
Reviews from AWS customer

1 AWS reviews

External reviews

5 reviews
from

External reviews are not included in the AWS star rating for the product.


    Brett Wentworth

Have achieved seamless risk prioritization and enhanced threat hunting capabilities

  • July 10, 2025
  • Review from a verified AWS customer

What is our primary use case?

My use cases for Zafran Security revolve around two primary areas. One is around vulnerability management and prioritization of vulnerabilities and risks because we're a really large company with a lot of acquisitions and tech debt. If you just go by, say, Nessus or a traditional vulnerability scanner, it says you've got about 100,000 vulnerabilities that you need to address. With Zafran Security, it integrates with your security controls, allowing you to take that risk score and reduce it based on the controls in place or increase the risk based on different factors, such as if the issue is internet reachable or if there's an exploit in the wild.

The second use case is around threat hunting. I have the threat hunting team under me and this focuses on zero-day vulnerabilities and industry threats. If you read the news, you can see sometimes a dozen new threats daily about specific vendors or platforms having new vulnerabilities or CVEs that are being actively exploited without a patch yet. My team ingests those reports and prioritizes which represent the biggest risk to my company, Lumen. With Zafran Security, we can quickly identify if we're using that platform or vendor and check the software version running. It gives us insight into compensating controls and identifies which systems should be targeted first for remediation.

What is most valuable?

I see the benefits of Zafran Security as soon as we got our first major integration done. We were a little bit different than most companies, having a non-standard setup. We opted for a private SaaS solution, standing up a small, self-contained version of Zafran Security in our private cloud due to certain government and compliance obligations regarding our vulnerability and risk data. It took a couple of months to set that up, and then about another month for the first integration. We started seeing benefits within the first three to four months, and since then we have been dialing it in with additional integrations.

What needs improvement?

In terms of areas for improvement, Zafran Security is doing a really great job as a new and emerging company. Oftentimes, new companies try to be everything to everyone or overload the system with features, drifting from the core mission. Zafran Security has stayed the course, remaining nimble and responsive to feature requests. I'm struggling to think about what could be done better because we're happy with the technology, features, and support.

In terms of what can be done better, I suggest increased automation and prioritization of new industry threats, especially those related to zero-day vulnerabilities. These come out daily, and they are one of our biggest use cases. We struggle with combing through open-source intelligence, news articles, government partners, and industry peer groups, relying on Zafran Security to help us quickly identify risks for zero-days. Faster automation and prioritization of industry threats is an area where improvement would be beneficial.

For how long have I used the solution?

I have been using Zafran Security for a little over a year, approximately a year and two months since we officially started ramping the partnership.

What do I think about the stability of the solution?

The performance and stability of Zafran Security are extremely fast and meet all of our expectations. It has been stable too, with any issues mainly related to our ongoing tuning of the private SaaS solution. Sometimes the issues stem from the individual security vendors we link to. Zafran Security allows integration with firewalls, EDR, antivirus, and WAF controls, and when problems arise, we partner directly with Zafran to resolve them by opening support cases with those vendors.

What do I think about the scalability of the solution?

The scalability of Zafran Security has been great. We have a very large network, with over 30,000 elements loaded into Zafran Security, and we have licensing to scale further. So far, we haven't seen any performance issues in adding additional hosts or changing protections and loading new signatures. It has been a generally very positive experience.

How are customer service and support?

I have contacted technical support and customer support for Zafran Security.

The support quality for Zafran Security is impressive. We get a ticket number assigned immediately, and we have standing weekly calls to discuss open issues and roadmap items. We have direct escalation paths due to our design partnership, enabling quick support up to their CTO level if necessary. The standard support model allows us to prioritize tickets based on impact and urgency, and the weekly calls help us efficiently manage those tickets.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

I've never used any alternatives to Zafran Security. They are quite unique in what their technology does. Just because they're the first to do this doesn't mean the problem of risk prioritization and threat management hasn't existed for years. I can attest that we've developed some internal tools that addressed similar issues. However, Zafran Security puts more focus and effort toward it and does it far better than anything we can do ourselves.

