
Reviews from AWS customer

1 AWS review
  • 5 star: 0
  • 4 star: 1
  • 3 star: 0
  • 2 star: 0
  • 1 star: 0

External reviews

76 reviews

External reviews are not included in the AWS star rating for the product.


4-star reviews

    Suresh A.

Continuous monitoring has strengthened external security and improved customer trust

  • December 10, 2025
  • Review from a verified AWS customer

What is our primary use case?

My main use case for Bitsight is finding vulnerabilities in the wild, especially in internet-facing web applications and networks.

A specific example of how I have used Bitsight is that we do not know the current ongoing issues day-to-day. There are so many vulnerabilities and zero days that are exploitable and outside. With this platform, we are able to detect vulnerabilities quickly and notify the teams using our communication channel. Along with that, it also helps us to remediate quickly because when issues are identified, they should also be included in the remediation part. That is where we were able to sort it out quickly.

Another use case I would add is that Bitsight builds customer trust because it provides a score based on severities or how the system is currently functioning. If our system is secure and we have strengthened the full security, then we will eventually have a good score. That is going to build customer trust.

What is most valuable?

The best features Bitsight offers include heavily using external vulnerability scans or network scans, which we have done for a couple of years.

What I appreciate about the external scans feature in Bitsight is that it gives us continuous visibility into our externally exposed assets, which requires finding misconfigurations or any unexpected exposures much earlier than we would have caught through manual review period scans. This essentially allows my team to find issues quickly, and as we get notified, we can validate our attack surface. It helps us to reduce blind spots. We can prioritize remediation faster and validate changes by deploying fixes. Overall, it strengthens our security posture by monitoring and supporting our compliance programs.

Regarding Bitsight's features, they offer different aspects that I agree with, especially in external scans. They also provide a rating based on your externally facing domains, which helps us to rate our scores and aids in building customer trust. They have the capabilities to assess the attack surface, so those are the main areas they focus on.

Bitsight has positively impacted my organization by improving security and customer trust. It is impact-focused with measurable values that show us, for example, it has reduced our mean time to detect external exposure issues before we relied on periodic scans. Plus, it gives us continuous monitoring. Now we find misconfigurations within hours instead of days or weeks, which directly improves our overall security posture. It reduces risk as we catch high-risk exposures early, especially unexpected cloud assets or testing endpoints that accidentally went public. Each early detection helps us reduce the threat exposure time and strengthen the compliance program.

What needs improvement?

There are areas for improvement; we do notice sometimes finding vulnerabilities which gives us visibility to find them quickly. However, there could be a mechanism they can build on top of that for validation as they identify the issues. What will the real risk be for that identifiable issue? Sometimes it could be open because of the traffic; how they detected it could be seen as vulnerable, but upon testing, it might not be a real issue. It could be a false positive because there could be a honeypot that we built. My thinking is about validation, so if they can build that validation part before they expose the risk to the specific asset, that would help. Additionally, based on their reporting, they could also build risk scores and prioritization, which would also aid us.

I would suggest adding dashboards and custom reporting, which could help us by enabling rich custom reports with filters. That is especially for leadership because they will not look at each technical area, but overall they would be looking at the risk score and what the assets or critical exposure areas are. Customizable reporting based on requirements would be valuable.

I chose 9 out of 10 because the reporting and dashboards would be the first thing I would consider for improvement, and then the second is about the validation part, which could probably improve to 10 out of 10.

I cannot think of too much for additional improvements. Maybe some good automation with the API solutions that could be integrated with the CI/CD pipeline or DevOps tools we are running would also be automated and tested.

For how long have I used the solution?

I have been using Bitsight in my past job as well as in my current job. I would say it is around eight years.

What do I think about the stability of the solution?

Bitsight is stable so far.

What do I think about the scalability of the solution?

The scalability of Bitsight is good; it is a cloud solution, so upon usage, it scales out without being a concern at this moment.

How are customer service and support?

We do interact with Bitsight's support team, and we do get a response back from them as defined in the SLAs.

I would rate the customer support from Bitsight as 10 out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, I used SecurityScorecard, which is a competitor in that space. I think that Scorecard had functional issues, and because of that reason, we switched to Bitsight.

