Patents by Inventor Matthew Kraning

Matthew Kraning has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11949657
    Abstract: Introduced here are Internet monitoring platforms configured to define, monitor, and assess the boundary of a private network associated with a client. By monitoring the entire Internet, a private network, and relationships between these networks, an Internet monitoring platform can discover changes in the boundary of the private network that is defined by those assets on the private network capable of interfacing with a public network, such as the Internet. The Internet monitoring platform may, in response to discovering the boundary of the private network has experienced a change, identify an appropriate remediation action by mapping the change to a technological issue, a relevant business relationship, etc. For example.
    Type: Grant
    Filed: August 2, 2021
    Date of Patent: April 2, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Lisa Catherine Wallace, Matthew Kraning, Gregory Toto
  • Patent number: 11777807
    Abstract: A set of identifying elements of a first network is determined from a set of data. For each identifying element of the set of identifying elements, a first frequency at which the identifying element is associated with a first set of systems connected to the first network is determined, and a second frequency at which the identifying element is associated with a second set of systems of other networks accessible via the Internet is determined. It is determined if each identifying element is associated with the first set of systems at a greater frequency than with the second set of systems based, at least in part, on the first frequency and the second frequency. If an identifying element is associated with the first set of systems at a greater frequency than with the second set of systems, the identifying element is indicated as a fingerprint of the first network.
    Type: Grant
    Filed: June 3, 2021
    Date of Patent: October 3, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Timothy Junio, Matthew Kraning
  • Patent number: 11588857
    Abstract: Systems and methods for network asset lifecycle management are described. Network assets may include ephemeral Internet-accessible assets such as IP addresses, domain names, digital certificates, and cloud infrastructure accounts. A set of addresses associated with a computer network such as the Internet are scanned. Response data is received from one or more network systems connected to the computer network and processed to identify one or more network assets associated with an entity such as an enterprise organization. Asset data indicative of the identified network assets are then stored to build a record of the network assets associated with the entity.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: February 21, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Matthew Kraning, Gregory Toto, Gregory Heon, Haley Sayres, Peter Sorrentino
  • Patent number: 11526564
    Abstract: A system for an event driven query includes an input interface and a processor. The input interface is configured to receive an indication from an external system. The processor is configured to determine a scanning query based at least in part on the indication; and perform the scanning query.
    Type: Grant
    Filed: September 15, 2020
    Date of Patent: December 13, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Matthew Kraning, Timothy Junio
  • Patent number: 11374957
    Abstract: Introduced here are security management platforms configured to estimate the risk posed by a public communication activity that involves an internal Internet Protocol (IP) address that resides on an internal network. Initially, a security management platform can examine network data to detect a public communication activity involving an internal IP address and an external IP address. Thereafter, the security management platform can probe the external IP address by transmitting a query designed to elicit a response, and then evaluate a risk posed by the public communication activity by analyzing response(s) received from the external IP address, if any, responsive to the query. For example, the security management platform may be able to determine whether a service determined to be vulnerable to unauthorized access is running on the external IP address.
    Type: Grant
    Filed: October 22, 2018
    Date of Patent: June 28, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Matthew Kraning, Gregory Heon, Pamela Toman
  • Publication number: 20210367925
    Abstract: Introduced here are Internet monitoring platforms configured to define, monitor, and assess the boundary of a private network associated with a client. By monitoring the entire Internet, a private network, and relationships between these networks, an Internet monitoring platform can discover changes in the boundary of the private network that is defined by those assets on the private network capable of interfacing with a public network, such as the Internet. The Internet monitoring platform may, in response to discovering the boundary of the private network has experienced a change, identify an appropriate remediation action by mapping the change to a technological issue, a relevant business relationship, etc. For example.
    Type: Application
    Filed: August 2, 2021
    Publication date: November 25, 2021
    Inventors: Lisa Catherine Wallace, Matthew Kraning, Gregory Toto
  • Publication number: 20210367965
    Abstract: A distributed system of scanning nodes is provided job portions to collectively scan network systems numbering in the tens of thousands and beyond million across the Internet. A scanning controller creates the job portions to fulfill a scanning request. The scanning controller creates the job portions based on availability of scanning nodes and a size of the scanning request (i.e., number of network addresses indicated by the request). The scanning controller creates each job portion with scanning instructions for an available scanning node to execute on a selected set of the network addresses indicated in the request, with each job portion having a different set of addresses to scan and being independently executable.
