Video: Partner Webinar: Vulnerability Management, Detection, and Response - Technical | Duration: 3236s | Summary: Partner Webinar: Vulnerability Management, Detection, and Response - Technical | Chapters: Session Welcome (6.64s), Welcome and Introduction (65.145s), Product Overview (120.135s), VMDR Module Introduction (191.155s), Industry Challenges (289.67s), Vulnerability Management Challenges (525.955s), Asset Discovery Methods (718.59s), Passive Discovery Strategy (858.98s), Continuous Vulnerability Scanning (1074.245s), Asset Coverage (1259.36s), Asset Integration Methods (1500.105s), Remediation and Mobilization (1706.725s), Remediation Workflows (1876.27s), Scan Configuration Options (2235.05s), Wrap-Up and Q&A (2671.59s)
Transcript for "Partner Webinar: Vulnerability Management, Detection, and Response - Technical": Hello there. Good afternoon, everybody. Thank you for joining this second session of the day of the Armis Educates. This is our more technically focused session. So we'll just give it the obligatory one minute to let everybody join the call, get settled in, cup of tea at the ready, and then we will look to start today's session. Okay. Yep. I see people coming in. Gained some familiar names on there, some people from the first session as well. Thank you, and welcome back. K. Alrighty. By my clock, I make it one minute past, so let's start. So, yeah, indeed. Thank you, everybody, for joining. Good afternoon. Welcome to the Armis Educate technical session on VMDR. My name is Jamie Andrews. I'm the channels director here at Armis, and I have the pleasure of hosting today's session. So if you're a regular viewer, you had been with us last month where we talked about another new product, which was our AppSec product, which we released in February. Today, we're gonna be talking about our vulnerability management and detection response product, which we released and launched in March. We call it VMDR for short. The name is quite catchy, but this is a next generation take on an age old problem around vulnerability scanning. So, Chris, we can go to the next slide. So we brought this product out, as I say, to assist in and drive organizations to be able to be more efficient in the way that they're managing their vulnerability issues. Everybody's fully aware that there are challenges. There's lack of efficiencies. There's lack of consistency. There is a real overhead where it comes to managing vulnerabilities in organizations. The tooling and the techniques that have been used are out of date, do not keep up with the scale and the speed of which we have.
And therefore, by bringing this new approach out that we're gonna talk through today, we're gonna actually demonstrate how new efficient methods and more accurate methods have come into play and how we can help organizations be a lot more efficient in how they are managing their vulnerabilities across their estate. So over the next fifty minutes, we'll talk through and share some of those ideas, some of those concepts, what we're doing in the technology. There'll even be a live demo as well if the demo gods are playing on our side, to talk through all those areas. Next slide, Chris. So as regards to the Armis Centrix platform, this is a new module that we've added in. So many of you would have seen this graph in the slide before. Talks about the platform that we have, which is underlying all the asset intelligence, all the asset knowledge that we have across everything that we do, and then we have the blades and modules that either help pull that data or help operationalize that data. So with the VMDR module, you can see there highlighted. That is another blade, another module within the platform approach that we have. And you can see to the right of it, the AppSec one that we talked about last week or last month, should I say. These are now helping organizations understand the findings and understand what actions to take with the data that we're pulling out. So it's all part of the Centrix platform. You'll see that, actually, it comes together to give a full view across all aspects of everything that we do here at Armis. But today, we'll be deep diving into the VMDR module. So, Chris, next slide. So today, I am joined by Chris Hamill. Chris will be driving today's session. He is our subject matter expert in the vulnerability side of our business.
Chris has been with the company for about six months or so now, and will be driving this and is looking forward to hosting this session and answering any of your difficult questions. So if there are questions as we go through, please pop them in the chat, and we'll get to them at the end. And with that, Chris, let me pass across to you to take today's session. Thank you. Thanks. Welcome, everyone. Hopefully, everyone can hear me okay. So today, as Jamie mentioned, we're gonna talk about our vulnerability detection and management engine. And, really, the goal here is to first walk you through some of the challenges that we see in the space, and then how we at the Armis team have tried to sort of take those challenges into consideration, and build our new product, which, hopefully, will try to address a lot of those. Now, there are a few vendors in the space, and I think it's been a sort of well worn space now. Some of the challenges that we've had from customers over the last twelve months that we've been talking to as we sort of build out our product is around, you know, agent overloads. That's a common one that we've heard when we're talking about what are the issues that you might be facing. And what we mean there is, for some tools, you have to actually deploy an agent onto a host so that you can carry out that remote scan. Then there's a couple of challenges that are incorporated with that. One is the operational overhead to actually roll that agent out to all of those devices. So to attain your coverage, you have to deploy the agent to every host. And then there's the additional overhead of actually running that agent on the host itself, and that's the CPU and memory that that agent then will be running on the host or server device, whatever it is. That creates an additional sort of challenge making sure that it doesn't overconsume on the device itself.
