My use cases for Zafran Security revolve around two primary areas. One is around vulnerability management and prioritization of vulnerabilities and risks because we're a really large company with a lot of acquisitions and tech debt. If you just go by, say, Nessus or a traditional vulnerability scanner, it says you've got about 100,000 vulnerabilities that you need to address. With Zafran Security, it integrates with your security controls, allowing you to take that risk score and reduce it based on the controls in place or increase the risk based on different factors, such as if the issue is internet reachable or if there's an exploit in the wild.

The second use case is around threat hunting. I have the threat hunting team under me and this focuses on zero-day vulnerabilities and industry threats. If you read the news, you can see sometimes a dozen new threats daily about specific vendors or platforms having new vulnerabilities or CVEs that are being actively exploited without a patch yet. My team ingests those reports and prioritizes which represent the biggest risk to my company, Lumen. With Zafran Security, we can quickly identify if we're using that platform or vendor and check the software version running. It gives us insight into compensating controls and identifies which systems should be targeted first for remediation.

I see the benefits of Zafran Security as soon as we got our first major integration done. We were a little bit different than most companies, having a non-standard setup. We opted for a private SaaS solution, standing up a small, self-contained version of Zafran Security in our private cloud due to certain government and compliance obligations regarding our vulnerability and risk data. It took a couple of months to set that up, and then about another month for the first integration. We started seeing benefits within the first three to four months, and since then we have been dialing it in with additional integrations.

In terms of areas for improvement, Zafran Security is doing a really great job as a new and emerging company. Oftentimes, new companies try to be everything to everyone or overload the system with features, drifting from the core mission. Zafran Security has stayed the course, remaining nimble and responsive to feature requests. I'm struggling to think about what could be done better because we're happy with the technology, features, and support.

In terms of what can be done better, I suggest increased automation and prioritization of new industry threats, especially those related to zero-day vulnerabilities. These come out daily, and they are one of our biggest use cases. We struggle with combing through open-source intelligence, news articles, government partners, and industry peer groups, relying on Zafran Security to help us quickly identify risks for zero-days. Faster automation and prioritization of industry threats is an area where improvement would be beneficial.

I have been using Zafran Security for a little over a year, approximately a year and two months since we officially started ramping the partnership.

The performance and stability of Zafran Security are extremely fast and meet all of our expectations. It has been stable too, with any issues mainly related to our ongoing tuning of the private SaaS solution. Sometimes the issues stem from the individual security vendors we link to. Zafran Security allows integration with firewalls, EDR, antivirus, and WAF controls, and when problems arise, we partner directly with Zafran to resolve them by opening support cases with those vendors.

The scalability of Zafran Security has been great. We have a very large network, with over 30,000 elements loaded into Zafran Security, and we have licensing to scale further. So far, we haven't seen any performance issues in adding additional hosts or changing protections and loading new signatures. It has been a generally very positive experience.

I have contacted technical support and customer support for Zafran Security.

The support quality for Zafran Security is impressive. We get a ticket number assigned immediately, and we have standing weekly calls to discuss open issues and roadmap items. We have direct escalation paths due to our design partnership, enabling quick support up to their CTO level if necessary. The standard support model allows us to prioritize tickets based on impact and urgency, and the weekly calls help us efficiently manage those tickets.

Negative

I've never used any alternatives to Zafran Security. They are quite unique in what their technology does. Just because they're the first to do this doesn't mean the problem of risk prioritization and threat management hasn't existed for years. I can attest that we've developed some internal tools that addressed similar issues. However, Zafran Security puts more focus and effort toward it and does it far better than anything we can do ourselves.

The initial setup approximately took about three to four months. As an aside, being asked to do a peer review, I acknowledge that our unique situation involves a much more complex setup, while others using the public offering likely experience a more straightforward process.

We do have a direct partnership with Zafran Security as we are in a design partnership. We are just users and partners of Zafran Security and do not resell the solution.

From our standpoint, the pricing for Zafran Security is good, especially since we were an early adopter. I know that different companies, as Zafran Security takes off, may have a different pricing model, but it seems worth it and competitive. The return on investment has been significant in a positive way.

Since we stood Zafran Security up in our private cloud, we handle the maintenance on our side. As we opted not to use their public offering, we took responsibility for everything within that boundary. A typical customer of Zafran Security would have them take care of all maintenance.

I'm fine with my name being referenced in the review. I'm already on the Zafran website where they have me given some positive praise. I think it's fine to include my company, as people can find out where I work easily enough. I appreciate the opportunity to read it before it's published. On a scale of 1-10, I rate Zafran Security a 10 out of 10.