    Type: Application
    Filed: August 3, 2021
    Publication date: November 25, 2021
    Inventors: Matthew Kraning, Matthew Anderson, Peter Dickinson, Corey Fredericks, John Holliman, Andrew Seidel
  • Patent number: 11170011
    Abstract: A system for an event driven query includes an input interface and a processor. The input interface is configured to receive an indication from a client system. The processor is configured to determine a scanning query based at least in part on the indication; and perform the scanning query.
    Type: Grant
    Filed: March 20, 2017
    Date of Patent: November 9, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventors: Matthew Kraning, Timothy Junio
  • Publication number: 20210288993
    Abstract: Introduced here are security management platforms configured to identify, assess, and monitor organizational vulnerability to security threats. By monitoring netflow data regarding the traffic traversing the Internet, a security management platform can identify security threats that would otherwise go undetected. Such action can be performed instead of, or in addition to, monitoring netflow data regarding the traffic traversing a local network (also referred to as an “internal network”) associated with an organization under examination. Thus, rather than monitor the traffic leaving public-facing Internet Protocol (IP) addresses residing on the local network, the security management platform can instead monitor traffic traversing the Internet and then filter the traffic to identify flows originating from the local network, flows destined for the local network, or any combination thereof.
    Type: Application
    Filed: March 29, 2021
    Publication date: September 16, 2021
    Inventors: Matthew Kraning, Gregory Heon, Pamela Toman
  • Publication number: 20210288884
    Abstract: A system for determining fingerprints includes an interface to receive an indication to determine fingerprints using a set of client data, and a processor to determine a set of indicators based at least in part on the client data and for one or more indicators of the set of indicators, determine whether the indicator comprises a fingerprint based at least in part on a frequency analysis, and in the event it is determined that the indicator comprises a fingerprint, store the fingerprint in a fingerprint database associated with the client.
    Type: Application
    Filed: June 3, 2021
    Publication date: September 16, 2021
    Inventors: Timothy Junio, Matthew Kraning
  • Patent number: 11102231
    Abstract: A system for scanning a network includes an interface and a processor. The interface is configured to receive an indication to scan a set of network addresses. The processor is configured to determine a set of available scanning nodes and determine a job plan for scanning the set of network addresses using the set of available scanning nodes. The job plan includes one or more job portions. The processor is configured to, for a job portion of the one or more job portions, select a scanning node of the set of available scanning nodes and provide the job portion to the scanning node.
    Type: Grant
    Filed: March 22, 2017
    Date of Patent: August 24, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventors: Matthew Kraning, Matthew Anderson, Peter Dickinson, Corey Fredericks, John Holliman, Andrew Seidel
  • Patent number: 11102174
    Abstract: Introduced here are Internet monitoring platforms configured to define, monitor, and assess the boundary of a private network associated with a client. By monitoring the entire Internet, a private network, and relationships between these networks, an Internet monitoring platform can discover changes in the boundary of the private network that is defined by those assets on the private network capable of interfacing with a public network, such as the Internet. The Internet monitoring platform may, in response to discovering the boundary of the private network has experienced a change, identify an appropriate remediation action by mapping the change to a technological issue, a relevant business relationship, etc. For example.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: August 24, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventors: Lisa Catherine Wallace, Matthew Kraning, Gregory Toto
  • Patent number: 11050629
    Abstract: A system for determining fingerprints includes an interface to receive an indication to determine fingerprints using a set of client data, and a processor to determine a set of indicators based at least in part on the client data and for one or more indicators of the set of indicators, determine whether the indicator comprises a fingerprint based at least in part on a frequency analysis, and in the event it is determined that the indicator comprises a fingerprint, store the fingerprint in a fingerprint database associated with the client.