Now when you've got your agents deployed, and depending on the size of your customer's estate or your estate, you might then have to think about how often you scan, and perform a scan. And we're seeing pretty wide ranges of times or scan cycles that customers perform, and it can range from, like, a week to four to six weeks. And the challenge here is that, you know, you kick off a scan that's a bit of a snapshot or a point in time scan, and you've got this period while the scan is running, before you can then rescan an existing device. So if you were a device that was scanned at the start of the scan, you've then got to wait for that full scan to complete before you can either validate that a vulnerability that was found on that device has been resolved or, you've got to wait another period of time, that same period of time to validate if it still exists, after the fact. There's challenges with that scan cycle duration, and that's definitely one of the key ones that we're looking to solve with our continuous scanning capability, our continuous assessment. I'll get into more detail about how we do that a little bit later. Now with the agents being deployed and with the concept of active scanning that you have with more traditional vendors operating the space, you do then have to create that additional load on your network. If we take the agent use case, if an agent is deployed on a host and then you initiate a scan on that host using that agent, it will perform the scan and maybe send data back to your central host to report on and to build up a picture of what all the agents are actually reporting. That then creates another level of overload on your networks. So you've now got all of this additional data coming over your network. Especially if you start to run frequent scans, then you could have this constant stream of data coming through. So that's sort of like those sort of challenges you've got with the traditional.
Now depending on the vendor that's in place, you could be having to deal with some false positives. And, again, this is something that's quite subjective. It ranges per tool. But obviously, the challenge with the false positive is that if you receive something, if you're the remediation team that has to actually address a vulnerability, you've got to invest that time to, one, review the vulnerability, and then you've got to determine if it's a true positive or if it's not really something that you should care about. That's time and effort that the remediation or your destination teams have to invest in. And it could sort of erode trust as well in the existing tool. If it's generating lots of false positives, it could generate some trust issues there. Now another one we've heard quite often, as we've talked to customers, is around lack of context. Now what we mean there is that maybe a tool can detect that a device exists, but it might even detect that it contains vulnerabilities. And those vulnerabilities could be criticals. They could be, you know, things that you would normally wanna really take the necessary action to fix them. But if you don't have the right context, then it's hard to prioritize which of those you need to address. If I give you an example, if we had an IP address and we didn't know if that was maybe one of our crown jewel assets or a critical asset versus if it was a device that exists in a lab environment or a non critical environment. You don't want to be investing your limited resources fixing critical issues on non critical devices. If you're going to spend that time and energy and dedicate teams to fix issues, you want to make sure you're prioritising those crown jewel assets. Having context about where that device sits in the business is really important.
Now the other final point that we've heard and really sort of when customers talk to us what they want a solution to try and achieve is that they want some capability to determine what gets scanned. And this really makes sense if you're looking at anyone who's got IT and OT or sensitive assets. There's a need to make sure that any of those production or critical resources don't get disrupted by doing what could sometimes appear to be a light touch scan. Even a simple ping scan on a really old OT device could be enough to cause it to go into a reboot cycle or have a bit of an impact on production. Making sure that anything that you're doing, if you do need to make scans or if you do need to run some active scans, that they're not actually disrupting your environment. Now with Armis, we're hoping we can address, we're confident we can address these key challenges where we can help you detect everything. And I'll go into quite a lot of detail about, you know, how we're gonna be using passive discovery to discover all of the assets in your estate. And then once we've discovered all of those assets, we then use that enriched data, that contextual data to then determine what vulnerabilities we can find on those assets and what we need to actually fix, and what and how you should prioritize the fix of those over other assets. That's what we mean by focusing on what's important. That's that contextual and the prioritization of really making sure that if you're going to invest time and effort to remediate, that you're fixing the right assets and the right issues. Now when we talk to customers about, you know, what drives them to come and evaluate a solution in the space, quite often, there's the regulatory compliance need where they need to actually meet some compliance requirements, and VMDR from Armis will help you meet that, whether it's PCI DSS, NIST, or DORA.
