COMPLIANCE · CIS CONTROLS

CIS Controls v8 on your external surface.

The CIS Controls bring together 18 prioritized and internationally recognized security controls. CSURFACE does not cover the 18 — it acts on the external exposure, helping to support the controls that depend on what is visible to the internet.

WHAT ARE THE CIS CONTROLS

A risk-based prioritized framework

The CIS Controls — Critical Security Controls, maintained by the Center for Internet Security — are a set of 18 security controls organized by impact order. Version 8 condenses best practices into concrete and prioritized actions: the goal is to guide where to invest first rather than treating all requirements as equally urgent. It is one of the most adopted security frameworks in the world and serves as the basis for various compliance programs.

The 18 controls cover from asset inventory and vulnerability management to incident response, training, and physical security — a spectrum that goes well beyond what a single tool can address. CSURFACE does not replace a CIS Controls program: it contributes to the portion that depends on external exposure. Everything an organization publishes for the internet — domains, applications, services, subsidiary assets, and digital supply chain assets — needs to be inventoried, secured configured, and monitored for vulnerabilities. It is exactly in this scope where the platform acts.

The following matrix maps, with honesty, the controls that CSURFACE helps sustain and the level of coverage for each one. Where the contribution is partial, we say it is partial. Controls that depend on internal processes, endpoints, identity, or people do not appear here — because the platform does not address them.

COVERAGE

Which CIS Controls does CSURFACE help to meet

The selection below brings only the controls in which the platform genuinely contributes. The other controls of the framework remain under the responsibility of the organization's security program.

Does not cover Partial Good High Complete
CIS ControlCoverageHow CSURFACE contributes
Control 1Inventory and Control of Corporate Assets High Continuous discovery with Machine Learning identifies and classifies assets exposed to the internet — including shadow IT and subsidiary assets not on the official inventory. Coverage is high for the external portion; internal network assets remain out of scope.
Control 2Inventory and Control of Software Assets Partial The platform fingerprints technologies, services, and detectable software versions on exposed assets. It provides an external partial view — does not replace a software inventory authorized at endpoints and internal servers.
Control 4Secure Configuration of Assets and Software Partial External detection of inadequate configurations on exposed assets — unnecessary services published, accessible administrative panels, weak TLS headers and buckets, open directories. Covers what is observed from the outside; internal hardening remains with the organization.
Control 7Continuous Vulnerability Management High Continuous monitoring of vulnerabilities on the external surface, with prioritization by real exploitability — threat intelligence and active exploitation indicators recognized by industry. High coverage in the external perimeter; internal asset vulnerabilities require complementary scanning.
Control 12Network Infrastructure Management Partial Maps the presence of network assets exposed to the internet — domains, IP ranges, edge services and accessible ports — pointing out undocumented exposures. Does not manage internal network infrastructure configuration.
Control 13Network Monitoring and Defense Partial Continuous monitoring of the perimeter signals new exposures and relevant changes on the external surface. It is an external layer of observation, complementary — does not replace SIEM, IDS/IPS or internal traffic monitoring.
Control 15Service Provider Management Good Digital supply chain analysis evaluates the external exposure of third parties connected to your environment, helping to sustain the inclusion of provider risk in the security program. The contractual and governance process with providers remains with the organization.
Control 18Intrusion Testing Partial Validation of exploitability confirms, actively when modules are available, if external exposures are truly exploitable — a continuous input that supports the testing program. The platform also helps to define the right scope for intrusion testing: instead of repeating known targets always, the continuous external inventory directs pentesting towards assets that are actually exposed — including shadow IT, subsidiaries, and supply chain. The attacker follows the path of least resistance; the test scope must reflect this reality. Does not replace a formal and comprehensive intrusion test conducted by experts.

Scope: CSURFACE's contribution focuses on the external exposure — what your organization publishes to the internet. Controls related to endpoints, identity and access, data protection, email and browsers, recovery, training, and incident response are not addressed by the platform and remain under the responsibility of the internal security program.

WHAT YOU GET

Concrete evidence for perimeter controls

Always-updated external inventory

Continuous discovery supports Perimeter Controls 1 and 2 for the exposed portion: you know what is published to the internet, even what was not registered.

Prioritized vulnerabilities by real risk

Control 7 is no longer a static list: the patch queue follows what is being exploited now, in the perimeter that matters.

Path for audit and maturity

Each finding generates dated and auditable evidence, useful for demonstrating the evolution of external exposure controls in CIS Controls maturity assessments.

FREQUENTLY ASKED QUESTIONS

FAQ

Does CSURFACE cover the 18 CIS Controls?

No. The platform acts on the external exposure and contributes to a subset of controls — including Controls 1, 2, 4, 7, 12, 13, 15, and 18. Controls that depend on internal processes, endpoints, identity or people are not addressed by CSURFACE and remain under the responsibility of the organization's security program.

Does CSURFACE replace a CIS Controls program?

No. The CIS Controls form an overarching framework that involves technology, processes, and people. CSURFACE is a component that strengthens external exposure-dependent controls — it complements the program, not replacing it.

Why are some controls marked as partial coverage?

Because CSURFACE observes only what is visible from the internet. For controls like 2 (software inventory) or 12 (network infrastructure), external visibility provides part of the information, but does not cover endpoints, internal servers, and configurations that are only visible within the network. Marking "partial" is a choice in transparency.

Is CSURFACE certified by the Center for Internet Security?

The CIS publishes the control framework, which is an open adoption model; there is no individual product certification in this model. CSURFACE is not certified by CIS — the matrix on this page transparently describes, at what controls and level the platform contributes to the external surface.

See your external surface through the lens of the CIS Controls.

Enter your company domain and receive a preliminary analysis of your external exposure. No card, no meeting required.

Receive preliminary analysis