Real-time vulnerability management: a step forward in cybersecurity
Vulnerability management has become one of the most important elements within modern cybersecurity. In 2025, 48,185 CVEs were published, 20.6% more than the previous year and a new all-time record: 132 new vulnerabilities every day. In 2026, this trend shows no signs of slowing down.
Identifying, prioritizing, and remediating weaknesses in systems is no longer optional; it is a strategic obligation for any organization.
In this article, you will find a complete guide on what vulnerability management is in cybersecurity, how the complete cycle works, what tools exist, and how the NIST framework can help you structure a robust and sustainable program.
What is vulnerability management?
Vulnerability management is the ongoing process of identifying, assessing, and mitigating weaknesses in an organization's computer systems and networks. These vulnerabilities can be software flaws, misconfigurations, or even human error that can lead to cyberattacks.
The main objective of this procedure is to correct faults and anticipate possible exploitations. In an environment where every second counts, the ability to act in real-time can mean the difference between preventing an incident and dealing with its consequences.
Why is it so essential to manage vulnerabilities in real-time?
New threats emerge daily, from ransomware and phishing to sophisticated targeted attacks that can go undetected for months. Managing vulnerabilities in real time means quickly detecting and responding to these risks, minimizing their impact on the business.
Some of the most prominent benefits of an efficient vulnerability management process include:
- Reduced risk of attack. Identifying weak points before they can be exploited drastically reduces the likelihood of an incident.
- Compliance. Many regulations, such as the GDPR, require companies to implement proactive security measures to protect personal data.
- Cost savings. Preventing an attack is always cheaper than dealing with its consequences.
- Reputation protection. A single incident can severely damage customer and partner trust.
The problem in numbers
| Data | Number |
| CVEs published in 2025 | 48,244: New all-time record (+16.93% vs 2024) |
| New vulnerabilities published every day in 2025 | 132 on average |
| Entries added to the CISA KEV catalog in 2025 | 245 new ones (+28% vs 2024) |
| Average cost of a security breach | 4,4 M$ (IBM Cost of a Data Breach 2025) |
The vulnerability management process
Cybersecurity vulnerability management is not a one-time event but a continuous cycle of several stages. Each is essential to protect systems from known and emerging threats.
- Identification. The first step is to scan systems and networks and trace the external attack surface for potential vulnerabilities. This includes reviewing settings, software versions, and permissions.
- Evaluation. Once identified, vulnerabilities are classified according to their severity and potential impact. This analysis allows you to prioritize the necessary actions.
- Reparation. Here, measures are taken to correct detected flaws, such as applying security patches, adjusting configurations, or educating staff on good practices.
- Continuous monitoring. Vulnerability management doesn't end after fixing an issue. It is crucial to maintain constant vigilance to identify new threats.
Real-time vulnerability management procedure
The traditional vulnerability management process needs to be improved in the face of today's rapidly evolving threat landscape. As a result, more and more organizations are adopting solutions that integrate real-time automated monitoring and immediate response capabilities.
Continuous threat exposure management (CTEM) tools are a clear example of this evolution. These solutions allow not only the identification of vulnerabilities but also the correlation of data, the prioritization of risks, and the execution of responses based on the criticality of each situation and the business's interest.
Vulnerability management according to the NIST framework
The NIST Cybersecurity Framework (CSF) and the special publication NIST SP 800-40 provide a global reference guide for structuring a vulnerability management program. Their main functions align directly with the lifecycle:
- Identify. Asset inventory, criticality classification, attack surface map
- Protect. Patching, hardening configurations, access control.
- Detect. Continuous scanning, real-time monitoring, alerts for new CVEs
- Responder. Prioritization, ticket assignment, coordinated remediation
- Recover. Post-remediation verification, reporting, lessons learned
Adopt the NIST vulnerability management framework. It lends credibility to clients, auditors, and regulators, and facilitates compliance with regulations such as GDPR, NIS2 or ISO 27001.
Vulnerability management audit: what it assesses and why it matters
A vulnerability management audit assesses the maturity and effectiveness of an organization's security program. It doesn't just detect technical vulnerabilities, but examines the entire process:
- Inventory coverage: Are all assets being monitored, including those of third parties and the supply chain?
- Remediation time: How long does it take for an organization to close critical vulnerabilities once they are detected?
- Prioritization: Is it a criterion based on actual risk being applied, or is it being patched up in order of appearance?
- Traceability: Is there documentation of the complete cycle to demonstrate regulatory compliance?
- Integration: Is vulnerability management connected to development, operations, and incident response processes?
Successfully passing a vulnerability management audit is a common requirement in public tenders, ISO 27001 certifications, and enterprise customer audits.
How to choose a solution for vulnerability management?
When looking for vulnerability management cybersecurity tools, it is critical to consider several factors:
- Integration capability: The solution must work with the existing technology ecosystem. The most advanced CTEM solutions operate non-intrusively and do not require integration with the corporate system.
- Automation: Automatic processes for detection and remediation speed up responses and reduce errors.
- Clear Reporting: The ability to generate detailed reports helps justify cybersecurity investments and comply with audits.
- Scalability: The tool must grow along with the organization's needs.
Kartos and Qondar: Advanced Vulnerability Management Solutions
In this context, Enthec offers two cutting-edge solutions designed to address the challenges of today's cybersecurity:
- Kartos. Kartos is a comprehensive cyber surveillance solution for companies that allows continuous threat exposure management. Its approach proactively identifies, analyzes, and mitigates risks, helping organizations secure their data and systems and ensure business continuity.
- Qondar. Designed for individuals, Qondar provides personalized protection that allows people to control their digital presence and reduce the impact of threats such as identity theft or sensitive data exposure.
Both solutions stand out for their ability to operate in real time, integrating advanced intelligence and automated processes to optimize the management of cybersecurity vulnerabilities. By choosing Kartos or Qondar, you will protect your assets and adopt a preventive, efficient approach to modern threats.
Protect your future with Enthec
Cybersecurity is no longer an option; it's a priority. Whether you're a business looking to protect sensitive data or an individual concerned about their privacy, Enthec's vulnerability management solutions are ideal.
With Kartos and Qondar, you'll be one step ahead of cybercriminals, ensuring your systems, information, and reputation are always protected. Discover how our solutions can transform your approach to cybersecurity and provide a safer digital environment for you and your organization.
Don't wait any longer! Contact us to take the first step towards effective, reliable real-time vulnerability management.
Whaling: the attack that targets senior executives and keys to avoid it
Although we don't always consider it, cybercriminals often look for the most influential people within a company: senior executives. Why? Because they have access to critical information, handle large amounts of money, and, in many cases, are not as prepared in terms of digital security as they should be.
This is where whaling comes into play, a type of attack aimed at a company's senior executives, who can approve millionaire transfers or access sensitive data without too many obstacles. And although it may not seem so, these attacks are more common than we think.
To combat this threat, solutions such as Qondar by Enthec help detect and prevent impersonation attempts and fraud targeting senior executives, strengthening the company's security against attacks such as whaling.
What is whaling and how does it work?