Having that real time and that comprehensive detection and response is critical to fulfill those requirements. Then the most important for me, I spent a lot of my time working in the VIPR space as well. Moving from awareness and understanding where your vulnerabilities are and making that leap in the CTEM framework, moving into that mobilization section of the CTEM framework where you're driving remediation, you're giving your engineering teams not just what they need to fix, but you're really generating those engineering grade work items to ultimately help them understand that this is something that can't really be delayed and you have to implement that fix as soon as possible based on their environment. Now we're gonna get into some detail when we get into the demo. I'll walk you through this in a bit more detail. But at a high level, I want you to at least understand that we've got three sources that we can use to determine and to build out our asset inventory. Now the first one is our passive discovery. So you can leverage. So if you have customers today that are leveraging our Centrix platform for asset management, then we can already leverage all of that asset intelligence that we've got. And we're seeing some great early customers who have leveraged that have seen a really fast time to value because there's nothing to roll out, there's nothing to deploy. You've already built integrations into lots of security tools. We've already got a very rich asset inventory. We just pass the asset inventory over to the VMDR, and then we can start doing the risk assessment. Now for the devices that you are not already aware of, maybe you've got a collector deployed in your network. So an Armis collector, which is a device that can sit on the network and actually detect devices based on the traffic.
We can also leverage, any device that's being detected and reported to the Centrix platform by a collector will then also be passed through to our assessment engine. Now moving from there, we typically are recommending that you focus on doing as much passive discovery as you can. Really try to establish that 75%, 80% coverage without having to do any scanning whatsoever. We're just using that intelligence information that we've got. We pass that straight across to the vulnerability engine. And from there, then you start to look at where your coverage gaps are. What do you need to then do, and pick that more surgical or that precise approach to decide, okay. I've got a gap here. I need to do a specific scan type to then add those assets into my overall coverage. And we're gonna be able to give you guidance on how to go from 75%, 80%, and above. We make suggestions in the platform to help you sort of navigate that progression in your coverage. And when we make scans, the goal with our scanning is to be very precise, very surgical, and really only just to do scanning for enrichment of that inventory. So our overall inventory, the goal is to build it up using passive discovery, and then we use the active scanning for enrichment, and really closing off those gaps. Okay. Now when we build the inventory, which is a big part of what we want to do in the first phase of our VMDR solution, we then pass that against our AVID database. So it's our vulnerability intelligence database, which is an AI powered database, where we're aggregating intelligence from sources like NVD, CISA KEV, and other vendor advisories. And once we build up that database of vulnerabilities, we then enrich that data with descriptions so that it's easy for people to understand the risk of these vulnerabilities.
And we've also been boosting our remediation information that we provide, so that when you find a vulnerability on a particular asset, you then get the necessary remediation advice to take forward into our remediation engine, and implement and make sure that you're actually closing off those security issues. Now this is what it looks like, and we're gonna get into the demo in a second. But, ultimately, you'll hear me talk a lot about data coverage. So we will build up an understanding of your overall inventory. And then based on the inventory, we will then be able to establish which parts of the inventory do we have the necessary asset data to actually make a valid vulnerability assessment. So we'll be at a really high level if we find a device and we weren't able to determine what the OS is of the device, if there was applications from that, that's where we might make a suggestion that you might wanna try and enrich that device with more data so that we could then make an AI driven assessment against it. And, really, from our perspective, you know, we've got our vulnerability AI module. It's continually learning with the goal that we want it to become better at improving our detection and also being able to do that association between a vulnerability and an asset, as well as that remediation aspect. Now, one of the pains I mentioned at the top was a really common one that we hear probably most calls that I've been on with customers. It's around how do we eliminate those vulnerability blind spots. And it's really how we look at the difference between continuous scanning and what we see quite often with other tools in this space where they do a periodic assessment or a dedicated scan cycle of two to four weeks. The idea here with a traditional scanner, maybe you've got it on a schedule where it runs once every two weeks. The scan would kick off, approximately, you know, midnight, and we detect 50 critical vulnerabilities. Right?