How was the initial setup?

The initial setup approximately took about three to four months. As an aside, being asked to do a peer review, I acknowledge that our unique situation involves a much more complex setup, while others using the public offering likely experience a more straightforward process.

What about the implementation team?

We do have a direct partnership with Zafran Security as we are in a design partnership. We are just users and partners of Zafran Security and do not resell the solution.

What was our ROI?

From our standpoint, the pricing for Zafran Security is good, especially since we were an early adopter. I know that different companies, as Zafran Security takes off, may have a different pricing model, but it seems worth it and competitive. The return on investment has been significant in a positive way.

What's my experience with pricing, setup cost, and licensing?

Since we stood Zafran Security up in our private cloud, we handle the maintenance on our side. As we opted not to use their public offering, we took responsibility for everything within that boundary. A typical customer of Zafran Security would have them take care of all maintenance.

What other advice do I have?

I'm fine with my name being referenced in the review. I'm already on the Zafran website where they have me giving some positive praise. I think it's fine to include my company, as people can find out where I work easily enough. I appreciate the opportunity to read it before it's published. On a scale of 1-10, I rate Zafran Security a 10 out of 10.


    reviewer2710338

Identifying Critical Vulnerabilities and Saving Time with Comprehensive Partner Support

  • May 23, 2025
  • Review provided by PeerSpot

What is our primary use case?

We brought Zafran Security in to provide continuous threat exposure management, awareness, and vulnerability management.

What is most valuable?

What I appreciate the most about Zafran Security is that it is awesome, and the ability to identify truly critical vulnerabilities that need to be addressed is a standout feature.

We saw benefits from Zafran Security almost immediately after deploying it.

What needs improvement?

We have asked for many feature requests related to Zafran Security, and they have been really responsive. I think the ability to have some enhanced reporting capabilities is something they can improve on, as they have good reports but we have asked for some specific reporting enhancements.

The specific enhancements of Zafran Security are reports that will support our mission, our business' mission, and the mission of our security team.

For how long have I used the solution?

We have been using Zafran Security for just under a year.

What was my experience with deployment of the solution?

I do not know the exact length of time it took to fully deploy Zafran Security, but I know when it was finished.

What do I think about the stability of the solution?

Zafran Security is a very stable platform, with no issues of lagging, crashing, or downtime.

What do I think about the scalability of the solution?

Zafran Security is very extensible, very scalable, and reliable.

How are customer service and support?

I have not contacted Zafran Security's technical support, but my team has.

My team's experience with the support for Zafran Security is excellent.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have evaluated some of the alternatives, and Zafran Security was the leader, which is why we chose them.

How was the initial setup?

The initial deployment of Zafran Security is easy for my team.

What other advice do I have?

The deployment model and cloud provider information are not provided.

I think the pricing of Zafran Security is fair based on our analysis of how much time and effort it saves in terms of FTEs working additional patching, so we were able to cost justify it, even though I am always going to say it is more than I want to pay.

We chose Zafran Security because of their core functionality in exposure management, their willingness to be a partner and not just a vendor, and their eagerness to take our recommendations for feature enhancements, looking to us to make the product better because of our experience with the platform.

We are just a customer of Zafran Security; we are not an official partner or a reseller.

On a scale of one to ten, I rate Zafran Security a nine.


    reviewer2707311

Effective, fast risk reduction with critical threat intelligence updates

  • May 20, 2025
  • Review provided by PeerSpot

What is our primary use case?

Zafran Security is helping reduce the amount of critical vulnerabilities in our environments that require prompt remediation. It has helped us focus on the assets and critical vulnerabilities that actually matter and have a real impact in preventing an incident or breach. Zafran has really helped us stay current with threat intelligence and all the new vulnerability insights that come out, especially for vulnerabilities that are actively exploited and may exist in runtime.

