Your security tool flagged a few dozen things as "internet-facing" this morning. Here is the question it cannot answer: how many of them can a stranger actually reach right now?
Every CSPM works the same way. It reads your configuration and infers exposure. A security group open to 0.0.0.0/0. A database with a public IP. A VM in a public subnet. Each one earns a red "critical, internet-facing" badge. That badge is an inference drawn from config. It is not a measurement. Nobody went and checked.
The gap between "open" and "reachable"
That gap is where two teams lose their week.
DevOps gets handed the list. A good chunk of it is config debt that exposes nothing. A firewall rule open to the world, sitting in front of a host with no public address. A "public" database behind an allowlist that answers no one. They chase it anyway, because the badge said critical. By the third dead end they have learned the tool cries wolf, and they start skimming the criticals instead of working them.
Security has the opposite problem. Forty red badges, no way to rank them. The one that matters, an SSH port genuinely answering on a production box, sits in the same pile as the forty that answer nobody. The expensive failure is not the false positives you waste time on. It is the true positive you walked past because it was the same color as the noise.
A configuration scanner can tell you a door is unlocked. It cannot tell you that the door exists, faces the street, and is standing open right now. Those are different facts, and only one of them gets you breached this weekend.
So we measured it
We added one thing to the Exposure page. After every scan, VikingCloud goes to each internet-facing entry point it found and checks, from the outside, whether it actually answers. Then it puts a tag on it: Reachable, or Not reachable.
That is the whole feature. A tag.
Reachable is red, because something is genuinely answering from the public internet, and that is live attack surface rather than a theory. Not reachable is green, because the thing your config screamed about is, in reality, a closed door. The check is non-destructive, and it runs on its own after each scan. You do not request it. You stop guessing.
The tag is a fact, not an opinion. We did not infer it from your rules. We connected from the outside and wrote down what answered.
What it found in our own cloud
We pointed it at our own production environment. It tagged one of our VMs Reachable on SSH from the public internet, the kind of open door you want to find before a stranger does. In the same scan it tagged a security group that was wide open to 0.0.0.0/0 as Not reachable, because the host behind it had no public address at all. Config said exposed. Reality said no. Both true. Both useful.
That is the part people miss. A reachability tag confirms the real door and greys out the forty that lead nowhere, in the same pass. The quiet it buys you is worth as much as the alarm it raises.
Why one tag changes the work
Your external attack surface stops being a list of maybes and becomes a map of what is actually true. DevOps only chases what answers. Security can stand in front of the board and say "this is what a stranger can reach from the internet today," and be right, because something on the other end picked up.
And because the platform already maps what is running on the host that answered, the tag is where a real priority order starts, not where it ends. A reachable box on a version with a known, actively exploited bug is a different problem than a reachable box that is fully patched. Same color tag, very different night. The platform is built to tell those two apart. That is a separate post.
What to check today, with or without us
You can run a cheap version of this yourself today. Take your top ten "internet-facing criticals," open a laptop on a network that is not your own, and count how many actually answer. The number will be lower than the badge count. The difference is the work you have been funding for nothing.
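One way to run that count yourself, as an added example that is not VikingCloud's code: feed it the host:port pairs your scanner badged "internet-facing" and run it from a network that is not your own. It goes one step past a bare count by recording why an entry was Not reachable (a refused connection means a host answered but the port is closed; a timeout means nothing answered at all); the loopback listener and the 203.0.113.10 address in the demo are constructed sample input so the script runs offline.

```python
import concurrent.futures
import socket

REACHABLE = "Reachable"
NOT_REACHABLE = "Not reachable"


def probe(host, port, timeout=3.0):
    """One non-destructive TCP connect (nothing is sent; closed on success). Returns (tag, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return REACHABLE, "TCP handshake completed"
    except socket.timeout:
        return NOT_REACHABLE, "no answer within timeout (filtered, or no public route)"
    except ConnectionRefusedError:
        return NOT_REACHABLE, "connection refused (host answers, port closed)"
    except socket.gaierror:
        return NOT_REACHABLE, "name does not resolve"
    except OSError as exc:
        return NOT_REACHABLE, f"error: {exc}"


def tag_entries(entries, timeout=3.0, workers=16):
    """Probe every (host, port) in parallel; one record per flagged entry."""
    def one(entry):
        tag, reason = probe(entry[0], entry[1], timeout)
        return {"host": entry[0], "port": entry[1], "tag": tag, "reason": reason}
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(one, entries))


def summarize(results):
    """Badge count versus measured count: the gap is the work funded for nothing."""
    reachable = sum(1 for r in results if r["tag"] == REACHABLE)
    return {"flagged": len(results), "reachable": reachable, "not_reachable": len(results) - reachable}


def demo_listener():
    """Loopback listener on an ephemeral port so the demo shows a Reachable tag offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    return srv


if __name__ == "__main__":
    srv = demo_listener()
    # Constructed sample "criticals": the loopback listener, a closed loopback port,
    # and an RFC 5737 documentation-range address (203.0.113.0/24) that nothing answers on.
    flagged = [("127.0.0.1", srv.getsockname()[1]), ("127.0.0.1", 9), ("203.0.113.10", 22)]
    results = tag_entries(flagged, timeout=2.0)
    for r in results:
        print(f"{r['host']}:{r['port']:<5} {r['tag']:<14} {r['reason']}")
    print(summarize(results))
    srv.close()
```

Replace the constructed `flagged` list with your own top ten and the summary line is the badge count next to the measured count.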
Stop fixing your configuration's opinion of your attack surface. Fix the part a stranger can actually reach.
Start your 14-day free trial to connect your first cloud account and see which of your internet-facing entry points actually answer from the outside, right after your first scan, or book a demo if you would prefer we walk through the platform with your team.
