
TLDR

  • Your perimeter didn’t disappear. It moved to your brand, executives, domains, and vendors. 
  • Most budgets still sit inside the firewall, on endpoint, network, and the SOC. The risk has moved outside it. 
  • Attackers skip the hardened controls and take the path of least resistance: a leaked credential, a lookalike domain, a faked executive, a weak vendor. 
  • Disinformation is a security problem now, not a marketing one. It targets trust, and how your prospects and customers perceive you. It can even move share prices. 
  • You cannot fix what you cannot see, so mapping your external exposure comes before any new spend. 

Written by: Santosh Nair, Co-founder & CTO of Styx Intelligence.

Is Your Security Budget Where The Risk Actually Is? 

Most security money stacks up inside the network. A disproportionate share of budget today goes to endpoint protection, network security, and building out the SOC. Those controls work. The question is what they guard. 

Global security spending is set to reach about $240 billion in 2026. Line up where it goes by category, and the pattern is hard to miss. The largest slices all sit inside the firewall, and the work that watches outside it lands at the bottom of the list. 

Source: 2026 cybersecurity spending breakdown (CompareCheapSSL)

Threat intelligence and dark web monitoring, the bucket that holds digital risk protection, takes about 4% of spend. That puts it next to OT and IoT, at the very bottom. Everything above it defends a boundary that attackers have mostly stopped hitting head-on. 

The risk moved the other way: 

  • Your brand: Impersonation, lookalike sites, fake storefronts. 
  • Your executives: Fake-boss messages, deepfakes, exposed personal details. 
  • Your domains: Registrations attackers use to map everything you own. 
  • Your vendors: The weakest link in a chain you don’t fully control. 

That’s your external attack surface, the part your internal tools were never built to watch. The money and the risk have drifted apart. Closing that gap is the budget question worth asking, not whether your endpoint stack is good enough. 

How Are Attackers Actually Getting In? 

“Attackers don’t force the strong door; they look for the open one.” They go after the weakest link in the chain. I call it finding the path of least resistance. 

Picture it from their side. They take your domain name and, with open-source tools, map every asset tied to it. 

A leaked credential is another way in: if no one rotates it, it keeps working. 

They also watch executives who post a lot and turn that exposure into impersonation. A new hire then gets a message from “the CEO” before they know what the real one sounds like. 

A few examples here:

Path | What it exploits | Why inside-out defenses miss it
Leaked or stolen credentials | A valid login nobody rotated | It looks like a normal user, so endpoint and network tools wave it through
Lookalike domain | Trust in your brand name | Registered outside your network, so internal monitoring never sees it
Executive impersonation | A new hire’s instinct to trust the boss | It arrives by email, text, or call, not a system you run
Weak vendor | Access you handed a third party | Their gap becomes your breach, and you don’t watch their security

My read is that the inside is mostly handled.

Teams built endpoint, logging, and a SOC, and those controls work, so attackers go around them. The numbers back that up: third-party breaches now reach 48% of the total, up 60% in a year (Verizon 2026 DBIR), and as people learn to spot email scams, impersonation moved to text and voice, landing 40% more often.

Each path runs outside the firewall, where your tools were never pointed. 

What Counts As Outside The Firewall Now? 

The external attack surface is much more than just IT assets. It’s the public, human side of your company, the part attackers can see without ever touching your network. 

What “outside the firewall” now includes 

  • Your brand: The name and look others can copy. 
  • Your executives and key people: The CEO, CFO, and anyone visible online. 
  • Your social accounts: Company pages, and the personal ones tied to your leaders. 
  • Your domains: Every registration that maps back to you. 
  • Your vendors and contractors: The access you extend past your walls. 
  • Your leaked data: Credentials and documents already out there. 

I see executives as a preferred target, because so many post often and openly. That exposure feeds impersonation, and AI made it cheap. In one case, a finance worker approved $25.5 million in transfers after a deepfake video call where every colleague except the victim was AI-generated.  

None of it ran through a system the security team controlled. And it isn’t a one-off. The scam business now runs at an industrial scale, with Southeast Asian scam centres earning just under $40 billion a year. 

Is Disinformation Really a Security Problem? 

Yes, and it’s the problem of now, not the future. Most attacks try to break a system. However, disinformation skips that and goes after perception, because the target is trust. 

That’s why I don’t place it under marketing. A false narrative about your company, or a fabricated clip of your CEO, does what a breach does. It costs you trust, and trust is what people buy on. 

What people get wrong about disinformation 

The old view | What’s actually true
It’s marketing’s job | It targets trust, a security and business risk
It’s a future problem | It runs now, often in 24 to 48 hour bursts
It only dents reputation | For listed companies it can move the share price
One team handles it | It takes security, comms, legal, and brand together

The market is catching up. Gartner expects half of enterprises to adopt products that address disinformation by 2028, up from under 5% in 2024 (Gartner). That jump is the industry admitting what I see every week: this lands on security teams, not only the comms desk.

The teams that get ahead of it treat it as one shared job across functions.

You Can’t Fix What You Can’t See 

This is the line I come back to with every team: you can’t fix what you can’t see. The risk outside your firewall doesn’t announce itself, and when you don’t see it, it just becomes a blind spot. 

So the first move isn’t a new tool. It’s a clear view of what you actually have facing the world: your domains, your social accounts, your executives, your vendors, and your exposed data. 

When teams look for the first time, the same things surprise them. 

What teams usually find:

  • Legacy systems they thought were dead: These are usually shut down on paper, but still live online. 
  • Credentials nobody acted on: Exposed logins sitting unrotated. 
  • A third-party footprint they didn’t know about: Contractors and vendors that were off the radar. 
  • Shadow accounts: Social pages a marketer set up, then left, with no one watching. 

None of that shows up in a quarterly pen test. It shows up when you map the outside on purpose. I treat visibility as step one, the foundation for getting ahead of external risk instead of reacting to it. You can’t act on what you never saw. 

Three Questions to Ask Before Your Next Budget Cycle 

Before you defend a single line item, answer three questions for yourself. They’re the ones I’d want answered before walking into a board meeting, and they map straight to where the risk actually sits. 

Three questions for your next budget conversation 

Ask yourself | What a strong answer sounds like
Do I know what my external attack surface looks like? | A current map of your domains, social accounts, executives, vendors, and exposed data, not a once-a-quarter snapshot
What am I doing about the risk outside the firewall? | Named controls and an owner for brand, impersonation, leaked credentials, and third-party exposure, not “that’s marketing’s job”
Where are my blind spots? | An honest list of what you don’t watch yet, and a plan to close it before the next cycle

If you can answer all three with confidence, you’re ahead of most teams.

If you can’t, you’ve just found what to fund. That gap, between what you can see and what you can’t, is the most useful thing to bring to your next budget conversation.

See What Attackers Already See 

The whole point is visibility. If you can’t see your external risk, you can’t act on it, and right now most of it sits outside the tools you already pay for. 

That’s why Styx Intelligence was created. It maps your brand, executives, domains, and vendors in one view. It surfaces the exposure your internal tools never showed you, from lookalike domains to leaked credentials to impersonation. 

If that’s the gap you want to close, take a look at the platform.

Santosh Nair

Content Writer

Santosh is a seasoned entrepreneur and cybersecurity expert. He is the Co-Founder and Chief Technology Officer at Styx Intelligence, a leading Digital Risk Protection platform focused on helping enterprise clients stay protected from external cyber threats. Santosh has played a key role in developing the core technology behind Styx Intelligence.