The solution has helped us get new information out in front of those who must remediate immediately, which has allowed us to move swiftly with reducing vulnerability risks on the network. Because of this, the amount of time required to address vulnerability remediation has reduced. The product has also aided us in addressing infamous vulnerabilities and threat actors that are the constant variable in the threat landscape.

How has it helped my organization?

Overall, we have seen about an eighty-seven percent reduction in the number of vulnerabilities that require high urgency to remediate. 

Zafran has also significantly reduced the amount of time to identify which assets are more vulnerable to specific threat actors. The tool has also cleaned up our vulnerability database and centralized all of our data sources, eliminating the need to jump between multiple tools.

What is most valuable?

The compensating controls consideration of Zafran brings a new light to TVM that we've never had before. It is unique compared to other Continuous Threat Exposure Management (CTEM) platforms where vulnerability risk is adjusted based off protections in place for our assets. When we were going to market for a solution, this feature alone drew our attention. Integrating with our existing security stack and encompassing all of this data together has been game changing.

What needs improvement?

The dashboarding and reporting functionality of Zafran Security is an area that definitely could use some improvements. Overall, you get some dashboards and widgets to start with that are helpful, but customization was lacking. It is definitely a weaker point of the product right now, but I am confident this will be changing soon!

For how long have I used the solution?

We have been using Zafran Security for about eight months.

What do I think about the stability of the solution?

We have never experienced any downtime, crashing, or slowness with Zafran.

What do I think about the scalability of the solution?

Scalability with Zafran Security can happen very quickly because it is an easy solution to implement. Because it leverages existing investments in your environments and technologies you own, the scalability is very quick and easy for anything more. If you have a new solution you are bringing in, you would be able to easily integrate that because Zafran Security supports dozens of integrations, and they continue to add more, so they are scaling with you. If you had a particular need to do a more custom integration, they could build you an integration within a month.

How are customer service and support?

We have contacted the technical support of Zafran Security through their support portal, and they have provided very quick responses. They listen to our feedback and have been very responsive. We have had phone calls with some of their leadership for specific use cases and feature requests. Overall, it has been very good, and we have always achieved a resolution.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

No

How was the initial setup?

The initial deployment of Zafran Security was very easy. The solution does not require a lot of infrastructure to stand up and support. It is a cloud-based solution that leverages your on-premise or cloud-hosted security components and tools. It simply requires pointing all of those to their cloud, which made it very easy and seamless to implement.

What about the implementation team?

The deployment of Zafran Security required maybe two people, definitely not a full team. Zafran's staff truly feel like a part of our team and it's easy to tell they care about your organization just as much as you do. Their engineers and technical folks have been able to answer all of our questions and allowed implementation to go very smoothly.

It took probably about six to seven months to fully deploy Zafran Security, primarily because we had to do a lot of training. We have a fairly big group using this tool. The technology itself being stood up and implemented with the integrations and data only took about three or four months.

What's my experience with pricing, setup cost, and licensing?

The current pricing of Zafran Security is fair overall. They were good to work with to accommodate our organization with a longer-term cost model that worked best for us, so they are a good partner in that respect.

Which other solutions did I evaluate?

We have never used any CTEM alternatives to Zafran Security that include the compensating controls factor, and we're not aware of any equivalent product that does this. The only comparison that has come close is a tool called xDome from Claroty. That tool does some vulnerability data aggregation and risk analysis for vulnerabilities but it does not auto calculate compensating control effects on vulnerabilities.

What other advice do I have?

On a scale from one to ten, we would rate Zafran Security a nine for support.

They were able to guide us every step of the way to implement the solution, taking out the guesswork.

Overall, we would rate Zafran Security a nine out of ten for everything.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other


    reviewer2668548

Reduces the stress level of the patching teams because fewer vulnerabilities will be rated critical

  • April 10, 2025
  • Review provided by PeerSpot

What is our primary use case?

