Dimension scores are derived from public data and fields and weighted into the composite score. For reference only.
ExposureMark is an external attack surface assessment provider based in the New York Metro area. Its core proposition is to “view your company from an attacker’s perspective.” It does not require internal access, agents, or installed tools—only domains and IP ranges. Within the agreed scope, it identifies externally reachable assets, performs manual validation, and models attack paths. It also states that most reports are delivered within 72 hours and include a 30-day automated recheck.
Its focus is not on exporting raw scanner output, but on having qualified professionals with credentials such as OSCP, CRTO, and CISSP manually validate findings. They confirm whether assets are externally reachable, whether issues are reproducible, and prioritize them by real-world exploitability. Reports are designed for both executives and engineering teams: a one-page summary appears at the top, followed by attack paths, data access paths, remediation priorities, and a corrective action plan. Multi-Domain and Extended Environment plans also cover cloud exposure, credential and data intelligence, insurance underwriting summaries, broker material packs, and control mappings for SOC 2, ISO 27001, PCI DSS, HIPAA, and more.
Pricing is transparent: Single Domain costs $1,500 and covers one domain with up to 50 assets; Multi-Domain costs $2,500 and covers multiple domains with up to 200 assets; Extended Environment starts at $4,000 and is intended for multi-cloud, M&A, supply chain, or regulated environments. It is especially suitable for cyber insurance renewals, pre-audit preparation, M&A due diligence, cloud migration, or establishing an external asset baseline after business expansion.
The advantages are clear engagement boundaries, low startup cost, no need to modify the environment, and manual validation that helps reduce false positives while making reports easier to understand. The 30-day recheck also helps create an evidence trail for remediation. The limitations are that it mainly assesses externally visible risks and cannot replace internal penetration testing, red teaming, or continuous vulnerability management. The website does not disclose API, SIEM, ticketing integrations, real-time alerting, SLA details, or payment methods, and pricing for continuous monitoring requires consultation.
Access from mainland China is not clearly documented, and payment options and local service support are also not disclosed. Before making a cross-border purchase, buyers should confirm network accessibility, payment methods, contracting entity, and data export requirements. If domestic delivery or MLPS-related services are required, alternatives to compare include 奇安信, 绿盟科技, and 安恒信息. If the priority is a global ASM platform, Cortex Xpanse, Tenable ASM, Rapid7, or SecurityScorecard may be worth considering.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site, exposuremark.com.
exposuremark.com is a United States pentest provider. TG4G tracks its product information, an overall rating of 7.0/10, and a China-accessibility score of Workable.