The compliance landscape shifted dramatically in 2024. Organizations scrambling to meet requirements from DORA, PCI DSS 4.0, SEC cybersecurity rules, and NIST CSF 2.0 discovered an uncomfortable truth: their asset inventories were incomplete. The problem wasn’t in their data centers or corporate offices. The blind spot was in employee home networks.
When the European Union’s Digital Operational Resilience Act took effect in January 2025, financial institutions faced strict requirements around ICT risk management. DORA Article 8 mandates comprehensive identification and classification of all ICT assets. Article 15 requires vulnerability management across the entire ICT infrastructure.
The challenge? Traditional asset discovery tools stop at the corporate network boundary. They can’t see what’s connecting from the other side of a VPN tunnel. They don’t know about the compromised router in an employee’s home office or the unpatched smart TV on the same network as corporate credentials.
PCI DSS 4.0, which became mandatory for most organizations in March 2024, introduced similar challenges. Requirement 11.3.1 now demands external vulnerability scans and 11.3.2 requires internal scans. But what constitutes “internal” when your workforce operates from hundreds or thousands of home networks? Payment card data flows through these environments. The Payment Card Industry Security Standards Council recognized this reality, yet most security teams lack the tools to address it.
The SEC’s cybersecurity disclosure rules, which took effect in phases through 2024, require public companies to maintain and assess cybersecurity risks as part of their business strategy and financial planning. Material cybersecurity incidents must be reported within four business days.
Here’s the uncomfortable question: How do you assess risks you can’t see? How do you report incidents originating from assets you didn’t know existed?
NIST updated its Cybersecurity Framework to version 2.0 in February 2024. The framework now emphasizes governance and supply chain risk management more heavily than before. It calls for continuous asset discovery and vulnerability management. The word “continuous” matters. Point-in-time assessments won’t cut it when your attack surface changes every time an employee moves between their home office and a coffee shop.
A Fortune 500 financial services company recently implemented our platform. Within the first week, they discovered assets in employee home networks they didn’t know existed. Not dozens. Hundreds. These weren’t theoretical risks. These were actual devices on the same networks where employees accessed customer financial data, trading systems, and regulatory reporting tools.
Some of these devices had known vulnerabilities. Some were running outdated firmware. Some were consumer-grade routers with default passwords. All of them represented potential entry points into corporate resources. None of them appeared in the organization’s asset inventory or vulnerability management system.
Under DORA, this would constitute a gap in ICT asset identification. Under PCI DSS 4.0, it would be a scope definition failure. Under SEC rules, it would be an undisclosed material risk. Under NIST CSF 2.0, it would be a breakdown in the Identify function.
Our approach starts with visibility into the one place traditional tools can’t reach: employee home networks. We discover every device on these networks. We identify the hardware manufacturer, model, and firmware version. We determine the operating system and patch level. We catalog network infrastructure devices like routers, access points, and IoT equipment.
This discovery happens continuously, not as a quarterly scan. When an employee brings a new device online, we know about it. When a vulnerability is disclosed affecting devices in your distributed workforce, we can tell you within hours which of your employees have affected devices and where those devices are located.
We match discovered devices against the National Vulnerability Database maintained by NIST. We cross-reference against CISA’s Known Exploited Vulnerabilities catalog. We score risk based on CVSS ratings and actual exploitation activity. This gives security teams the context they need to prioritize remediation efforts.
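To make the matching and scoring step described above concrete, here is an added illustration; it is not code from the original page or from the vendor's platform. It assumes a simplified, constructed feed shape (vendor, model, first fixed firmware version, CVSS score) standing in for the real NVD and KEV JSON schemas, a small constructed device inventory, and placeholder advisory identifiers; it also assumes firmware versions are plain dotted integers, which real inventories often violate.

```python
"""Added example: rank discovered home-network devices by vulnerability risk.

Every record below is constructed for illustration. The CVE-style identifiers
are placeholders, not real advisories, and the feed layout is a simplified
stand-in for the NVD and CISA KEV feeds rather than their actual schemas.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    owner: str
    vendor: str
    model: str
    firmware: str  # dotted integer version, e.g. "1.0.4" (assumption)


@dataclass(frozen=True)
class Advisory:
    cve_id: str      # placeholder id, e.g. "CVE-EXAMPLE-0001"
    vendor: str
    model: str
    fixed_in: str    # first firmware version that is NOT affected
    cvss: float      # CVSS base score, 0.0 to 10.0


# Constructed inventory: what a discovery agent might report from home networks.
DEVICES = [
    Device("alice", "ExampleNet", "HR-100", "1.0.4"),
    Device("bob", "ExampleNet", "HR-100", "2.1.0"),
    Device("carol", "ExampleNet", "TV-7", "3.2.1"),
]

# Constructed advisory feed (placeholder ids, not real CVEs).
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "ExampleNet", "HR-100", "2.0.0", 9.8),
    Advisory("CVE-EXAMPLE-0002", "ExampleNet", "HR-100", "1.2.0", 5.3),
    Advisory("CVE-EXAMPLE-0003", "ExampleNet", "TV-7", "4.0.0", 7.5),
]

# Constructed stand-in for the KEV catalog: ids with observed exploitation.
KEV_IDS = frozenset({"CVE-EXAMPLE-0001"})


def parse_version(version: str) -> tuple:
    """Turn '1.0.4' into (1, 0, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(device: Device, adv: Advisory) -> bool:
    """A device is affected if vendor and model match and its firmware predates the fix."""
    return (
        device.vendor.lower() == adv.vendor.lower()
        and device.model.lower() == adv.model.lower()
        and parse_version(device.firmware) < parse_version(adv.fixed_in)
    )


def risk_score(adv: Advisory, kev_ids: frozenset) -> float:
    """CVSS base score plus a fixed 10-point bump for known exploitation.

    The bump is larger than any CVSS value, so every KEV-listed finding sorts
    ahead of every non-KEV finding; within each group CVSS orders them.
    """
    return adv.cvss + (10.0 if adv.cve_id in kev_ids else 0.0)


def prioritize(devices, advisories, kev_ids) -> list:
    """Cross-reference inventory against the feed and return findings, highest risk first."""
    findings = []
    for device in devices:
        for adv in advisories:
            if is_affected(device, adv):
                findings.append({
                    "owner": device.owner,
                    "device": f"{device.vendor} {device.model} fw {device.firmware}",
                    "cve_id": adv.cve_id,
                    "exploited": adv.cve_id in kev_ids,
                    "score": risk_score(adv, kev_ids),
                    "fix": f"update firmware to {adv.fixed_in} or later",
                })
    # Deterministic order: score descending, then id and owner for tie-breaks.
    findings.sort(key=lambda f: (-f["score"], f["cve_id"], f["owner"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(DEVICES, ADVISORIES, KEV_IDS):
        flag = "KEV" if f["exploited"] else "   "
        print(f'{f["score"]:5.1f} {flag} {f["cve_id"]} {f["owner"]:6} {f["device"]}: {f["fix"]}')
```

In this constructed data, bob's router runs firmware past every fix, so it produces no finding, while alice's older firmware of the same model matches two advisories; the KEV-listed one lands at the top regardless of carol's higher-CVSS but unexploited TV finding. That ordering is the point of weighting exploitation activity above the raw CVSS number.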
For DORA compliance, this means you can demonstrate comprehensive ICT asset identification as required by Article 8. You can show active vulnerability management across your distributed infrastructure per Article 15. You can provide evidence of continuous monitoring and testing under Article 25.
For PCI DSS 4.0, you gain visibility into the security posture of networks where cardholder data transits. You can run vulnerability scans that actually cover your cardholder data environment, even when that environment extends into home networks. You can demonstrate compliance with requirements around network segmentation and access controls.
For SEC cybersecurity rules, you can assess and disclose material risks with confidence. You know your attack surface. You can quantify your exposure. When an incident occurs, you have the asset context to understand scope and impact quickly.
For NIST CSF 2.0, you strengthen every core function. Identify becomes truly comprehensive. Protect extends to previously invisible assets. Detect catches threats at the network edge. Respond has the context it needs. Recover can account for the full scope of affected systems.
Discovering problems is only half the equation. Our platform includes AI-powered remediation capabilities that let end users fix issues without waiting for security team intervention. When we identify a vulnerable router in an employee’s home network, we provide step-by-step guidance for updating firmware or adjusting security settings. We make remediation accessible to non-technical users.
This matters for compliance because frameworks increasingly expect organizations to reduce time-to-remediation. DORA requires proportionate and effective resilience measures. PCI DSS 4.0 sets specific timelines for addressing high-risk vulnerabilities. The SEC expects material weaknesses to be addressed promptly. Waiting for your security team to manually touch every vulnerable home router doesn’t scale.
These regulatory changes aren’t temporary. They reflect a permanent shift in how regulators view cybersecurity obligations. Distributed workforces are here to stay. Hybrid work models are standard. Security tools need to match this reality.
The question isn’t whether your organization needs visibility into home networks where employees access corporate resources. The question is whether you can demonstrate that visibility when auditors, regulators, or incident responders ask for it.