Overview
Coalition uses BinaryEdge scanning technology to collect information about publicly reachable internet services so we can better understand external exposure and identify security issues that may increase cyber risk.
If your organization is asking “Why are we being scanned?”, the short answer is: Coalition scans the public internet to identify exposed services, understand what attackers may be able to see and exploit, and use that information to help reduce cyber risk and prevent cyber insurance claims.
Important clarification
Being scanned does not necessarily mean Coalition believes your organization has been compromised.
More commonly, it means your systems are internet-facing, and Coalition is collecting the same type of exposure data needed to understand what is visible externally and whether any of that exposure may create risk.
What the scanner does
The BinaryEdge scan engine performs automated scanning of the public internet and looks for systems and services that are exposed to the internet.
In practice, this means the scanner is designed to identify things such as:
- Open ports
- Exposed services and protocols
- Service metadata that helps identify what is running on an internet-facing system
- Technology, device, or version indicators such as CPE data when available
Coalition does not rely on scanning every possible port on the internet. Instead, the scanning program is focused on the ports threat actors are most likely to target, with coverage across hundreds of important ports based on attacker activity, newly disclosed vulnerabilities, and research signals.
Why Coalition collects this data
Coalition uses the data to understand external attack surface exposure and support cyber security use cases such as:
- Identifying internet-facing services that may present risk
- Enriching external asset and service visibility with protocol and technology details
- Prioritizing issues on services and ports that attackers are actively targeting
- Helping cyber insurance policyholders and customers reduce the likelihood of security incidents and claims
Why your organization may appear in scans
Your organization may be scanned if you have public IP addresses, services, or applications that are reachable from the internet.
This is not unusual. Internet-wide scanners observe exposed infrastructure across the public internet so security teams can understand what is externally visible and where cyber risk may exist.
In other words, the scan is aimed at public exposure, not private internal systems.
How often scanning happens
Coalition’s scanning program is effectively continuous, with a full refresh of public IP data approximately every 30 days.
Some ports may be rescanned more frequently based on:
- Threat actor activity
- New zero-day vulnerability announcements
- Security research signals
- Ad hoc risk-driven needs
How the collected data is used by Coalition
Coalition does not market or sell scan data as a commercial product. The data collected by our scanning infrastructure is used for cyber insurance underwriting, surfaced to affected parties through Coalition Control and our risk assessment reports, and made available at no cost to any organization that signs up to Coalition Control(R) to view their own cyber security exposures and vulnerabilities.
Coalition uses collected scan data to help determine:
- What services appear to be exposed externally
- What technologies or devices may be present
- Which exposures are most critical based on current observed cyber attacker behavior
- Where additional enrichment or investigation may be needed to support risk reduction
This same type of external scan data is also used in Coalition Control. Coalition Control continuously scans an organization’s internet-facing systems, combines that data with Coalition’s threat intelligence and claims expertise, and translates it into a view of cyber risk with prioritized cyber security recommendations.
In practical terms, that means the information collected by the BinaryEdge scanning technology can help power what a company sees in Coalition Control, including details about its public attack surface, identified vulnerabilities, and related risk context.
Organizations that want to review information about their own company can sign up for free access to Coalition Control. At a high level, the goal is to turn public internet scan data into actionable cyber security insights that can help support prevention efforts and make that information accessible to organizations that want visibility into their own external exposure.
Opt-out / do-not-scan requests
Q. How to be excluded from our scans?
A: Send an email to support@binaryedge.io requesting to be excluded. Include the IP addresses you would like excluded from scans.
Q: How to block our scanners?
A: Our scanners publish reverse DNS entries in the binaryedge.ninja domain, so you can identify our traffic in your logs and firewalls. Full lists of current scanner IP ranges for both IPv4 and IPv6 are also available via API.