So at this point, you're aware of those 50 critical vulns. And then at a point maybe later in the day, one of your admins goes on to one of your devices and installs a new piece of software, which unfortunately turns out to be vulnerable. So now we're vulnerable to this particular, vulnerability laptop which joins the network, which looks like it hasn't been patched. So now we've got two sort of incidents that are occurring in our environment. And our scan is still running at this point. Like, everything's still happening. The scan cycle is due to complete after two weeks. So the idea here is that, you know, during maybe a week after the initial install of that software, it's exposed, and maybe that's where an attacker could potentially exploit that vulnerability. And it's only after two weeks after the original scan, we go back onto our schedule. We detect 55 critical vulns now. We may be detecting that this is vulnerable software, but it highlights that in that interim period, you have this period where you're exposed. Now with Armis VMDR, it's really important to understand that as we build our asset inventory, all of our integrations and the collectors that we use and even the scanning that you can do, the goal is to sort of understand what exists in our inventory today and as we see changes to that inventory. So in the same event, as the admin makes that deployment, we would detect that that new piece of software has been deployed on that host, and then that would automatically trigger a reassessment in VMDR. So we would detect that the OS has changed. We would then retrigger a scan directly. And then if we find vulnerabilities, we will surface those in the VMDR UI. Nothing needs to be, you don't need to instigate a scan. This is something that will continually happen as your ecosystem changes, as your hosts get updated. You will see these automatic reassessments. It's not just going to be for new vulns.
If there was the opposite, if you had a host that previously had a vulnerability reported, as you upgrade that host and remediate that issue, we would also trigger the reassessment to validate that it's no longer occurring. Right? So your results are gonna change as you make changes to your environment in real time. Okay. So let me jump into the UI. So this is the, for those that are familiar with Armis, you would, our new platform, if you've logged in before, so this is our typical sort of Armis Centrix view. We would have this additional picker which shows the VMDR products. If you're new to Armis, then, you know, just think of these as sort of all part of the same platform, but a sort of slightly different UI that you would use. And when you first log in to VMDR, the goal is to give you that initial understanding of what your data coverage actually looks like. So here, what we're saying is we're saying that, of the assets that we're aware of, we have coverage or we have asset data that's sufficiently been enriched to allow us to perform vulnerability assessment. So we have parts of our inventory where we're lacking some information that we would need to then perform that vulnerability scan. And that's what we're trying to highlight. Like, the goal is to try and get you to that 90%, 95% coverage. And we've helped customers get really high into the nineties in terms of the coverage in a really quick, you know, a few upgrades, a few integrations. And, you know, customers have been able to achieve high coverage in a really short space of time, because we really focus on those integrations. We make suggestions to you. If you need help in determining how you're going to get closer to 90%, we can make suggestions. We can give you that return on investment that if you make that change, these are the number of assets that would be updated as a result of each of these changes.
So, if you need some guidance on how to progress from that initial sort of coverage, then we can help you with that. What I would say is for existing Armis customers who've been, you know, who've built out a lot of the integrations in Centrix today, we're seeing that quite a lot of the time when they transition into VMDR, we're seeing around 70 to 80% coverage from day one. It's something that I mentioned on the call earlier today for those who were on the earlier call. It's definitely one of those things that we're really pushing in terms of time to value. With a few changes, you can achieve a high percentage of coverage with the VMDR. Okay. Now I did cover, again, I'll try to make sure it'll be abridged for those that were on the call this morning. I touched on the way that we integrate. This is an important view in terms of what we're doing in terms of collecting and building our asset inventory. There's two paths that you can leverage here. This is what we would regard as our CASM data. Looking at your whole attack surface, what are all of the tools that currently contribute into or that you're using in your ecosystem today? Can you just build an integration into each of those two tools? And then we can pull in all of the asset information that you've already got. So there's nothing to be deployed. You just do an API like integration into these tools, and then we pull all of that data in to help give you that initial data coverage. Again, here it's 51. Quite often, if you're already a customer, it would be in the 70% range. If you're completely new to Armis, and this will be your first time, we have seen net new customers also get to like 75% really quickly because the integrations themselves are not that heavy. It's a wizard that you create a token and you create a back end connection to the existing tool. And then within twenty four hours, we would usually get most of the data coming through.