The term whaling comes from the word whale. This attack targets influential company personalities, such as managers, CEOs, CFOs, and others with access to strategic information.
It consists of an advanced form of phishing in which attackers impersonate someone trusted by the victim to trick the victim into performing a harmful action, such as approving a transfer or sharing login credentials.
Criminals often employ several strategies:
- Spoofed emails. They develop spoofing techniques to make an email appear from the CEO, a trusted partner, or even an official body.
- Attacks man in the middle. They intercept communications between managers or employees to modify messages and obtain valuable information.
- Social engineering. They collect information from the victim on social networks or leaked databases to make their attacks more credible.
Unlike common phishing, which sends mass emails hoping that someone will fall for it, whaling is a personalized and well-crafted attack.
A real case of whaling
Imagine you're the CFO of a company. You receive an email from the CEO asking you to urgently approve a €250,000 transfer to an account in another country to close an important deal. The message is well written, with the signature and tone that the CEO usually uses. He even has an answer above that seems authentic.
You will have fallen into the trap if you have no doubts and make the transfer without checking it by phone or via a second channel. Days later, you will discover that the CEO never sent that message and that the money has been lost in a network of accounts that are impossible to trace.
This is not science fiction: companies of all sizes have lost millions to these attacks.
The relationship between whaling and the man-in-the-middle attack
One of the most sophisticated methods cybercriminals use in whaling is the Man in the Middle (MITM) attack.
In this attack, hackers communicate between two parties (e.g., between a manager and an employee) and manipulate messages without the victims noticing.
How does a whaling attack work?
A whaling attack follows a meticulous process that can last for weeks. The most common phases are as follows:
1. Recognition and investigation of the victim
Attackers gather publicly available information about the targeted executive, such as their LinkedIn profile, press releases, media statements, and relationships with suppliers and partners. They may also use leaked databases available on the dark web to obtain credentials or personal data.
This information-gathering phase is critical; the more exposed the executive's digital footprint, the more credible the subsequent attack will be.
2. Construction of the deception
Once they have enough information, the attacker constructs a highly convincing message. The most commonly used cyber whaling techniques include:
- Email spoofing: falsification of the sender's address to imitate that of the CEO or other trusted official.
- Domain typosquatting: register domains that are almost identical to the corporate domain.
- Advanced social engineering: The message replicates the tone, vocabulary, and communication style of the supposed sender.
- Artificial urgency: Temporary pressure is created to prevent the victim from verifying the request.
3. Execution: the attack vector
The most common vector for whaling phishing attacks is corporate email, although an increase in combined attacks using the following methods has been detected in 2025-2026:
- SMS or WhatsApp text messages impersonating the CEO.
- Phone calls with a voice cloned using AI (deepfake voice).
- Fraudulent video calls using visual deepfake techniques.
This last point is especially relevant in 2026, as generative AI tools have put voice and video cloning within reach of any cybercriminal, raising the sophistication of whaling attacks to unprecedented levels.
You might be interested in learning more about-> AI risks to people's online security.
How does a man-in-the-middle attack work in cybersecurity?
The attacker can:
- Intercept emails and modify content before they reach the recipient.
- Spying on network connections on public or misconfigured Wi-Fi networks.
- Spoofing websites to get the victim to enter their credentials on a seemingly legitimate page.
For example, an executive may send an email with payment instructions, but if there is a man-in-the-middle attack, the hacker can change the target bank account without anyone noticing.
In this case, whaling and the man-in-the-middle attack combine to make the scam even more difficult to detect.
How to identify a whaling attack? Warning signs
| Warning sign | Why is she suspicious? |
| Urgent transfer request via email | Time pressure seeks to prevent verification |
| The sender uses a slightly different domain. | Technique of typosquatting to confuse the receiver |
| Request for absolute confidentiality | Attempt to isolate the action of internal controls |
| The CEO is asking for something unusual outside of official channels. | Real executives use established channels and protocols |
| Request for credentials or access via email | No legitimate system requests passwords or access via email. |
| Last-minute bank account change | Classic tactics of BEC |
Keys to avoid a whaling attack
Fortunately, there are ways to protect yourself against these attacks. Here are some fundamental keys to avoid falling into fraud of this type:
1. Two-step verification is always on
If an email or message requests a transfer of money or sensitive information, verify it through another channel. A simple call or message can prevent financial disaster.
2. Avoid overexposure on social networks
The more personal information available about a manager, the easier for an attacker to forge a credible message. It is advisable to limit public information on LinkedIn and other platforms.
3. Implement security filters in emails
Whaling attacks usually come by email, so it is essential to have:
- Advanced email filters that detect phishing.
- Email authentication (DMARC, SPF, and DKIM) to prevent corporate email addresses from being forged.
4. Employ strict procedures for bank transfers
Transfers should not be approved by mail or message alone. Implementing double authorizations and strict protocols can prevent millions in losses.
5. Keep systems and devices up to date
Attacks exploit vulnerabilities in outdated software. Always keeping your computers up to date with security updates is critical.
Whaling is a dangerous attack that can affect any company, from small startups to large corporations. Most worryingly, it doesn't require sophisticated malware: just social engineering, spoofing, and a good bit of deception.
If it is also combined with a man-in-the-middle attack, the risks increase since cybercriminals can modify messages without the victim noticing.
The best defense against whaling attacks is prevention: establishing verification protocols and implementing advanced cybersecurity solutions. Tools such as Qondar make it possible to identify and de-identify exposed personal information and fake social profiles, thereby preventing targeted attacks and protecting senior executives from fraud and impersonation attempts. Investing in security is not an option, but a necessity to avoid being the next victim.
Keys to digital security in companies
Companies that prioritize digital security are better prepared to face cybersecurity threats and thrive in an increasingly complex digital environment. But the risks have continued to grow: according to the WEF Global Cybersecurity Outlook 2026, 87% of security professionals identify AI-related vulnerabilities as the fastest-growing risk vector, and 73% of respondents say they have been personally affected by cyber fraud in the past year.
Below, we explain what digital security is and how our automated monitoring tool for businesses can help you maintain your company's digital security.
What is digital security?
Digital security refers to the practices and technologies used to protect computer systems, networks, devices, and data from unauthorized access, cyberattacks, and data loss. It concerns all actors in the digital environment, people and organizations. In an organization, digital security is crucial to safeguarding sensitive information, ensuring business continuity, and maintaining the trust of customers and business partners.
Protecting sensitive information is one of the main aspects of digital security in companies. Organizations handle large volumes of data, including customer personal information, financial data, intellectual property, and other confidential and sensitive information types.
A security breach that exposes this data will likely cause devastating consequences, including significant financial losses, damage to customer reputation and trust, and legal penalties for non-compliance with data protection regulations.
In the business context, digital security encompasses everything from protecting sensitive information and ensuring business continuity to complying with regulations such as the GDPR, the NIS2 Directive or the DORA Regulation, which require concrete measures for data protection and digital resilience.
Why is digital security important for businesses?
A security breach is not just a technical problem; it has direct consequences for business operations, corporate reputation, customer and partner trust, and the organization's legal standing.
