A company with no security team gathers assets, vulnerabilities and policies by hand, then tries to map them to the requirements in separate spreadsheets. For an audit, the evidence stays fragmented and always has to be rebuilt.
CyberAgent
NIS2 readiness, attack surface under continuous watch and validated exploitability: qualified risks and ready evidence, not lists of CVEs.
NIS2 readiness
From the NIS2 directive to evidence, even without an in-house SOC.
CyberAgent maps vulnerabilities and measures to NIS2 requirements, keeps the surface under continuous watch and prepares reports and checklists ready for the board and auditors.
What it is
NIS2 extends cybersecurity obligations to thousands of SMEs in essential and important sectors. It requires adequate technical and organizational measures, vulnerability management and accountability at management-body level.
References
Directive (EU) 2022/2555 (NIS2); Legislative Decree 138/2024 (Italian transposition). Framework: ISO/IEC 27001. Financial sector: Regulation (EU) 2022/2554 (DORA).
What CyberAgent surfaces
Attack surface under control
From a quarterly scan to continuous watch across network, web apps and APIs.
Periodic assessments or costly red teams, with a long window in which new vulnerabilities go unseen. The CVE list grows without a priority that reflects real risk.
Continuous asset discovery and vulnerability assessment, a real-time CVE database, correlation with EPSS and CISA KEV. New exposures surface as they appear, already qualified by risk.
What it is
The attack surface changes every week: new services, subdomains, APIs, dependencies. A periodic scan captures a single moment; between one scan and the next, new exposures stay invisible.
References
Risk sources: CVE (MITRE/NVD), EPSS (FIRST), CISA KEV catalog. Aligned to ISO/IEC 27001 controls and to NIS2 vulnerability-management requirements.
What CyberAgent surfaces
Exploitability validated
Not “how many vulnerabilities”, but “which ones are actually exploitable”.
External red teams engaged once or twice a year, costly and point-in-time. In between, teams work on a CVE list without knowing which ones actually matter.
Automated pentest simulates real attacks on network, web apps and APIs and confirms what is exploitable, continuously. The team receives validated risks, not just alerts.
What it is
A pentest checks whether a vulnerability is concretely exploitable in the real context: attack chains, configurations, reachability. A CVE list ranked by CVSS does not tell you: many “criticals” are not reachable, and some “mediums” are.
References
Reference methodologies: OWASP Testing Guide, PTES. Legitimate use: activities run only on assets whose control has been verified (domain validation).
What CyberAgent surfaces
CyberAgent watches the surface and validates exploitability continuously. Scan scope and intensity are agreed on your case, and every activity runs only on assets whose control has been verified.