Now, I just wanted to share what that looks like because I did want to go a little bit deeper into how we build up that inventory. In our existing integrations that you have with Centrix, so VMDR can use these same integrations. We've got a rich library of integrations that you can leverage with lots of different vendors in the space. That's a great first question that you can ask both yourselves and your customers. What are the tools that we've already got deployed that we can integrate with to help us build up that asset inventory. And a lot of these integrations are you follow the wizard, a really low effort type integration, audit a token, and then we pull in all of that information through, as I mentioned before. Once you've got that in place, that provides that sort of passive discovery, that sort of rich level of asset inventory that you would then start to compare against our vulnerability database. Now, the other option is if you had a network, if you had a collector deployed in the network, you can actually deploy additional software on that collector. If it's just doing network, passive network monitoring today using a SPAN port, for example, you can now upgrade that existing collector, which is already in place in the network. You can upgrade it with additional software that allows you to then turn that into an active network scanner. And with that, you can then do a scheduled network scan. You can do a point in time on demand scan. Essentially, again, the objective here is how can we leverage what we've already got in place to really build that overall inventory? Then you could do the active networks to try and close off some of those gaps that you've got in your overall coverage. Now, the final option that you could use for scanners is if you've got EDR agents deployed across your device base. So we have support for CrowdStrike EDR. We've also got support for tuning.
So we essentially think of it as, like, a micro agent that will be deployed on top of the existing EDR agent, and it will go in. It will collect the information it needs to enrich our asset inventory record. Then once we've got the information that we need, it's an ephemeral agent that will then be removed. Essentially, then we have enough information. We've got that enriched asset data that allows us then to perform the asset assessment or the vulnerability assessment. Again, really emphasizing that point that I mentioned before, it's not something that we're doing all the time. When we need to build on and bridge the gap in your coverage, it's either using that scheduled network collector scan or running the micro agent on an EDR agent to try and give us the extra context that we need. So once you've got that overall asset inventory, we then pass that against our vulnerability database. So this is the database itself. It's our AVA database, and it's being curated to really track and make sure that we're staying in tune with all the latest CVEs that are being published. We agree that context if it's been published onto CISA KEV. We can also give examples of where we've determined the early warning status that we have with Armis. But really, the idea is like we're like, this is what the VMDR back end will be using to determine if we've got vulnerable components in our inventory. Then the final part of the overall assessment overview is making sure that we don't just build that inventory, carry out the necessary vulnerability detections, that we don't just stop there. Like, there's the risk that we, okay. We carry out the report and we report on what we find, making sure we make that final step into remediation, following the CTEM framework, making sure we make that progression into the mobilization phase where we prioritize based on context. Like, what are my critical assets? What are the things that are exploitable?
What is the highest priority vulnerabilities I've got on those assets? And then using the VIPR engine to actually go ahead and actually deploy, and making sure that we're issuing tickets to have those issues resolved. Okay. Now let's look at some of the assets. So here, if you look, you'll be able to see, we've determined that there are 15 or a thousand assets that we've discovered. It's probably over thirty days. We'll probably see we've got one and a half thousand assets. And you can see here, these are the total assets discovered, that the total unique assets. We also tell you, like, how the asset base has grown in the past seven days. So you'll be able to get an indication, you know, is your asset base shrinking, or is it growing at a fast pace? And then we also give an indication of how many scans we've carried out in the past seven days. And I think that's a really great indicator. Even though we have this passive approach, we're carrying out lots of assessments of those assets during that period of time. For every asset, we can then give you that context that you would have. What's the IP, what model, what operating system we've determined, and where we've been able to carry out an assessment on the asset, we will also be able to surface what findings. And we can give you an indication of how did we build up knowledge of that asset. Was it through an integration with CrowdStrike? Was it through something that we've determined through a SPAN port or traffic inspection? So you'll always be able to get an understanding of how did we build up our inventory profile of this particular asset. Now, when the findings, so we can compare the findings for a specific asset. You can also look at all of the findings in general. We try to surface, like, the top 10 critical vulnerabilities. You can also pivot here if you wanna look at anything that's got an early warning, for example.
