# Attack Surface Management
## Definition
Attack surface management (ASM) is the continuous process of discovering, inventorying, classifying, and monitoring all internet-facing assets that an adversary could target. The attack surface is the sum total of every point where an unauthorized actor could attempt to enter or extract data from an environment: web applications, API endpoints, email gateways, VPN concentrators, cloud storage, DNS records, SSL certificates, exposed databases, development servers, and any other asset reachable from the internet.
ASM operates from the attacker's perspective. Unlike internal vulnerability management (which scans assets the organization knows about), ASM discovers assets by looking at the organization from the outside, the same way an adversary conducting reconnaissance would. This outside-in perspective is critical because the most dangerous assets on the attack surface are the ones the organization does not know exist: the forgotten development server, the decommissioned-but-still-running cloud instance, the DNS record pointing to an acquired company's infrastructure, the SaaS application a department provisioned without IT involvement.
The discipline emerged as a distinct category around 2020, driven by the recognition that digital transformation, cloud adoption, remote work, and SaaS proliferation had expanded organizational attack surfaces far beyond what traditional vulnerability scanners could track. Gartner named External Attack Surface Management (EASM) a critical emerging technology in 2022. Major vendors in the space include Censys, Shodan, Mandiant (now Google), CrowdStrike (Reposify acquisition), Microsoft (RiskIQ acquisition), and Palo Alto (Cortex Xpanse).
## How It Works
### Continuous Discovery
ASM platforms continuously scan the internet for assets associated with the target organization. Discovery starts with known seed data (primary domain names, IP ranges, ASNs, brand names) and expands outward through automated techniques:
DNS enumeration. Resolve all DNS records for known domains. Discover subdomains through certificate transparency logs, DNS brute forcing, and passive DNS databases. Identify dangling DNS records (records pointing to IP addresses or cloud resources that the organization no longer controls, which can be hijacked by attackers through subdomain takeover).
Certificate transparency monitoring. Certificate transparency (CT) logs are public records of every SSL/TLS certificate issued. Monitoring CT logs for the organization's domain names reveals newly provisioned services (someone stood up a new web server and obtained a certificate), unauthorized certificates (a phishing site obtained a certificate impersonating the organization's domain), and shadow IT (a department provisioned a cloud service using a company subdomain).
Port scanning and service fingerprinting. Scan discovered IP addresses for open ports and identify the services running on them. A web server on port 443 is expected. An RDP service on port 3389 exposed to the internet is a critical finding. A database management interface on port 8080 with no authentication is an emergency.
Cloud asset discovery. Identify cloud resources (storage buckets, virtual machines, serverless functions, container registries) associated with the organization across multiple cloud providers. Misconfigured cloud storage (publicly accessible S3 buckets, Azure blob containers, GCP storage buckets) is one of the most common attack surface findings.
Acquired asset discovery. When organizations acquire other companies, they inherit the acquired company's attack surface. ASM platforms detect assets associated with acquired domains and infrastructure that may not have been inventoried during the acquisition integration process.
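The seed-expansion loop described above (seed domain, certificate transparency, DNS resolution, comparison against owned IP space and the internal inventory) as an added example. This is not CDA's or any vendor's code; the CT entries, DNS records, IP ranges and inventory are constructed sample data, and `NXDOMAIN_TARGETS` stands in for what a live resolver would report for a deleted CNAME target.

```python
"""Added example (not CDA's or any vendor's code): expand seed domains into
discovered hostnames from constructed certificate-transparency entries, resolve
them against constructed DNS data, and report what the inventory is missing."""
import ipaddress

# Constructed sample of what a CT-log search for the seed domain might return:
# (certificate subject name, issuer). Two entries are deliberately out of scope.
CT_LOG_ENTRIES = [
    ("www.example.com", "Let's Encrypt"),
    ("*.example.com", "DigiCert"),
    ("api.example.com", "Let's Encrypt"),
    ("staging-api.example.com", "Let's Encrypt"),
    ("old-cdn.example.com", "Let's Encrypt"),
    ("jenkins.dev.example.com", "Let's Encrypt"),
    ("examp1e.com", "Let's Encrypt"),                 # lookalike, not our domain
    ("mail.example.com.evil.test", "Let's Encrypt"),  # our name used as a prefix
]

# Constructed passive-DNS data: hostname -> (record type, value).
DNS_RECORDS = {
    "example.com": ("A", "203.0.113.10"),
    "www.example.com": ("A", "203.0.113.10"),
    "api.example.com": ("A", "203.0.113.20"),
    "staging-api.example.com": ("A", "198.51.100.7"),
    "old-cdn.example.com": ("CNAME", "d111.cdn-provider.example.net"),
    "jenkins.dev.example.com": ("A", "203.0.113.30"),
}
# Constructed: CNAME targets a resolver reports as NXDOMAIN (resource deleted).
NXDOMAIN_TARGETS = {"d111.cdn-provider.example.net"}

# Seed data and the organization's own asset inventory (constructed).
SEED_DOMAINS = {"example.com"}
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
INVENTORY = {"example.com", "www.example.com", "api.example.com"}


def in_scope(hostname, seeds=SEED_DOMAINS):
    """True only for a seed domain or a proper subdomain of one.
    Substring matching would wrongly accept lookalikes and suffix abuse."""
    host = hostname.lower().lstrip("*.").rstrip(".")
    return any(host == s or host.endswith("." + s) for s in seeds)


def hostnames_from_ct(entries, seeds=SEED_DOMAINS):
    """Collect in-scope names; a wildcard certificate contributes its base name."""
    return {name.lower().lstrip("*.") for name, _issuer in entries if in_scope(name, seeds)}


def discover(entries=CT_LOG_ENTRIES, dns=DNS_RECORDS, ranges=OWNED_RANGES,
             inventory=INVENTORY, nxdomain=NXDOMAIN_TARGETS):
    """Outside-in discovery: what CT reveals, what resolves where, and the
    delta against the inventory that internal scanning is built on."""
    found = hostnames_from_ct(entries)
    findings = {
        "discovered": found,
        "unknown": found - inventory,   # blind spots: no owner, no scan coverage
        "dangling": set(),              # CNAME to a deleted resource: takeover risk
        "out_of_range": set(),          # resolves outside owned IP space
        "unresolved": set(),            # certificate exists, no DNS record
    }
    for name in found:
        rtype, value = dns.get(name, (None, None))
        if rtype is None:
            findings["unresolved"].add(name)
        elif rtype == "CNAME" and value in nxdomain:
            findings["dangling"].add(name)
        elif rtype == "A" and not any(ipaddress.ip_address(value) in n for n in ranges):
            findings["out_of_range"].add(name)
    return findings


if __name__ == "__main__":
    for key, names in discover().items():
        print(f"{key:13s} {sorted(names)}")
```

The scope check is the part worth copying: matching on a proper suffix (`host == seed` or `host.endswith("." + seed)`) keeps lookalike domains and names that merely contain the organization's domain out of the asset list, which plain substring matching on CT results would not.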
### Classification and Prioritization
Not every discovered asset is equally important. ASM platforms classify assets by:
Exposure level. Is the asset directly internet-facing, or behind a CDN/WAF/load balancer? Direct exposure is higher risk than filtered exposure.
Service type. Administrative interfaces (SSH, RDP, management consoles) are higher priority than public-facing web servers because administrative access enables deeper compromise.
Vulnerability status. Does the asset have known vulnerabilities (CVEs with public exploits)? Is the software version current or end-of-life?
Data sensitivity. Does the asset handle or store sensitive data (based on the application's function and the organization's data classification)?
Ownership. Is the asset managed by IT, by a business unit, by a vendor, or unowned? Unowned assets (shadow IT) are highest risk because nobody is responsible for their security.
Classification enables prioritization. A publicly exposed, unpatched RDP server with no MFA (high exposure, administrative service, known vulnerabilities, likely sensitive data access) is a critical priority. A CDN-fronted marketing website with current patches (filtered exposure, public-facing, no known vulnerabilities, no sensitive data) is low priority. ASM platforms rank findings so that security teams address the most dangerous exposures first.
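An illustrative scoring model over the five dimensions listed above, applied to the two assets the paragraph contrasts plus one unowned CI console, as an added example. The code is not CDA's or any vendor's; the ordinal scales, the MFA modifier and the severity bands are assumptions chosen for the example, and the asset names are constructed.

```python
"""Added example (not CDA's or any vendor's code): an illustrative scoring
model over the five classification dimensions, applied to the two assets
described in the text plus one unowned CI console."""
from dataclasses import dataclass

# Ordinal scales per dimension. The weights are assumptions chosen for this
# example, not a published standard; a real program would tune them.
EXPOSURE  = {"direct": 3, "filtered": 1}            # filtered = behind CDN/WAF/LB
SERVICE   = {"administrative": 3, "application": 2, "public_web": 1}
VULN      = {"public_exploit": 3, "known_cve": 2, "end_of_life": 2, "current": 0}
DATA      = {"sensitive": 3, "internal": 1, "public": 0}
OWNERSHIP = {"unowned": 3, "vendor": 2, "business_unit": 1, "it": 0}
NO_MFA_ON_ADMIN = 2          # modifier: single-factor administrative access
BANDS = [(11, "critical"), (8, "high"), (5, "medium"), (0, "low")]


@dataclass
class Asset:
    name: str
    exposure: str
    service: str
    vuln: str
    data: str
    ownership: str
    mfa: bool = True         # only consulted for administrative services


def score(asset: Asset) -> int:
    """Additive score across the five dimensions plus the MFA modifier."""
    s = (EXPOSURE[asset.exposure] + SERVICE[asset.service] + VULN[asset.vuln]
         + DATA[asset.data] + OWNERSHIP[asset.ownership])
    if asset.service == "administrative" and not asset.mfa:
        s += NO_MFA_ON_ADMIN
    return s


def severity(s: int) -> str:
    """Map a score to the first band whose threshold it meets."""
    for threshold, label in BANDS:
        if s >= threshold:
            return label
    return "low"


def prioritize(assets):
    """Rank highest risk first; returns (name, score, severity) tuples."""
    ranked = sorted(assets, key=score, reverse=True)
    return [(a.name, score(a), severity(score(a))) for a in ranked]


# The two assets from the text, plus a discovered CI console nobody claims.
SAMPLE_ASSETS = [
    Asset("www.example.com (marketing, CDN-fronted)", "filtered", "public_web",
          "current", "public", "it"),
    Asset("rdp.example.com (exposed RDP, no MFA)", "direct", "administrative",
          "public_exploit", "sensitive", "it", mfa=False),
    Asset("jenkins.dev.example.com (shadow CI console)", "direct", "administrative",
          "known_cve", "internal", "unowned"),
]

if __name__ == "__main__":
    for name, s, label in prioritize(SAMPLE_ASSETS):
        print(f"{label:9s} {s:2d}  {name}")
```

The unowned CI console lands in the same band as the RDP server even though it has no known public exploit: the ownership dimension carries the weight, which is the point the text makes about shadow IT. Whatever scales a program adopts, the ranking should be reviewed against a handful of real findings the team already agrees on before it drives ticket priority.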
### Continuous Monitoring
The attack surface is not static. New assets deploy daily. Cloud instances spin up and down. DNS records change. Acquisitions add entire new networks. Shadow IT appears when a department signs up for a new SaaS tool. ASM must be continuous, not periodic.
Continuous monitoring detects changes: new assets appearing on the surface (a developer deployed a test server to the internet), existing assets changing risk posture (a patch was missed and a known vulnerability is now exploitable), and assets disappearing (a decommissioned system was properly removed, or a system went offline unexpectedly).
Change detection is where ASM provides the most operational value. The organization's attack surface at 9:00 AM may differ from its attack surface at 5:00 PM. A weekly scan captures one snapshot. Continuous monitoring captures the drift.
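The 9:00 AM versus 5:00 PM drift described above, as an added example of change detection between two scanner snapshots. This is not CDA's or any vendor's code; both snapshots are constructed, the IPs are documentation addresses, the CVE identifiers are placeholders, and `HIGH_RISK_PORTS` is an assumed list that a real program would set from its own policy.

```python
"""Added example (not CDA's or any vendor's code): diff two constructed
attack-surface snapshots and turn the drift into prioritized alerts."""

# Ports whose appearance on an internet-facing host warrants an urgent look
# (assumed list for this example; tune to the organization's own policy).
HIGH_RISK_PORTS = {22: "ssh", 3389: "rdp", 5432: "postgresql", 8080: "http-alt/management"}

# Constructed snapshots, as a continuous scanner might record them at 09:00
# and 17:00 on the same day. CVE ids are placeholders, not real advisories.
SNAPSHOT_0900 = {
    "www.example.com":    {"ip": "203.0.113.10", "ports": {443}, "cves": set()},
    "api.example.com":    {"ip": "203.0.113.20", "ports": {443}, "cves": set()},
    "vpn.example.com":    {"ip": "203.0.113.40", "ports": {443}, "cves": set()},
    "legacy.example.com": {"ip": "203.0.113.50", "ports": {80},  "cves": {"CVE-0000-PLACEHOLDER-1"}},
}
SNAPSHOT_1700 = {
    "www.example.com":     {"ip": "203.0.113.10", "ports": {443},       "cves": set()},
    "api.example.com":     {"ip": "203.0.113.20", "ports": {443, 8080}, "cves": set()},  # management port now open
    "vpn.example.com":     {"ip": "203.0.113.40", "ports": {443},       "cves": {"CVE-0000-PLACEHOLDER-2"}},  # new advisory matched
    "test-db.example.com": {"ip": "203.0.113.60", "ports": {5432},      "cves": set()},  # appeared during the day
    # legacy.example.com is gone: decommissioned on purpose, or an outage?
}


def diff_snapshots(before, after):
    """Return drift events as (event, asset, detail, priority) tuples."""
    events = []
    for name in sorted(after.keys() - before.keys()):
        ports = after[name]["ports"]
        prio = "high" if ports & set(HIGH_RISK_PORTS) else "medium"
        events.append(("new_asset", name, "ports " + ",".join(map(str, sorted(ports))), prio))
    for name in sorted(before.keys() - after.keys()):
        # Disappearance is a finding too: confirm it was intended.
        events.append(("asset_gone", name, "confirm decommission ticket or investigate outage", "medium"))
    for name in sorted(before.keys() & after.keys()):
        b, a = before[name], after[name]
        if a["ip"] != b["ip"]:
            events.append(("ip_changed", name, f"{b['ip']} -> {a['ip']}", "medium"))
        for port in sorted(a["ports"] - b["ports"]):
            label = HIGH_RISK_PORTS.get(port)
            detail = f"{port}" + (f" ({label})" if label else "")
            events.append(("port_opened", name, detail, "high" if label else "low"))
        for cve in sorted(a["cves"] - b["cves"]):
            # Risk posture changed with no change on the host itself.
            events.append(("new_vulnerability", name, cve, "high"))
    return events


def alerts(events, min_priority="high"):
    """Filter drift events down to those at or above the given priority."""
    order = {"high": 0, "medium": 1, "low": 2}
    return [e for e in events if order[e[3]] <= order[min_priority]]


if __name__ == "__main__":
    for event, asset, detail, prio in diff_snapshots(SNAPSHOT_0900, SNAPSHOT_1700):
        print(f"{prio:6s} {event:18s} {asset:22s} {detail}")
```

A weekly scan of the same environment would report four hosts with a handful of ports and never show the sequence: the management port opened on the API host, the test database appeared, and the VPN concentrator's risk changed without the host changing at all. Treating a vanished asset as an event, not just a cleaner inventory, is what catches the unexpected outage alongside the intended decommission.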
## Why It Matters
### The Unknown Surface Is Where Breaches Start
Organizations scan the assets they know about. Vulnerability management programs are built around inventoried assets. But the assets that cause breaches are often the ones nobody inventoried: the forgotten server, the shadow SaaS application, the acquired company's unmanaged infrastructure, the test environment that became permanent.
ASM closes this gap by discovering assets from the outside, the same way an attacker does. If ASM finds an asset that the organization's internal inventory does not contain, that asset is a blind spot, and blind spots are where attackers establish footholds.
### Cloud and SaaS Expansion
Cloud adoption and SaaS proliferation have expanded attack surfaces dramatically. A mid-market organization in 2015 might have had 50 internet-facing assets. The same organization in 2026 might have 500: production web applications, staging environments, cloud APIs, SaaS integrations, third-party portals, and developer tools. Managing this expansion without continuous ASM is guessing.
### Regulatory Pressure
Regulatory frameworks increasingly reference attack surface management. NIST CSF 2.0's Identify function includes asset management as a foundational category. PCI DSS 4.0 requires identification of all system components in the cardholder data environment. CISA's Cross-Sector Cybersecurity Performance Goals reference external attack surface monitoring. The direction is clear: regulators expect organizations to know what they expose to the internet.
### M&A Risk
Acquiring another company means inheriting its attack surface. Due diligence that does not include ASM can miss critical exposures: the acquired company's forgotten test server with default credentials, the subsidiary's unpatched web application, the domain names pointing to infrastructure nobody manages. ASM should be standard practice in M&A cybersecurity due diligence.
## CDA Perspective
Attack surface management sits in the VSD (Vulnerability and Surface Defense) domain of the Planetary Defense Model. VSD is the ocean layer: the coastline where adversaries probe and land. ASM is the discipline of knowing the exact shape, length, and vulnerability of that coastline.
CDA's Continuous Surface Reduction (CSR) methodology governs VSD: "Every surface you expose is a surface we eliminate." ASM provides the discovery that CSR acts on. You cannot reduce a surface you have not mapped. ASM maps it. CSR reduces it.
The historical parallel: Hadrian's engineers surveyed the entire northern frontier of Britannia before deciding where to build the wall. They mapped the terrain, identified the natural obstacles, cataloged the crossing points, and selected the defensive line that provided maximum coverage with minimum resource expenditure. ASM is the digital equivalent of that survey: map the entire surface before deciding where to concentrate defenses and what to eliminate.
Three TOP missions connect directly to ASM:
- VSD-R01 (External Attack Surface Discovery): The initial ASM operation. Discover every internet-facing asset, classify by risk, and identify unknown exposures. 16 estimated hours. This is the mission that reveals the organization's real attack surface versus its assumed attack surface. The delta between those two numbers is the measure of its blind spots.
- VSD-B03 (Attack Surface Reduction): Act on the discovery findings. Decommission unnecessary services. Consolidate entry points. Harden remaining exposed assets. Apply WAF protection. Restrict administrative interfaces. 24 estimated hours. This is CSR in action: every surface identified in VSD-R01 that is not operationally necessary is eliminated.
- VSD-C01 (Continuous Surface Monitoring): Sustain ASM in steady state. Continuous discovery, change detection, and new-asset alerting. 8 estimated hours per month. The attack surface does not stop changing. Monitoring does not stop either.
The interaction with adjacent domains: SPH provides the configuration data that explains why an asset is exposed (a misconfigured firewall rule, a default cloud security group). IAT provides the authentication context (is the exposed service protected by MFA, or is it accessible with default credentials?). TID consumes ASM data as threat intelligence input (an asset discovered by ASM that also appears in a threat actor's reconnaissance tooling is an elevated priority). DPS determines the impact (what data is accessible through the exposed asset?). RGA mandates the ASM program through compliance requirements and funds it through risk-based investment.
CDA approaches ASM differently from vendor-only deployments in one specific way: ASM tools produce discovery data. CDA's operators produce reduction. The tool tells you the surface is 500 assets. CDA's CSR methodology reduces it to 200. The tool discovers. The operator eliminates. That operational cycle, discovery followed by reduction followed by verification, is the CSR closed loop that makes ASM investment produce measurable security improvement rather than a longer list of known exposures.
## Key Takeaways
- ASM continuously discovers, classifies, and monitors internet-facing assets from the attacker's perspective, revealing the organization's real attack surface including unknown and shadow IT assets.
- The most dangerous assets are the ones nobody knows about: forgotten servers, acquired company infrastructure, shadow SaaS, and unmanaged cloud resources. ASM discovers them before attackers do.
- ASM must be continuous, not periodic. The attack surface changes daily with cloud deployments, SaaS signups, DNS changes, and business operations.
- CDA's CSR methodology closes the loop: ASM discovers the surface, CSR reduces it, and continuous monitoring verifies the reduction holds. Discovery without reduction is a longer list of problems.
- Three VSD missions map directly to ASM: VSD-R01 (discover), VSD-B03 (reduce), VSD-C01 (monitor continuously).
## Related Articles
- Vulnerability and Surface Defense (VSD): The Oceans
- Penetration Testing
- Zero Trust Architecture
- Ransomware
- NIST Cybersecurity Framework (CSF) 2.0
- Why the PDM Never Needs a Seventh Domain
## Sources
- Gartner. "Hype Cycle for Security Operations, 2024: External Attack Surface Management." Gartner, 2024.
- Cybersecurity and Infrastructure Security Agency (CISA). "Binding Operational Directive 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks." CISA, October 2022.
- National Institute of Standards and Technology (NIST). "Cybersecurity Framework (CSF) 2.0: ID.AM (Asset Management)." U.S. Department of Commerce, 2024.
- OWASP Foundation. "OWASP Attack Surface Analysis Cheat Sheet." OWASP, 2024.
- Mandiant (Google Cloud). "M-Trends 2024: Special Report." Mandiant, April 2024.
Written by Evan Morgan