We connect this to our vulnerability scanner as input, our security tools to better determine risk, and our change management tool to provide risk-based vulnerabilities to the remediation teams.

We have three use cases:
1) What is the real Applicable Risk in our environment for new, risky vulnerabilities, especially Zero Day and CISA KEVs?

2) Do the security tools that we have in place today reduce the risk of those vulnerabilities such that we don't have to panic and patch?

3) When the patch remediation team submits an exception to delay patching a particular vulnerability on a particular system, what is the risk of accepting that exception?

How has it helped my organization?

We are able to see the real risk of a vulnerability on our environment with our security tools. We don't have to panic patch for high CVSS/EPSS scored vulnerabilities that are on systems that are protected by our network and system security tools.

Overall, we can adjust the risk-based expectations to remediate vulnerabilities to the Applicable risk. This, in turn, will reduce the stress level of the patching teams because fewer vulnerabilities will be rated Critical or High which causes quicker expectations for patching.

I advise you to look at this if you want to improve your maturity in vulnerability management.

What is most valuable?

Integration with security tools to determine the real risk. This is one of the key differentiators: CVSS and EPSS are not always completely accurate for every organization. By connecting directly to these tools, Zafran is able to determine if a security tool alerts or blocks on exploits for an open vulnerability. If the system is protected with a block mode prevention capability in a security tool, the applicable risk is reduced. This can provide more measured and change-managed patching and remediation. We are continuing to add new integrations as we bring them into the company, including a Breach & Attack (BAS) tool. While you have options on what tools to integrate with, the more you integrate, the better it is to determine Applicable Risk.

What needs improvement?

Zafran is a new startup. Features are continuously being added or improved.

1) Continued integrations with existing (less popular) security tools. Not everyone is using the Gartner Magic Quadrant upper right corner security tools, so additional tools will continue to be onboarded as requested.

2) Bringing in anything considered a gap or weakness. This includes AppSec tools using CWEs and System Configuration tools based on CIS Benchmarks to further determine if an exploit is currently blocked or prevented across the entire vulnerability spectrum.

For how long have I used the solution?



    Reviewer6233

Has become an indispensable tool in our cybersecurity arsenal

  • March 12, 2025
  • Review provided by PeerSpot

What is our primary use case?

Our primary use case for Zafran involves leveraging it to enhance our vulnerability risk scoring methodology. In today's rapidly evolving threat landscape, accurately prioritizing vulnerabilities is crucial, and Zafran provides us with the necessary tools to achieve this. It seamlessly integrates with our existing security infrastructure, including Endpoint Detection and Response (EDR), Next-Generation Firewalls (NGFW), and Web Application Firewalls (WAF). By doing so, Zafran assesses the risk reduction capabilities these controls offer against the exploitation of identified vulnerabilities.

One of the standout features of Zafran is its ability to analyze and augment risk scores by considering real-world mitigating factors that might not be apparent through standard vulnerability assessments. Traditional methods often highlight numerous vulnerabilities, many of which are not immediately exploitable or are mitigated by existing security measures. Zafran helps us cut through the noise by highlighting truly critical vulnerabilities—those with either insufficient or no mitigating controls in place. This refinement allows our security team to focus on addressing vulnerabilities that pose the highest risk, significantly enhancing our efficiency and security posture.

Beyond risk scoring, Zafran enriches our understanding of our risk landscape by providing insights into various situational aspects. It detects internet-facing assets, evaluates whether a vulnerable process is actively running, and checks for the presence of known threats targeting specific weaknesses. These additional layers of context are invaluable, allowing us to make informed decisions quickly and effectively.

Incorporating Zafran into our security operations has improved our overall vulnerability management strategy. It not only helps in prioritizing vulnerabilities but also supports strategic decision-making by providing a holistic view of our threat environment. This ensures that scarce resources are used effectively, focusing on vulnerabilities that require immediate attention and intervention.