These are the four pillars that justify investment in digital security for businesses:
- Protection of sensitive information. Organizations manage customer data, financial information, and intellectual property that must remain secure. A data breach can result in significant financial losses and regulatory penalties.
- Business continuity. Attacks like ransomware can completely paralyze operations. A robust digital security strategy minimizes the risk of disruptions and ensures business resilience.
- Trust and reputation. Customers and partners demand that their data be handled with the utmost care. Digital security not only protects; it also differentiates and creates a competitive advantage.
- Regulatory compliance.GDPR, NIS2, DORA, and other regulations establish legal obligations, with penalties of up to 4% of annual global turnover for non-compliance.
Benefits of Digital Security in Business Continuity
Beyond information protection, digital security is essential because it helps prevent operational disruptions. Cyberattacks such as ransomware can disrupt an organization's operations by blocking access to critical systems and data. This affects productivity and leads to economic losses due to the interruption of business activities. Implementing robust security measures helps minimize the risk of these attacks and ensures that the business continues to operate even amid an incident.
Customer trust and organizational reputation are also highly dependent on digital security. Consumers and business partners expect companies to protect their data adequately. Therefore, investing in digital security protects against cyber threats, strengthens the organization's market position, and improves customer confidence.
Another critical factor in digital security is compliance with regulations and standards. In most countries, protecting sensitive data is a legal obligation. As a result, European organizations are subject to strict data protection laws and regulations, such as the General Data Protection Regulation (GDPR).
Failure to comply with these regulations results in significant penalties and legal actions. Implementing proper digital security practices ensures the company complies with these regulations, avoids fines, and protects its legal reputation.
Finally, digital security is and should be considered an investment in the company's future. As cyber threats evolve, organizations must be prepared to address new security challenges proactively. Investing in advanced security technology, training employees in secure practices, and developing robust security policies are essential steps toward building a resilient security infrastructure that can adapt to emerging threats.
Types of IT Security You Should Consider
| Type of digital security | Key technologies | Main objective |
|---|---|---|
| Application security | WAF, DevSecOps, DAST/SAST testing | Protecting Software and APIs Against Attacks: OWASP Top 10 |
| Information security | Encryption, IAM, DLP | Ensure the confidentiality, integrity, and availability of data |
| Cloud security | CSPM, CASB, cloud identity management | Protect cloud environments (IaaS/SaaS/PaaS) and data in transit |
| Network security | Firewalls, NGFW, IDS/IPS, ZTNA | Defend network infrastructure against unauthorized access |
| Endpoint security | EDR/XDR, antivirus, MDM | Protect corporate and personal devices (BYOD) |
| Attack surface management | EASM, CTEM, continuous monitoring | Identify and reduce the external exposure of digital assets |
Keys to establishing an effective digital security strategy
In addition to covering the different types of digital security, to ensure digital security in the company it is necessary to carry out a series of actions regularly:
Analysis of potential risks
Conducting a thorough risk analysis is the first step in establishing an effective digital security strategy. This involves identifying critical business assets, assessing potential vulnerabilities and threats, and determining the impact a security incident could have. Based on this analysis, resources and efforts can be prioritized in the most critical areas, and a risk mitigation plan can be developed.
Staff training
The human factor is often the weakest link in the security chain. Therefore, it is essential to train staff in secure practices and raise their awareness of cyber threats.
This includes training on identifying phishing emails, the importance of using strong passwords, and the need to report suspicious activity. A strong safety culture starts with knowledgeable and vigilant employees.
Security policies
Security policies establish the rules and guidelines employees must follow to protect company assets. These policies should cover aspects such as acceptable use of company systems, password management, handling sensitive data, and procedures to follow during a security incident.
Policies should be reviewed and updated regularly to reflect new threats and changes in the company's technology infrastructure.
Security audits
Regular security audits are essential to check the effectiveness of the digital security strategy and detect possible failures. An advanced cybersecurity solution that enables continuous auditing through ongoing threat monitoring is highly recommended.
Digital security and well-being in the workplace
Digital well-being in the workplace is a comprehensive concept that encompasses protecting against cyber threats and creating a healthy and safe working environment in the digital sphere.
Digital security and employee well-being are closely linked. A secure environment allows employees to work more efficiently and with less stress, reducing the risk of social engineering attacks.
- Digital security in the workplace. It involves protecting the company's systems, networks, and data from cyberattacks. It includes using advanced security tools, such as firewalls, intrusion detection systems, and antivirus software, and implementing strict security policies. However, it is also crucial to consider the human factor in the equation. Training employees on good security practices, such as identifying phishing emails and using strong passwords, is critical to preventing security incidents.
- Digital employee well-being. This involves creating a work environment where employees can use technology safely and in healthy ways, preventing digital burnout, promoting healthy work practices, and supporting employees in managing their digital time and resources.
- Culture of cybersecurity and digital well-being. Fostering a culture of cybersecurity and digital well-being within the organization is essential for digital security. It involves implementing policies and tools and creating an environment where employees feel supported and valued.
Cyber intelligence as the next level of digital security
Cyber intelligence transforms digital security from a reactive to a proactive approach. By collecting and analyzing information about active threats, companies can anticipate attacks, reduce response times, and make informed decisions before an incident occurs.
Cyber intelligence platforms use Machine learning and artificial intelligence to process large volumes of data and provide an up-to-date view of the organization's security status: compromised credentials, exposed assets, supply chain vulnerabilities, and real-time threats.
This is especially relevant in the context of the NIS2 regulations and the DORA Regulation, which require organizations to demonstrate the capability to detect and respond to cybersecurity incidents.
Kartos reinforces your organization's digital security strategy.
Kartos is the Cyber Intelligence platform for companies developed by Enthec. It helps your organization detect leaked or publicly exposed information in real time.
Kartos continuously and automatically monitors the external perimeter to identify open gaps and exposed vulnerabilities in real time, both within the organization and across its value chain. Thanks to the issuance of immediate alerts, Kartos enables the organization to implement the necessary remediation and protection measures to minimize or eliminate the detected risk.
Contact us for more information on how Kartos can strengthen your organization's digital security.
Web Vulnerability Scanning: Featured Tools
Web security is a key concern for any business or professional with an online presence. With threats evolving daily, continuous web vulnerability scanning has become essential for protecting data, applications, and reputation. Do you really know how to find vulnerabilities on a website before an attacker does?
In this article, we show you how to improve the security of your website with continuous management solutions to threat exposure, such as Enthec.
What is web vulnerability scanning?
Web vulnerability scanning is scanning, detecting, and evaluating potential security flaws in web applications, servers, and databases. Attackers can exploit these flaws to steal information, modify data, or even take control of a system.
Simply put: it's the practice of proactively reviewing your digital infrastructure to identify open doors before someone crosses them without permission.
The most common vulnerabilities detected during these analyses include:
- SQL Injection (SQLi): manipulation of database queries.
- Cross-Site Scripting (XSS): execution of malicious code in the user's browser.
- Incorrect settings: exposed services, missing security headers, or default credentials.
