Introduction
May sees an exciting new addition to Hexiosec ASM with scan metrics. We’ve introduced some key statistics about your scan, allowing you to track your security position over time. We also made some other improvements to allow you to add an executive summary to the web presence report and search your secondary assets. We’ve also updated one of our TLS certificate checks to align with updated industry standards.
Scan metrics
We’ve added some key metrics to scans, to allow you to track your key statistics over time, and compare different scans. Instead of using a single, opaque score to rate organisations’ security, we provide a number of meaningful metrics that allow you to assess, compare and track your attack surface’s health.
The metrics we’ve added are:
- Risks per asset - The number of risks relative to the number of primary assets a scan has. This allows you to understand the density of risk within your organisation and compare yours with organisations of any size.
- Days of risk exposure - The average age of your current risks.
- Known exploited risks - The number of CISA known exploited vulnerabilities your organisation has.
- Average EPSS score - The average EPSS probability across all CVEs identified in your scan.
- Days to resolve risks - The average number of days it takes to resolve risks.
Note: Days of risk exposure and Days to resolve risks are only available on continuous scans.
In addition to these metrics being added to the scan overview, you can also review the metrics over time to understand your progress. You can view how each of the metrics has changed over your chosen time period, and review the minimum, maximum and average values for each, and export the data.
Executive summary on the web presence report
In February, we introduced the web presence report. It allows you to visualise everything you have exposed online, and shows you what a user would see if they browsed to every URL identified on your attack surface.
You can now add an executive summary to the report, to provide any additional commentary or context before sharing it with your Board or other stakeholders.
Search Secondary assets
The Secondary page now has a search option, allowing you to more easily search through the domains and IPs that are related but not linked to your scan.
TLS certificate risk for validity over 200 days
As of 15th March 2026, the industry standard for web browsers is to enforce a maximum validity period of 200 days for TLS certificates. If a certificate fails the validity period check, someone browsing to a website using this certificate would be presented with a security warning.
We have added a check for this, so a medium risk will be raised if a certificate with a longer validity period is identified.
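To run the same kind of validity-period check on your own certificates, the following added example (not Hexiosec's code) measures the validity period of certificates given as dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificates are constructed, and the example assumes the limit is only applied to certificates issued on or after 15th March 2026; pass `issued_from=None` to judge every certificate.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 200                                     # limit stated above
ENFORCED_FROM = datetime(2026, 3, 15, tzinfo=timezone.utc)  # date stated above

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server's leaf certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def validity_days(cert):
    """Validity period in days, from the notBefore/notAfter fields."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400

def exceeds_limit(cert, limit=MAX_VALIDITY_DAYS, issued_from=ENFORCED_FROM):
    """True if the validity period is longer than the limit.

    Assumption: certificates issued before `issued_from` are not judged
    against the limit. Use issued_from=None to judge all certificates.
    """
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued_from is not None and issued < issued_from:
        return False
    return validity_days(cert) > limit

def audit(certs, **kwargs):
    """Return the sorted names of certificates that exceed the limit."""
    return sorted(n for n, c in certs.items() if exceeds_limit(c, **kwargs))

# Constructed sample certificates (not real scan data).
SAMPLES = {
    "old-398d.example": {"notBefore": "Jan 10 00:00:00 2026 GMT",
                         "notAfter": "Feb 12 00:00:00 2027 GMT"},
    "new-398d.example": {"notBefore": "Apr  1 00:00:00 2026 GMT",
                         "notAfter": "May  4 00:00:00 2027 GMT"},
    "new-200d.example": {"notBefore": "Apr  1 00:00:00 2026 GMT",
                         "notAfter": "Oct 18 00:00:00 2026 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, validity_days(cert), exceeds_limit(cert))
```

For a live host, pass the result of `fetch_cert("your-hostname")` to `exceeds_limit`.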
Coming soon
We’ve got some exciting features coming over the next couple of months. Please get in touch if there are any features you would like to see us add to our roadmap.
- Tags for results - when a scan produces a large number of results, it can be difficult to manage and prioritise them effectively. We’ll be introducing tagging, allowing you to organise results, filter more easily, and focus on what matters most.
- Supply chain risk management - while Hexiosec ASM already supports scanning your supply chain, we are making some exciting changes to how you can view and manage the risks associated with your supply chain. This includes a dashboard to allow you to view suppliers side by side, and a number of new meaningful metrics which will allow you to really understand the security posture of your supply chain, rather than hiding behind an opaque risk score.