Zafran's user-friendly interface and comprehensive reporting capabilities make it accessible to our entire security team. Reports generated through Zafran are detailed and actionable, equipping our analysts with the insights needed to communicate risks effectively across different stakeholders within the organization.

Zafran has become an indispensable tool in our cybersecurity arsenal. Enhancing our vulnerability risk scoring methodology not only aids in identifying critical vulnerabilities but also ensures that our mitigation efforts are strategically aligned with the realities of our operational environment. In an era where cyber threats are increasingly sophisticated, having a nuanced understanding of our vulnerability risk is invaluable, and Zafran delivers precisely that. With Zafran, we've moved beyond arbitrary scoring to a more strategic, context-aware assessment of vulnerabilities, significantly bolstering our capacity to protect our assets and reduce risk enterprise-wide.

How has it helped my organization?

Zafran Security has brought significant improvements to our organization by refining how we manage vulnerabilities and risk prioritization. Primarily, it has reduced the number of urgent critical vulnerabilities by accurately highlighting those that need immediate attention, allowing our security team to focus on truly high-risk issues. The platform’s integration with our existing controls, such as EDR, NGFW, and WAF, provides a comprehensive analysis of risk mitigation, thereby maximizing resource utilization and demonstrating the value of our controls. Additionally, the contextual insights from Zafran, like identifying if vulnerable processes are in runtime and detecting internet-facing assets, enhance our threat intelligence, enabling informed decision-making. As a result, it strengthens our overall security posture by ensuring that we allocate resources effectively, minimize risk exposure, and maintain continuous protection against evolving threats. Overall, Zafran not only enhances operational efficiency but also ensures strategic alignment of cybersecurity efforts with organizational goals.

What is most valuable?

The features we have found most valuable in Zafran Security are the Mitigations and Exposure Tracker modules, as they significantly enhance our risk management processes. The Mitigations module is particularly beneficial because it identifies impactful risk-reducing measures that can be implemented by simply enabling minimal features. This efficiency allows us to bolster our security posture without substantial changes to our existing processes or infrastructure. It's incredibly useful for prioritizing actions that yield maximum security benefits with minimal effort, ensuring that our resources are utilized where they make the most difference.

Meanwhile, the Exposure Tracker module provides an insightful view of our risk landscape over time. By allowing us to monitor changes and trends in our vulnerability exposure, we can proactively adjust our defenses in response to evolving threats. This ongoing assessment capability is crucial in maintaining a dynamic and responsive cybersecurity strategy, as it helps us to track risk levels and ensure ongoing vigilance. Together, these features maximize our ability to manage vulnerabilities effectively.

What needs improvement?

While Zafran Security is already a powerful tool, there are areas where it could be further improved to provide even greater value. One key area for enhancement is the searching capabilities within its vulnerabilities module. By incorporating the ability to create Boolean searches, users would gain the ability to apply more complex filters and customize their search criteria. This would greatly enhance the precision and efficiency with which security teams can identify and prioritize vulnerabilities. Having such tailored search capabilities would save time and resources by narrowing down vast lists of vulnerabilities to those that meet specific parameters relevant to our unique risk environment.

Additionally, integrating more robust reporting and visualization tools would be advantageous. Enhanced dashboards that offer customizable visual representations of risk configurations and threat landscapes would facilitate better communication with stakeholders, making it easier to explain vulnerabilities and the rationale behind certain security measures. This would also aid in demonstrating the improvements and value derived from existing security investments to leadership and non-technical team members.

For how long have I used the solution?

I have been using Zafran Security since October 2023.

What do I think about the scalability of the solution?

Initially, we were somewhat concerned about the scalability of Zafran due to our large asset count and the substantial amount of information we needed to process. We did experience some slow response times on the platform at first. However, after reporting these issues to the support team, they were addressed promptly, and we haven’t encountered any further problems since. 

Now, Zafran handles our data efficiently and scales well with our needs, allowing us to manage our extensive asset portfolio seamlessly. This experience has reinforced our confidence in Zafran's ability to grow with our organization and support our expanding requirements effectively.

