Retrospective 2024 and Roadmap 2025
Written on 2025/01/31
First of all, we wish you and your loved ones a wonderful year in 2025. May it be the year of all fulfillment in your lives.
This is the time of year for us to communicate on what we have achieved through 2024, and what is coming for 2025. Many awesome features have been released and more are planned :)
A new category is born: CTISCAN category
We are very proud to inform you that our CTISCAN category is now live and available to all Griffin View & Griffin View ASM Edition users.
This new category can be seen as a brand new product dedicated to Cyber Threat Intelligence (CTI) use-cases. From our perspective, CTI means having the right data to uncover an attacker’s infrastructure. Until now, we focused solely on Attack Surface Management (ASM) and so only collected data for that purpose.
With CTISCAN, we want to fill the gap between some of our highly-successful competitors in this field and our current categories of information. In CTISCAN, we want to have the most pivot points possible to uncover an attacker’s infrastructure, and also to have a better refresh rate on exposed assets.
Please note that the data model for this category is new and different to our existing data model, so we’re presenting CTISCAN as an entirely new product. Because it was created with a Threat Intelligence Analyst in mind, CTISCAN can’t readily be used to correlate information with other categories.
Today, we can announce general availability of the following CTISCAN features:
- 1000 ports scanned once a week
- Top 100 ports scanned twice a week
- New pivots not available in ASM categories of data:
- ja4t fingerprint
- ssh fingerprint
- hassh fingerprint
- favicon MD5 & MMH3 hashes compatible with other well-known search engines
- 30 days of historical data
- capability to search for specific IP addresses with a list of open ports
- HTTP pivots like E-Tag, Last-Modified or Cookie headers
And we will add more CTI pivots throughout the year; more on that in a separate communication. Last but not least, we will scan more ports as we want to compete with “The Leading Internet Intelligence Platform for Threat Hunting and Attack Surface Management”.
Full data model description is available in our Docs portal, along with sample queries.
Do you need a quick introduction to CTISCAN? Contact us at support[at]onyphe{dot}io
Some words on Griffin View ASM Edition
2024 was the year of Griffin View ASM Edition. It was launched during the last quarter of 2023, and we already have quite a few customers using that license. What does it give you?
- Customizable dashboards
- Easy to navigate graphical interface
- Access to all of your asset data in one place
- Capability to set custom alerts, for example, generating Webhooks to your own ticketing system
And at the start of this year, we added, as standard, an On-demand scanner so you can refresh your data at will, without increasing the price of this license.
Retrospective 2024
We did a lot of work during 2024, though with the bare minimum of communication. But this year, we are investing in marketing, so expect us to become more widely known around the world.
The main reason for our busy silence in 2024 is that we were totally focused on entirely rebuilding our scanning infrastructure with one simple goal in mind: to be able to scale up to scan tens of thousands of ports. Along with that goal, we were working to improve our storage infrastructure to scale up to petabytes of data. For the record, we currently have 300TB of storage capacity, and querying it is still lightning fast for our customers.
During 2024, we achieved the following:
- Increased volume of collected data by 100% (we doubled the size). And that doesn’t take into account the new category (CTISCAN) of data, where we store 3 times the current volume we have in datascan. Thus, for raw data customers, we store ~65GB of compressed JSON (BZ2) for datascan per day, while we store ~130GB of compressed JSON for CTISCAN;
- In terms of global monthly volume of collected data, we more than tripled the volume from 1.7TB in January 2024 to 5.9TB in December 2024;
- New category of information: CTISCAN dedicated to Cyber Threat Intelligence (CTI);
- Added dozens of new CVEs to vulnscan;
- Improved CVE detection in vulnscan by using data collected from CTISCAN;
- From 200+ ports scanned to more than 400 ports;
- Activated scanning of IPv6 at application layer in datascan;
- Improved DNS information gathering: we now collect NS records for all domains we see. That allows for pivoting on name servers to list all domains bound to the same name servers;
- Greatly improved favicon scanning;
- Improved HTTP redirections: we now follow up to 5 redirections;
- Merged data fields from synscan into datascan category (rtt & ttl fields);
- Deprecated synscan category to focus on what matters most: datascan;
- Scanner engine update to improve some protocol detections;
- Better detection for obvious honeypots through the tag:honeypot;
- Complete review of scanning infrastructure to scale to tens of thousands of ports;
- Rework of storage infrastructure to scale to petabytes of data;
- Bi-monthly refresh rate from FR and US countries, instead of once per month previously;
- Improved fetching of Certificate Transparency Logs (CTL) with more DNS resolutions and URL scanning;
- Open-sourced new Cortex analyzers for querying ONYPHE data from within TheHive;
- Allow searches through our APIs using regexps and /8 CIDRs;
- More scanning from HK and SG locations (86 ports for SG & 42 for HK);
- And many new protocol detections along with many new CPEs.
Some key metrics from the previous 12 months
- Number of collected banners: from 1B to 5B per month
- Number of DNS requests: from 1.5B to 4B+ per month
- Number of scanned ports: from 200+ to 1300+ per month
- Storage capacity: from 100TB to 300TB
- Known domain names: from 100M to 300M+
- Known FQDNs: from 1.5B to 3B+
- Critical CVEs identified: from 60 to 110+
And that’s just a subset of what we collect.
Roadmap 2025
- OQLv2: better query language supporting grouping (parentheses);
- Attack Surface Management (ASM) Inventory API: capability for ASM Edition customers to autonomously add, list, remove pivots from their inventory and define realms;
- On-demand scan functionality within ASM Edition dashboards: to allow authorised users to launch an active scan of assets from the graphical interface;
- Asset enrichment: allowing for notes and tagging for assets from within ASM Edition;
- Attack Surface Discovery (ASD) APIs: automatic discovery of an attack surface by starting from a domain name or keywords;
- CTISCAN integrated in On-demand scanning APIs: so we have all CTI pivots also in On-demand scans;
- CTISCAN integrated in Griffin View ASM Edition: so we have an even better view on exposed assets;
- New CTISCAN pivots: ja3s, jarm, and many others.
- More ports. Lots more ports.
Conclusion
Over the course of only 12 months, we have massively increased our visibility of Internet exposed assets. Until now, we were focused on the ASM market, but this year we will improve our automatic ASD capabilities and expand into the CTI segment.
Furthermore, we never invested in marketing. We were generally only focusing on the technical side of doing business. Doing is great, but letting others know what we are doing is even better. This year will be a year of marketing for ONYPHE and our products so we can reach more customers with our pioneering ASM platform built on top of a data lake we’ve been building for nearly 8 years.
You can count on us to be a leader in ASM, ASD & CTI and to compete robustly with “The Leading Internet Intelligence Platform for Threat Hunting and Attack Surface Management”.
Do you have any questions? Contact us at support[at]onyphe{dot}io