My open question to you both and others is this: In your view, is that "organizational compliance with minimal logging" use case substantial enough to warrant a new, standardized protocol? Or is it adequately served by either
a) mandating HIBP's API, or
b) telling companies to download and manage the full HIBP dataset locally?
What's the approach from a consumer standpoint?
You’ve summed it up perfectly. This is fundamentally about the trade-off between total privacy (local DB) and practicality (server query). The protocol exists only if that middle ground has real users. The compelling case might not be for individuals, but for organizations that must prove due diligence in password screening for compliance with, for example, ISO 27001, but want to minimize their own liability and logging footprint.
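The HIBP-style range query that the thread weighs against a local dataset, as an added example that is not part of this discussion: the client hashes the password locally and sends only the first 5 hex characters of the SHA-1, then matches the remaining 35 characters itself, so the server-side log never contains the full hash. The range body, its counts and the `fetch_range` callable are constructed stand-ins; the zero-count line stands for the padding entries the real API can add, which the parser drops.

```python
import hashlib
from typing import Callable

# Constructed stand-in for the range-query service: keyed by 5-hex-char SHA-1
# prefix, holding the newline-separated "SUFFIX:COUNT" body a range endpoint
# returns. Counts and the two extra suffixes are made up for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"   # suffix of SHA-1("password")
        "00000000000000000000000000000000000:0\n"       # padding-style entry (count 0)
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7\n"        # made-up bucket neighbour
    ),
}
QUERY_LOG: list[str] = []  # everything the "server" side gets to see (and could log)


def constructed_fetch_range(prefix: str) -> str:
    """Constructed transport: records what leaves the client, returns the bucket."""
    QUERY_LOG.append(prefix)
    return CONSTRUCTED_RANGES.get(prefix, "")


def sha1_upper_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_body(body: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines; zero-count lines are padding and are ignored."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity check: only digest[:5] crosses the wire; the 35-char suffix
    is compared locally. Returns the breach count, 0 if not in the bucket.
    The same function serves the local-dataset approach: pass a fetch_range
    that reads the bucket from disk instead of a remote service."""
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)
```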
Congrats on the launch. Open-source ASM is desperately needed.
Looking at this, I'm thinking about the evolution of the external attack surface. It's not just about finding assets anymore, but understanding their security posture in depth with minimal intrusion.
This connects to work I'm doing on "zero-knowledge" security protocols. Imagine your platform discovers a web app, and a next-generation, privacy-aware scanner could then check for credential exposure (using a protocol that doesn't expose the creds) or misconfigurations without collecting sensitive payloads.
A technical question/thought: For asset discovery and fingerprinting at scale, how do you handle the privacy/data minimization aspect? For instance, when your scanner encounters a login page, is there a consideration for what signals are collected and stored? As we build more autonomous security scanners (and later, AI agents), baking in privacy-by-design from the start seems critical.
Tools like Open-ASM that map the territory will be the foundation for a new wave of respectful, efficient security testing. Excited to see this.
In practice, we aim to identify as many real risks as possible across the external attack surface, since expanding visibility is what most improves an administrator’s understanding of their system. From our perspective, broad and accurate risk discovery is a prerequisite for effective security management, and it should be balanced with intentional choices around how deeply we inspect and what data we persist.
Fully agree that broad, accurate discovery is the crucial first step. My point is about how we achieve the depth. The goal is deeper inspection through privacy-aware protocols like a scanner proving a login page is vulnerable without ever seeing credentials—so administrators get comprehensive risk understanding without the data liability.