But, ultimately, you might find yourself really honing in and drilling down into a single finding. And we provide a lot of useful information to help you decide, is this something that I need to address right now? So we'll provide information that you're probably used to, like the first seen. When was the first time you've seen this vulnerability? When was the last time you've seen it in a recent scan? What's the confidence level that we've got? Do we have all of the identification attributes? Are they all present for us to make a really good match from a public source? We give you that confidence rating on every finding that we get. We provide that much evidence using the CPE 2 or the CPE 2.3 format, and we recently really elevated the remediation advice that we provide for any findings. We'll give you the actual version that you need to move to. If there's a patch that you can move to, or KB that you can move to, we can suggest that as well. So, if there's multiple remediation paths, we'll actually surface multiple suggestions here as well. And then if you wanted to, you could actually go all the way back to the original asset in Centrix if you want to look at all of the metadata that we capture there. Okay. From there, once you've understood your overall assessment, and you've got some findings, just keep in mind, as part of the VMDR offering, we give you the ability to hook up to these integrations. You get the ability to build these integrations to build up your asset inventory. We also give you access to the remediation engine. So from here, now that you've got findings, you can triage here and you can search through here, but all of these findings are all being pushed through to the VIPR engine as well. So from here, you could then filter findings that you've got, and the source for those are our VMDR scanning engine.
Now, this is where if you had other tools, if you didn't want to complete rip and replace, if you wanted to live in a world where you have multiple tools all scanning across your environment, this is where we would then deduplicate in the findings view where maybe a finding has been found by multiple tools. Here, we would be able to surface that. It's not like you have to rip and replace. This is definitely something that you can use to maybe fill a gap in your network where you don't wanna do active scanning. Maybe for that part of your ecosystem, you wanna focus on just doing passive discovery and passive scanning. And that can be a great approach to tackle, and that's definitely something that we're seeing customers contemplate and really start to embrace that approach where we've got multiple scanners depending on the need of the business. Now from here, this is where you take your findings. You can assign ownership. The VIPR engine can infer ownership based on tagging and metadata information as well. And ultimately, you want to get in a situation where you can either create a ticket directly into ServiceNow or into Zendesk or whichever ticketing engine your remediation teams need to work on. You can start the process of assigning that ownership, putting the ticket in place, and you can also track all of this using campaigns. You can assign all of these issues to your remediation campaign, for example. If you had a celebrity CVE or an urgent critical fix that you wanted to sort of create a small project around, campaigns are a great way to actually put all of those specific findings in one place and then track the progress of that in your stand ups and in your weekly meetings that you have with each of those remediation teams. There's lots of power of the remediation engine that you get as part of your VMDR license. Okay. Now we talked about active scanning.
One thing that I wanted to spend a bit more time here is around the different types of scans. Like I said, our goal, our recommendation is build as much of that coverage as you can with the passive scanning. Where required, you can create scanners as well. So, two types of scans. One would be an existing collector in your network, and that could be a physical collector that you would deploy and hook it up to your actual network, and run it as a SPAN port, for example, or you could run what's called a virtual collector, and that's definitely a good approach if your goal is to try and get up and running quickly and really decrease your deployment time. Virtual collectors would allow you to try and get some scanners into the network in a much faster fashion. Now, the other option is leveraging our EDR agent scanner. Like I said, it's a sort of micro agent that gets deployed where you've already got EDR agents running on each device. We can then use that existing EDR agent to pull the necessary information that we need. So you first build that scanner. You create a scanner with the ability to connect to CrowdStrike or Tanium. And then once you've got your scanner in place, you can then create scan policies. This is where you actually start defining what scans you want to carry out. There's lots of different approaches that you can take here. You can create a network policy that will scan to help me build my asset inventory. Like, let's I think I've got some asset inventory gaps. Let's use one of our collectors to look on the network and see if we can build up more information so that we can have a much richer data coverage. You can also use it to detect. So you can have it using our EDR agent, for example; you could define a specific site or a part of your existing site, or a specific set of IP addresses, for example. 