- Outdated components: unpatched libraries, plugins, or operating systems.
- Exposure of sensitive data: API keys, passwords, or publicly accessible personal information.
To minimize risks, specialized tools detect security gaps and correct them before they are exploited. This is especially important for companies that handle sensitive information or customer and third-party data, as a security breach could have catastrophic consequences.
You may be interested in our third-party risk management solution→ Kartos Third Parties.
Main objectives of web vulnerability scanning
The purpose of web vulnerability scanning is not only to identify security flaws, but also to strengthen protection against potential attacks. Key objectives include:
| Aim | Description |
|---|---|
| Vulnerability detection | Identify vulnerabilities in applications and servers before they are exploited. |
| risk assessment | Prioritize vulnerabilities according to their severity and potential impact on the business. |
| Correction and mitigation | Implement patches or controls to eliminate or reduce the detected risks. |
| Regulatory compliance | Verify that the infrastructure complies with NIS2, DORA, ISO 27001 or other applicable frameworks. |
| Continuous monitoring | Maintain active vigilance to detect new threats as they emerge. |
Types of web vulnerability analysis
Before choosing a cybersecurity tool is important to know what type of analysis you need:
| Type | What does it analyze? | Ideal for |
|---|---|---|
| SAST (static) | The source code before its deployment. | Secure Development (DevSecOps). |
| DAST (dynamic) | The application running, as an attacker would. | Web applications in production. |
| IAST (interactive) | Internal behavior during testing. | QA and staging environments. |
| External Scanning / ASM | Attack surface visible from the internet. | Companies that need continuous vision. |
Key features of web vulnerability tools
Web vulnerability scanning tools offer different functionalities depending on their capabilities and the target audience. Some of the most important features include:
- Scan automation. It enables periodic analyses without manual intervention, ensuring continuous surveillance.
- Detection of known vulnerabilities. They compare infrastructure against widely documented databases of security flaws.
- Simulated penetration tests. Some tools include the ability to simulate attacks to assess system resilience.
- Detailed reports. They provide structured data on the risks detected and recommendations for resolving them.
- Integration with other security tools. Compatibility with risk management systems, SIEM, and other cybersecurity platforms.
What makes Kartos different from other tools?
While there are various solutions on the market, Kartos, developed by Enthec, positions itself as one of the best options for continuous threat exposure management (CTEM) in enterprise environments. Highlighting features such as:
- Automated and continuous monitoring. Unlike spot scanning tools, Kartos maintains constant surveillance of an organization's external attack surface. There are no gaps in exposure between scans: detection is continuous.
- No false positives. All findings are validated before reaching the security team. This eliminates the usual noise from other scanners and allows professionals to focus on real threats rather than dismissing irrelevant alerts.
- Without HumInt intervention. The process is 100% automated. It requires no human operators to interpret signals or activate the system, reducing operating costs and eliminating reliance on human intervention in detection.
- Monitoring of leaked credentials. Kartos detects corporate credentials exposed in data breaches or on the dark web before they are used in an attack. This capability goes beyond traditional web vulnerability analysis, which lacks visibility into what happens outside the organization's own perimeter.
- Phishing and brand impersonation detection. The platform identifies fraudulent domains that mimic the company's identity, enabling action before they are used to deceive customers or employees.
- Third-party risk management. Kartos extends monitoring beyond its own infrastructure to cover the exposure of critical suppliers and partners, an increasingly common attack vector that is often ignored by conventional web vulnerability analysis tools.
Why web vulnerability analysis should be continuous
Web vulnerability analysis is not a one-off task. Threats evolve every week: new vulnerabilities (CVEs) are published daily, applications are constantly being updated, and a company's attack surface changes with each new domain, API, or vendor it adds.
For this reason, the modern approach is Continuous Management of Threat Exposure, a framework that enables organizations to shift from one-off, reactive analyses to proactive, continuous monitoring.
The advantages of adopting an approach CTEM are:
- Real-time threat detection before they are exploited.
- Automation of security processes reduces the operational burden on the IT team.
- Full visibility of the external attack surface, including subdomains, filtered credentials, and forgotten assets.
- Regulatory compliance is easier than with regulations such as NIS2 or DORA, which require active monitoring.
Kartos: A Complete Solution for Enterprise Security
For businesses seeking comprehensive, automated protection, Kartos is a consideration. This cyber surveillance platform is designed for continuous management of threat exposure, enabling risks to be detected, analyzed, and mitigated in real time.
Why choose Kartos?
- Constant monitoring. Detects vulnerabilities before they are exploited.
- Intelligent automation. Reduce the security team's workload.
- Detailed reports. It offers an in-depth analysis with recommendations for action.
- Easy integration. Compatible with other security systems.
- Global vision. It allows companies to have complete control over their exposure to online threats.
It is a tool for scanning web vulnerabilities and offers a proactive approach to cybersecurity, helping businesses prevent attacks before they happen.
Contact us if you want an advanced solution to protect your company. Don't leave security to chance: protect your business with a proactive and effective security strategy.
Discover how Kartos can help you continuously and automatically detect and manage web vulnerabilities, without false positives or manual intervention. Don't leave your company's security to chance.
Differences between IDS and IPS, and how they complement your security strategy
Most organizations invest in firewalls, antivirus software, and authentication systems, yet still experience incidents. The reason is usually the same: detecting a threat is not the same as stopping it, and stopping it without understanding what's happening creates blind spots. That's where IDS and IPS systems become essential.
This article explains what they are, how they differ, and, above all, how they fit into a security strategy that aims to go beyond reaction.
What is an IDS or an IPS, and what is it used for?
Before discussing differences, it's important to be clear about what we're talking about.
IDS: Detect to understand
An IDS (Intrusion Detection System)
monitors network traffic or system activity for suspicious behavior or known attack patterns. When it detects something out of the ordinary, it generates an alert.
What an IDS doesn't do is act.. It observes, records, and alerts, but it doesn't block. This might seem like a limitation, but it makes sense: the IDS is designed to give you visibility, not to interfere with legitimate traffic.
IPS: detect to block
An IPS (Intrusion Prevention System) goes one step further.. It works similarly to an IDS, analyzing traffic and detecting threats, but it can also act automatically by blocking a connection, discarding malicious packets, or isolating a network segment before an attack materializes.
The essential difference, therefore, is the capacity for response. While the IDS reports, the IPS intervenes.
IDS vs IPS: What are the real differences?
When discussing IDS vs IPS, the comparison is often limited to "one detects and the other blocks." But the difference is more nuanced.
Network position
The IDS is typically placed outside the main traffic flow, in passive mode. It receives a copy of the traffic (via a mirrored port, for example) and analyzes it without interfering. This makes it ideal for environments where availability is critical, and a false positive that could disrupt a legitimate connection cannot be risked.
The IPS, on the other hand, is located on the path of actual traffic.. Everything that enters or leaves passes through it. This allows it to operate in real time, but it also means that a failure or misconfiguration can degrade performance or block legitimate traffic.