    Type: Grant
    Filed: November 3, 2016
    Date of Patent: June 29, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventors: Timothy Junio, Matthew Kraning
  • Publication number: 20210105304
    Abstract: Systems and methods for network asset lifecycle management are described. Network assets may include ephemeral Internet-accessible assets such as IP addresses, domain names, digital certificates, and cloud infrastructure accounts. A set of addresses associated with a computer network such as the Internet are scanned. Response data is received from one or more network systems connected to the computer network and processed to identify one or more network assets associated with an entity such as an enterprise organization. Asset data indicative of the identified network assets are then stored to build a record of the network assets associated with the entity.
    Type: Application
    Filed: September 29, 2020
    Publication date: April 8, 2021
    Inventors: Matthew Kraning, Gregory Toto, Gregory Heon, Haley Sayres, Peter Sorrentino
  • Patent number: 10965707
    Abstract: Introduced here are security management platforms configured to identify, assess, and monitor organizational vulnerability to security threats. By monitoring netflow data regarding the traffic traversing the Internet, a security management platform can identify security threats that would otherwise go undetected. Such action can be performed instead of, or in addition to, monitoring netflow data regarding the traffic traversing a local network (also referred to as an “internal network”) associated with an organization under examination. Thus, rather than monitor the traffic leaving public-facing Internet Protocol (IP) addresses residing on the local network, the security management platform can instead monitor traffic traversing the Internet and then filter the traffic to identify flows originating from the local network, flows destined for the local network, or any combination thereof.
    Type: Grant
    Filed: May 18, 2018
    Date of Patent: March 30, 2021
    Assignee: EXPANSE, INC.
    Inventors: Matthew Kraning, Gregory Heon, Pamela Toman
  • Publication number: 20200410016
    Abstract: A system for an event driven query includes an input interface and a processor. The input interface is configured to receive an indication from an external system. The processor is configured to determine a scanning query based at least in part on the indication; and perform the scanning query.
    Type: Application
    Filed: September 15, 2020
    Publication date: December 31, 2020
    Inventors: Matthew Kraning, Timothy Junio
  • Patent number: 10831838
    Abstract: A system for an event driven query includes an input interface and a processor. The input interface is configured to receive an indication from an external system. The processor is configured to determine a scanning query based at least in part on the indication; and perform the scanning query.
    Type: Grant
    Filed: March 20, 2017
    Date of Patent: November 10, 2020
    Assignee: EXPANSE, INC.
    Inventors: Matthew Kraning, Timothy Junio
  • Patent number: 10749857
    Abstract: A system for network mapping includes an interface and a processor. The interface is configured to receive an indication to scan a set of addresses using a fingerprint. The processor is configured to, for an address of the set of addresses: receive a response associated with the address; determine whether the response matches the fingerprint; and store the address in a client network database in the event the response matches the fingerprint.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: August 18, 2020
    Assignee: EXPANSE, INC.
    Inventors: Timothy Junio, Matthew Kraning
  • Publication number: 20190199688
    Abstract: Introduced here are Internet monitoring platforms configured to define, monitor, and assess the boundary of a private network associated with a client. By monitoring the entire Internet, a private network, and relationships between these networks, an Internet monitoring platform can discover changes in the boundary of the private network that is defined by those assets on the private network capable of interfacing with a public network, such as the Internet. The Internet monitoring platform may, in response to discovering the boundary of the private network has experienced a change, identify an appropriate remediation action by mapping the change to a technological issue, a relevant business relationship, etc. For example.
    Type: Application
    Filed: December 21, 2018
    Publication date: June 27, 2019
    Inventors: Lisa Catherine Wallace, Matthew Kraning, Gregory Toto
  • Publication number: 20190058724
    Abstract: Introduced here are security management platforms configured to estimate the risk posed by a public communication activity that involves an internal Internet Protocol (IP) address that resides on an internal network. Initially, a security management platform can examine network data to detect a public communication activity involving an internal IP address and an external IP address. Thereafter, the security management platform can probe the external IP address by transmitting a query designed to elicit a response, and then evaluate a risk posed by the public communication activity by analyzing response(s) received from the external IP address, if any, responsive to the query. For example, the security management platform may be able to determine whether a service determined to be vulnerable to unauthorized access is running on the external IP address.
    Type: Application
    Filed: October 22, 2018
    Publication date: February 21, 2019
    Inventors: Matthew Kraning, Gregory Heon, Pamela Toman