How are customer service and support?

Our experience with Zafran's customer service and support has been excellent. Their team consistently meets or even exceeds our expectations, adhering to our defined service level agreements (SLAs) effectively. Whenever we've reached out with requests or issues, they have responded promptly and with thorough solutions. I genuinely feel that the support team goes above and beyond to ensure we're satisfied and fully informed, providing not just answers but also guidance that enhances our overall use of the product. This strong support relationship adds tremendous value to our investment in Zafran and reinforces our confidence in their solutions.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use a different solution prior to implementing Zafran. It was introduced as a new tool because it offered unique capabilities that were not available in our previous cybersecurity setup. Zafran provided us with an innovative approach to vulnerability risk assessment and management, enabling us to analyze and prioritize threats in ways that were not possible before. Its integration features, alongside the ability to offer real-time insights into our security posture, made it an ideal choice as our first comprehensive vulnerability management tool. This innovative addition has since been instrumental in enhancing our cybersecurity strategy and effectively managing our risk landscape.

What about the implementation team?

We deployed it in-house.

What's my experience with pricing, setup cost, and licensing?

I find that the pricing for Zafran aligns well with the comprehensive features it offers. The asset and user-based licensing model is particularly advantageous as it allows for scalability in line with our organizational needs. When considering setup costs, it's important to ensure that you're fully aware of what is included in your package, as this can vary depending on the size and requirements of your organization. I advise others to evaluate their asset count and user base carefully to choose the appropriate licensing tier. Additionally, take advantage of any support or onboarding services that Zafran may provide to ensure a smooth implementation process. 

Overall, the cost reflects the value and capabilities Zafran brings to vulnerability management.

Which other solutions did I evaluate?

No


    Israel Cavazos Landini

Weekly insights and risk analysis facilitate informed security decisions

  • February 26, 2025
  • Review provided by PeerSpot

What is our primary use case?

We use Zafran Security for threat prioritization. We establish priority to understand which risks should be patched or mitigated first.

What is most valuable?

I appreciate the weekly insights Zafran provides, which include critical topics for networks and IT security, allowing us to evaluate which insights apply to our environment. The organization score feature is valuable to keep the leadership team updated on how our infrastructure fares security-wise. The applicable risk level versus base risk level feature is beneficial because prior to Zafran, we only used the base risk level, but now understand that risk depends on the asset itself. Zafran is an excellent tool.

What needs improvement?

I would like to see an integration with Check Point firewalls. It's essential for us and they are currently working on it.

For how long have I used the solution?

I have been using Zafran Security for almost a year.

What do I think about the stability of the solution?

I have not experienced any stability or reliability issues with Zafran Security.

What do I think about the scalability of the solution?

I have not faced any scalability issues with Zafran Security.

How are customer service and support?

The Zafran tech support is excellent. They respond quickly, usually within a day or less, despite their operations being based in Israel. We are a global company and understand their time zone, so for example, they do not answer on Fridays, but we receive responses on Sundays.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We did not have a similar solution before Zafran Security.

How was the initial setup?

The initial setup was complex due to our complex environment, but the tool itself is easy to set up. We had a proof of concept for several months, and implementation took around four months.

What about the implementation team?

Our implementation was done in-house with support from the vendor.

What was our ROI?

We are replacing another old tool, and we anticipate a return on investment in approximately three years.

What's my experience with pricing, setup cost, and licensing?

Pricing for Zafran Security is not expensive. We have a contract for five years, and the cost is lower than other tools, making it economically viable for us.

Which other solutions did I evaluate?

We evaluated other options, but I do not remember the names.

What other advice do I have?

I recommend Zafran Security because it is an easy-to-use tool, and the prioritization displayed on the main screen is impressive. I would recommend it to any user. On a scale of one to ten, I would rate the overall solution a nine.

Which deployment model are you using for this solution?

Public Cloud