False positives: the Achilles' heel of the IPS
This is a point that deserves attention. When an IPS blocks something incorrectly, that is, generates a false positive,the consequences can be immediate, such as a transaction that isn't processed, a user who can't access the service, or a service that goes down. Therefore, the
quality of the signatures and the detection rules is fundamental.
A well-configured IPS can drastically reduce containment time, but only if pre-detection is reliable.
The difference between IDS and IPS is not one of hierarchy, but of function.
A common mistake is thinking that IPS is "better" than IDS because it does more things. But the difference between IDS and IPS doesn't mean that one replaces the other.
In many mature environments, both coexist: the IDS provides visibility and historical context, while IPS handles the automated response. . They are complementary, not competing, functions.
In fact, many manufacturers offer solutions that integrate both capabilities (the so-called IDS-IPS combined systems, or IDPS), allowing the organization to configure which actions are taken automatically and which require human validation.
What limitations do IDS-IPS systems have?
Although they are valuable tools, IDS-IPS systems have limitations that should be known.
Perimeter visibility, not comprehensive
Intrusion detection systems (IDS/IPS) analyze the traffic passing through them. If the attacker is already inside the network, if the threat arrives through a poorly managed encrypted channel, or if the entry vector is an employee with compromised credentials, these systems may detect nothing.
Dependence on well-known firms
Signature-based systems only recognize threats that have already been cataloged; zero-day threats, highly customized attacks, or living-off-the-land techniques (using legitimate system tools to attack) can go unnoticed.
Absence of external vision
Neither the IDS nor the IPS analyzes what happens outside your perimeter.Leaked credentials on cybercrime forums, exposed data in public repositories, mentions of your company on the dark web, or vulnerabilities in the digital supply chain. A different approach is needed for these.
How to complement IDS-IPS systems with a CTEM strategy
This is where many organizations make the leap to a more proactive model, such as CTEM (Continuous Threat Exposure Management).
The CTEM approach does not replace IDS-IPS systems but rather integrates them into a broader cycle: identify, prioritize, validate, mobilize, and remediate exposure to threats continuously, from both internal and external perspectives.
The external cyber-surveillance layer
While an IDS-IPS monitors what happens inside the perimeter, a cyber surveillance solution monitors what happens outside, that is, what information about your organization circulates on the surface, deep, and dark web; what digital assets are exposed without your knowledge; what vulnerabilities your attack surface has that are visible from the outside.
Kartos, Enthec's automated monitoring tool, is designed to address this layer precisely. It enables organizations to maintain continuous visibility into their external digital exposure, detect data leaks, identify compromised assets, and anticipate threats before they trigger IPS alerts.
It's not about adding another tool. It's about to close the blind spot that IDS-IPS systems, by their nature, cannot cover.
What should you consider when choosing or evaluating your IDS-IPS system?
If you're reviewing your security architecture, here are some criteria worth considering:
- Behavior-based detection capability not only in terms of signatures but also for addressing unknown threats.
- Integration with your SIEM or other event correlation tools, so that alerts have context.
- False positive management, especially if you opt for an IPS in active mode.
- Encrypted traffic coverage, since a growing portion of malicious traffic travels over HTTPS.
- Complementary visibility on the external attack surface, which IDS-IPS systems do not cover on their own.
The IDS-IPS systems are a relevant component in any serious security architecture. They enable detection of anomalous activity, response to known attacks, and maintenance of an event log that facilitates forensic investigations. But they are reactive in nature.
Modern cybersecurity demands going further: continuously monitoring external exposure, understanding how attackers perceive you before they act, and managing risks with a 360-degree view.
If you want to know how Kartos can complement your security infrastructure with continuous cyber surveillance focused on CTEM, discover what Enthec can do for your organization.
Do you have questions about how these solutions fit into your specific context? Contact the Enthec team and analyze your digital exposure without obligation.
Systems hardening: what it is, phases, and why it should be combined with attack surface surveillance
To protect a technological infrastructure, one of the first measures implemented is hardening. The concept is simple: minimize a system's attack surface by eliminating everything unnecessary, and reinforcing what remains.
Hardening a system is like removing all flammable material before someone tries to set it on fire. Services disabled, ports closed, default settings replaced, permissions reviewed.
Hardening networks and systems is now a fundamental practice in any cybersecurity strategy. Any organization that manages data, provides digital services, or relies on a connected infrastructure needs to implement it.
Phases of system hardening
The hardening process is not a one-time action. It is a structured cycle that should be thoroughly understood before implementation.
1. Inventory and analysis of the infrastructure
Before hardening anything, you have to know what exists. This phase includes identifying all assets (servers, network devices, and user equipment) and documenting their current configurations. Without a clear inventory, hardening is, by definition, incomplete.
2. Definition of the security baseline
Once the infrastructure is known, a minimum secure configuration for each system type can be defined.. There are widely used frameworks for this, such as the CIS Benchmarks (published by the
Center for Internet Security) or the NIST guides, which offer recommended configurations for the most common operating systems and applications.
3. Hardening of equipment and servers
This is where the technical work is carried out. The Equipment hardening encompasses actions such as:
- Uninstall unnecessary software.
- Disable unused services and ports.
- Apply the principle of least privilege to accounts and permissions.
- Change default credentials.
- Configure password and authentication policies.
Server hardening adds specific layers, such as secure configurations for web services, databases, remote access protocols, and event logging systems. A misconfigured server is, statistically, one of the most exploited entry points.
4. Validation and testing
Once the changes have been implemented, it is essential to verify that the system continues to function correctly and that the implemented measures are effective. . This includes functionality testing and vulnerability scans to confirm that no known vulnerabilities remain.
5. Documentation and ongoing maintenance
Hardening networks and systems doesn't end with validation. Every software update, every new service added, or every infrastructure change can introduce new vulnerabilities. Documenting the process and conducting regular reviews are part of the cycle.
The hardening has limits: the exposed attack surface
Fortifying is necessary, but not sufficient. And this distinction is important.
The hardened system operates on what is under the organization's direct control: its servers, its networks, its equipment. However,
a company's actual attack surface extends far beyond its internal perimeter.
Data leaked on the dark web, compromised credentials circulating on underground forums, third-party services with vulnerabilities, similar domains used for impersonation… All of that is part of the threat landscape that any organization faces, and hardened security does not cover it.
This is where the continuous monitoring of the attack surface becomes an essential complement.
Why combine fortification with cyber surveillance
A fortified system without continuous monitoring is like a safe without an alarm; it is well protected, but no one is warned if someone tries to force it open from the outside.
The combination of bastioning with Continuous Management of Threat Exposure allows organizations not only to reduce their internal exposure, but also to detect in real time what information or assets are being exposed abroad.
KartosEnthec's enterprise-oriented cyber surveillance solution, operates precisely at this layer. It continuously monitors the organization's external attack surface, including leaked credentials, exposed assets, vulnerabilities, mentions in intelligence sources, and any other signals that might foreshadow an attack. It does not replace the hardening; it complements it by covering what the hardening, by its nature, cannot see.
This combined approach of hardening and continuous external monitoring best aligns with modern risk management frameworks and is being adopted by more organizations as attackers refine their methods.
