NIST Cybersecurity Framework
What it is — The NIST Cybersecurity Framework (CSF) is a set of guidelines published by the National Institute of Standards and Technology to help organizations manage cybersecurity risk. The current version, CSF 2.0 (released February 2024), organizes cybersecurity activities into six core Functions: Govern, Identify, Protect, Detect, Respond, and Recover. While originally developed for U.S. critical infrastructure, NIST CSF is widely adopted globally.
Appsec relevance — Several CSF Categories and Subcategories address vulnerability management, asset management, and continuous monitoring — areas where DAST and ASM provide direct value. The Identify and Detect functions have the strongest alignment with Detectify’s capabilities.
How Detectify Supports NIST CSF 2.0
| Function / Category | What it covers | Detectify Capability | Coverage |
|---|---|---|---|
| ID.AM — Asset Management | Maintain inventories of hardware, software, services, and data managed by the organization | Surface Monitoring discovers and inventories internet-facing assets (domains, subdomains, IPs, ports, technologies, certificates) | Partial |
| ID.RA — Risk Assessment | Identify and assess cybersecurity risks to the organization, its assets, and individuals | CVSS-based severity scoring, vulnerability categorization, OWASP Top 10 reporting support risk identification and analysis | Partial |
| PR.DS — Data Security | Protect the confidentiality, integrity, and availability of data at rest and in transit | Detects information exposure (CWE-200), cleartext transmission (CWE-319), and cleartext storage (CWE-312) | Partial |
| PR.PS — Platform Security | Manage and secure the hardware, software, and services of physical and virtual platforms | Security misconfiguration detection (CWE-16), default credential detection, technology fingerprinting | Partial |
| PR.AA — Identity Management, Authentication, and Access Control | Create, manage, and verify identities and credentials; manage access to assets based on authorization | Authentication bypass (CWE-287, CWE-306), access control (CWE-284, CWE-285), and path traversal (CWE-22, CWE-23) vulnerability detection | Partial |
| DE.CM — Continuous Monitoring | Monitor assets continuously to find anomalies, indicators of compromise, and other potentially adverse events | 24/7 Surface Monitoring with change detection, scheduled scanning, integrations for alerting (Slack, PagerDuty, Teams) | Full |
| DE.AE — Adverse Event Analysis | Analyze anomalies and potential adverse events to characterize the events and detect cybersecurity incidents | Vulnerability findings with HTTP request/response evidence, severity classification, and contextual information | Partial |
What Detectify Covers
Detectify aligns most strongly with the Identify and Detect functions of NIST CSF. Surface Monitoring supports asset management (ID.AM) and continuous monitoring (DE.CM). Vulnerability scanning with CVSS scoring supports risk assessment (ID.RA). Detection of authentication, access control, and data protection vulnerabilities supports the Protect function’s subcategories.
NIST CSF is a comprehensive risk management framework — the Govern, Respond, and Recover functions require organizational processes, governance structures, and incident management capabilities outside DAST scope.
Complementary Tools You May Need
- GRC platform — For GV (Govern) function implementation
- SIEM — For comprehensive DE.AE adverse event analysis
- Incident response platform — For RS (Respond) function
- Backup and DR — For RC (Recover) function
- IAM — For comprehensive PR.AA identity and access management
- Endpoint and network security — For PR.PS platform security beyond web applications
- SAST / SCA — For additional vulnerability identification in the Identify function