We do interact with Bitsight's support team, and we do get a response back from them as defined in the SLAs.

    I would rate the customer support from Bitsight as 10 out of 10.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Previously, I used SecurityScorecard, which is a competitor in that space. I think that Scorecard had functional issues, and because of that reason, we switched to Bitsight.

    How was the initial setup?

    My experience with pricing, setup cost, and licensing for Bitsight is overall good with the current price model.

    I feel the current pricing model is fair. The initial setup and licensing process was straightforward. I did not face any challenges in that part.

    What was our ROI?

    I do not have a good answer regarding return on investment with Bitsight.

    Which other solutions did I evaluate?

    Before choosing Bitsight, I did not evaluate too many options, but I compared between Bitsight and Scorecard, along with one more tool that I lost the name of, but Bitsight won out of those three.

    What other advice do I have?

    My advice for others looking into using Bitsight is that it is definitely a great tool, especially to identify blind spots. If your applications are internet-facing and you have customers using your products or your cloud-based solutions, whether SaaS or PaaS, this tool is going to build trust between the customer and the provider. As the tool deploys for your application or domains, it continuously scans and finds vulnerabilities and reports them. As you find and report, it is also going to build your domain score, showing how well you are doing with publicly available applications, especially those that are internet-facing. I gave this review a rating of 9 out of 10.

    Tarang Parmar

    Automated monitoring has strengthened our vulnerability visibility and improved remediation workflows

    Reviewed on Dec 09, 2025
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Bitsight is to identify the available vulnerabilities on the network side, and I rely on it for that the most.

    What is most valuable?

    The best features that Bitsight offers include the way of presenting the data, which is very good because you can get proof while reviewing your findings. This helps our infrastructure team identify and fix those findings.

    Those features help our team by making things easier. For example, if we have a specific security header missing, Bitsight shows us that, such as HSTS being missing, providing specific details on what header is lacking on our websites.

    I would add that Bitsight has a task assignment feature that allows us to keep assigning tasks to different team members so they can work on the specific findings assigned to them. Additionally, it has report features, enabling us to generate reports and send them to our clients to show how well we are remediating issues. We can also share our score with the client to improve our client relations.

    Bitsight has positively impacted our organization. After using it, we discovered many things. As I mentioned, we have many vulnerabilities available, and it keeps identifying and showing us them, which is valuable.

    What needs improvement?

    Bitsight has been good overall, and I do not see any negative points. However, if another organization can spy on us, that is concerning, as they can see our score and we cannot see theirs.

    I wish for the addition of features such as leak credentials within Bitsight, which would be more useful because we need to rely on some other third-party tools. If those features were available, there would be no need to use additional tools.

    I chose 8 out of 10 because if we receive invites from clients every 45 days, our subscription ends, and we have to renew it. Additionally, it does not show vulnerabilities according to the CVSS score or the impact they are causing. Instead, it labels these vulnerabilities as bad or one, which can be confusing for those unfamiliar with identifying errors. It would be better to categorize them as high vulnerability, critical vulnerability, or low vulnerability.

    What other advice do I have?

    A quick specific example of how I have used Bitsight to identify a vulnerability is when it helped us catch bad and one vulnerabilities we mostly search for, giving us a better idea if we have any public IP available on the internet that can directly expose us and is already bypassing our firewalls. Those IPs we need to make private to secure ourselves.

    In my day-to-day work with Bitsight, we do not have to do any manual scans. We just put our company name and the details, and it automatically identifies all our assets and all our internal things and all the details, such as NS lookup and any other technique it is using. We discover multiple things such as open ports, CSV vulnerabilities, missing security headers, and publicly available IP addresses.

    Regarding specific outcomes, earlier we had a bad score of around 600 with many vulnerabilities. After using Bitsight, we know about vulnerabilities whenever they are published or observed, and we keep remediating those vulnerabilities. This actually increased our score to 670.

    My advice to others looking into using Bitsight is that it provides a lot of information that was not available before, and it is especially good in recon as it can identify many things about an organization that have never been found earlier, making it a valuable tool.

    Overall, I believe Bitsight is good because everything is covered, including user management, so I have no additional thoughts beyond that. I give this product a rating of 8 out of 10.
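    Added example (not Bitsight's code and not part of either PeerSpot review above). The two reviews describe findings such as a missing HSTS header and ask for a way to validate a finding before it counts against the rating. The script below shows what that validation looks like for HSTS specifically: it parses a captured Strict-Transport-Security header value the way RFC 6797 defines it (max-age is mandatory, directive names are case-insensitive and may not repeat, only the first STS field in a response is honored, and the header is ignored entirely over plain HTTP), then classifies the result so a "missing" or "weak" finding can be confirmed or rejected from the response itself. The hostnames and responses are constructed for the example, and the one-year minimum max-age is an assumed threshold, not one stated on this page.

```python
"""Re-check an "HSTS missing / weak" finding against a captured response.

Added example for this page, not Bitsight's code.  Parses the
Strict-Transport-Security (STS) header per RFC 6797 and classifies it, so an
external-scanner finding can be validated before a remediation ticket is
raised.  All hostnames and responses below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed threshold: one year, the minimum hstspreload.org accepts.  The page
# does not state what max-age a rater treats as "long enough".
MIN_MAX_AGE = 31_536_000


@dataclass
class HstsPolicy:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: Optional[str]) -> HstsPolicy:
    """Parse one STS field value (RFC 6797 section 6.1).

    Directives are ';'-separated, names are case-insensitive, a directive may
    appear only once, max-age is mandatory and unknown directives are ignored.
    """
    if value is None:
        return HstsPolicy(present=False, problems=["header absent"])
    policy = HstsPolicy(present=True)
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # values may be a token or a quoted-string
        if name in seen:
            policy.problems.append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                policy.max_age = int(val)
            else:
                policy.problems.append(f"invalid max-age {val!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive name is ignored, as the RFC requires
    if "max-age" not in seen:
        policy.problems.append("max-age missing")
    return policy


def classify(policy: HstsPolicy, min_max_age: int = MIN_MAX_AGE) -> str:
    """Map a parsed policy to a finding verdict."""
    if not policy.present:
        return "missing"
    if policy.problems:
        return "invalid"    # browsers ignore a malformed STS field, so this is as bad as missing
    if policy.max_age == 0:
        return "disabled"   # max-age=0 tells browsers to forget the host
    if policy.max_age < min_max_age:
        return "short"
    return "ok"


def check_response(scheme: str, headers: List[Tuple[str, str]]) -> Tuple[str, HstsPolicy]:
    """Verdict for one captured response, given its URL scheme and header list."""
    if scheme.lower() != "https":
        # RFC 6797 section 8.1: STS received over a non-secure transport is ignored,
        # so a finding taken from the plain-http endpoint says nothing about HSTS.
        return "not-applicable", HstsPolicy(present=False, problems=["seen over http"])
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    # RFC 6797 section 8.1: only the first STS field in a response is processed.
    policy = parse_hsts(values[0] if values else None)
    return classify(policy), policy


# Constructed captures: (scheme, response headers) per host, not real data.
SAMPLE_RESPONSES: Dict[str, Tuple[str, List[Tuple[str, str]]]] = {
    "www.example.test": ("https", [
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ]),
    "legacy.example.test": ("https", [("Content-Type", "text/html")]),
    "short.example.test": ("https", [("strict-transport-security", "max-age=300")]),
    "broken.example.test": ("https", [("Strict-Transport-Security", "includeSubDomains")]),
    "plain.example.test": ("http", [("Strict-Transport-Security", "max-age=31536000")]),
}


def triage(captures: Dict[str, Tuple[str, List[Tuple[str, str]]]]) -> Dict[str, str]:
    """Verdict per host; 'missing', 'invalid', 'disabled' and 'short' confirm a finding."""
    return {host: check_response(scheme, hdrs)[0] for host, (scheme, hdrs) in captures.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{host:22} {verdict}")
```

    Feed it the headers of a response captured with something like curl -sI https://host and compare the verdict with the scanner's finding. A plain-http response with no STS header is not a finding, because no browser honors the header there; a "short", "disabled" or "invalid" verdict is a real one that an external rater's scan will also keep seeing until the header is fixed.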

    Insurance

    Great for Risk Monitoring, But Alert Email Config Needs Improvement

    Reviewed on Nov 05, 2025
    Review provided by G2
    What do you like best about the product?
    There are two main features that assist us. The first is to be able to monitor our risk posture from an external perspective and compare ourselves with other like businesses. The other, which is currently very important, is the ability to monitor our Third Parties and be able to make risk-based decisions on whether we do business with them. This is important due to APRA 230 requirements.
    What do you dislike about the product?
    At the moment there are some limitations in how we can configure alert emails.
    What problems is the product solving and how is that benefiting you?
    It is allowing us to achieve compliance with APRA 230 in terms of meeting TPRM obligations. It also allows our GRC team to do risk assessment of Third Parties as well as assisting in assessing compliance to ISO 27001 or SOC standards.
    Hospital & Health Care

    Resourceful and Reliable, with Occasional Glitches

    Reviewed on Nov 04, 2025
    Review provided by G2
    What do you like best about the product?
    How resourceful it is! Very reliable and user friendly.
    What do you dislike about the product?
    Sometimes it glitches out, but all systems have a tendency to do that from time to time.
    What problems is the product solving and how is that benefiting you?
    Being collaborative in unique ways.
    reviewer2774376

    Have improved external security monitoring and vendor oversight but still face accuracy challenges in scan results

    Reviewed on Nov 03, 2025
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Bitsight when I was at Virtusa was to monitor the external security posture for Virtusa, as Bitsight rates your company based on findings on external assets.

    I was part of the internal security team and Bitsight used to report findings, such as open ports on specific IP addresses or web applications owned by Virtusa, and based on that it used to give a rating on the severity based on how severe the vulnerability is or the possibility of any vulnerability. I used to take that information and then fix that problem internally. That is how we used to use Bitsight. Our main aim was to use Bitsight to enhance the security of the company so that our score is good on Bitsight, which really matters.

    What is most valuable?

    The best features Bitsight offers, in my experience, are the ratings that it gives to vulnerabilities and how frequently they conduct scans for a particular company. Bitsight also used to manage our third-party providers regarding how their security is, so it is better for us to manage the vendors we are currently engaged with and the third-party vendors so that we are aware of their security posture as well, instead of us monitoring their security. That is the most useful use case from Bitsight.

    Bitsight gives me a holistic view of my entire security posture, which is something any organization would want to have after getting a tool such as Bitsight. It was sufficient in that way, serving the purpose that we took Bitsight for, and there is something that we continued our relationship. We had annual contracts and then we renewed it every year based on the performance of Bitsight.

    We had internal KPIs based on the number of findings that we finalized from Bitsight and then tracked it internally to work on that. The more vulnerabilities that we close, the rating would subsequently reflect on Bitsight because they work independently; they do not work as we do inside the company. As long as we are fixing the vulnerabilities, we used to see the score getting improved, and that is something that the board of directors and the internal community were looking for.

    What needs improvement?

    Bitsight's scan could be more rigorous and then more accurate.

    I think it would be good to try to see each and everything of the company in a more accurate way.

    Their scan scheduling could be improved and they could take more inputs from the companies they are working with. If they can speed up that process, they would obviously increase that score. We found that some of the findings are clear false positives, but they still report that, and based on that, the rating goes down until we rectify them. So that is something they need to work towards; the number of false positives they are rating should focus on producing more accurate results to get a higher rating.

    How are customer service and support?

    Bitsight had a professional support service where whenever there are any ratings which we know to be a false positive and a wrong finding, we used to get on a call with support from Bitsight to submit our review as to what we found and what the evidence is for it being a false positive, and they used to consider that and then try to revise that internally and adjust the rating accordingly.

    Bitsight is a useful tool to monitor your external posture and it is backed by a good professional support service. The respective other teams such as pre-sales, support service, and customer success team are very good in terms of dealing with customers, so there is something to look for in such products.

    How would you rate customer service and support?

    Neutral

    Which other solutions did I evaluate?

    There is nothing particularly unique about Bitsight because we were also using another product along with Bitsight, and we used to compare the results of Bitsight with that tool and then try to see what the unique proposition or the unique findings are that we can evaluate and then work internally.

    What other advice do I have?

    If the ratings were very poor, low, or below the benchmark that we expected for Virtusa, we used to have a meeting with them, and then try to negotiate if they can improve their security, or else we would discontinue the business with them. So to that extent, we took actions based on the findings that we got from Bitsight. I give Bitsight a six out of ten for this review.
