When you’re operating at the scale of NHS England, the question of which tools you use to understand and protect your digital estate isn’t academic. It’s existential!
The Scale Problem
NHS England is not one organisation. It has 7,900+ unique procuring organisations: acute trusts, integrated care boards, mental health providers, community services, GP federations, ambulance services. Each operates its own IT estate, each has its own procurement history, and each is ultimately responsible for the safety of patients whose data and care pathways run through those systems.
Each of those organisations manages between 50 and 2,000+ distinct IT systems. Their endpoint counts range from 30 devices in a community pharmacy to 200,000 in a large teaching trust. The aggregate picture is of millions of endpoints, tens of thousands of systems, and a vast, heterogeneous collection of on-premises infrastructure, legacy clinical applications, cloud workloads, medical devices, IoT sensors, and operational technology. The systems are interconnected, but often through point-to-point, undocumented integrations and a great deal of robotic process automation (RPA). All of it requires continuous protection.
This is the environment in which the question “do I need a Cyber Asset Attack Surface Management product, or will a traditional asset management tool do?” must be answered. The answer is not subtle.
Why Traditional Asset Management Breaks Down at This Scale
Traditional IT asset management was built for a different problem. Its core function is maintaining an inventory: what hardware and software exists, where it is, who owns it, when licences expire, and so on. ITAM tools like ServiceNow Asset Management or Jira Service Management do this well in stable, well-bounded environments where the security team and the IT team are essentially the same conversation.
An NHS estate is diffuse and under constant change. It transforms continuously as trusts merge, systems are decommissioned, cloud services are provisioned, and new medical devices are deployed. The boundaries are not well defined: clinical devices connect to patient networks, those networks connect to the NHS Spine, third-party suppliers maintain remote access, and shadow IT exists at every level. The security team and the IT team are emphatically not in the same conversation. They operate in parallel, often with different tooling, different data sources, and different views of what the estate actually contains.
What Cyber Asset Attack Surface Management Actually Requires
CAASM is not ITAM with a security label. It starts from the same inventory question but adds continuous monitoring and risk assessment of the whole estate, including its exposed services, and it integrates remediation across a wide variety of systems. It plugs into the SOC and is proactive rather than a system of record. A mature CAASM capability needs to deliver across six dimensions. Anything short of all six is a partial solution.
Asset discovery that reaches everything. Not just managed Windows endpoints polled by an agent, but unmanaged devices discovered passively on the network, cloud-native workloads found through API connections to Azure, AWS and GCP, medical devices identified by their network behaviour, OT systems identified through passive monitoring, and shadow IT surfaced by watching DNS and certificate transparency logs. In an NHS trust, the agent-only model covers perhaps 60% of what is actually on the network. The other 40%, including some of the highest-risk assets, is invisible to it.
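The discovery gap above is easiest to see as a reconciliation problem: take what the agent console knows, compare it with what a passive sensor observes on the wire and what certificate transparency (CT) logs show being issued under your domain, and the difference is your unmanaged estate. The following is an added illustration, not code from any product named on this page. Every inventory entry, MAC address, hostname, port set and CT entry is constructed, the OUI-to-device hints are placeholders rather than IEEE registry data, and the domain `trust.example` is a reserved example name.

```python
"""Discovery gap: reconcile an agent inventory with passive network and
certificate-transparency (CT) observations.

Added example, not from any product. All inventories, MACs, hostnames and
CT entries are constructed; the OUI hints are assumptions, not IEEE data.
"""
from dataclasses import dataclass

# Constructed: what the agent/EDR console knows (hostname -> MAC).
AGENT_INVENTORY = {
    "ws-radiology-01": "00:50:56:aa:01:01",
    "ws-ward3-07":     "00:50:56:aa:01:02",
    "srv-pacs-01":     "00:50:56:aa:01:03",
}

# Constructed: passive sensor records (mac, ip, dhcp_hostname, ports seen).
PASSIVE_OBSERVATIONS = [
    ("00:50:56:aa:01:01", "10.20.1.11", "ws-radiology-01",  {445, 3389}),
    ("00:50:56:aa:01:02", "10.20.1.12", "ws-ward3-07",      {445}),
    ("00:50:56:aa:01:03", "10.20.2.5",  "srv-pacs-01",      {104, 11112}),
    ("00:1b:c5:11:22:33", "10.20.2.40", "",                 {104}),
    ("28:6a:b8:44:55:66", "10.20.3.9",  "infusion-pump-12", {80, 443}),
]

# Assumed OUI prefix -> device class hints (placeholders, not registry data).
OUI_HINTS = {"00:1b:c5": "imaging modality", "28:6a:b8": "infusion pump"}

PORT_NAMES = {104: "DICOM", 11112: "DICOM", 445: "SMB", 3389: "RDP", 80: "HTTP", 443: "HTTPS"}


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    hostname: str
    managed: bool
    device_hint: str
    services: tuple


def classify(mac, ip, hostname, ports, agent_inventory=AGENT_INVENTORY):
    """Mark a passively observed device as managed (agent knows it) or not."""
    managed = mac.lower() in {m.lower() for m in agent_inventory.values()}
    hint = "managed endpoint" if managed else OUI_HINTS.get(mac.lower()[:8], "unknown vendor")
    services = tuple(sorted(PORT_NAMES.get(p, f"tcp/{p}") for p in ports))
    return Asset(mac.lower(), ip, hostname or "(no DHCP name)", managed, hint, services)


def reconcile(agent_inventory=AGENT_INVENTORY, observations=PASSIVE_OBSERVATIONS):
    """Return (assets, coverage): coverage is the share of observed devices
    the agent console already knew about."""
    assets = [classify(*rec, agent_inventory=agent_inventory) for rec in observations]
    coverage = sum(a.managed for a in assets) / len(assets)
    return assets, coverage


def unmanaged_clinical(assets):
    """Unmanaged devices speaking a clinical protocol: the highest-priority gaps."""
    return [a for a in assets if not a.managed and "DICOM" in a.services]


# Constructed CT log entries: subjectAltNames from issued certificates.
CT_ENTRIES = [
    {"issuer": "CA-A", "sans": ["portal.trust.example", "www.trust.example"]},
    {"issuer": "CA-B", "sans": ["legacy-results.trust.example", "staging-api.trust.example"]},
    {"issuer": "CA-A", "sans": ["unrelated.example"]},
]
KNOWN_EXTERNAL = {"portal.trust.example", "www.trust.example"}


def unknown_ct_hosts(entries=CT_ENTRIES, known=KNOWN_EXTERNAL, owned_suffix=".trust.example"):
    """Hostnames under the organisation's domain that appear in CT but not in
    the registered external inventory: candidate shadow IT or forgotten portals."""
    seen = {h.lower() for e in entries for h in e["sans"] if h.lower().endswith(owned_suffix)}
    return sorted(seen - {k.lower() for k in known})


if __name__ == "__main__":
    assets, coverage = reconcile()
    print(f"agent coverage: {coverage:.0%}")
    for a in assets:
        if not a.managed:
            print("unmanaged:", a.ip, a.hostname, a.device_hint, a.services)
    print("unknown CT hosts:", unknown_ct_hosts())
```

With the constructed data the agent console covers three of five observed devices; the two it misses are a nameless host speaking DICOM and an infusion pump, which is exactly the shape of gap the paragraph describes. The CT check is the outside-in counterpart: two hostnames under the owned domain have certificates that nobody registered in the external inventory.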
Graph-based asset relationships for interdependencies. An endpoint is not an island. A radiology workstation connects to a PACS server which connects to a clinical network segment which connects to NHS Spine. A misconfigured cloud storage bucket is discoverable only if you know it’s connected to an Azure subscription which belongs to a trust which was onboarded six months ago and whose team hasn’t yet reviewed their storage policies. Graph-based relationship modelling makes these chains visible. It transforms a list of assets into a map of how compromise propagates. This is what a SOC analyst actually needs when investigating an incident.
SOC integration. Asset data that lives in a separate product and requires manual querying is not security data; it’s archaeology. CAASM tools must integrate with SIEM platforms (Sentinel, Splunk, QRadar), SOAR workflows, ticketing systems, and vulnerability scanners. When a new CVE drops, the SOC needs to know within minutes which of their assets are affected, how critical those assets are, and what the blast radius of compromise would be. That requires live, bidirectional data flow instead of a weekly export.
Risk profiling at the asset level. Every asset carries a risk score that reflects not just its own vulnerability state but its role in the environment. A server running an unpatched OS in an isolated test network is a different risk from the same server sitting on a segment adjacent to the clinical network. CAASM tools should calculate this contextual risk score continuously, surfacing the assets that represent the highest actual threat rather than simply the longest list of CVEs.
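The three requirements above (relationship graph, CVE-to-asset correlation for the SOC, and contextual rather than absolute risk) are one data model queried three ways. The following is an added example written for this page; it is not any vendor's engine or scoring formula. The assets, edges, versions and patch dates are constructed, the advisory identifier `EXAMPLE-0001` is a placeholder and not a real CVE, and the segment weights and the 0.5-per-patient-data-system multiplier are assumptions chosen to make the point. The last function also answers the kind of multi-hop question raised in the JupiterOne section later on.

```python
"""Asset graph, advisory-to-asset correlation and contextual risk.

Added example (not from any vendor). All assets, edges, versions and the
advisory are constructed; the advisory id is a placeholder, not a real CVE.
"""
from collections import deque
from datetime import date

TODAY = date(2025, 6, 1)  # fixed so the example is deterministic

# Constructed inventory. "software" maps product -> installed version.
ASSETS = {
    "ws-radiology-01": dict(segment="clinical", internet_facing=False, patient_data=False,
                            software={"dicom-viewer": "3.2.1"}, last_patched=date(2025, 5, 20)),
    "srv-pacs-01":     dict(segment="clinical", internet_facing=False, patient_data=True,
                            software={"pacs-suite": "7.1.0"}, last_patched=date(2025, 3, 1)),
    "spine-gateway":   dict(segment="clinical-core", internet_facing=False, patient_data=True,
                            software={"gateway": "2.0"}, last_patched=date(2025, 5, 28)),
    "web-results-01":  dict(segment="dmz", internet_facing=True, patient_data=False,
                            software={"webapp": "1.4"}, last_patched=date(2025, 4, 1)),
    "srv-test-01":     dict(segment="isolated-test", internet_facing=False, patient_data=False,
                            software={"pacs-suite": "7.1.0"}, last_patched=date(2025, 1, 1)),
    "lt-admin-22":     dict(segment="corporate", internet_facing=False, patient_data=False,
                            software={"office": "16.0"}, last_patched=date(2025, 5, 30)),
}

# Directed "can reach" edges, as you would derive from firewall rules or observed flows.
EDGES = [
    ("ws-radiology-01", "srv-pacs-01"),
    ("srv-pacs-01", "spine-gateway"),
    ("web-results-01", "srv-pacs-01"),
    ("lt-admin-22", "web-results-01"),
]

# Assumed weights: the same flaw matters more the closer it sits to clinical traffic.
SEGMENT_WEIGHT = {"clinical-core": 3.0, "clinical": 2.0, "dmz": 1.5, "corporate": 1.0, "isolated-test": 0.25}


def build_adjacency(edges):
    adj = {name: set() for name in ASSETS}
    for src, dst in edges:
        adj[src].add(dst)
    return adj


ADJ = build_adjacency(EDGES)


def reachable(start, adj=ADJ):
    """Everything downstream of `start`: the blast radius if it is compromised."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def affected_assets(advisory):
    """Assets running the advisory's product at a version below the fixed one."""
    fixed = version_tuple(advisory["fixed_in"])
    return sorted(
        name for name, a in ASSETS.items()
        if advisory["product"] in a["software"]
        and version_tuple(a["software"][advisory["product"]]) < fixed
    )


def contextual_risk(name, cvss):
    """CVSS scaled by network segment and by the patient-data systems at stake
    (the asset itself plus everything it can reach)."""
    a = ASSETS[name]
    downstream = sum(1 for n in reachable(name) if ASSETS[n]["patient_data"])
    own = 1 if a["patient_data"] else 0
    return round(cvss * SEGMENT_WEIGHT[a["segment"]] * (1 + 0.5 * (own + downstream)), 2)


def triage(advisory):
    """The SOC view minutes after an advisory lands: (asset, contextual risk,
    blast radius size), highest risk first."""
    rows = [(n, contextual_risk(n, advisory["cvss"]), len(reachable(n))) for n in affected_assets(advisory)]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def exposed_paths_to_patient_data(max_patch_age_days=30, today=TODAY):
    """Multi-hop query: internet-facing assets that can reach a patient-data
    system and have not been patched within the window."""
    return sorted(
        n for n, a in ASSETS.items()
        if a["internet_facing"]
        and (today - a["last_patched"]).days > max_patch_age_days
        and any(ASSETS[m]["patient_data"] for m in reachable(n))
    )


if __name__ == "__main__":
    adv = {"id": "EXAMPLE-0001", "product": "pacs-suite", "fixed_in": "7.2.0", "cvss": 9.8}
    for row in triage(adv):
        print(row)
    print(exposed_paths_to_patient_data())
```

Both PACS servers carry the same flaw, but the one on the clinical segment with the Spine gateway downstream scores 39.2 against 2.45 for the isolated test copy. A flat CVE list would have shown two identical 9.8s; the graph is what tells the analyst which one to work first.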
Automated remediation. At this scale no human team can respond manually to every policy violation or configuration drift. CAASM platforms need to trigger automated responses: isolating a device that has deviated from its expected behaviour, raising a ticket in ServiceNow when a new unmanaged device appears on a sensitive network segment, triggering a patching workflow when a critical vulnerability is detected on an in-scope asset. The policy engine needs to be granular enough to distinguish between a clinical system, where intervention requires clinical sign-off, and an administrative laptop, where auto-remediation is safe.
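The granularity requirement is the part that gets skipped in demos, so here it is made concrete: a small rule table plus one guardrail that refuses to take a disruptive action against anything that is not known to be administrative. This is an added example, not any vendor's policy engine; the rule names, asset attributes, end-of-life OS list and sample events are constructed for the page.

```python
"""Policy engine for CAASM-driven remediation with a clinical-safety guardrail.

Added example, not any vendor's engine. The rules, asset attributes and
events are constructed to show how a policy can separate assets where
auto-remediation is safe from those that need clinical sign-off.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALERT = "alert"
    OPEN_TICKET = "open_ticket"                  # raise in the ITSM tool
    PATCH_WORKFLOW = "patch_workflow"
    AUTO_ISOLATE = "auto_isolate"                # network containment, no human in the loop
    CLINICAL_SIGNOFF = "require_clinical_signoff"


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str          # "clinical", "corporate", ...
    role: str             # "clinical", "administrative" or "unknown"
    has_edr: bool
    os: str
    in_patch_scope: bool


@dataclass(frozen=True)
class Event:
    kind: str             # "new_device", "behaviour_deviation", "critical_vuln"
    asset: Asset


EOL_OS = {"Windows 7", "Windows Server 2008 R2"}  # assumed end-of-life set for the example

# Rule table: (name, predicate, intended action). Every matching rule fires.
RULES = [
    ("unmanaged device on clinical segment",
     lambda e: e.kind == "new_device" and e.asset.segment == "clinical" and not e.asset.has_edr,
     Action.OPEN_TICKET),
    ("end-of-life OS discovered",
     lambda e: e.kind == "new_device" and e.asset.os in EOL_OS,
     Action.OPEN_TICKET),
    ("behaviour deviation",
     lambda e: e.kind == "behaviour_deviation",
     Action.AUTO_ISOLATE),
    ("critical vulnerability on in-scope asset",
     lambda e: e.kind == "critical_vuln" and e.asset.in_patch_scope,
     Action.PATCH_WORKFLOW),
]

# Actions that change a device's availability and so need a human for clinical kit.
DISRUPTIVE = {Action.AUTO_ISOLATE, Action.PATCH_WORKFLOW}


def evaluate(event):
    """Return (rule name, action) pairs for an event. Disruptive actions are
    downgraded to a sign-off request unless the asset is positively known to be
    administrative: an unknown role is treated as clinical, never the reverse."""
    decisions = []
    for name, predicate, action in RULES:
        if not predicate(event):
            continue
        if action in DISRUPTIVE and event.asset.role != "administrative":
            action = Action.CLINICAL_SIGNOFF
        decisions.append((name, action))
    if not decisions:
        decisions.append(("no rule matched", Action.ALERT))
    return decisions


# Constructed assets for the walk-through.
PUMP = Asset("infusion-pump-12", "clinical", "clinical", False, "embedded-rtos", False)
LAPTOP = Asset("lt-admin-22", "corporate", "administrative", True, "Windows 11", True)
LEGACY = Asset("ws-pathology-03", "clinical", "unknown", False, "Windows 7", False)
EPR = Asset("srv-epr-01", "clinical", "clinical", True, "Windows Server 2019", True)

if __name__ == "__main__":
    for ev in (Event("new_device", PUMP), Event("behaviour_deviation", PUMP),
               Event("behaviour_deviation", LAPTOP), Event("new_device", LEGACY),
               Event("critical_vuln", LAPTOP), Event("critical_vuln", EPR)):
        print(ev.kind, ev.asset.name, [(n, a.value) for n, a in evaluate(ev)])
```

The same behaviour-deviation event produces an automatic isolation for the administrative laptop and a sign-off request for the infusion pump; the pathology workstation with no agent and an end-of-life OS raises two tickets rather than one. Putting the guardrail in `evaluate` rather than in each rule means a new rule cannot accidentally isolate a ventilator.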
Continuous external exposure monitoring. For NHS organisations, the boundary between internal and external is increasingly artificial. Clinical portals, patient-facing applications, supplier connections, and remote working infrastructure all create an external attack surface that must be continuously mapped from the outside in — not just inventoried from the inside out.
Microsoft’s Position: Defender EASM in an Azure-Dominant World
Across NHS England, Azure is the dominant platform. That dominance is well earned: the NHS-Microsoft agreement provides a foundation of licensing, compliance coverage, and integration that is difficult for any other vendor to match. In the Cyber Security Operations Centre (CSOC) space, the Microsoft security stack (Sentinel, Defender XDR, Defender for Cloud) is the de facto standard for many trusts.
Into this context arrives Microsoft Defender External Attack Surface Management (EASM), Microsoft’s lead product in the attack surface management space. For NHS organisations already invested in the Microsoft ecosystem, it is the natural first look. But it is important to understand precisely what it is and what it is not.
Defender EASM is an External Attack Surface Management tool. It works from the outside in: it discovers your internet-facing assets (domains, subdomains, IP addresses, web applications, TLS certificates, exposed services) by crawling the internet from an attacker’s perspective. It identifies what an adversary can see, what vulnerabilities are exposed to the outside world, and what assets you may not know you own. It integrates natively with Microsoft Sentinel and Defender XDR, and its Security Copilot integration allows natural-language querying of the discovered inventory.
For NHS organisations, this capability is genuinely valuable. Shadow IT proliferation, forgotten subdomains, legacy web portals, and misconfigured cloud storage are real problems that EASM-style outside-in discovery surfaces quickly.
But Defender EASM does not do what CAASM does. It does not connect to your existing security and IT tools via API to build a unified internal asset inventory. It does not model the relationship between a medical device, the clinical network it sits on, and the EPR system it feeds into. It does not provide the graph-based interdependency mapping that makes risk contextual rather than absolute. It does not reach unmanaged internal devices, OT environments, or the clinical systems that never have any external presence but represent significant internal risk.
In a Microsoft-centric NHS trust, Defender EASM should be part of the picture. But it only addresses the external perimeter, not the full CAASM requirement. The two are complementary and not interchangeable.
How the Leading CAASM Vendors Compare
Six vendors are the natural comparators for evaluation: Axonius, Armis, Qualys CSAM, JupiterOne, Lansweeper, and runZero. They occupy distinct positions in the market, from heavyweight enterprise platforms to fast-deploy discovery specialists.
Axonius
Its core architecture is integration-first. Rather than deploying agents, Axonius connects to the tools an organisation already uses (Active Directory, Azure, AWS, endpoint security platforms, vulnerability scanners, MDM solutions) and aggregates their data into a unified, deduplicated asset inventory. Axonius cites 600+ available integrations, which it calls adapters.
The policy engine allows security teams to define granular policies, for example “alert when a device with no endpoint security agent appears on a clinical network segment” or “raise a ticket when a device running Windows 7 is discovered”. Each match can trigger an automated response. The platform’s relationship graph shows how assets are connected, and therefore how the compromise of one asset affects the others.
Axonius is strongest where the existing tooling landscape is complex and heterogeneous. Its weakness in healthcare-specific environments is that it relies on integration with existing tools to discover medical devices and OT systems. If those devices are not already visible to a scanner or MDM, Axonius does not find them independently.
Armis
Armis began as a specialist in IoT and OT security and has evolved into a comprehensive CAASM platform. Its differentiating capability is passive network monitoring. It identifies and profiles devices on the network by observing their traffic behaviour without requiring agents, credentials, or integration with existing tools. This is the critical difference for healthcare.
In an NHS trust, the network carries traffic from Windows workstations, Linux servers, iPads, infusion pumps, ventilators, MRI machines, building management systems and CCTV cameras, most of which will never have an agent installed and many of which have no management interface at all. Armis discovers and profiles all of these assets by watching how they communicate. Armis states that it draws on a knowledge base of over 800 million device profiles to identify and classify devices from their network behaviour alone.
For NHS organisations with significant medical device estates, Armis is the strongest technical fit. Its SOC integration is mature, its risk scoring is asset-aware, and its automated response capabilities extend to network-level containment of compromised devices. Its growth trajectory in the CAASM market reflects strong adoption in healthcare and critical infrastructure.
The Armis platform is more expensive than the alternatives and is more complex to deploy. For a large trust with a significant medical device and OT estate, the cost is justified. For a smaller organisation with a primarily managed IT environment, it may be over-specified.
Qualys Cybersecurity Asset Management (CSAM)
Qualys is already deployed as a vulnerability management platform in many NHS organisations, and its CSAM product extends that foundation into CAASM.
Qualys CSAM discovers assets through the Qualys Cloud Agent (deployed on managed endpoints), passive network sensing via the Qualys Passive Sensor, API integrations with cloud platforms and security tools, and external attack surface discovery.
For NHS organisations already using Qualys for vulnerability management, CSAM is the natural extension. It leverages existing deployments, existing data, and existing team familiarity.
Its weakness relative to Armis is the medical device and OT space. Qualys’s discovery remains primarily agent-based and API-driven, so unmanaged clinical devices only surface once passive sensors have been deployed and configured on the relevant segments.
JupiterOne
JupiterOne is built from the ground up as a graph database. Every asset, every user, every configuration, every permission, every finding is a node in the graph, and the relationships between them are first-class data. The result is a platform that excels at answering complex, multi-hop questions such as “which internet-facing assets are connected to systems that process patient data and have not been patched in the last 30 days?” JupiterOne’s graph model provides genuinely superior relationship modelling. Its query language (J1QL) allows security engineers to write precise queries against the full relationship graph, supporting both ad-hoc investigation and continuous compliance monitoring.
JupiterOne is primarily API-driven and does not include passive network discovery. Excellent for cloud-native security engineering teams, less suited to the broad heterogeneity of a large NHS trust.
Lansweeper
Lansweeper has a significant existing NHS footprint, often in organisations that have not fully realised its CAASM potential. Widely deployed across the NHS as an IT asset management and network scanning tool, Lansweeper has invested significantly in extending its capability into the security domain.
Through its ITHealth integration, Lansweeper data feeds an Assurance Dashboard that maps directly against the NHS Data Security and Protection Toolkit (DSPT), supporting 35 of the mandatory, cyber-related DSPT assertions. Lansweeper already understands the regulatory language of the NHS.
The technical architecture is agentless. Lansweeper uses credential-free device recognition (CDR) to discover and profile assets across a network without requiring agents on endpoints. The platform discovers servers, workstations, virtual machines, IoT devices, OT assets, and network infrastructure, building a comprehensive inventory that feeds into patch status monitoring, vulnerability dashboards, and compliance reporting.
Where Lansweeper is weaker relative to dedicated CAASM platforms is in the security operations layer. Its policy engine and automated remediation capabilities are less mature than Axonius’s. Its SOC integration, while present (SIEM connectors exist), is less deeply built than Armis’s or Axonius’s. Lansweeper is also primarily an inside-out tool: it does not provide external attack surface discovery. And while its graph relationship modelling has improved, it is not as sophisticated as JupiterOne’s native graph architecture.
runZero
runZero is the most technically distinctive product in the CAASM market. Its active fingerprinting shares a heritage with Metasploit: both were created by HD Moore.
The core capability is an active scanning engine that combines safe network probing with passive traffic analysis and API integrations with cloud platforms and identity providers. Each discovered asset is profiled against nearly 1,000 attributes (OS, services, open ports, protocols, firmware versions, device type, and so on), with fingerprinting used to refine the result. OT and IoT discovery is particularly strong. runZero supports a wide range of industrial and clinical protocols (Modbus, BACnet, EtherNet/IP, and DICOM for medical imaging) and can identify clinical and building management devices that passive-only tools frequently misclassify.
For NHS organisations, two capabilities stand out. First, runZero supports fully disconnected, air-gapped installations, which is highly relevant for clinical networks where internet connectivity is restricted or prohibited for security reasons. Second, runZero’s lightweight “Explorer” scanning nodes deploy in minutes, not weeks, and begin delivering results immediately, which is especially useful for a trust that needs rapid situational awareness following an incident or during a security review.
Rating: Gartner Peer Insights Customers’ Choice, 4.6 stars. Best suited to environments requiring deep, rapid network discovery, particularly where OT, IoT or air-gapped networks are in scope.
A Comparative Summary
CAASM Vendor Comparison — NHS England Context
| Capability | Defender EASM (Microsoft Azure) | Axonius (Asset Cloud) | Armis (Centrix) | Qualys CSAM | JupiterOne (Graph CAASM) | Lansweeper + ITHealth (NHS) | runZero (Exposure Mgmt) |
|---|---|---|---|---|---|---|---|
| External asset discovery | Core | Partial | Partial | Partial | Partial | × | Partial |
| Internal asset inventory | × | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Medical device & OT discovery | × | Partial | Strong | Partial | × | Partial | Strong |
| Graph-based relationships | Partial | ✓ | ✓ | Partial | Strong | Partial | Partial |
| SOC & SIEM integration | ✓ (Microsoft native) | ✓ | ✓ | ✓ | ✓ | Partial | Partial |
| Automated remediation | Limited | ✓ | ✓ | ✓ | Partial | Limited | Limited |
| Risk profiling | Partial | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Agent-free discovery | ✓ | ✓ (API) | ✓ (passive) | Partial | ✓ (API) | ✓ (CDR) | ✓ (active scan) |
| Air-gapped deployment | × | × | × | × | × | × | ✓ (only vendor) |
| NHS DSPT alignment | Partial | × | × | × | × | ✓ (ITHealth, 35 assertions) | × |
| UK data residency (NHS / UK GDPR critical) | No UK region; nearest is Republic of Ireland | Partial: AWS London or on-prem | Partial: on-prem or EMEA cloud | Strong: dedicated UK instance, G-Cloud 14 | Unconfirmed: US-hosted; verify with vendor | Partial: cloud is AWS Ireland; on-prem for UK | ✓ Self-hosted: full UK control, air-gapped |
| Best fit for NHS | Perimeter and EASM only | Complex enterprise | Healthcare and OT / IoT | Qualys-invested orgs | Cloud-native environments | Budget-conscious and DSPT focus | OT / air-gapped and rapid deploy |
The Right Answer for NHS England
There is no single vendor that is right for all procuring organisations. The answer depends on scale, existing tooling, budget, and the specific risk profile of each organisation’s estate. However, any CAASM solution is better than continuing with a traditional ITAM/ITSM-only approach. CAASM applied across a highly distributed organisation will reduce exposure and surface previously unregistered risks.
Large acute trusts with significant medical device and OT environments (major teaching hospitals, ambulance services, integrated care systems with physical infrastructure) should look at Armis. Its passive network discovery reaches clinical and OT assets that every other product in this comparison misses. In a trust where an infusion pump or a ventilator represents both patient risk and network risk, the tool that can actually see it is not optional.
Trusts with complex, multi-vendor IT environments and mature security tooling (larger ICBs, shared service providers, national bodies) will find Axonius provides the broadest integration coverage (600+ connectors), the most flexible policy engine, and the clearest path to automated remediation at scale.
Organisations already invested in the Qualys platform for vulnerability management should extend into Qualys CSAM. The asset discovery, vulnerability correlation, and risk scoring are unified under a single platform, reducing both complexity and cost.
Cloud-first transformation programmes and new-build digital health environments, where the estate is predominantly cloud-native, the team has security engineering capability, and graph-based querying is a meaningful workflow, will get the most value from JupiterOne.
Organisations with constrained budgets, or those already running Lansweeper should extend what they have before replacing it. Lansweeper’s DSPT alignment via ITHealth, agentless CDR discovery, and per-asset pricing model make it the most accessible CAASM-capable platform in the NHS context. It will not do everything Axonius or Armis does, but it will do more than most NHS organisations are currently using it for. Compliance mapping to DSPT is a genuine differentiator.
Organisations that need rapid situational awareness, operate air-gapped networks, or are assessing their estate for the first time should evaluate runZero. Its deployment speed (minutes, not weeks), its Metasploit-heritage fingerprinting, and its free tier for smaller environments make it uniquely suited to rapid discovery exercises, incident-driven asset audits, and clinical networks where air-gapped deployment is a requirement rather than a preference.
Microsoft Defender EASM is not a substitute for CAASM. It is a valuable, well-integrated tool for external perimeter visibility in Microsoft-centric environments, and NHS organisations using Sentinel should absolutely have it in their stack. It addresses the outside-in view. The inside-out view: the full picture of what’s on the network, how it’s connected, how it’s behaving, and what happens when something goes wrong, requires a dedicated CAASM platform.
At the scale of NHS England, that is not optional. The question is not whether to invest in CAASM. It is which product fits your environment, your existing tools, and your team’s capability to operate it.