A mature approach to a changing environment
Cybersecurity is not a state to be achieved; it is a process to be maintained. Hardening is a central part of that process, but it needs to be integrated into a broader strategy that also accounts for what happens outside the perimeter.
Threats evolve, environments change, and assets multiply.. Relying solely on internal hardening measures without visibility into external exposure leaves blind spots that attackers can exploit.
If your organization wants to build a solid security posture adapted to the current reality, the starting point is to know what it is exposed to, both internally and externally.
Do you want to know what information about your organization is currently exposed? Contact us for a first look at your external attack surface, with no commitment.
Threat hunting: 3 reasons why it is necessary to have it
Threat hunting is a proactive cybersecurity practice that allows organizations to detect and neutralize advanced threats before they cause harm. In a context where attacks are becoming increasingly sophisticated and the average time an attacker spends within a network remains alarmingly high, relying solely on automated detection tools is no longer sufficient.
In this article, we explain what threat hunting is, how to implement it step by step, what you need to get started, and why it has become a pillar of modern corporate cybersecurity.
What is Threat hunting?
Threat hunting is a proactive process of searching for and detecting cyber threats capable of evading traditional security defences. Unlike reactive methods that rely on automated alerts, threat hunting involves actively searching for suspicious or malicious activity within the system or network, both internally and externally. The primary goal of threat hunting is to identify, mitigate, or nullify advanced threats before they can cause significant damage. This includes the detection of advanced persistent attacks (APTs), malware, exposed vulnerabilities and other risk factors that may not be detected by conventional security tools.
Threat hunting methodology
Now that you know exactly what Threat hunting is, it is essential that you discover its methodology. This process generally follows an iterative cycle that includes the following phases:
- Hypothesis. Threat hunting starts with formulating threat hypotheses based on threat intelligence, behavioral analysis, and knowledge of the environment.
- Data collection. Data is collected from a variety of sources, such as event logs, network monitoring, and endpoint data.
- Analysis. The collected data is analyzed for unusual patterns or indicators of compromise (IoCs).
- Research. If suspicious activity is identified, further investigation is carried out to determine the nature and extent of the threat.
- Response. If a threat is confirmed, measures are taken to contain, nullify, or mitigate the impact.
Threat hunting uses a variety of tools and techniques, including:
- Intrusion detection systems (IDS): to monitor and analyze network traffic for suspicious activity.
- Log and behavioral analysis: to review and correlate events recorded in different systems and identify deviations in the normal behavior of users and systems.
- Threat intelligence: to obtain information on open breaches and exposed vulnerabilities on the web, dark web, deep web, and social networks.
How to do Threat hunting: steps to follow
Implementing threat hunting effectively requires a structured process. These are the fundamental steps:
- Define objectives and strategy. Determine what you want to achieve, identify advanced threats or improve incident detection, and develop a strategy that includes the necessary resources, tools, and procedures.
- Form a Threat hunting team. The team must have experience in cybersecurity and data analysis, and it is essential that they stay up to date on the latest threats and techniques.
- Collect and analyze data. Compilation through event logs, network traffic, and Intrusion Detection Systems (IDS), automated Cyberintelligence. platforms.
- Formulate the hypotheses. Based on threat intelligence and behavioral analysis, hypotheses about potential threats are formulated, and steps are defined to investigate each.
- Execute the hunt. Active searches of collected data are conducted to identify suspicious activity. If indications of a threat are found, further investigation is conducted to confirm the nature and extent.
- Respond and mitigate. When a threat is confirmed, measures are taken to contain, nullify, or mitigate its impact.
- Documentation and reporting. All findings and actions taken are documented, and reports are provided to senior management and cybersecurity managers to improve defenses and security strategies.
What is needed to start threat hunting?
To implement an effective Threat Hunting program, we need to prepare and organize several key components to ensure its success. These fundamental elements include proper team selection, collection and analysis of relevant data, and integration of threat intelligence.
Human capital
Selecting the right threat hunting team is crucial to the success of the strategy. A threat hunting team should combine technical skills, practical experience, and the ability to work as a team. The threat hunting team should be composed of professionals with backgrounds in cybersecurity, data analysis, attacker techniques and procedures, with official certifications such as Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), or GIAC Certified Incident Handler (GCIH), and, if possible, extensive hands-on experience. The team must be able to work collaboratively and communicate their findings effectively to other departments and senior management. They should be continuously updated on cybersecurity and threats.
Data
To initiate threat hunting, it is essential to collect and analyze a variety of data that can indicate suspicious or malicious activity. This data should be extracted from event logs, such as system or security logs; network traffic, such as packet captures or network flows; endpoint data, such as activity logs or sensor data; threat intelligence, such as indicators of compromise or information gathered from monitoring external sources; user data, such as authentication logs or behavioural analysis; and data on exposed vulnerabilities and open breaches extracted from scans of the organisation's internal and external attack surfaces.
Threat Intelligence
Threat Intelligence focuses on the collection, analysis, and utilization of information about potential and current threats that may affect an organization's security. It provides detailed insight into malicious actors, their tactics, techniques, and procedures (TTPs), as well as exposed vulnerabilities and open security breaches that can be exploited to execute an attack. In threat hunting, threat intelligence serves as a solid foundation, guiding the team in identifying and mitigating risks. With access to up-to-date, accurate threat information, threat hunting professionals can anticipate and detect suspicious activity before it escalates into a security incident. In addition, Threat Intelligence enables prioritization of countermeasure efforts by focusing on the most relevant and immediate threats to the organization.
3 reasons why threat hunting is necessary in your organization
Threat hunting offers several key features and advantages that distinguish it from traditional security practices. The most relevant of these are highlighted below:
1. Proactive and immediate approach
Unlike traditional security methods that tend to be reactive, threat hunting empowers organizations to anticipate threats before they materialize. This proactive approach involves actively looking for signs of malicious activity rather than waiting for incidents to occur. By taking an immediate approach, threat hunting professionals can identify and neutralize threats in real time, minimizing the potential impact on the organization. This not only reduces incident response time but also improves the organization's ability to prevent future attacks. In addition, the proactive approach allows organizations to stay one step ahead of attackers by quickly adapting to new tactics and techniques used by malicious actors.
You may be interested in→ Proactive security: what is it and why use it to prevent and detect threats and cyberattacks?
2. Continuous improvement
Threat hunting enables organizations to constantly evolve and adapt to new threats and tactics employed by malicious actors. Through threat hunting, security teams can identify patterns and trends in threats, allowing them to continuously adjust and improve their defense strategies. Continuous improvement involves a constant feedback loop in which threat hunting findings are used to refine security policies, update detection tools and techniques, and train staff on new defense tactics. This process not only strengthens the organization's security posture but also increases resilience to future attacks.
3. High adaptability
Through threat hunting, organizations can quickly adjust their defense strategies in response to emerging threats and evolving attacker tactics. Adaptability in threat hunting involves continuously updating the tools, techniques, and procedures used to detect and mitigate threats. Thanks to this adaptability, security teams can respond more effectively to new challenges and vulnerabilities that emerge in the cybersecurity landscape. In addition, adaptability enables organizations to integrate new technologies and methodologies into their defense processes, thereby improving their ability to protect their critical assets.
