SurfaceScan

What Is External Attack Surface Management (EASM)?

External Attack Surface Management is the continuous process of discovering, analysing, and securing every internet-facing asset your organisation owns. Learn why EASM has become essential, what it covers, and how it differs from traditional vulnerability scanning.

Your organisation is bigger than you think

Ask your IT team how many domains, subdomains, IP addresses, and cloud services your company has exposed to the internet. Then compare their answer to reality.

The gap is almost always significant. Research consistently shows that organisations underestimate their external attack surface by 30 to 80 percent. The assets they do not know about -- forgotten staging servers, orphaned DNS records, cloud buckets spun up by a developer two years ago, SaaS integrations that marketing configured without a ticket -- are precisely the assets that attackers find first.

External Attack Surface Management (EASM) exists to close that gap.

Defining EASM

External Attack Surface Management is the continuous process of discovering, inventorying, analysing, and monitoring all internet-facing assets belonging to an organisation -- and identifying the security risks they introduce.

The key word is external. EASM looks at your organisation the way an attacker does: from the outside, without credentials, without network access, without insider knowledge. It answers a deceptively simple question: what can someone on the internet see, reach, and potentially exploit?

That includes:

  • Domains and subdomains -- your primary domains, but also the long tail of subdomains created by different teams over the years
  • IP addresses -- owned ranges, cloud-allocated IPs, CDN endpoints, and third-party hosting
  • Web applications -- production sites, staging environments, admin panels, API gateways, documentation portals
  • Email infrastructure -- MX records, SPF/DKIM/DMARC configuration, mail server TLS
  • DNS records -- every A, CNAME, MX, TXT, and NS record, including the ones that point to resources you no longer control
  • TLS certificates -- validity, chain correctness, cipher suites, protocol versions
  • Open ports and services -- every network service reachable from the internet, from SSH to databases to legacy protocols
  • Cloud resources -- storage buckets, serverless functions, container registries, and anything else deployed in your cloud accounts that faces the internet

EASM is not a one-time audit. It runs continuously because your attack surface changes continuously. New assets appear, configurations drift, certificates expire, and the threat landscape evolves.

Why traditional approaches fall short

Organisations have been doing vulnerability scanning and penetration testing for decades. Both are valuable. Neither solves the problem EASM addresses.

Vulnerability scanning assumes you know what to scan

Traditional vulnerability scanners require a target list: here are our IPs, here are our domains, scan these. But the entire point of EASM is that you do not have a complete target list. You cannot scan what you do not know exists. EASM starts with discovery -- building the target list from the outside in, using the same techniques an attacker would use.

Penetration testing is deep but narrow

A penetration test focuses on a specific scope (usually a single application or network segment) and goes deep. It is excellent at finding complex, chained vulnerabilities that automated tools miss. But it happens once or twice a year, covers a fraction of your surface, and produces a report that is outdated within weeks as infrastructure changes.

Asset inventories are always stale

Most organisations maintain a CMDB or asset inventory. Most of those inventories are incomplete and out of date the moment they are created. They rely on teams self-reporting what they have deployed, which only works for assets that went through the proper change management process. The assets that slip through -- the shadow IT, the temporary projects, the acquired company's infrastructure -- are exactly the ones that create risk.

Cloud changed everything

In a data centre world, new infrastructure required a purchase order, a rack, and a network engineer. The attack surface changed slowly, and manual inventory was feasible. In a cloud world, anyone with an AWS access key can create a publicly accessible service in seconds. The rate of change has outpaced manual tracking.

The EASM lifecycle

Effective EASM is a continuous cycle with five stages.

1. Discovery

Discovery is the foundation. It answers: what assets does this organisation have on the internet?

EASM tools start with seed information -- your known domains, IP ranges, and organisation name -- and expand outward using techniques like:

  • DNS enumeration -- resolving subdomains through wordlists, zone files, and recursive queries
  • Certificate Transparency (CT) logs -- every publicly trusted TLS certificate is logged in CT logs, revealing subdomains and services you may not have known about
  • Reverse DNS and WHOIS -- mapping IP ranges to organisations and discovering related infrastructure
  • Web crawling -- following links, JavaScript references, and API calls to find connected services
  • Search engine and internet scanner data -- leveraging databases like Shodan, Censys, and search engine caches

The goal is a complete inventory of everything your organisation exposes to the internet, including assets that no internal team has documented.
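As an added illustration of the Certificate Transparency technique listed above (example code written for this article, not SurfaceScan's own tooling), the following Python turns a batch of CT search results into a scoped hostname inventory for one seed domain. The JSON records are constructed, and their shape (issuer, newline-separated SAN list, expiry) is assumed to resemble what a typical CT search service returns.

```python
import json

# Constructed Certificate Transparency search results for this example. The
# JSON shape mimics a per-certificate record from a CT search service (issuer,
# SAN list separated by newlines, expiry), but every entry here is made up.
SAMPLE_CT_RESULTS = json.dumps([
    {"issuer_name": "O=Example CA 1", "not_after": "2025-12-01T00:00:00",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "O=Example CA 1", "not_after": "2022-03-15T00:00:00",
     "name_value": "staging-old.example.com"},
    {"issuer_name": "O=Example CA 2", "not_after": "2026-01-10T00:00:00",
     "name_value": "*.api.example.com\nAPI.example.com"},
    {"issuer_name": "O=Example CA 1", "not_after": "2026-01-10T00:00:00",
     "name_value": "example.com.evil-lookalike.net"},
])

def in_scope(name: str, seed_domain: str) -> bool:
    """True for the seed domain itself or any subdomain of it; a hostname that
    merely contains the seed (a lookalike domain) is out of scope."""
    return name == seed_domain or name.endswith("." + seed_domain)

def subdomains_from_ct(raw_json: str, seed_domain: str) -> dict:
    """Collapse CT results into a hostname inventory for the seed domain.

    Each SAN is lowercased, wildcard SANs are recorded under the base hostname
    with a wildcard flag, and the newest certificate expiry seen for a hostname
    is kept (ISO 8601 timestamps of equal format compare correctly as strings).
    """
    inventory = {}
    for cert in json.loads(raw_json):
        for san in cert["name_value"].split("\n"):
            name = san.strip().lower()
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]
            if not in_scope(name, seed_domain):
                continue
            entry = inventory.setdefault(name, {"wildcard": False, "latest_expiry": ""})
            entry["wildcard"] = entry["wildcard"] or wildcard
            entry["latest_expiry"] = max(entry["latest_expiry"], cert["not_after"])
    return inventory

def likely_stale(inventory: dict, as_of: str) -> list:
    """Hostnames whose newest certificate expired before as_of: a candidate
    list of forgotten hosts to verify, not proof that they are gone."""
    return sorted(h for h, e in inventory.items() if e["latest_expiry"] < as_of)
```

CT logs record names that were certified, not hosts that currently exist, so the inventory is a candidate list that still has to be resolved and probed.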

2. Classification

Once assets are discovered, they need to be classified:

  • What type of asset is this? (Web server, mail server, DNS record, cloud storage, API endpoint)
  • What technology stack is it running? (Nginx, Apache, WordPress, Node.js, a specific SaaS platform)
  • Who owns it? (Which team, department, or business unit is responsible?)
  • Is it supposed to be here? (Known production asset vs. unknown or orphaned)

Classification turns a list of IP addresses and hostnames into an intelligible map of your infrastructure.

3. Risk assessment

With a classified inventory, EASM evaluates the security posture of each asset:

  • TLS configuration -- expired certificates, weak cipher suites, missing HSTS, certificate chain issues
  • Email security -- SPF, DKIM, DMARC configuration and enforcement level
  • Network exposure -- open ports, unnecessary services, legacy protocols like Telnet and FTP
  • Web security -- missing security headers, exposed admin panels, default credentials, API documentation endpoints
  • DNS health -- orphaned records that enable subdomain takeover, missing or misconfigured records
  • Known vulnerabilities -- outdated software with published CVEs
  • Cloud misconfiguration -- public storage buckets, overly permissive access policies

Each finding gets a severity rating so your team can prioritise what to fix first.
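To show how the email security check above turns raw DNS records into severity-rated findings, here is an added Python example (not SurfaceScan's code). The TXT records are constructed, and the severity assignments are this example's own rating scheme, not a standard.

```python
# Constructed DNS TXT answers for two domains (not real lookups). Each entry
# holds the apex TXT set and the _dmarc.<domain> TXT set a scanner would fetch.
SAMPLE_RECORDS = {
    "weak.example": (["v=spf1 include:_spf.mailhost.example +all"],
                     ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"]),
    "strong.example": (["v=spf1 include:_spf.mailhost.example -all", "site-verification=abc123"],
                       ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"]),
}

def spf_findings(txt_records):
    """Rate the SPF catch-all qualifier, which decides what receivers do with unlisted senders."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "SPF: no record published")]
    if len(spf) > 1:
        return [("high", "SPF: multiple records, receivers treat this as permerror")]
    alls = [t for t in spf[0].split() if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        return [("medium", "SPF: no 'all' mechanism, unlisted senders get a neutral result")]
    qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"   # bare 'all' means +all
    return {
        "+": [("high", "SPF: +all lets any host send as this domain")],
        "?": [("medium", "SPF: ?all is neutral, spoofed mail is not penalised")],
        "~": [("low", "SPF: ~all is softfail, consider -all once DMARC is at p=reject")],
        "-": [],
    }[qualifier]

def dmarc_findings(dmarc_records):
    """Rate DMARC enforcement (p=, pct=) and whether aggregate reports (rua=) are collected."""
    recs = [r for r in dmarc_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return [("high", "DMARC: no record at _dmarc.<domain>")]
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    policy = tags.get("p", "none").lower()
    out = []
    if policy == "none":
        out.append(("high", "DMARC: p=none only monitors, spoofed mail is still delivered"))
    elif policy == "quarantine":
        out.append(("medium", "DMARC: p=quarantine, move to p=reject once reports are clean"))
    if policy != "none" and int(tags.get("pct", "100")) < 100:
        out.append(("medium", f"DMARC: pct={tags['pct']} applies the policy to only part of the mail"))
    if "rua" not in tags:
        out.append(("low", "DMARC: no rua= address, aggregate reports are not collected"))
    return out

def assess_email_auth(txt_records, dmarc_records):
    """SPF and DMARC findings for one domain, highest severity first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(spf_findings(txt_records) + dmarc_findings(dmarc_records), key=lambda f: rank[f[0]])
```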

4. Remediation

Findings without remediation are just noise. Effective EASM integrates with your existing workflows:

  • Findings are assigned to the team that owns the asset
  • Severity-based SLAs define how quickly each issue must be addressed
  • Progress is tracked and escalated when SLAs are missed
  • Remediation is verified automatically on the next scan

5. Continuous monitoring

The cycle repeats. New scans detect new assets, configuration changes, newly expired certificates, and newly published vulnerabilities. Alerts fire when something changes -- a new subdomain appears, a port opens, a TLS certificate is about to expire, or a DNS record changes unexpectedly.

This continuous loop is what separates EASM from point-in-time assessments. Your attack surface never stops changing, and your monitoring should not either.
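An added Python example (not SurfaceScan's implementation) of the change detection this stage describes: it diffs two constructed scan snapshots and raises the alert types named above (new asset, newly opened port, unexpected DNS change, certificate nearing expiry). The snapshot schema, the severity choices and the 30-day expiry window are assumptions.

```python
from datetime import datetime

# Constructed scan snapshots (not real scan output): hostname -> observed state.
PREVIOUS_SCAN = {
    "www.example.com": {"ports": {443}, "cname": None, "cert_not_after": "2026-03-01"},
    "api.example.com": {"ports": {443}, "cname": "lb-1.cloudhost.example",
                        "cert_not_after": "2025-07-20"},
}
LATEST_SCAN = {
    "www.example.com": {"ports": {443, 8080}, "cname": None, "cert_not_after": "2026-03-01"},
    "api.example.com": {"ports": {443}, "cname": "old-bucket.storage.example",
                        "cert_not_after": "2025-07-20"},
    "test.example.com": {"ports": {22, 80}, "cname": None, "cert_not_after": None},
}

def diff_snapshots(prev, cur, as_of, expiry_window_days=30):
    """Compare two scans and return (severity, host, message) alerts.

    Asset appearance, disappearance, port and CNAME changes come from the diff;
    certificate expiry is checked against as_of on every run, so it fires even
    when nothing changed between scans.
    """
    alerts = []
    today = datetime.strptime(as_of, "%Y-%m-%d")
    for host in sorted(set(cur) - set(prev)):
        alerts.append(("medium", host, f"new asset, open ports {sorted(cur[host]['ports'])}"))
    for host in sorted(set(prev) - set(cur)):
        alerts.append(("low", host, "asset gone, check for a dangling DNS record"))
    for host in sorted(set(prev) & set(cur)):
        p, c = prev[host], cur[host]
        for port in sorted(c["ports"] - p["ports"]):
            sev = "medium" if port in (80, 443) else "high"   # non-web services are rarely intended
            alerts.append((sev, host, f"port {port} newly open"))
        if c["cname"] != p["cname"]:   # a CNAME moving to an unknown target is a takeover warning sign
            alerts.append(("medium", host, f"CNAME changed {p['cname']} -> {c['cname']}"))
    for host, c in sorted(cur.items()):
        if c["cert_not_after"]:
            days_left = (datetime.strptime(c["cert_not_after"], "%Y-%m-%d") - today).days
            if days_left < expiry_window_days:
                sev = "high" if days_left < 0 else "medium"
                alerts.append((sev, host, f"TLS certificate expires in {days_left} days"))
    return alerts
```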

What EASM is not

To avoid confusion, it helps to draw some boundaries.

EASM is not a WAF (Web Application Firewall). A WAF protects known applications from known attack patterns in real time. EASM discovers what needs protecting in the first place.

EASM is not an internal vulnerability scanner. Tools like Nessus, Qualys, or OpenVAS scan internal networks with authenticated access. EASM scans from the outside without credentials.

EASM is not a SIEM. A SIEM aggregates logs and detects incidents in progress. EASM is proactive -- it finds weaknesses before they are exploited.

EASM is not a penetration test. A pentest attempts to exploit vulnerabilities to prove impact. EASM identifies and classifies exposure at scale without exploitation.

These tools are complementary, not competing. EASM feeds better target lists to your vulnerability scanner, better scope definitions to your pentesters, and better asset context to your SIEM.

Who needs EASM?

The short answer: any organisation with more than a handful of internet-facing assets. More specifically:

  • Companies growing through acquisition -- every acquisition adds an unknown attack surface that needs immediate visibility
  • Organisations with multiple development teams -- more teams means more shadow IT, more staging environments, more "temporary" services that become permanent
  • Regulated industries -- ISO 27001, NIS2, SOC 2, PCI DSS, and GDPR all require organisations to understand and manage their external exposure
  • Companies undergoing cloud migration -- the transition period is when asset tracking is most likely to break down
  • Any security team that has ever been surprised by an asset they did not know existed showing up in a breach report, a pentest finding, or a Shodan search result

EASM and compliance

Regulatory frameworks increasingly require the capabilities that EASM provides:

  • ISO 27001 (Annex A, A.8.8) requires management of technical vulnerabilities, including awareness of all assets exposed to threats
  • NIS2 (Article 21) requires appropriate measures for vulnerability handling and risk assessment, which presupposes knowing what you have
  • SOC 2 (CC6.1, CC7.1) requires detection of changes to infrastructure and monitoring of boundary protection
  • PCI DSS (Requirement 11) requires regular scanning and testing of security systems

EASM does not replace a compliance programme, but it provides the continuous evidence and asset visibility that auditors expect. Without it, compliance is based on assumptions rather than data.

How SurfaceScan approaches EASM

SurfaceScan is an EASM platform built for organisations that need continuous visibility into their external attack surface without the complexity of enterprise tools designed for Fortune 500 security operations centres.

You start with your domains. SurfaceScan discovers everything connected to them -- subdomains, IPs, mail servers, DNS records, TLS certificates, open ports, and cloud resources. Every asset is assessed against a comprehensive set of security checks covering TLS, email authentication, DNS hygiene, network exposure, web security headers, and known vulnerabilities.

Findings are prioritised by severity, tracked over time, and presented with actionable remediation guidance. When something changes -- a new subdomain, an expiring certificate, a newly opened port -- you know about it.

The result: a continuously updated, accurate picture of your external attack surface, with clear priorities for your security team and ready-made evidence for your next audit.

Discover what is exposed at surfacescan.dev.