How was the initial setup?

My experience with pricing, setup cost, and licensing for Bitsight is overall good with the current price model.

I feel the current pricing model is fair. The initial setup and licensing process was straightforward. I did not face any challenges in that part.

What was our ROI?

I do not have a good answer regarding return on investment with Bitsight.

Which other solutions did I evaluate?

Before choosing Bitsight, I did not evaluate too many options, but I compared between Bitsight and Scorecard, along with one more tool that I lost the name of, but Bitsight won out of those three.

What other advice do I have?

My advice for others looking into using Bitsight is that it is definitely a great tool, especially to identify blind spots. If your applications are internet-facing and you have customers using your products or your cloud-based solutions, whether SaaS or PaaS, this tool is going to build trust between the customer and the provider. As the tool deploys for your application or domains, it continuously scans and finds vulnerabilities and reports them. As you find and report, it is also going to build your domain score, showing how well you are doing with publicly available applications, especially those that are internet-facing. I gave this review a rating of 9 out of 10.


    Tarang Parmar

Automated monitoring has strengthened our vulnerability visibility and improved remediation workflows

  • December 09, 2025
  • Review provided by PeerSpot

What is our primary use case?

My main use case for Bitsight is to identify the available vulnerabilities on the network side, and I rely on it for that the most.

What is most valuable?

The best features that Bitsight offers include the way of presenting the data, which is very good because you can get proof while reviewing your findings. This helps our infrastructure team identify and fix those findings.

Those features help our team by making things easier. For example, if we have a specific security header missing, Bitsight shows us that, such as HSTS being missing, providing specific details on what header is lacking on our websites.

I would add that Bitsight has a task assignment feature that allows us to keep assigning tasks to different team members so they can work on the specific findings assigned to them. Additionally, it has report features, enabling us to generate reports and send them to our clients to show how well we are remediating issues. We can also share our score with the client to improve our client relations.

Bitsight has positively impacted our organization. After using it, we discovered many things. As I mentioned, we have many vulnerabilities available, and it keeps identifying and showing us them, which is valuable.

What needs improvement?

Bitsight has been good overall, and I do not see any negative points. However, if another organization can spy on us, that is concerning, as they can see our score and we cannot see theirs.

I wish for the addition of features such as leak credentials within Bitsight, which would be more useful because we need to rely on some other third-party tools. If those features were available, there would be no need to use additional tools.

I chose 8 out of 10 because if we receive invites from clients every 45 days, our subscription ends, and we have to renew it. Additionally, it does not show vulnerabilities according to the CVSS score or the impact they are causing. Instead, it labels these vulnerabilities as bad or one, which can be confusing for those unfamiliar with identifying errors. It would be better to categorize them as high vulnerability, critical vulnerability, or low vulnerability.

What other advice do I have?

A quick specific example of how I have used Bitsight to identify a vulnerability is when it helped us catch bad and one vulnerabilities we mostly search for, giving us a better idea if we have any public IP available on the internet that can directly expose us and is already bypassing our firewalls. Those IPs we need to make private to secure ourselves.

In my day-to-day work with Bitsight, we do not have to do any manual scans. We just put our company name and the details, and it automatically identifies all our assets and all our internal things and all the details, such as NS lookup and any other technique it is using. We discover multiple things such as open ports, CSV vulnerabilities, missing security headers, and publicly available IP addresses.

Regarding specific outcomes, earlier we had a bad score of around 600 with many vulnerabilities. After using Bitsight, we know about vulnerabilities whenever they are published or observed, and we keep remediating those vulnerabilities. This actually increased our score to 670.

My advice to others looking into using Bitsight is that it provides a lot of information that was not available before, and it is especially good in recon as it can identify many things about an organization that have never been found earlier, making it a valuable tool.

Overall, I believe Bitsight is good because everything is covered, including user management, so I have no additional thoughts beyond that. I give this product a rating of 8 out of 10.


    Kartik P.