We connect this to our vulnerability scanner as input, our security tools to better determine risk, and our change management tool to provide risk-based vulnerabilities to the remediation teams.

We have three use cases:
1) What is the real Applicable Risk in our environment for new, risky vulnerabilities, especially Zero Day and CISA KEVs?

2) Do the security tools that we have in place today reduce the risk of those vulnerabilities such that we don't have to panic and patch?

3) When the patch remediation team submits an exception to delay patching a particular vulnerability on a particular system, when is the risk of accepting that exception?

We are able to see the real risk of a vulnerability on our environment with our security tools. We don't have to panic patch for high CVSS/EPSS scored vulnerabilities that are on system that are protected by our network and system security tools.

Overall, we can adjust the risk-based expectations to remediate vulnerabilities to the Applicable risk. This, in turn, will reduce the stress level of the patching teams because fewer vulnerabilities will be rated Critical or High which causes quicker expectations for patching.

I advise you to look at this if you want to improve your maturity in vulnerability management.

Integration with security tools to determine the real risk. This is one of the key differentiators: CVSS and EPSS are not always completely accurate for every organization. By connecting directly to these tools, Zafran is able to determine if a security tool alerts or blocks on exploits for an open vulnerability. If the system is protected with a block mode prevention capability in a security tool, the applicable risk is reduced. This can provide more measured and change-managed patching and remediation. We are continuing to add new integrations as we bring them into the company, including a Breach & Attack (BAS) tool. While you have options on what tools to integrate with, the more you integrate, the better it is to determine Applicable Risk.

Zafran is a new startup. Features are continuously being added or improved.

1) Continued integrations with existing (less popular) security tools. Not everyone is using the Gartner Magic Quadrant upper right corner security tools, so additional tools will continue to be onboarded as requested.

2) Bringing in anything considered a gap or weakness. This includes AppSec tools using CWEs and System Configuration tools based on CIS Benchmarks to further determine if an exploit is currently blocked or prevented across the entire vulnerability spectrum.

Our primary use case for Zafran involves leveraging it to enhance our vulnerability risk scoring methodology. In today's rapidly evolving threat landscape, accurately prioritizing vulnerabilities is crucial, and Zafran provides us with the necessary tools to achieve this. It seamlessly integrates with our existing security infrastructure, including Endpoint Detection and Response (EDR), Next-Generation Firewalls (NGFW), and Web Application Firewalls (WAF). By doing so, Zafran assesses the risk reduction capabilities these controls offer against the exploitation of identified vulnerabilities.

One of the standout features of Zafran is its ability to analyze and augment risk scores by considering real-world mitigating factors that might not be apparent through standard vulnerability assessments. Traditional methods often highlight numerous vulnerabilities, many of which are not immediately exploitable or are mitigated by existing security measures. Zafran helps us cut through the noise by highlighting truly critical vulnerabilities—those with either insufficient or no mitigating controls in place. This refinement allows our security team to focus on addressing vulnerabilities that pose the highest risk, significantly enhancing our efficiency and security posture.

Beyond risk scoring, Zafran enriches our understanding of our risk landscape by providing insights into various situational aspects. It detects internet-facing assets, evaluates whether a vulnerable process is actively running, and checks for the presence of known threats targeting specific weaknesses. These additional layers of context are invaluable, allowing us to make informed decisions quickly and effectively.

Incorporating Zafran into our security operations has improved our overall vulnerability management strategy. It not only helps in prioritizing vulnerabilities but also supports strategic decision-making by providing a holistic view of our threat environment. This ensures that scarce resources are used effectively, focusing on vulnerabilities that require immediate attention and intervention.

Zafran's user-friendly interface and comprehensive reporting capabilities make it accessible to our entire security team. Reports generated through Zafran are detailed and actionable, equipping our analysts with the insights needed to communicate risks effectively across different stakeholders within the organization.

Zafran has become an indispensable tool in our cybersecurity arsenal. Enhancing our vulnerability risk scoring methodology, not only aids in identifying critical vulnerabilities but also ensures that our mitigation efforts are strategically aligned with the realities of our operational environment. In an era where cyber threats are increasingly sophisticated, having a nuanced understanding of our vulnerability risk is invaluable, and Zafran delivers precisely that. With Zafran, we've moved beyond arbitrary scoring to a more strategic, context-aware assessment of vulnerabilities, significantly bolstering our capacity to protect our assets and reduce risk enterprise-wide.

