FortWatch

How to Choose an EASM Tool: A Buyer's Framework Without the Vendor Spin

FortWatch Team

The Demo Trap

Every External Attack Surface Management (EASM) vendor's homepage promises the same thing: 'see your attack surface like an attacker does.' Every demo shows the same screenshot — a map of your domain footprint with red dots over critical issues. Every pricing page says 'contact sales.' After three demos, every product looks identical. After six, you'd be hard-pressed to remember which vendor said what.

This is by design. The category is competitive, the differentiators are subtle, and most differentiation lives in the parts of the product you only see after you've signed a contract — the noise level of the findings, how the dashboard ages over a year of use, how responsive support is when something is broken. We've watched companies pick EASM platforms based on the demo polish and regret it six months in. This guide is the framework we wish we'd had.

It's vendor-neutral on purpose. We make an EASM product, but we're not going to spend 1,500 words explaining why ours wins. Instead, here's how to evaluate the category honestly, what questions cut through marketing, and what to test before signing.

Step 1: Be Honest About What You're Solving

EASM is a broad category covering several distinct problems. Vendors that excel at one often struggle at another. Before evaluating tools, name the problem you're actually trying to solve:

  • Asset discovery. You don't know what your attack surface contains. You need a tool that builds an inventory from scratch — domains, subdomains, IPs, cloud assets, third-party SaaS instances. Discovery-first tools (Censys, IONIX, Cortex Xpanse) shine here.
  • Vulnerability monitoring on a known surface. You know your assets. You need continuous monitoring for new misconfigurations, expired certificates, dangling DNS, exposed files, open ports. Monitoring-first tools (Detectify, Intruder, FortWatch) shine here.
  • Third-party / supply-chain visibility. You need to see the security posture of your vendors. This is technically a different category (TPRM) but several EASM vendors market into it. Tools built for this (Bitsight, UpGuard, SecurityScorecard) optimize for breadth over per-asset depth.
  • Compliance evidence. You need a continuous record of your security posture for audit. Most EASM tools produce this as a side effect; the question is whether the format matches your auditor's expectations.

Most teams need a combination, but one of these is usually the dominant pain. If a vendor's positioning doesn't match your dominant problem, the demo will look great and the product will disappoint.

Step 2: Score on Five Dimensions, Not 'Features'

Feature checklists are noise — every vendor checks every box. What actually differs is how each capability behaves in practice. Score every shortlisted tool on these five dimensions:

1. Scan frequency. How often does the tool re-check each asset? 'Continuous' means different things to different vendors. Ask for specifics: 'For my plan, what's the minimum interval between scans of the same asset?' Daily is the floor for a serious tool. Weekly is the norm for the discovery-first category. Anything slower than weekly isn't real continuous monitoring; it's periodic auditing with a dashboard.

2. Severity accuracy. This is the single biggest differentiator and the hardest to evaluate from a demo. Two failure modes: vendors that mark everything 'critical' to look impressive, and vendors that downgrade real findings to keep the dashboard clean. Ask: 'How is severity determined? Is it static-by-rule or context-aware? If I have an SMTP port open on a server with a valid MX record, is it the same severity as one with no MX?' A vendor that can't explain context-aware severity is using static rules, which means a noisy dashboard.

3. False-positive handling. Every scanner produces them. The question is what happens next. Can you mark a finding as a false positive once and have it stay marked across rescans? Does the tool learn from the suppression, or does the same finding reappear at the next scan? How quickly does the vendor ship rule fixes when you report an FP? Ask for the FP-reopen rate from their existing customers — if they can't quote it, it's bad.

4. Asset attribution accuracy. When the tool says 'this subdomain belongs to your organization,' how confident is it? Discovery tools that over-attribute will assign you assets from companies with similar names; tools that under-attribute will miss legitimate assets. Test by giving the tool your apex domain and reviewing the discovered inventory — flag any asset you don't recognize and any obvious miss.

5. Integration depth. Where does the data go? Webhook notifications are table stakes; deep integration with Jira, ServiceNow, PagerDuty, Slack, and your SIEM is what makes the tool usable day-to-day. Ask specifically about two-way integration — closing a Jira ticket should resolve the corresponding finding in the EASM tool, not just create a separate state. One-way integrations are common and create work; two-way are rare and save it.

Step 3: Run a 14-Day Pilot With Real Assets

Demos don't reveal the things that matter. Schedule a paid or free pilot — most vendors offer 14-30 days — and use these pilot tasks to surface what marketing won't:

  • Add one obviously-broken asset (an old subdomain with a known issue, or a test domain you've intentionally misconfigured) and time how long it takes to appear with the right severity. Slow detection is a leading indicator of slow continuous monitoring.
  • Add an asset with a known false positive — for example, a domain behind Cloudflare where the EASM tool might flag missing security headers that Cloudflare actually serves. See whether the tool detects the CDN and suppresses the finding, or whether you spend a week marking false positives.
  • Trigger an alert by introducing a new finding (open a port intentionally, expose a backup file in a non-production directory). See how long until the alert reaches Slack/email, how clear the finding's wording is, and whether the proposed remediation is actionable.
  • Resolve a finding. Fix one in your environment and watch what happens in the tool. Does it auto-resolve on the next scan? Does the resolution stick across subsequent scans, or does the finding re-open if a different scan path detects the same issue? Resolution stability is one of the hardest things to get right.
  • Pull the data out. Export findings via API, dashboard, or CSV. Is the data structured enough to use elsewhere, or is it locked behind the vendor's UI? Lock-in is a real risk in this category.
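To make the severity question in Step 2 and the CDN false-positive pilot task above concrete, here is a toy scorer that runs the same two rules once with static severities and once with asset-role and CDN gates applied at issue-creation time. This is example code written for this guide, not FortWatch's rule engine; the severity labels, the `Asset` fields and the three sample hosts are all constructed for illustration.

```python
"""Toy context-aware severity scorer (added illustration, not a vendor's rules)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    open_ports: frozenset          # ports observed by the port scanner
    is_mx: bool                    # host appears as an MX target in the zone's DNS
    behind_cdn: bool               # CNAME/ASN resolves to a CDN edge, not the origin
    missing_headers: tuple = ()    # security headers absent from the HTTP response


# Static rules: one severity per rule id, regardless of what the asset is for.
STATIC_RULES = {"smtp_open": "critical", "missing_security_headers": "medium"}


def static_findings(asset):
    """Static-by-rule scoring: every open port 25 is 'critical', full stop."""
    out = []
    if 25 in asset.open_ports:
        out.append(("smtp_open", STATIC_RULES["smtp_open"]))
    if asset.missing_headers:
        out.append(("missing_security_headers", STATIC_RULES["missing_security_headers"]))
    return out


def context_findings(asset):
    """Same rules, gated on asset role and CDN placement before the issue is created."""
    out = []
    if 25 in asset.open_ports:
        # An MX host is expected to listen on 25; SMTP on a non-MX host is not.
        out.append(("smtp_open", "info" if asset.is_mx else "high"))
    if asset.missing_headers and not asset.behind_cdn:
        # Behind a CDN the edge adds headers an origin-only probe cannot see: suppress.
        out.append(("missing_security_headers", "medium"))
    return out


# Constructed sample assets for the three cases the guide describes.
MAIL_HOST = Asset("mx1.example.com", frozenset({25, 587}), is_mx=True, behind_cdn=False)
STRAY_SMTP = Asset("legacy-app.example.com", frozenset({25, 443}), is_mx=False,
                   behind_cdn=False, missing_headers=("Strict-Transport-Security",))
CDN_SITE = Asset("www.example.com", frozenset({443}), is_mx=False, behind_cdn=True,
                 missing_headers=("Content-Security-Policy",))


def compare(assets):
    """Return {host: (static findings, context-aware findings)} for a side-by-side view."""
    return {a.host: (static_findings(a), context_findings(a)) for a in assets}


if __name__ == "__main__":
    for host, (static, ctx) in compare([MAIL_HOST, STRAY_SMTP, CDN_SITE]).items():
        print(f"{host}: static={static} context={ctx}")
```

Running it shows the mail server and the CDN-fronted site drop out of the critical/medium noise while the stray SMTP listener is the one finding that stays worth a ticket; that is the behaviour to look for during the pilot.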

If a vendor refuses a meaningful pilot, that's a signal. The category has matured to the point where a 14-day trial is reasonable; vendors that gate it behind a sales cycle are usually optimizing for ACV, not customer fit.

Step 4: Read the Pricing Page Literally

EASM pricing falls into three buckets:

  • Per-asset pricing. You pay per domain, per IP, or per 'attack surface unit.' Predictable but punishes growth — every new acquisition, every new subdomain, every new asset is a line-item expense. Common with Detectify, Intruder, FortWatch.
  • Per-asset-with-overage pricing. A base bundle plus per-unit overage. Works well when your surface is mostly stable but punishes spiky growth.
  • Custom / enterprise pricing. 'Contact sales.' Common with Wiz, Bitsight, Palo Alto, IONIX, CrowdStrike. Pricing scales with negotiation, not posted rates. This usually correlates with longer sales cycles, larger minimum contracts, and stronger procurement leverage on the vendor side.

For an SMB or mid-market team, posted per-asset pricing is almost always the right model. You can predict the cost, scale it transparently, and walk away when it stops being worth it. Enterprise pricing makes sense only when your needs (custom integrations, dedicated CSM, white-glove onboarding) actually require it.

What to look for: is the pricing model aligned with your usage model? A tool that charges per scan when you want it running continuously is a misalignment. A tool that charges per discovered asset but counts every node of your CDN edge network as a separate asset is going to be expensive in a way the demo didn't preview.

What FortWatch Optimizes For

This is the only vendor-specific section, and we'll keep it short. FortWatch is monitoring-first, not discovery-first. We assume you can tell us your domain and IP list and we'll watch them continuously — every scanner runs against every asset every day. We optimize hard for severity accuracy (context-aware rules, asset-role gates, CDN-aware suppression at issue creation time) because we've watched too many dashboards drown in static-rule noise. We integrate two-way with Jira and Slack. Our pricing is posted, per-asset, no overage games. We don't pretend to do third-party risk monitoring or compliance frameworks — those are different products, and we'd rather be the best monitoring tool than a mediocre everything-tool.

If discovery is your primary problem, we're not the right fit and we'll tell you on the call. If continuous monitoring with low false-positive rate is your primary problem, we want the chance to prove it.

What Do I Do With This?

  • Write down your dominant problem (discovery, monitoring, third-party, compliance) before booking any demos. Vendors will reshape their pitch to match whatever you say you care about, so you need a fixed reference point to compare them against.
  • Shortlist three vendors maximum. Beyond three, your evaluation degrades into noise. Pick one each from the discovery-first, monitoring-first, and enterprise-platform buckets if you want category coverage.
  • Insist on a real 14-day pilot with real assets and the test tasks above. Skip vendors that refuse.
  • Score on the five dimensions — scan frequency, severity accuracy, false-positive handling, asset attribution, integration depth — not on feature checklists.
  • Read the pricing page literally. If it says 'contact sales,' factor in the sales cycle. If it's per-asset, model your 12-month asset growth before signing.