Types of threat hunting according to need
Organizations can adopt different threat hunting models depending on their specific needs. Each approach offers a different perspective for identifying and mitigating threats.
Intelligence models
These models focus on identifying cyber threats using Cyber Threat Intelligence. They enable organizations to identify suspicious activities and patterns of behavior that could indicate the presence of malicious actors, as well as exposed vulnerabilities and open gaps in the network, using indicators of compromise obtained from threat intelligence sources. They address the organization's need to detect, monitor, and understand threats at its external perimeter to neutralize them or respond effectively to their use by cybercriminals.
Hypothesis models
These models focus on formulating hypotheses about potential cyber threats. They rely on the knowledge and experience of security analysts to develop plausible assumptions about potential attacks, how they could be executed, and the vulnerabilities that could be exploited. They respond to the organization's need to anticipate any threat and proactively adapt to new ones as they emerge.
Personal models
These are advanced models tailored to an organization's specific needs. They are based on in-depth knowledge of the corporate environment, weaknesses, and particular requirements, and use the organization's own data and patterns to identify potential threats. They respond to the need to detect specific threats, adapt the strategy to their infrastructure and operations, and optimize organizational resources. These models can be run through human teams, advanced Cyber Intelligence platforms that allow search customization, or a combination of both.
Discover how Kartos helps you with your threat hunting strategy
Kartos is the corporate cyber surveillance platform developed by Enthec, enabling you to implement and scale a threat-hunting strategy within your organization. Its continuous, automated, and customizable monitoring capabilities of the internet, the deep web, the dark web, and social networks keep you permanently informed about exposed vulnerabilities and open gaps that can become attack vectors.
Thanks to its proprietary AI, Kartos eliminates false positives in search results, ensuring that every piece of data it receives is truly useful for decision-making and neutralizing latent threats. Furthermore, it issues real-time alarms, it sends constantly updated information, and generates detailed reports on its findings.
Want to know how Kartos can strengthen your threat hunting program? Please contact our team to learn more about the full range of possibilities our corporate surveillance solutions offer.
The impact of man-in-the-middle attacks on companies
Communications security is a cornerstone of any man-in-the-middle cybersecurity strategy. Cybercriminals are constantly refining their techniques to intercept data and exploit vulnerabilities undetected. Among all the methods they employ, the Man-in-the-Middle (MitM) attack stands out for its ability to compromise highly sensitive information without any of the parties involved noticing.
But what exactly is a Man-in-the-Middle attack, and how can it affect a company? In this article, we explain its characteristics, impact, real-world examples, and how to protect yourself against this type of cyber threat.
Discover how advanced solutions like Kartos can help you protect your company's communications and prevent such attacks.
What is a Man-in-the-Middle attack?
A Man-in-the-Middle attack occurs when a cybercriminal is positioned between two parties who believe they are communicating directly with each other. The attacker intercepts the information, modifies it if desired, and forwards it without any party suspecting anything.
Imagine you're in a coffee shop, and you connect to public Wi-Fi to check your work email. Unknowingly, a hacker is on the same network and has created a fake access point with the same name as the premises' Wi-Fi. When you enter your login credentials, the attacker captures them without you noticing.
MitM attacks can occur in various contexts: open Wi-Fi networks, corporate email, HTTPS sessions with forged certificates, or even communications between a company's internal systems.
What dangers does a Man-in-the-Middle attack pose?
For businesses, a Man-in-the-Middle scam can have devastating consequences. Confidential information is put at risk, and relationships with customers and suppliers can also be affected. Let's look at some of the most significant impacts:
1. Credential theft and unauthorized access
Man-in-the-middle attacks can capture sensitive data such as usernames, passwords, and corporate service access credentials. A cybercriminal with access to this data could perform financial fraud, modify key information, or even sabotage internal processes.
2. Identity theft and financial fraud
Sometimes, the attacker intercepts the information and modifies it in real-time.
For example, a company may transfer money to a supplier. If a hacker has compromised the communication channel, he can alter the account number in the message before it reaches the recipient. Thus, the money ends up in the attacker's account instead of the provider's.
This attack is becoming more common in business transactions and electronic payments, and many businesses have lost large sums of money.
3. Leaking sensitive data
Man-in-the-middle attacks can also spy on a company's communications. If employees send unencrypted emails or use unprotected public Wi-Fi networks, an attacker can gather insights without anyone noticing.
This poses a significant risk for companies that handle sensitive data, such as law firms, technology companies, and financial institutions. Data breaches can damage a company's reputation and lead to legal penalties for non-compliance with data protection regulations.
4. Reputational damage and loss of trust from customers and partners
Businesses depend on the trust of their customers and business partners. If a company suffers a Man-in-the-Middle attack and customer data is compromised, its corporate image will be affected.
People are becoming increasingly aware of the importance of digital security, and such an incident can prompt customers and partners to seek safer alternatives.
5. Industrial espionage and intellectual property theft
Sectors such as legal, pharmaceutical, technology, and defense are priority targets. An attacker with continuous access to a company's communications can exfiltrate valuable intellectual property for weeks or months before being detected.
Real-world examples of Man-in-the-Middle attacks
To better understand the scope of these attacks, let's look at a real-world examples of a Man-in-the-Middle attack:
Attack on Wi-Fi networks in European airports (2015)
In 2015, security researchers discovered a large-scale Man-in-the-Middle (MitM) attack on public Wi-Fi networks in European airports. The cybercriminals had installed fake access points with names similar to those of legitimate networks.
When the passengers connected, the attackers could intercept login credentials, banking information, and personal data. Many business executives were victims without even realizing it.
This attack demonstrated how easy it is to exploit insecure connections and how a cybersecurity failure can jeopardize critical business data.
Operation Dark Caracal (2012–2017)
Researchers from the EFF and Lookout documented a massive espionage campaign attributed to a Lebanese state actor. The attackers deployed man-in-the-middle (MitM) infrastructure to intercept communications of journalists, lawyers, military personnel, and businesses in more than 21 countries, exfiltrating confidential documents, private conversations, and credentials over several years.
MitM attacks on online banking in Spain (recurring, 2020–2025)
INCIBE has documented multiple campaigns targeting corporate clients of Spanish banking entities, combining MitM attacks with phishing to capture access credentials to business online banking platforms and authorize fraudulent transfers.
The usual modus operandi follows a well-defined pattern. The attacker intercepts the active session between the employee and the bank portal, captures the OTP in real time, and immediately reuses it before it expires, thereby bypassing the Strong Customer Authentication (SCA) required by PSD2 regulations. The money appears to be transferred legitimately to accounts under the attacker's control, and the company only detects the fraud when it reviews its bank transactions.
How to protect your company from a Man in the Middle attack
Fortunately, there are several strategies to minimize the risk of a Man in the Middle attack. Here are some key measures:
1. Use of encryption in all communications
Data encryption is one of the best defenses against these attacks. HTTPS, VPNs, and encrypted emails should be used whenever sensitive information is exchanged.