You could have it target a specific part of the network, and that's that surgical, precise approach where you wanna do a targeted active scan on a specific part of the network to try and help you, again, build the asset coverage. And from here, there's lots of options that you can explore. But, essentially, the goal would be you would give us, like, a set of credentials, and you can actually store credentials on the platform as well. We have support for secrets management tools that on the devices. Now the other approach could be that you want to then maybe use a collector, and you've got lots of different scans. So if you've got a mix of devices, you've got some Windows, you've got some Linux, you can choose multiple of these that you want to be carried out, and we will then adjust the scan protocol based on the type of device that we're going to be making that authenticated scan to. So there's lots of different approaches. If you have some network devices like Cisco devices, for example, you can also scan and use the correct protocol to, you know, reach out to those devices, again, with the goal to, one, enrich the data that we hold on the asset in our inventory so that we can then perform a valid assessment. Now, the final one you see here is exploit verification. Now for any CTEM enthusiasts out there, this really embraces the validation phase in CTEM, where it's one thing to say, right, I've got a critical asset. It has a critical vuln that we need to fix. We know it's exploitable, and we know that it's exposed to the Internet. Those are four things that typically you'd want to try and include in any remediation ticket that you send to an end user. With the validation phase in CTEM, the goal is if we can include validation of that exploit also, then it boosts that engineering grade work item. 
It really gives them everything that they need to understand that this is something that needs to be addressed immediately and that they shouldn't really delay the remediation. Now, we started with this where you can use a zero-day vulnerability. So at the minute, we have support for React2Shell, but the goal is to add more celebrity CVEs to the exploit verification so that you can start to build up that validation. We'll also be able to capture this information. As we validate a vulnerability within VMDR, we will then be able to pass that through to VIPR as a metadata item. So you'll be able to see in VIPR that that's a validated vulnerability. So then you'll be able to prioritize those issues that have been validated as well. So, it's a really nice addition that we're adding and I'm excited to see how that matures over the coming months as well. Alright. Now I've covered most of what you can do with VMDR. Given that we've got a more technical audience in this session, one thing that I really want to sort of be clear or at least highlight, we can do a one for one match to what you find in your integration. You could say, right, if I discover a thousand devices, I want a thousand devices to be sent through to the vulnerability engine. Now you might be wanting to start small, right, or you might be using that use case that I mentioned before where, actually, we've already got a tool in place and it's covering that part of the ecosystem. I don't really want to have that part of our ecosystem also being scanned by Armis. So you've got the ability to actually define the scope of what we would then use as part of our inventory. So you can actually configure specific sites, specific boundaries that you would actually leverage as part of that integration. 
If you want to make sure that a specific network in your environment never gets scanned by Armis or if you want it to only limit it to a particular site or location, you've got that flexibility when you do the asset scoping or the ingestion scoping. So you've got lots of control over where we do the passive discovery and the active scans as well. Okay. Hopefully, that was useful. Let me just jump back into the slides, and I'll just finish up with a few key points. So in terms of value and benefits, really emphasizing that smarter detection, leveraging the passive discovery, trying to build up as rich an asset inventory as we can without ever having to make a scan. And then where we have some gaps, we've got the capability to be more surgical and create those precise active scans to then complement and bridge those gaps in our coverage. You know, we're putting a lot of work and effort into our AVA database to make sure that if we do ever surface a vulnerability, it's as accurate as possible. We've got really good false positive rates that we're hearing from customers that have done evaluations. Then also, leveraging both VMDR and the remediation engine, fast time to detection. I touched on it in the little timeline view that as soon as someone makes a change to a device, if they upgrade a device to a version which is known to be vulnerable, every change on that device in the inventory will automatically trigger a reassessment. You'll get instant real-time updates on where that vulnerability is being detected. Our mean time detection is really fast. Then with VIPR and the remediation engine, you can really shrink your MTTR to make sure that you're closing off vulnerabilities as soon as possible. Lots of efficiency gains, all that overhead, all of the things that you maybe have to issue how to do with deploying agents across your whole estate, there's a lot less overhead in terms of getting started, as I mentioned. 
