Patrick Gray
Hey, everyone, and welcome to this sponsored interview podcast here in the old Risky Bulletin RSS feed. My name's Patrick Gray, but I am not the one who has done this interview. The person who has done this interview is actually the founder of Bugcrowd, Mr. Casey Ellis. And we've been talking to Casey for a while about getting him to do some stuff with us. And yeah, this is his Risky Business debut. And in this interview, he speaks with the founder of runZero, Mr. H.D. Moore, about vulnerability management and about how it's kind of broken and some stuff they're trying to do at runZero to make it better. So I hope you enjoy this. Here it is: Casey Ellis interviewing H.D. Moore. Enjoy.
Casey Ellis
Hey, HD, how you doing?
H.D. Moore
Oh, good, thanks.
Casey Ellis
HD, you did a talk recently on Snake Oil in cybersecurity, which I immediately pricked my ears up to when I saw the title. It's a pet subject of mine, but do you want to kind of expand on what you were getting at there? That's what we want to talk about today.
H.D. Moore
Yeah. Short version is vuln management's kind of been failing for a long time. We've seen folks accept the fact that their vuln scanning was so garbage that they had to buy another tool to put in front of it to prioritize the garbage, to figure out what to go fix. And our take is, like, none of your data is correct. There is no source data that you have today that is even starting from the right place. Even if you have one of the big three vuln scanners, you're still missing a lot of stuff for a bunch of reasons, both related to authenticated versus unauthenticated scanning, device configurations, things like that.
Casey Ellis
Right? Yeah. And when you were going through the talk, it sort of ties into what you guys are doing, what you built at runZero, and kind of where it's going. But just sort of unpacking the talk a little bit more, there was a part in there that I found really interesting and kind of topical to some of the stuff that I've seen and thought about in a bug bounty context, and just in general: this whole idea of edge devices and these kind of long windows that we end up with between discovery of a vulnerability and ultimately when it's able to be tested so that it can be fixed. Do you want to go into that a little bit?
H.D. Moore
Yeah, sure. I mean, the short version is, if you look at the Mandiant M-Trends report, the top four most exploited vulnerabilities were all in security products at the edge. It's Palo Alto, Ivanti and Fortinet, and two different bugs in Ivanti, and there are weekly Ivanti bugs. It's hard to keep track of them. But the challenge is these devices have to be on the Internet for them to function. You cannot have a VPN service that your users can't access and still get on the VPN. That's the whole point. So attackers have chosen these devices as being their best targets because they're the most effective way into the network. And we saw that play out last year, and arguably the year before, and the year before that. And we're not really learning our lesson. So our take was, like, let's go look at how security products are actually helping people identify these vulnerabilities. And the short version is they're not doing a good job. Most products don't support authenticated scanning of these types of devices. Oftentimes these checks aren't enabled by default, or when the check is enabled, it takes weeks or months or even years to be deployed after the vulnerability is identified. What's particularly troubling in these cases is that almost all these vulnerabilities are ones that were identified in the wild first. And so the CISA KEV date is almost always the publication date from the vendor, because they've already been sitting on it for a month and a half watching people getting popped, and now they're disclosing it to everybody else. So you're starting weeks or months behind from an attacker perspective just by the time you hear about it, and then you're also waiting on your vendor again, days, weeks, months, to be able to respond, to detect the vulnerability. And that doesn't work. At that point you're already owned.
Casey Ellis
Yeah, I mean, part of what you were talking about, part of what I think is interesting, is that dwell time. And, you know, what you were saying about sort of the deficiencies in existing vuln scanners: can you go a little bit more into the importance of, like, the delta between authenticated scanning and unauthenticated, and why unauthenticated is actually kind of really important when it comes to this sort of pants-on-fire problem-solving state?
H.D. Moore
Yeah, absolutely. I mean, if you go into any, pick any large enterprise in the world, about half the devices in that network you cannot connect to with a single credential. There's no single AD password that'll let you log into the device to figure out what's on it, or a single SSH key or password. There's multiple identity domains, there's multiple configurations. You've got devices that are firewalled off for some ports. So if you just point and shoot an authenticated scanner at the network, you're only going to be able to successfully even authenticate to about half of them. And some of those things you authenticate to, maybe attackers are actually just capturing your password. So it's not even just that you're only able to auth to half; it's that you're able to give your password to anybody who's on the network in a lot of cases, which is also a bad outcome. So where that gets bad is that for vendors in the space, only about 5 to 15% of their total coverage even works for unauthenticated scanning at all. So if you have 200,000 checks, well, you're only really getting 15,000 checks with a CVE that you can run unauthenticated. Even worse, a lot of those checks are not enabled by default. You have to enable, like, paranoid mode or thorough mode or web app crawling or whatever to even get that check in the first place. So if you're a customer of one of these companies and you're running this product, you assume they've got coverage. I ran the product, it's going to tell me where my vulnerabilities are. Even if you're waiting a week and a half, at least you think you're going to get the data. You never get the data. And you also don't get a big red flag saying you didn't get the data. You just get a "no vulnerabilities here." So, end of the day, you're stuck prioritizing a list of vulnerabilities that could all be solved by automatic patch updates, but you're still missing the big red ones, the big red flags, like your Palo Alto exposed to the net.
Casey Ellis
Yeah, that makes total sense. I mean, when you were comparing some of the scan vendors in there, there were a couple of little rays of sunshine that you called out. So do you want to speak about those?
H.D. Moore
Yeah, absolutely. I mean, the way we do it at runZero is a little different. We don't do active vuln scanning, at least not until recently. What we do instead is we fingerprint all your stuff so deeply that you can just find it immediately. So if you need to find out where your Palo Altos are on day zero, we say, here's your search query. In seconds, you get all your stuff. Right? So that's our approach, which is a little bit different than actively vuln scanning. And going forward, we're doing active vuln scanning too. But one of the vuln scanners that did a fantastic job is actually the cheapest one, Nuclei. So Project Nuclei, or sorry, Nuclei from ProjectDiscovery, is open source. It's got about 11,000 checks. They were one of the best options for zero-day response for all these types of vulnerabilities. I think they missed the SonicWall one we talked about, but other than that, they were pretty much one of the fastest to market for remote unauthenticated checks for all these products, beating the larger...
Casey Ellis
...vendors that are getting paid to do this stuff, in a very different way, which is quite extraordinary. But yeah, sorry, go on.
H.D. Moore
And unauthenticated by default. Right? There is no authenticated check in Nuclei. They assume that they have to prove the vuln and test it out. So that's pretty much like my background, coming from the Metasploit side, where our proof of vulnerability was a shell, not a vulnerability report. It's nice to kind of see that approach in Nuclei, like, no, let's go exercise the actual bug. So I was really excited to see the open source options kind of kicking everyone else's butt, and excited enough about it that we decided that, you know what, let's just adopt Nuclei at runZero and let's let our customers use Nuclei plugins. Let's help them make them safe and fast and all that. And let's also contribute the stuff we build back to the community.
Casey Ellis
That's super cool. How does that work? To me, the partnership there makes a ton of sense, just in terms of anyone who's run runZero, or even Rumble back in the day: you can see it's a whole bunch of HD kind of magic sprinkled onto identification. There's stuff popping up that's, "Oh, really?" And it happens very quickly as well. So there's been obviously a ton of work done on that since, and I know that it's improved and continued to do so. That visibility of what's running where, like what things are running on which bit of tin that you might not have known that you had, and all that kind of stuff. Like, combining a best-of-breed solution on that side with this idea of, okay, now let's get the best-of-breed thing when it comes to unauthenticated vulnerability detection, and actually put those two things together. Because having Nuclei without knowing where to fire it is a challenge. And obviously this is something that can augment what you guys are already really good at, right?
H.D. Moore
Yep, you nailed it. I mean, I don't want to speak ill of Nuclei by any means. It does a fantastic job for what it does, which is you throw it at a particular service and it tells you whether it's vulnerable or not. Right? But knowing what service to throw it at is most of the battle. It's like, you can't throw 11,000 checks at every device, and you can't do that on 11,000 printers and expect them to still print afterwards. Right? So our approach is, like, Nuclei is fantastic. We're already doing the same type of reverse engineering and vuln work for every type of new emerging threat anyway, so let's just go ahead and get a Nuclei check out for it. And if we get beaten to the punch by some of the open source community, great, we'll use theirs and tweak it. But the thing that we're going to do differently is use the really precise fingerprinting in runZero to say, for this asset, here are the Nuclei templates that make sense to run, because we know exactly that this thing is a Zyxel router of this firmware to that firmware; therefore it's safe to run these Zyxel checks. We're not going to be throwing a bunch of Windows-based vuln checks or IIS checks against your home routers, and vice versa. So getting really precise with how you check is how you're able to do this. In our testing so far, we actually couldn't tell that there's any lag. It didn't actually change our scan times to include Nuclei checks, because we're running such a small number of appropriate checks per target that it doesn't really change how much time it takes to scan. So instead of waiting for hours or days to run a scan, we're usually in a few minutes for a small network and maybe an hour for a really big network. So we're able to do this incredibly fast, almost at the same speed that we do our normal active discovery and scanning.
Casey Ellis
Yeah, that's cool. And I mean, even just from, like, a network congestion standpoint, let alone, you know, if you happen to have something fragile that pops up in the mix and you want to make sure that you're touching it gently in the process, that's very cool. So using the data and the intelligence that you guys have to basically tailor the scan, to make sure that only the checks that are required are being sent, and then obviously having those checks be best of breed in terms of what you're applying out to market, that's awesome. With that, I guess, where do you see this going over the next period of time? Because one of the things that I found really interesting about your talk, and something I think about a lot, is this idea that the researcher, on the good or the bad side, always has the decision advantage and the information advantage, because they're the ones that are actually operating in the gap. We've obviously seen that play out with these edge device vulnerabilities, alongside this whole kind of attacker shift in behavior towards just the Internet, as opposed to targeting as stealthily as they maybe did back in the day. In terms of, I guess, how organizations consume this and how they work it into what they're doing to try to stay ahead, how do you see that playing out over the next little while?
H.D. Moore
Your vendors have to be doing the heavy work. You can't expect every customer to be glued to the Internet, looking at every new vuln coming by. That's what we do. Our job is we watch all that stuff, you know, spend all night working on a check if we need to, and we get it out as quick as we can. We're hoping that as we're going through some of the Nuclei templates, if there are things to fix or make better, we'll automatically do that as part of it. So we're hoping just to kind of improve quality as we go. It's nice to have some funding to hire an engineer to do this kind of work, so we think it'll be helpful on that front. But I mean, long term, we kind of see the world splitting into two buckets. It's either a device you can put an agent on, and you have really good on-device visibility because you have an EDR or something else already doing vuln scanning on that device, or it's a device where you don't have an agent on it and you don't really have any other choice but to do an unauthenticated remote scan against it. Because trying to do an authenticated scan is just a bad idea across the board, and then doesn't work half the time. So we really see, like, the legacy VM market: I mean, if you look at legacy VM coverage, only 5% of some of these vendors' checks even do remote scan coverage. So you're only getting 5% of what they say they're selling. And even then you still have to enable all these checks. So we think we can do better than that by far. And we think that, especially working with vendors that have an agent on device already, the combination of runZero plus, let's say, your EDR-based VM will be so much more accurate and so much more useful than, let's say, taking a, you know, Tenable, Qualys, et cetera approach to the same data.
Casey Ellis
Yeah, that's very cool. Yeah, I mean, I've always been a big fan, somewhat evidently, of trying to disrupt sleepy incumbents. So I definitely think that it's a valiant effort to pursue, and yeah, it makes a lot of sense. That just reminds me, actually, when you mentioned that you've got a rapid response approach: that sort of came up, and I saw it pop out in the news over the past week or so with this whole ASUS thing. You want to just speak to that real quick?
H.D. Moore
Yeah, absolutely. We're working with a small startup here in town that does AI-driven monitoring of the interwebs to find things that are kind of on fire but not quite public yet. So when something starts to simmer, we see something starting to get more attention, or people trying to figure out this particular device or vulnerability. If we don't know what the device is, we immediately go figure out how to find the device. And then what we provide customers, like, that second is: here's a search query you can use against your existing inventory that will find all the things affected by that vulnerability. And if we can get it precise enough to determine if it's vulnerable, not just that it's that type of technology, great, we're done. We've already created the vuln check, effectively, through a passive scan of your existing data. So often what we do is do a technology check first. Like, if it's a new device we haven't seen before, we'll provide, like, a really quick search query that looks for, like, HTML title or body, favicon, banner, things like that, just to really quickly identify that particular type of technology. And that's kind of our first salvo. And then as soon as that goes out the door, which is within an hour of us identifying the issue, customers are able to identify that, triage, mitigate. And then we're working on the more specific check to look for the vulnerability itself. And that's where, going forward, we're hoping to put that directly into Nuclei as we go.
Casey Ellis
Yeah, okay, that makes sense. So you're able to determine that something's there. And by virtue of the fact that there's a known vulnerability in that thing, and you've ascertained a patch level or whatever it might be, like, that thing is vulnerable. Like, you know, one of these ASUS routers at the moment, if you just see that, then you need to assume it's...
H.D. Moore
Yeah, there's no patch, but...
Casey Ellis
There's no real need necessarily, in that circumstance, in the very early stage, to, you know, be able to programmatically check for the vulnerability itself, unauthenticated. You just need to know the thing is there, and that's, like, your immediate response, and then obviously you can increase the fidelity of that over time. Is that about right?
H.D. Moore
Yeah, that's right. I mean, oftentimes people forget they've got a backup VPN appliance on a side network. They forget about a backup Exchange server. We help people find all that stuff that isn't kind of top of mind for them. And the thing is, like, on day zero, hour zero, you know it's vulnerable. No one's applied the patch to it. You know your team hasn't got around to doing it yet, because they haven't found out about the bug yet. So it's one of those things where, especially in that first 24-hour window, like, you just need to know where your stuff is. It's way more important than knowing whether you've got a vuln check for it. It doesn't make sense to wait for your vendor to put out an update, wait for your scan window, wait for your scan to complete, then do a report. Like, all that time is you getting owned, and we want to shorten that time as much as we can for our customers.
Casey Ellis
Yeah, that's brilliant. I mean, just that in and of itself, you know, the idea of being able to do, like, a rapid targeted asset inventory based on a trash fire that's happening on the Internet. That's definitely something I've, we've actually used the crowd to deliver at various points in time, like, probably nowhere near as efficiently as you guys do it, but yeah, with the same driver and kind of towards that same goal. So that's really super cool that you guys are doing that. So I mean, where do I sign?
H.D. Moore
Well, the good news is you've got a free trial. You don't have to talk to a salesperson. So runzero.com, try it, and if you have a home lab, it'll convert to a community edition after 21 days and you can play there forever. And even our home community version supports external hosted scanning. So if you want to scan outside your firewall, scan someone else's firewall, we don't care. So you can basically use most of the enterprise features in the community version. Right now it just has a low asset limit of about 100 assets. But other than that, it's a great product to play with, and we have a lot of folks who play with it at home for a couple of months first, then take it to work once they feel comfortable with what it does and how it does it.
Casey Ellis
That's super cool. Well, yeah, thanks for catching up, HD. It's super exciting what you guys are doing on the Nuclei side. Great to get an update on kind of where it's all up to as well. As I said before, I've always been a big fan of your work and been a longtime fan of the product as well. So congrats on the progress, and cheers. Till next time.
H.D. Moore
Thank you, Casey. Same.
Risky Bulletin Episode Summary: Sponsored - HD Moore on Why Vulnerability Scanners Are Awful and Broken
Release Date: June 1, 2025
In this sponsored episode of Risky Bulletin, guest host Casey Ellis (founder of Bugcrowd) talks with H.D. Moore, founder of runZero and creator of Metasploit. The discussion covers the persistent shortcomings of vulnerability management tools and what runZero is doing about them.
Patrick Gray opens by introducing Casey Ellis, making his Risky Business debut as interviewer, and H.D. Moore.
H.D. Moore immediately addresses the core issue:
He critiques existing vulnerability scanners, emphasizing their inability to provide accurate and comprehensive data, which forces organizations to invest in additional tools for prioritization.
Casey Ellis references H.D. Moore's recent talk on "Snake Oil in Cybersecurity," prompting an elaboration on the topic.
H.D. Moore highlights the lag between the discovery of an edge-device vulnerability (often first seen being exploited in the wild, so the CISA KEV date is typically the vendor's disclosure date) and the point at which a scanning vendor ships a check for it, which can take weeks, months, or longer. He also points out that authenticated scanning can only reach roughly half the devices in a large enterprise, because of multiple identity domains, varied configurations and firewalling, and that spraying credentials at the network hands passwords to anyone positioned to capture them.
He underscores that only about 5 to 15% of a typical scanner's check library works unauthenticated at all, and many of those checks are off by default, so a scan reporting "no vulnerabilities" frequently means "no coverage."
Transitioning to solutions, H.D. Moore introduces Run Zero's differentiated strategy.
runZero relies on deep fingerprinting to identify assets in seconds, so that only the vulnerability checks relevant to an asset's exact product and firmware range are run against it. Compared with throwing an entire check library at every host, this keeps scan times close to those of normal discovery and avoids knocking over fragile devices such as printers.
By integrating Nuclei from ProjectDiscovery, runZero adds open-source, unauthenticated, exploit-style checks (Nuclei ships roughly 11,000 templates and, in Moore's comparison, was among the fastest to publish remote checks for the edge-device bugs discussed). runZero plans to contribute the templates it writes back to the community.
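The selection logic Moore describes (fingerprint first, then run only the templates that fit the exact product and firmware range) can be sketched in a few dozen lines. The block below is an added illustration, not runZero or Nuclei code; the title-based signatures, the template metadata, the hypothetical template IDs and the asset inventory are all constructed for the example. Real Nuclei templates carry their matching metadata in YAML (id, tags, severity); here a small dataclass stands in for that.

```python
# Added example: fingerprint-driven template selection. Not runZero or Nuclei
# code; every signature, template id, version range and asset below is made up.
from __future__ import annotations
from dataclasses import dataclass
import re


def parse_version(v: str) -> tuple[int, ...]:
    """'5.21(ABFX.1)' -> (5, 21, 1): compare firmware numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass
class Asset:
    ip: str
    html_title: str = ""          # what a day-zero "technology query" keys on
    vendor: str | None = None     # filled in by fingerprinting
    product: str | None = None
    version: str | None = None    # only known when fingerprinting is precise


@dataclass
class Template:
    """Stand-in for a Nuclei template's matching metadata (constructed)."""
    id: str
    vendor: str
    product: str
    min_version: str | None = None   # inclusive; None = no lower bound
    fixed_in: str | None = None      # exclusive; None = no fix known yet


# Constructed title signatures: the "first salvo" that finds a technology before
# any vuln check exists. The patterns are illustrative, not vendor facts.
TECH_SIGNATURES = {
    ("Zyxel", "USG"): re.compile(r"USG.*Zyxel|Zyxel.*USG", re.I),
    ("Palo Alto", "GlobalProtect"): re.compile(r"GlobalProtect", re.I),
    ("Example Printer Co", "Office Printer"): re.compile(r"printer", re.I),
}


def identify(asset: Asset) -> Asset:
    """Day-zero technology check: tag vendor/product from the HTML title."""
    if asset.vendor is None:
        for (vendor, product), pattern in TECH_SIGNATURES.items():
            if pattern.search(asset.html_title):
                asset.vendor, asset.product = vendor, product
                break
    return asset


def version_affected(version: str | None, tmpl: Template) -> bool | None:
    """True/False when the firmware version decides it; None when it cannot."""
    if version is None:
        return None
    v = parse_version(version)
    if tmpl.min_version and v < parse_version(tmpl.min_version):
        return False
    if tmpl.fixed_in and v >= parse_version(tmpl.fixed_in):
        return False
    return True


def select_templates(asset: Asset, templates: list[Template]) -> tuple[list[str], list[str]]:
    """Return (template ids worth running, ids the version alone marks affected).

    Templates for other products are never sent to this host, and templates the
    known firmware rules out are skipped, so a printer never sees router checks.
    """
    run, known = [], []
    for t in templates:
        if (t.vendor, t.product) != (asset.vendor, asset.product):
            continue
        hit = version_affected(asset.version, t)
        if hit is False:
            continue
        run.append(t.id)
        if hit:
            known.append(t.id)
    return run, known


def plan_scan(assets: list[Asset], templates: list[Template]) -> dict[str, tuple[list[str], list[str]]]:
    return {a.ip: select_templates(identify(a), templates) for a in assets}


TEMPLATES = [  # hypothetical ids and ranges; not real Nuclei templates
    Template("hypo-zyxel-usg-auth-bypass", "Zyxel", "USG", min_version="4.60", fixed_in="5.37"),
    Template("hypo-globalprotect-rce", "Palo Alto", "GlobalProtect"),
]

ASSETS = [  # constructed inventory
    Asset("10.0.0.1", html_title="USG60 - Zyxel", version="5.21"),
    Asset("10.0.0.2", html_title="USG60 - Zyxel", version="5.37"),
    Asset("10.0.0.3", html_title="GlobalProtect Portal"),
    Asset("10.0.0.4", html_title="Printer status page", version="1.0"),
]

if __name__ == "__main__":
    for ip, (run, known) in plan_scan(ASSETS, TEMPLATES).items():
        print(f"{ip}: run {run}; version alone says affected: {known}")
```

The host whose firmware is already at the fixed version gets no checks, the host with an unknown firmware version still gets its product's check (the active test is what settles it), and the printer receives nothing at all. That last property is the one that keeps scan time flat as the template library grows.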
Casey Ellis expresses admiration for Run Zero's swift response mechanisms, especially in emergent situations like newly discovered vulnerabilities.
H.D. Moore describes runZero's rapid response process: a partner startup monitors the Internet for issues that are simmering but not yet public. runZero first ships a search query (HTML title, body, favicon, banner) that finds the affected technology in a customer's existing inventory, typically within an hour of spotting the issue, and follows up with a more specific vulnerability check, which it intends to publish as a Nuclei template.
On day zero there is usually no patch, so knowing where the affected devices are (including forgotten backup VPN appliances and Exchange servers) matters more than having a precise vulnerability check, and it lets organizations triage and mitigate before a scanner vendor has shipped anything.
Looking ahead, H.D. Moore sees devices splitting into two buckets: those that can run an agent (where EDR or similar tooling already provides on-device vulnerability visibility) and those that cannot, where an unauthenticated remote scan is the only realistic option.
He argues that scanning vendors, not customers, must do the heavy lifting of tracking new vulnerabilities and shipping checks quickly, and that pairing runZero's discovery with an agent-based vulnerability product will be more accurate than a legacy scanner whose remote coverage is a small fraction of its catalog.
He emphasizes the need for precise, fast vulnerability detection to stay ahead of attackers who have shifted to targeting Internet-facing edge devices directly.
The episode concludes with H.D. Moore inviting listeners to explore Run Zero's offerings.
Casey Ellis commends Run Zero's advancements, expressing enthusiasm for their contributions to the cybersecurity community.
Key Takeaways:
Inadequacies of Current Vulnerability Scanners: Authenticated scanning reaches only about half of a large enterprise's devices, only a small share of check libraries work unauthenticated, many checks are off by default, and checks for actively exploited edge-device bugs arrive weeks or months late, so reports that show nothing often reflect missing coverage rather than safety.
runZero's Approach: Deep fingerprinting selects the Nuclei templates that fit each asset's exact product and firmware range, keeping scans fast and safe for fragile devices while adding exploit-style, unauthenticated checks.
Rapid Response Importance: In the first 24 hours, knowing where affected devices are matters more than having a vulnerability check for them; runZero ships a technology search query within about an hour and a specific check afterwards.
Future Directions: Agent-capable devices get on-device visibility; everything else needs unauthenticated remote scanning, with vendors responsible for keeping checks current.
The episode is a useful tour of why vulnerability scanner output is so often wrong, and of one vendor's attempt to fix the discovery-first part of the problem.