Best Attack Surface Management

  • September 30, 2025
  • Review provided by G2

What do you like best about the product?
Coverage of various vectors as well as ease of use. Also, adding websites or domains under monitoring is easy. It is used on a daily basis.
What do you dislike about the product?
Automatic resolution of finds takes time. Also, more training videos.
What problems is the product solving and how is that benefiting you?
Giving a holistic approach and visibility for various external attack surfaces many of which we are unaware of.


    Chemicals

BitSight Review 1 Aug 2025

  • August 01, 2025
  • Review provided by G2

What do you like best about the product?
The BitSight Rating score is an easily understood metric by companies who wish a quick method to assess DuPont's security posture.
What do you dislike about the product?
The Continuous Monitoring module does not offer the full functionality required to manage the remediations in a proactive manner. We often need the support of the BitSight Account Manager.
What problems is the product solving and how is that benefiting you?
BitSight is providing a measure of how safe it is to do business with the company. If the rating is good, it provides confidence that the company is worth doing business with.


    Brian M.

My overall BitSight experience has been positive.

  • July 28, 2025
  • Review provided by G2

What do you like best about the product?
I have found the most value in two things:
1) The findings table which combines asset discovery with EASM to provide a solid list of issues to be reviewed and addressed
2) The 3rd Party cyber risk module which allows me to compare my overall security posture with similar companies in my vertical.
What do you dislike about the product?
I understand why it is this way, but sometimes it takes a long time to change the security "score" after I've made positive improvements to my company's security posture. A lot of work goes into implementing the fixes and it can take a long time to see the benefit.
What problems is the product solving and how is that benefiting you?
Primarily the EASM Discovery function as well as benchmarking against competitors in our vertical.


    Information Technology and Services

BitSight 3rd party security

  • July 16, 2025
  • Review provided by G2

What do you like best about the product?
There are a lot of features that we leverage as part of our overall 3rd party security program. This includes alerting when a vendor score drops significantly, the ability to see score trends over time, and the flexibility to add/remove suppliers as we need to do so.
What do you dislike about the product?
We get regular alerts on new vulnerabilities found, but the report does not tie those vulnerabilities to the vendors we are monitoring.
What problems is the product solving and how is that benefiting you?
BitSight allows us to meet regulatory and customer requirements around continuous monitoring.


    Maritime

BitSight feedback

  • February 25, 2025
  • Review provided by G2

What do you like best about the product?
Visibility into all the vulnerabilities with some suggestion on remediation as well
What do you dislike about the product?
It is difficult to understand how the scores have been arrived at.
What problems is the product solving and how is that benefiting you?
Making our application more secure


    Salma A.

Great Experience and reactive team!

  • February 18, 2025
  • Review provided by G2

What do you like best about the product?
To have an idea about our company's security posture, an intuitive interface and reactive support team.
What do you dislike about the product?
The long lifetime of some risk vectors after a rescan or the incapability to rescan some findings.
What problems is the product solving and how is that benefiting you?
Anticipating certain cybersecurity attacks.


    Lahiru P.

BitSight's External Attack Surface Management (EASM) solution.

  • January 17, 2025
  • Review provided by G2

What do you like best about the product?
The EASM solution excels in providing clear visibility into external-facing assets.

* Detailed risk prioritization that helps identify critical vulnerabilities quickly.
* The user interface is very good and user-friendly.
* The automation features streamline monitoring tasks effectively.
What do you dislike about the product?
Integrating it seamlessly with other tools could enhance its utility.
Enhance the customizable reporting options

I haven't used BitSight as a customer, nor have I explored its other offerings, but based on my testing, their EASM solution is a solid choice!
What problems is the product solving and how is that benefiting you?
As mentioned earlier, I haven't used BitSight as a customer, nor have I explored its whole product portfolio, but based on my testing, their EASM solution is a solid choice.


    Manu P.

Bitsight: In-Depth Vulnerability Detection and External threats

  • November 12, 2024
  • Review provided by G2

What do you like best about the product?
It provides an overall score of the organization and vulnerability detection. We can also add a subsidiary company as a tree in Bitsight, which is helpful.
What do you dislike about the product?
Hard to use compared to other tools; can be a bit hard to understand at first.
What problems is the product solving and how is that benefiting you?
It gives a threat vector of our internet-facing hosts; with the help of this we can remediate if there are any external threats immediately.