Lots of time saved. All of that time can be repurposed, either focusing on how to prioritize and how to issue tickets and tracking those campaigns, like I mentioned in VIPR. Spend less time with the deployment and the reporting of issues, more time focusing on maybe validation steps or actually driving remediation. Now, we touched on the differences earlier around if you're an existing customer. And I've hopefully given you a flavor. If one of your customers already uses Armis today, then they can definitely see a really short time to value by turning on VMDR. I've seen some customers within twenty four hours having 75%, 80% coverage in the asset inventory. So the time to value, if you're an existing customer, is really quick. That shouldn't put you off if it's a net new customer. If it's someone that doesn't use Armis today, they can also get to a high percentage of coverage really quickly because the integrations that we give you access to are really lightweight. It's mostly an API integration. I've seen customers who are net new, they've achieved fifteen, sixteen integrations in the first day and then the data is available on the second day. It's not like you have to then think about having months of delays. You can also achieve a very high deployment rate if you're net new. Now, for the technical folks, we have built out really detailed. Like I said, we've been building this product for around twelve months. We've got really detailed admin deployment guides and best practices. We've got great sort of workflows on how to leverage between VMDR and VIPR. So for those of you that have to help customers, you know, go through that deployment guide, there's lots of great information that you'll be able to take, and do a lot of that without support from Armis. Obviously, the Armis team are here to support when and required, but there's a lot of great documentation to help you get going. 
A common question that I get is, can we pull information from the VMDR into our existing reporting structures like SIEMs and SOCs? It's a really good question, especially for zero days. That's a common one where, actually, we need to know all into via API. Now a really nice part, especially if you're using Centrix today, if we pull in the Centrix information from AMS into VMDR and then we start the process of enriching that and doing scans to build up that inventory. It's a two-way integration. So the information that we gain in VMDR doesn't just go into VIPR. It also goes back into AMS. So any asset that previously in AMS was showing with little information, if you start to learn more around an EDR integration, for example, we pass that new information back to AMS as well. So there's lots of really, like, when we talk about our overall UVM approach, it really is this platform approach that each part of the platform is being enriched overall by adding VMDR into the ecosystem. And then the final point, we added support for Tanium, and we've got a nice list of other EDR vendors that we're working through to add those in. So, if you have another EDR vendor that you're keen on maybe exploring, just reach out to the team and we can make sure we can share the roadmap or get that onto the roadmap. Okay. A lot of information. Jamie, I guess we can check if there are any questions. Indeed, Chris. Thank you for that. Your Internet was a little bit lumpy at times, but I don't think anything important was lost there. But thank you folks for hanging in there whilst we lost Chris for the couple of seconds at a time there. But, hopefully, didn't take away from the session. There are a couple of questions in there. They were quite early on, and we may have covered them off actually. But with still actually around VIPR Pro and VMDR, you know, how are they extending the capability? 
If someone is already a VIPR Pro customer, what are they getting actually from VMDR in particular? Are we making it redundant? Do we still need both tools? I think you probably covered a lot of that in the demo, but a quick summary just in case that wasn't covered would be great just to close off with if we can. Yeah. Yeah. So definitely not making VIPR Pro redundant first. Definitely, there's a place for both. Yep. So VIPR Pro will allow you to integrate with the other tools in your armory directly. And VMDR will become an additional source of findings and assets into VIPR Pro. VIPR Pro has the ability to then connect to CMDB and pull in CMDB information or remediation on information, and that will always be where that work is carried out. VMDR, a common one we've heard is that some of the remediation advice that gets pulled in ultimately to VIPR and gets deduped into VIPR can sometimes be a bit lacking. That remediation improvement that I mentioned before, that's the one that we're getting a lot of really positive feedback on because we put a lot of work into really improving the guidance that, when we find a vulnerability, we tell you what version that you gotta go to, what the next patch is to solve that problem, and that will then feed into VIPR as well. So, hopefully, the remediation advice that you then get surfaced in VIPR and ultimately gets passed through in a ticket will be much richer by adding VMDR into the ecosystem. Awesome. Thank you. Thank you, Chris. If anybody actually is interested in getting their hands on a little bit in, we do have demos, and demo of the platforms available in the partner portal for Centrix AMS, for VMDR, and for VIPR Pro. So if you don't have that, please speak to your partner manager to work out how we get it, and we can get that in. With that, if there are no further questions, we're up at time. 
So if there are any other questions, please speak to your local teams, and they can cover that or reach out to me. More than happy to do that. But, with that, thank you for presenting the session, Chris. Thank you for driving through and demonstrating that to our partners. Thank you, partners, for attending, and look out for next month's session. It'll be in early to mid May, and invites will be out shortly. But thank you for attending, and I wish you well. Thank you very much. Bye bye.