
The Supervisory Board asked for a risk picture.
For the attack surface, it was missing.

An attack surface the board can steer on

A public-sector organisation with around 1,700 workplaces, blind to most of its own attack surface. We brought it into view, and made it land where the board can steer on it.

Attack surface coverage (live view): complete, the full attack surface in view. Before: OS patches only, fragmented. Blind spot (third-party software, exposed assets): closed. Source: exposure platform, feeding the operational, tactical and strategic views.

Sector: public-sector organisation
Scale: ± 1,700 workplaces
Lead time: insight and decision in 8 to 12 weeks
Frameworks: NIS2, board level

Lead time: 8 to 12 weeks to the first insights and decision-making.
Visibility: complete view of the attack surface, where it used to stop at OS patches.
SBOM: complete Software Bill of Materials, every component mapped.

The challenge

Patching happened. But no one steered.

The Supervisory Board wanted a risk picture: which ICT risks the organisation runs, how they are controlled, and what they could cost. The board could not deliver it, not out of unwillingness, but because the view of its own attack surface simply was not there.

Figure: what was in view (OS patches) against the attack surface as a whole; third-party software, misconfigurations and exposed assets sat in the blind spot, out of view.

  • 01 Vulnerability management was OS patches, driven by whichever patch happened to become available. Not by risk.
  • 02 Third-party software, misconfigurations and everything visible from the outside stayed out of view. That is exactly where most of it sits.
  • 03 No overview, no prioritisation, no owner. Patching happened, but no one steered.
  • 04 And the clock was ticking: the supervisor expected an answer at the next meeting.

The question was never how many vulnerabilities there were. The question was what an attacker could do with them, and whether anyone would see it.

The approach

One picture, at every level.

First see what is there. Then prioritise on what an attacker can really reach. Then make sure it keeps running.

Strategic (board): the risk picture for the board
Tactical (management): prioritisation and ownership
Operational (teams): the patch due tomorrow
01

Open up the attack surface

Sources mapped, unlocked through an exposure platform, all data brought together into one picture: assets, vulnerabilities, misconfigurations and whatever is visible from the outside. On one board for the first time, instead of in separate lists.

02

A risk framework with the organisation itself

Set together with the organisation and its stakeholders: what weighs heavily and who owns it. Prioritisation on exploitability, not on an endless CVSS list no one ever finishes.

03

Insight that steers, at every level

Dashboards at operational, tactical and strategic level. From the patch due tomorrow to the risk picture the supervisor asked for. Everyone looks at the same thing, each at their own altitude.

04

Make it land, not just deliver it

No report that disappears into a drawer. It settled into the governance and the processes, with ongoing guidance on mobilisation and architecture, until it became the organisation’s own cadence.
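The prioritisation of step 02 and the three views of step 03, carried through as an added example that is not the organisation's or the exposure platform's own code: findings are ordered on reachability (exposure, known exploitation, end-of-life) with CVSS only as a tie-breaker, then rolled up into the unowned list the tactical level needs and the likelihood × impact cells of the supervisor's risk matrix. The asset names, the 1..3 weights and the findings themselves are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Finding:
    asset: str
    component: str          # OS, third-party software, appliance firmware...
    cvss: float             # severity as published, not as reachable
    internet_exposed: bool  # visible from the outside
    exploit_known: bool     # public exploit or observed exploitation
    end_of_life: bool       # no fix will ever arrive
    owner: Optional[str]    # team accountable for remediation, or nobody
    impact: str             # business impact of the asset: low/medium/high
IMPACT = {"low": 1, "medium": 2, "high": 3}  # assumed scale

def likelihood(f: Finding) -> int:
    """1..3: can an attacker actually reach this? Assumed weights."""
    score = 1 + int(f.exploit_known) + int(f.internet_exposed)
    if f.end_of_life:
        score = max(score, 2)  # unfixable never drops below 'medium'
    return min(score, 3)

def risk(f: Finding) -> int:
    return likelihood(f) * IMPACT[f.impact]  # the cell in the supervisor's matrix

def by_cvss(findings):
    """The 'endless CVSS list' ordering the page argues against."""
    return sorted(findings, key=lambda f: -f.cvss)

def prioritise(findings):
    """Operational ordering: reachable risk first, CVSS only as tie-breaker."""
    return sorted(findings, key=lambda f: (-risk(f), -f.cvss))

def unowned(findings):
    """Tactical view: findings nobody is accountable for."""
    return [f for f in findings if f.owner is None]

def board_matrix(findings):
    """Strategic view: number of findings per (likelihood, impact) cell."""
    cells = {}
    for f in findings:
        key = (likelihood(f), IMPACT[f.impact])
        cells[key] = cells.get(key, 0) + 1
    return cells

# Constructed sample findings; asset names and values are made up
FINDINGS = [
    Finding("domain-controller", "OS", 9.8, False, False, False, "platform", "high"),
    Finding("citizen-portal", "third-party web framework", 7.5, True, True, False, None, "high"),
    Finding("print-server", "OS, end-of-life", 5.3, False, False, True, "workplace", "low"),
    Finding("vpn-appliance", "appliance firmware", 8.1, True, False, False, "network", "high"),
]
```

On this sample the CVSS list puts the unreachable domain controller first, while the reachable ordering puts the exposed, exploited and unowned portal component at the top.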

The solution

Invisible for years, on the map in one move.

The missing OS patches were not the biggest risk. It was third-party software and misconfigurations, a sprawl of versions and builds, and software well past end-of-life. What stands now keeps it visible and governable.

SBOM · 100%
Software Bill of Materials

Every software component mapped, so version sprawl and end-of-life software can no longer hide anywhere.

Risk matrix · prioritisation (likelihood → impact ↑)

Prioritisation on what an attacker can really reach, with an owner and a fixed cadence.

Continuous view

One continuous, current view of the entire attack surface, not just OS patches.

Dashboards · 3 levels

With these, the board feeds the supervisor’s risk matrix itself, without commissioning an external study each time.

“We now know what is really there. And what we need to do.”

CISO · Public-sector organisation

The result

From a snapshot to steering information that grows with you.

Before
  • Reactive patching on availability
  • Blind to third-party and exposed assets
  • No owner, no prioritisation
  • Answer to the board: an external study
Now
  • Leadership steers on three questions: what is really there, are we doing the right things, are we doing them well?
  • The board feeds the supervisor’s risk matrix itself, with evidence instead of promises.
  • From reactive patching to steering on risk.
  • The start of an organisation that carries it itself.

A similar challenge?

No pitch. One conversation.

One conversation in which we determine whether, and how, this works for your organisation too.

Schedule a conversation

30 minutes with a senior, no pitch.

Speak with an architect. Call directly: 088 - 163 23 25