2. Avoid public wifi networks
Open Wi-Fi networks pose a significant risk. If employees need to connect in a public place, they should use a VPN to protect their data traffic.
3. Implementing Multi-Factor Authentication (MFA)
If an attacker intercepts credentials, multi-factor authentication can prevent them from accessing the account. This method adds an extra layer of security, such as a code sent to the user's mobile.
4. Network traffic monitoring
Businesses should use security tools to detect suspicious activity on their network. Traffic analysis can identify unusual patterns that indicate the presence of an attacker.
5. Staff education and awareness
Many attacks exploit employees' lack of knowledge. Training staff in good digital security practices, such as recognizing fake websites and avoiding using unsecured networks, is essential.
6. Digital certificates and electronic signatures
Businesses can use digital certificates to authenticate their communications. This makes it difficult for attackers to impersonate identities or modify messages.
The Man-in-the-Middle attack is one of the most dangerous threats in enterprise cybersecurity. In minutes, it can compromise critical data, cause financial losses, and damage a company's reputation.
The Man-in-the-Middle attack, an active threat in 2026
As such, organizations must adopt protective measures, such as data encryption, multi-factor authentication, and staff awareness. Advanced cybersecurity solutions, such as Enthec's Kartos, can be essential for detecting and blocking MitM attacks in real time, ensuring the protection of your company's sensitive information.
In a world where digital security is more important than ever, being prepared can distinguish a safe company from another victim of cybercriminals.
Compliance with CRA regulation: How can you achieve it in your company?
The CRA or Cyber Resilience Act regulation marks a turning point in cybersecurity regulation in the European Union. This cyber resilience law establishes, for the first time, a uniform legal framework for the introduction of products with digital elements into the European market, from enterprise software and IoT devices to critical infrastructure components.
And the deadlines are closer than many companies realize. Vulnerability reporting obligations will apply starting on September 11, 2026, while the full implementation of the cyber resilience regulation will arrive on December 11, 2027. All operators involved in the value chain of products with digital elements must know and prepare to comply with their obligations before time runs out.
What does this mean in practice for your company? Who exactly is bound by the European cyber resilience law? And how can you structure compliance without it becoming an unmanageable burden for your teams?
This is where Kartos comes in, Enthec's cyber-surveillance platform based on a Continuous Threat Exposure Management model. Kartos allows you to proactively identify, monitor, and manage your organization's and your suppliers' external exposure, aligning directly with the requirements of the CRA regulation.
What is CRA regulation?
The CRA regulation, or cyber resilience regulation, is a legislative proposal of the European Union that seeks to ensure the safety of products with digital components throughout their life cycle.
This horizontal regulation affects all types of devices connected to the internet, from business management software to smart home appliances. The objective is clear: prevent security flaws from becoming entry points for attackers.
This cyber resilience law requires manufacturers, distributors, and importers to comply with a series of security requirements, including:
- Risk assessment before launching the product.
- Active vulnerability management.
- Transparency about security incidents.
- Security updates throughout the product's life.
According to a report from the European Union Agency for Cybersecurity (ENISA), over 50% of attacks in Europe originate from known vulnerabilities that remain unpatched.
Who is affected by the CRA regulation?
Although it may seem that only technology companies should be concerned, any organization that markets products with digital elements in the EU is subject to this regulation.
That includes:
- Software manufacturers.
- Companies that integrate digital systems.
- Connected hardware distributors.
- To a lesser extent, business users are obliged to demonstrate good practices in the digital supply chain.
In this sense, if your company integrates third-party software into its processes, you should check that these suppliers are aligned with the standards of the CRA regulation. If they fail, the problem can also reach your business. Under our third-party license, you will be able to manage these relevant issues.
You may be interested→ Keys to carrying out supplier evaluation: how to manage third parties in your company.
CRA regulation deadlines: what you need to know in 2026
The European cyber resilience law came into force on December 11, 2024. From then on, the phased implementation schedule is as follows:
- September of 2026: The obligations to report incidents and vulnerabilities to ENISA become applicable.
- December 2027: Full application of the regulation. All products with digital elements must comply with all applicable requirements to be marketed with a CE marking.
Companies that have not yet begun their adaptation process are, in practice, at significant regulatory risk.
How to achieve compliance with CRA regulations?
Compliance with CRA regulations is not a one-day task, but a continuous process that requires planning, resources, and strategic vision. Here are some keys to tackling it successfully:
1. Map your external attack surface
Before taking action, you need to know what's exposed. The CRA regulation requires manufacturers to understand and manage the risks associated with their products. The first step is to conduct a thorough inventory of digital assets, including domains, subdomains, IPs, exposed services, leaked credentials, and third-party dependencies.
With Kartos, you can get an up-to-date, automated view of your external exposure, without manual intervention or false positives.
2. Establish a vulnerability management process
The cyber resilience law requires manufacturers to identify, document, and correct vulnerabilities throughout the product's lifecycle. This implies having a formal vulnerability management process that includes prioritization by criticality and recording of actions taken.
3. Implement a CTEM strategy
One of the best ways to comply with CRA regulations is to adopt a Continuous Threat Exposure Management model(CTEM). This strategy is based on:
- Constantly identify new threats
- Validate the effectiveness of your security controls.
- Automate detection and response processes.
Through Kartos, we offer precisely a CTEM-based approach that perfectly fits this need.
4. Establish incident reporting processes
The cyber resilience regulation establishes strict notification obligations; actively exploited vulnerabilities and serious security incidents must be reported to ENISA within 24 hours of the manufacturer becoming aware of them.
Having the processes and tools in place to detect, classify, and report incidents on time is not optional; it is a legal requirement starting in December 2026.
5. Document and audit
The cyber resilience regulations require transparency. Therefore, it is essential to document security actions, to implement controls, and to record incidents. This way, if an audit occurs or a decision needs to be justified, you'll have all the necessary documentation.
Benefits of complying with the CRA regulation
Although it may seem like just another obligation, the truth is that compliance with the CRA regulation can become a competitive advantage:
- Improves your brand reputation.
- Increases the confidence of customers and partners.
- Reduces the risk of sanctions and economic losses.
- Prepares you for future similar regulatory frameworks.
Plus, keeping your digital exposure under control minimizes the risk of cyberattacks, which cause billions of euros in annual losses, according to data from Cybersecurity Ventures.
Kartos: your ally in compliance
You are not alone in this process. Enthec offers solutions designed to help you address all of these challenges. With Kartos, you can:
- Continuously detect external threats.
- Prioritize corrective actions.
- Comply with the requirements of the cyber resilience regulation more simply.
Adapting to the CRA regulation should not be seen as a burden but as an opportunity to improve your company's cybersecurity posture.. The sooner you start, the better prepared you will be to face the digital challenges that lie ahead.
At Enthec, we know security is not static. That's why we offer tools that evolve with your company.
Do you want to see how Kartos can help you comply with CRA regulations simply and effectively? Contact us to start working together.