Zafran Security has brought significant improvements to our organization by refining how we manage vulnerabilities and risk prioritization. Primarily, it has reduced the number of urgent critical vulnerabilities by accurately highlighting those that need immediate attention, allowing our security team to focus on truly high-risk issues. The platform’s integration with our existing controls, such as EDR, NGFW, and WAF, provides a comprehensive analysis of risk mitigation, thereby maximizing resource utilization and demonstrating the value of our controls. Additionally, the contextual insights from Zafran, like identifying if vulnerable processes are in runtime and detecting internet-facing assets, enhance our threat intelligence, enabling informed decision-making. As a result, it strengthens our overall security posture by ensuring that we allocate resources effectively, minimize risk exposure, and maintain continuous protection against evolving threats. Overall, Zafran not only enhances operational efficiency but also ensures strategic alignment of cybersecurity efforts with organizational goals.

The features we have found most valuable in Zafran Security are the Mitigations and Exposure Tracker modules, as they significantly enhance our risk management processes. The Mitigations module is particularly beneficial because it identifies impactful risk-reducing measures that can be implemented by simply enabling minimal features. This efficiency allows us to bolster our security posture without substantial changes to our existing processes or infrastructure. It's incredibly useful for prioritizing actions that yield maximum security benefits with minimal effort, ensuring that our resources are utilized where they make the most difference.

Meanwhile, the Exposure Tracker module provides an insightful view of our risk landscape over time. By allowing us to monitor changes and trends in our vulnerability exposure, we can proactively adjust our defenses in response to evolving threats. This ongoing assessment capability is crucial in maintaining a dynamic and responsive cybersecurity strategy, as it helps us to track risk levels and ensure ongoing vigilance. Together, these features maximize our ability to manage vulnerabilities effectively.

While Zafran Security is already a powerful tool, there are areas where it could be further improved to provide even greater value. One key area for enhancement is the searching capabilities within its vulnerabilities module. By incorporating the ability to create Boolean searches, users would gain the ability to apply more complex filters and customize their search criteria. This would greatly enhance the precision and efficiency with which security teams can identify and prioritize vulnerabilities. Having such tailored search capabilities would save time and resources by narrowing down vast lists of vulnerabilities to those that meet specific parameters relevant to our unique risk environment.

Additionally, integrating more robust reporting and visualization tools would be advantageous. Enhanced dashboards that offer customizable visual representations of risk configurations and threat landscapes would facilitate better communication with stakeholders, making it easier to explain vulnerabilities and the rationale behind certain security measures. This would also aid in demonstrating the improvements and value derived from existing security investments to leadership and non-technical team members.

I have been using Zafran Security since October 2023.

Initially, we were somewhat concerned about the scalability of Zafran due to our large asset count and the substantial amount of information we needed to process. We did experience some slow response times on the platform at first. However, after reporting these issues to the support team, they were addressed promptly, and we haven’t encountered any further problems since. 

Now, Zafran handles our data efficiently and scales well with our needs, allowing us to manage our extensive asset portfolio seamlessly. This experience has reinforced our confidence in Zafran's ability to grow with our organization and support our expanding requirements effectively.

Our experience with Zafran's customer service and support has been excellent. Their team consistently meets or even exceeds our expectations, adhering to our defined service level agreements (SLAs) effectively. Whenever we've reached out with requests or issues, they have responded promptly and with thorough solutions. I genuinely feel that the support team goes above and beyond to ensure we're satisfied and fully informed, providing not just answers but also guidance that enhances our overall use of the product. This strong support relationship adds tremendous value to our investment in Zafran and reinforces our confidence in their solutions.

Positive

We did not use a different solution prior to implementing Zafran. It was introduced as a new tool because it offered unique capabilities that were not available in our previous cybersecurity setup. Zafran provided us with an innovative approach to vulnerability risk assessment and management, enabling us to analyze and prioritize threats in ways that were not possible before. Its integration features, alongside the ability to offer real-time insights into our security posture, made it an ideal choice as our first comprehensive vulnerability management tool. This innovative addition has since been instrumental in enhancing our cybersecurity strategy and effectively managing our risk landscape.

We deployed it in-house.

I find that the pricing for Zafran aligns well with the comprehensive features it offers. The asset and user-based licensing model is particularly advantageous as it allows for scalability in line with our organizational needs. When considering setup costs, it's important to ensure that you're fully aware of what is included in your package, as this can vary depending on the size and requirements of your organization. I advise others to evaluate their asset count and user base carefully to choose the appropriate licensing tier. Additionally, take advantage of any support or onboarding services that Zafran may provide to ensure a smooth implementation process. 

Overall, the cost reflects the value and capabilities Zafran brings to vulnerability management.

No