Best UpGuard Breach Risk Alternative: Attaxion EASM

UpGuard is a well-known and established third-party risk management (TPRM) vendor, famous for its vendor security ratings, which are openly accessible and dynamically updated. But it also offers UpGuard Breach Risk, which is positioned as an attack surface management solution with daily asset scanning, risk prioritization, and remediation workflows.

Attaxion is an external attack surface management (EASM) platform that seemingly offers the same functionality, but with an emphasis on asset discovery and getting a more comprehensive picture of an organization’s external attack surface. In this article, we compare the two platforms as external attack surface management tools and identify if Attaxion is a good UpGuard Breach Risk alternative.

It’s worth noting that UpGuard’s “attack surface management” and Attaxion’s “external attack surface management” are essentially the same thing because UpGuard also doesn’t scan assets that are not exposed to the internet.


Pricing

UpGuard vs Attaxion: Pricing

                               Attaxion            UpGuard
Free plan                      no                  ✅ (only Vendor Risk for 5 vendors; Breach Risk does not have a free plan)
Free trial                     ✅ (30 days)        ✅ (14 days)
Pricing monthly                From $129/month     not listed
Pricing yearly                 From $1,290/year    From $3,000/year* (only Breach Risk)
# of assets on cheapest plan   40                  unlimited

UpGuard Pricing

To understand UpGuard’s pricing, let’s start with the fact that UpGuard basically offers three products under one brand: 

  • UpGuard Vendor Risk is a TPRM platform.
  • UpGuard Breach Risk (previously known as BreachSight) is an attack surface management solution.
  • UpGuard Trust Exchange is a way to publicly share your security-related information with companies that want to work with you.

UpGuard has a free tier that includes Vendor Risk monitoring for up to 5 vendors but doesn’t include Breach Risk. So, within the scope of this article, looking at EASM capabilities, UpGuard’s cheapest option on the pricing page is Breach Risk “starting at $250/month” when paid annually, which translates into USD $3,000 per year.

However, we couldn’t find this option after having started a free trial. The best price that was offered to us was Breach Risk at USD $6,000 per year. We had only one user and a few assets added, so we don’t know the justification behind the increased price. 

If you want to use both Breach Risk and Vendor Risk, you can add vendors for $79/month each or go for the Starter plan at USD $19,188 per year, which includes Breach Risk, Vendor Risk for up to 50 vendors, and monitoring for typosquatting and identity breaches. The Starter plan or higher is required to access the API and integrations.

UpGuard also offers a 14-day trial that allows you to get a taste of all their products, which is enough to try Breach Risk and Vendor Risk, but to see any benefits of Trust Exchange, you’ll likely need much more time.

Attaxion Pricing

Attaxion focuses on EASM and is priced per asset. It doesn’t have a free tier, but when it comes to offering EASM, it’s much more accessible than UpGuard, with its cheapest tier starting at USD $129 per month or $1,290 per year for up to 40 assets. 

IP addresses, domains, subdomains, SSL certificates, and cloud instances – everything that Attaxion can discover, except open ports – all contribute toward the billable asset count. The Starter plan with 40 assets would likely be enough for a small business with one website and a few subdomains. But even Attaxion’s highest tier listed on the public pricing page at $9,490/year for 360 assets is cheaper than UpGuard’s Starter tier. 

How They Compare

Both UpGuard and Attaxion have a transparent pricing model, but Attaxion is much more affordable than UpGuard Breach Risk.

Let’s explore what you get for these prices.


Asset Discovery

The external attack surface management process starts with attack surface discovery. Usually, EASM platforms approach this by requiring you to manually add some root assets such as domains or IP addresses. Then, they use cyber reconnaissance techniques to automatically discover related assets that also belong to the same organization.

In this regard, the process that Attaxion and UpGuard follow is roughly the same, but the results are very different.

Asset Discovery with UpGuard

Adding a root asset to UpGuard is as easy as it gets: just type a domain name, an IP address, or an IP range – and voila, it’s added to your attack surface monitoring. For each domain or IP, you can provide some context by adding labels.

Adding an IP address to Upguard Breach Risk

For each added domain, UpGuard automatically adds related IP addresses. UpGuard states that Breach Risk also discovers subdomains, but in our experience no subdomains were added automatically, so we had to add them manually. That is strange, because when we added the same domain as a vendor in the other part of UpGuard’s platform, UpGuard Vendor Risk, it did discover some subdomains. But Vendor Risk is not meant for your own assets.

Interestingly, UpGuard doesn’t require asset verification: you can pretend to have, for example, both microsoft.com and google.com as parts of your organization or add the 8.8.8.8 IPv4 address – and UpGuard will add them to your attack surface monitoring and scan them for you, no questions asked. That is an unusual approach, but it’s probably somewhat justified by the fact that UpGuard uses only non-intrusive scanning, so they are not afraid of triggering any defenses.

Asset Discovery with Attaxion

Attaxion also requires you to add root assets, be it domains, IP addresses, IP ranges, or cloud provider instances, but, unlike UpGuard, it requires you to verify asset ownership, notably by adding a TXT record to the domain’s DNS. However, the domain associated with your registration email is added automatically, without additional verification.

After that, Attaxion proceeds with using various cyber reconnaissance techniques to discover related assets – not just subdomains and IP addresses, but also associated domains, open ports, CIDRs, and more. 

To provide a better understanding of asset relationships and potential attack paths, Attaxion generates discovery and dependency graphs for individual assets and the entire attack surface.

Attaxion provides asset discovery graphs for each asset, highlighting the potential attack path that leads to it

How They Compare

Asset discovery is Attaxion’s stronger side, and it’s clearly visible. For example, during our test, for a domain where UpGuard didn’t find any subdomains with Breach Risk and discovered 11 with Vendor Risk (even though Vendor Risk is not meant for your own assets), Attaxion found 15. 

Lists of subdomains discovered by UpGuard and Attaxion for the same root domain, side by side. Unfortunately, we had to blur everything because it’s private infrastructure.

UpGuard Breach Risk seems to rely on manually adding assets to the list rather than on asset discovery, which implies that you already know everything about your attack surface and are certain there is no shadow IT or forgotten assets in it. Essentially, UpGuard Breach Risk skips most of EASM’s first stage.

Overall, when it comes to creating a thorough asset inventory, Attaxion is many steps ahead compared to UpGuard. 


Vulnerability Detection and Prioritization

After having found and cataloged all the assets, the next step of the EASM process is to assess them for potential vulnerabilities and prioritize the findings.

Vulnerability detection and prioritization with UpGuard

For each asset, UpGuard analyzes the associated products (technologies and SaaS services) and their versions, pointing out if something seems to be vulnerable. It also looks at security headers, IP and domain reputation, SSL implementation, network layer security, and email implementation to discover related security issues.

As we’ve already mentioned, UpGuard relies on a non-intrusive vulnerability scanner. That approach has both benefits and drawbacks. The benefits include the ability to run the scanner on any website without causing any disturbance – that is likely why UpGuard allows anybody to add websites or IP addresses without any verification. The drawback is that vulnerability scanning is superficial when compared to dynamic application security testing: UpGuard’s scanning doesn’t send payloads, so it can’t find some vulnerabilities and can’t verify the exploitability of others.

As a result, UpGuard provides a short list of vulnerabilities where they are listed as either “verified” or “unverified”. “Verified” means that UpGuard looked at the configuration of the website and, based on its passive assessment, determined that the vulnerability is exploitable. “Unverified” means that UpGuard wasn’t able to confirm if a vulnerability is exploitable or not.

For each CVE vulnerability, UpGuard also offers its CVSS score, EPSS score (exploitability), and CISA KEV status – whether it’s known to be exploited in the wild or not.

UpGuard Breach Risk lists vulnerabilities that it has found, providing details for prioritization. A vulnerability from the CISA KEV catalog is marked as “Known”

Issues that UpGuard identified and that don’t have a CVE are not considered vulnerabilities and can be found under the Risk Profile section. They are classified by severity and category (encryption, email, website, or something else).

UpGuard Risk Profile lists all issues that are not CVE vulnerabilities

Vulnerability detection and prioritization with Attaxion

Attaxion takes a similar approach, but it uses a dynamic application security testing (DAST) tool as its scanner instead. It is more intrusive than UpGuard’s scanner (it won’t cause any downtime, but it can probably be noticed by intrusion detection systems (IDS)). At the same time, it can detect more vulnerabilities and verify that they actually exist, which helps reduce the noise.

You can also choose between passive and active scanning. Attaxion’s passive scans are less intrusive and don’t include any real vulnerability scanning (only different asset discovery techniques). Active scans provide dynamic application security testing as well as deeper asset reconnaissance, offering more complete results, but they take more time and are more noticeable to IDSs.

Attaxion lists all issues that can be filtered by asset group, type, severity, and more

Like UpGuard, Attaxion also provides CVSS, CISA KEV, and EPSS data for each CVE vulnerability to help with prioritization. It doesn’t distinguish between CVEs and CWEs, adding them to the same list of issues, even though non-CVE issues don’t get EPSS or CISA KEV data.
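Both platforms hand you CVSS, EPSS and CISA KEV data per CVE and leave the actual ranking to you, and, as noted above, non-CVE issues carry no EPSS or KEV values at all. The following added example (not code from either vendor) shows one defensible way to turn such an export into a work queue: KEV entries first, then CVEs that EPSS or CVSS flag as likely to be exploited, and a fall-back to the scanner’s own severity for findings that have no CVE. The CSV layout, the threshold values and the CVE identifiers are all constructed for the example and do not reproduce either product’s real export format.

```python
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed sample export. The column layout is assumed for this example and
# does not reproduce UpGuard's or Attaxion's actual export format; the CVE ids
# are placeholders, not real identifiers.
SAMPLE_CSV = """\
asset,issue,cve,cvss,epss,kev,severity
app.example.test,Outdated web framework,CVE-0000-0001,7.5,0.12,no,high
vpn.example.test,Exploitable VPN appliance,CVE-0000-0002,9.8,0.93,yes,critical
mail.example.test,Missing HSTS header,,,,,medium
old.example.test,Unpatched CMS plugin,CVE-0000-0003,8.8,0.02,no,high
dev.example.test,Self-signed certificate,,,,,low
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Assumed thresholds for the example; tune them to your own risk appetite.
EPSS_HOT = 0.10      # EPSS probability above which a CVE is treated as likely to be exploited
CVSS_CRITICAL = 9.0
CVSS_HIGH = 7.0


@dataclass
class Issue:
    asset: str
    title: str
    cve: Optional[str]
    cvss: Optional[float]
    epss: Optional[float]
    kev: bool
    severity: str


def parse_issues(text: str) -> list[Issue]:
    """Parse a CSV export; empty CVE/CVSS/EPSS cells become None, empty KEV becomes False."""
    issues = []
    for row in csv.DictReader(io.StringIO(text)):
        issues.append(Issue(
            asset=row["asset"].strip(),
            title=row["issue"].strip(),
            cve=row["cve"].strip() or None,
            cvss=float(row["cvss"]) if row["cvss"].strip() else None,
            epss=float(row["epss"]) if row["epss"].strip() else None,
            kev=row["kev"].strip().lower() == "yes",
            severity=row["severity"].strip().lower(),
        ))
    return issues


def tier(issue: Issue) -> int:
    """0 = act now (CISA KEV), 1 = likely exploited or critical, 2 = high, 3 = the rest."""
    if issue.kev:
        return 0
    cvss = issue.cvss or 0.0
    epss = issue.epss or 0.0
    if epss >= EPSS_HOT or cvss >= CVSS_CRITICAL:
        return 1
    # Non-CVE findings have no EPSS/KEV data, so fall back to the scanner's severity.
    if cvss >= CVSS_HIGH or SEVERITY_RANK.get(issue.severity, 0) >= SEVERITY_RANK["high"]:
        return 2
    return 3


def prioritize(issues: list[Issue]) -> list[Issue]:
    """Sort by tier, then by EPSS, CVSS and severity within the tier (highest first)."""
    return sorted(
        issues,
        key=lambda i: (tier(i), -(i.epss or 0.0), -(i.cvss or 0.0),
                       -SEVERITY_RANK.get(i.severity, 0)),
    )


if __name__ == "__main__":
    for issue in prioritize(parse_issues(SAMPLE_CSV)):
        print(tier(issue), issue.asset, issue.cve or "no CVE", issue.title)
```

With the constructed input, the KEV-listed VPN appliance comes out first, the moderately scored framework CVE with a high EPSS outranks the higher-CVSS but rarely exploited CMS plugin, and the two header/certificate findings without a CVE are ordered purely by the scanner’s severity, which is the only signal they have.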

How They Compare

When it comes to the results of the vulnerability assessment, Attaxion is once again ahead of UpGuard. Active scanning takes more time, but it provides more reliable results: Attaxion finds more issues and at the same time produces fewer false positives than UpGuard.

They have equal prioritization capabilities, but Attaxion is better at detecting issues.


Vulnerability Remediation

After you’ve got a full picture of your external attack surface, the next step is to remediate issues according to the priorities that you’ve determined in the previous step.

Vulnerability Remediation with UpGuard

For each issue, UpGuard allows you to request remediation or waive the risk. If you choose to remediate a cybersecurity risk, it creates a remediation workflow, sending an email with details on the issue to the user you’ve assigned the task to. Everything is highly customizable, so you are fully in control of what this email looks like.

Creating a remediation request with UpGuard

There’s also a list of all remediation requests where you can track what’s going on with them. For each remediation request, UpGuard shows how resolving it will impact your overall security score.

If you choose to waive a cyber risk, you can write an explanation about why you’re doing that. Waiving potential risks also impacts your security score, but only internally, while the score that others would see if they select your company as a vendor using UpGuard Vendor Risk remains the same.

UpGuard has an integration with Atlassian Jira if you want to automatically create support tickets there. There’s also a prebuilt integration with Asana that relies on Zapier to connect the two services.

Vulnerability Remediation with Attaxion

Attaxion also allows you to create remediation requests with all the necessary vulnerability information in them, but it relies on Jira rather than on email for delivering them. 

Every issue has a “Create Jira ticket” button that allows you to generate a support ticket with relevant vulnerability details.

Creating a Jira ticket with Attaxion

Attaxion also has different statuses that you can assign to an issue: open, fixed, false positive, or accepted risk.

How They Compare

UpGuard has more flexibility in creating remediation requests, offering more customization and allowing the use of email or one of the supported task management platforms.

Attaxion is more focused on speeding up the process – creating a ticket only takes two clicks, but there’s not much customization involved.

It’s worth noting that UpGuard Vendor Risk basically offers the same functionality as Breach Risk, but for third-party cyber risks. It also scans third-party vendors’ assets for vulnerabilities and other issues, giving them security scores and allowing you to perform vendor risk assessments and create remediation requests for vendor representatives to handle. It also allows you to send security questionnaires to assess vendor compliance. Attaxion doesn’t have any such capabilities because they are not related to EASM.


Continuous Monitoring

Finally, EASM solutions are supposed to continuously monitor your external attack surface for new assets and new issues.

Continuous Monitoring with UpGuard

According to the documentation, UpGuard scans your websites at least once per day. In addition to that, you can always trigger a scan manually for a certain asset. With the same regularity, it reports typosquatting permutations for you to review – roughly once per day, if there actually is something to report.

You can also set up notifications for a bunch of different events – from new vulnerabilities being detected or the overall security score dropping below a certain threshold to just getting an email when news about relevant vendors is published. You can get these notifications in your email inbox or in Slack, using the native integration. Relying on Zapier and webhooks, UpGuard can also send these notifications to Microsoft Teams.

UpGuard offers notifications for a lot of different scenarios.

UpGuard also offers very flexible reporting: there are about 5 types of reports, which you can tweak to your liking and whose delivery to your inbox (or your stakeholders’ inboxes) you can automate. The reports are available in PDF or PPTX.

You can also export the lists of issues under the Vulnerabilities or Risk Profile sections, but for some reason UpGuard only allows you to export them in PDF and XLSX. There’s no CSV option, which makes it not so automation-friendly. We’ve seen multiple reviews on G2 where users complain about the lack of this option.

Continuous Monitoring with Attaxion

Attaxion scans your attack surface continuously, which includes not only vulnerability testing, but also running cyber reconnaissance to discover new assets (which, in turn, would be scanned for issues upon detection). Since it uses a bunch of different scanners, it runs them independently, but the overall resulting frequency is roughly the same – most scanners run once per day.

When it comes to notifications, you’ll get notified about new assets and new issues. For the latter, you can specify the minimum severity. As for the delivery channel, you get to choose between email and Slack.

Attaxion also allows you to create reports in PDF for individual assets or export lists of assets or issues in CSV format, which is easy to feed to other security automation tools.

Attaxion can create reports for individual assets

How They Compare

Both Attaxion and UpGuard continuously monitor your external attack surface, but Attaxion includes both asset discovery and vulnerability scanning, while UpGuard focuses on issues found in known assets, limiting its EASM capabilities.

Where UpGuard stands out is that it also reports on potential typosquatting, even though it adds some noise to the notifications dashboard. UpGuard also offers a broader range of integrations to deliver notifications.


Conclusion

UpGuard is a vendor risk management platform used by hundreds of organizations that want to manage third-party risks. Its Vendor Risk tool is well known and very convenient for this purpose, offering a comprehensive suite of TPRM capabilities. UpGuard also offers Breach Risk – a tool that works similarly to Vendor Risk, but looks at first-party external assets. That essentially makes UpGuard an attack surface management vendor as well.

But UpGuard Breach Risk has limited capabilities when compared to full-fledged EASM solutions. Its two main drawbacks are lacking asset discovery capabilities and only passive vulnerability scanning, which makes UpGuard Breach Risk’s assessments superficial and incomplete. Unlike Attaxion or other EASM solutions with proper asset discovery and active vulnerability scanning, it doesn’t give you the full picture of your external attack surface.

Attaxion and UpGuard are not direct competitors, as UpGuard is a cyber risk rating platform and a third-party risk management tool in the first place, and Attaxion is a dedicated EASM platform. To have a strong security posture, organizations may even want to use both. For TPRM purposes, UpGuard’s platform is a great choice, offering a nice user experience and a good perspective into third-party vendor security. But for first-party external attack surface management, security teams should use a platform specifically designed for this purpose, like Attaxion, that can discover unknown and forgotten assets and scan them for vulnerabilities in a more thorough manner.

Ready to try Attaxion EASM? Start a 30-day free trial, or request a personal demo.