What is Attack Surface Management? A Complete Introduction
Attack surface management (ASM) helps organisations discover, monitor, and secure all internet-facing assets. Learn the ASM lifecycle and why continuous monitoring matters.
What is an attack surface?
Your attack surface is the sum of all the points where an attacker could try to enter or extract data from your environment. Every domain, subdomain, IP address, open port, web application, API endpoint, cloud service, and email server that is reachable from the internet is part of your external attack surface.
The larger your attack surface, the more opportunities an attacker has to find a weakness. And here is the problem: most organisations do not know how large their attack surface actually is.
External vs internal attack surface
External attack surface
Everything visible from the internet without authentication:
- Public websites and web applications
- APIs and webhooks
- Email servers and DNS records
- Cloud storage buckets
- VPN gateways and remote access points
- Forgotten staging and development servers
- Third-party services configured for your domain
This is what attack surface management primarily focuses on, because it is what attackers see first.
Internal attack surface
Everything inside your network perimeter:
- Internal applications and databases
- Active Directory and identity infrastructure
- Workstations and endpoints
- Internal APIs and microservices
- Network devices (switches, routers, printers)
Internal attack surface matters too, but it requires a different set of tools (EDR, internal vulnerability scanners, network segmentation) and is typically addressed after the external surface is under control.
Why attack surfaces grow over time
Attack surfaces do not stay static. They grow -- often without anyone noticing. The most common causes:
Cloud migration
Every cloud account, VM, container, storage bucket, and serverless function is a potential exposure point. Cloud makes it trivially easy to spin up new resources, and most organisations lack visibility into everything their teams have deployed.
Mergers and acquisitions
When your company acquires another, you inherit their entire attack surface -- including their technical debt, forgotten servers, and shadow IT. Due diligence often focuses on financials and legal, not on the 47 subdomains the acquired company has pointing to decommissioned Heroku apps.
Shadow IT
Developers spin up test environments. Marketing launches a campaign microsite. Sales creates a demo portal. HR deploys a candidate assessment tool. Each one adds to the attack surface, often without the security team's knowledge.
Forgotten assets
Servers that were set up for a project two years ago and never decommissioned. DNS records that point to services that no longer exist. Cloud instances that were "temporary" and became permanent.
Third-party services
Every SaaS tool that integrates with your domain (email providers, CDNs, analytics, CRMs) extends your attack surface. If a third-party service is compromised or misconfigured, your domain may be affected.
Developer and partner access
Staging environments, CI/CD pipelines, partner API endpoints, and webhook receivers all add exposure. These are often less hardened than production systems because they are considered "internal."
The ASM lifecycle
Attack surface management is a continuous process, not a one-time project. It follows five stages:
1. Discover
Find everything that belongs to your organisation on the internet. This goes beyond your known asset inventory to include:
- Subdomain enumeration (DNS brute forcing, certificate transparency logs, passive DNS)
- IP range discovery (WHOIS, BGP, cloud provider APIs)
- Linked infrastructure (third-party services, CDN origins, DNS records)
- Shadow IT and forgotten assets
Discovery is the foundation. You cannot secure what you do not know about.
2. Inventory
Create a comprehensive, continuously updated inventory of all discovered assets. For each asset, record:
- IP address or hostname
- Owner (which team or person is responsible)
- Purpose (production, staging, development, legacy)
- Technology stack (web server, OS, framework)
- Classification (critical, important, low-value)
3. Classify
Prioritise assets based on their importance and exposure:
- Critical -- production systems handling sensitive data, customer-facing applications, authentication infrastructure
- Important -- internal tools, staging environments, non-sensitive APIs
- Low-value -- test systems, static documentation sites
Classification determines how urgently findings need to be addressed.
4. Monitor
Continuously check every asset for:
- Open ports and exposed services (see our guide on open ports security)
- Vulnerability detection (known CVEs, misconfigurations)
- TLS certificate health (expiry, weak ciphers, chain issues)
- DNS record integrity (orphan records, subdomain takeover risks)
- Email authentication (SPF, DKIM, DMARC)
- HTTP security headers
- Changes from the last scan (new ports, new services, new subdomains)
Point-in-time scans (running a vulnerability scan once a quarter) miss everything that happens between scans. Continuous monitoring catches changes as they happen.
5. Remediate
Act on findings:
- Fix vulnerabilities according to severity-based SLAs
- Decommission unnecessary assets
- Harden configurations
- Update DNS records
- Patch or replace outdated software
- Track remediation progress over time
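The five stages above run end to end over constructed sample data, as an added example that is not code from the original article or from SurfaceScan. It assumes a crt.sh-style JSON shape for certificate transparency results, hostname patterns as a stand-in for the owner and purpose fields you would normally pull from cloud tags or a CMDB, and two constructed scan snapshots in place of a real port, DNS and TLS scanner.

```python
"""ASM lifecycle in miniature: discover, inventory, classify, monitor, prioritise."""
import json
import re
from dataclasses import dataclass

ORG_DOMAINS = {"example.com"}
# 1. Discover.  Constructed to mimic the JSON shape of a crt.sh query: one entry
# per certificate, names newline-separated in name_value.
CT_LOG_SAMPLE = json.dumps([
    {"name_value": "example.com\nwww.example.com"},
    {"name_value": "*.staging.example.com"},           # wildcard certificate
    {"name_value": "old-campaign.example.com"},        # forgotten microsite
    {"name_value": "api.example.com"},
    {"name_value": "example.com.evil-lookalike.net"},  # wrong suffix, not ours
    {"name_value": "notexample.com"},                  # substring only, not ours
])

def owned(host: str, org_domains: set[str]) -> bool:
    """Match on a label boundary only, so 'notexample.com' is rejected."""
    return any(host == d or host.endswith("." + d) for d in org_domains)

def discover_from_ct(ct_json: str, org_domains: set[str]) -> set[str]:
    found = set()
    for entry in json.loads(ct_json):
        for name in entry["name_value"].splitlines():
            name = name.strip().lower()
            if name.startswith("*."):      # a wildcard proves the parent exists
                name = name[2:]
            if owned(name, org_domains):
                found.add(name)
    return found

# 2/3. Inventory and classify.  Owner and purpose would come from cloud tags or
# a CMDB; hostname patterns stand in for them here (an assumption).
CLASSIFY_RULES = [(r"^(www|api|auth|login|sso)\.", "critical"),
                  (r"^(staging|stage|uat)\.", "important")]

@dataclass(frozen=True)
class Asset:
    host: str
    classification: str

def classify(host: str, org_domains: set[str]) -> str:
    if host in org_domains:
        return "critical"              # apex: mail and DNS records hang off it
    for pattern, cls in CLASSIFY_RULES:
        if re.match(pattern, host):
            return cls
    return "low-value"

def build_inventory(hosts: set[str], org_domains: set[str]) -> dict[str, Asset]:
    return {h: Asset(h, classify(h, org_domains)) for h in sorted(hosts)}

# 4. Monitor.  Both snapshots are constructed; a real scanner fills them from
# port scans, DNS resolution and TLS checks.
PREVIOUS_SCAN = {
    "example.com":     {"ports": [80, 443], "cert_days_left": 180},
    "www.example.com": {"ports": [443], "cert_days_left": 100},
    "api.example.com": {"ports": [443], "cert_days_left": 100},
}
CURRENT_SCAN = {
    "example.com":     {"ports": [80, 443], "cert_days_left": 90},
    "www.example.com": {"ports": [443], "cert_days_left": 10},
    "api.example.com": {"ports": [443, 8080], "cert_days_left": 100},
    "staging.example.com": {"ports": [22, 443], "cert_days_left": 60},
    "old-campaign.example.com": {"ports": [443], "cert_days_left": 60,
                                 "cname": "old-campaign.herokuapp.com",
                                 "cname_resolves": False},
}
RANK = {"low": 1, "medium": 2, "high": 3}
BUMP = {"low": "medium", "medium": "high", "high": "high"}

def monitor(previous: dict, current: dict, inventory: dict[str, Asset]) -> list[dict]:
    findings = []

    def add(host: str, sev: str, title: str) -> None:
        if inventory[host].classification == "critical":
            sev = BUMP[sev]                 # same exposure, higher-value asset
        findings.append({"host": host, "severity": sev, "title": title})

    for host, now in current.items():
        before = previous.get(host)
        if before is None:
            add(host, "low", f"new internet-facing host, ports {sorted(now['ports'])}")
        else:
            for port in sorted(set(now["ports"]) - set(before["ports"])):
                add(host, "medium", f"newly exposed port {port}")
        # A CNAME to a provider name that no longer resolves is the precondition
        # for subdomain takeover: whoever registers the target serves our name.
        if now.get("cname") and not now.get("cname_resolves", True):
            add(host, "high", f"dangling CNAME to {now['cname']} (takeover candidate)")
        if now["cert_days_left"] < 30:
            add(host, "medium", f"TLS certificate expires in {now['cert_days_left']} days")
    # 5. Remediate: hand over the list ordered by severity, then host.
    return sorted(findings, key=lambda f: (-RANK[f["severity"]], f["host"]))

def run_lifecycle() -> list[dict]:
    hosts = discover_from_ct(CT_LOG_SAMPLE, ORG_DOMAINS)
    return monitor(PREVIOUS_SCAN, CURRENT_SCAN, build_inventory(hosts, ORG_DOMAINS))
```

Calling `run_lifecycle()` on the sample data yields three high findings (the newly exposed port on api, the certificate on www that expires in ten days, and the dangling Heroku CNAME on old-campaign) and two low findings for the hosts that were not in the previous scan. Two details carry the weight: the suffix match in `owned` stops lookalike and substring domains from polluting the inventory, and the severity bump in `add` is what turns a generic "certificate expires soon" into a priority when the asset is classified critical.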
How ASM differs from traditional vulnerability scanning
| | Traditional vulnerability scanning | Attack surface management |
|---|---|---|
| Scope | Known assets only (you tell it what to scan) | Discovers assets you did not know about |
| Frequency | Periodic (weekly, monthly, quarterly) | Continuous |
| Perspective | Inside-out (scans from your network) | Outside-in (scans from the internet, like an attacker) |
| Discovery | None -- relies on your asset inventory | Active discovery of subdomains, IPs, cloud resources |
| Focus | CVE detection on known hosts | Holistic: CVEs, misconfigurations, exposed services, DNS, TLS, email |
| Shadow IT | Misses it entirely | Designed to find it |
ASM does not replace vulnerability scanning -- it extends it. Think of traditional scanning as checking the locks on doors you know about. ASM finds the doors you did not know existed.
Why continuous monitoring matters
Point-in-time vs continuous
A quarterly vulnerability scan tells you what your security posture looked like on one specific day. But your attack surface changes daily:
- New subdomains are created
- Cloud instances are spun up
- TLS certificates expire
- DNS records are modified
- New services are deployed
- Employees leave and their projects are abandoned
Without continuous monitoring, you have blind spots between scans. Continuous monitoring closes this gap.
Mean time to discovery
Without continuous monitoring, an exposed asset can sit unnoticed for weeks or months, until the next scheduled scan or until someone else finds it. With continuous monitoring, detection time drops to the scan interval, typically hours. This directly affects your risk: the longer an exposure exists, the more likely it is to be found by an attacker.
How ASM maps to compliance frameworks
ISO 27001
ASM directly supports several Annex A controls (ISO/IEC 27001:2022 numbering):
- A.5.9 -- Inventory of information and other associated assets
- A.8.8 -- Management of technical vulnerabilities
- A.8.9 -- Configuration management
See our guide on ISO 27001 vulnerability scanning requirements for how ASM evidence satisfies auditor expectations.
NIS2
NIS2 Article 21 requires risk management measures including vulnerability handling and effectiveness assessment. Continuous attack surface monitoring provides both. See our NIS2 compliance guide for the full mapping.
SOC 2
SOC 2 Trust Services Criteria CC7.1 (detecting changes to infrastructure and configurations that introduce new vulnerabilities) and CC6.1 (logical access security over protected information assets) are directly supported by ASM.
PCI DSS
PCI DSS Requirement 11 mandates external vulnerability scanning at least quarterly (and after significant changes), performed by a PCI SSC Approved Scanning Vendor. Continuous monitoring goes well beyond that cadence and catches changes that appear between the quarterly scans, but it complements rather than replaces the ASV scan itself, which still has to be run by an approved vendor.
Who needs attack surface management?
The short answer: any organisation with internet-facing assets. But ASM becomes particularly important when:
- You have more than a handful of domains and subdomains
- You use multiple cloud providers
- Your organisation has grown through acquisitions
- Multiple teams deploy internet-facing services independently
- You need to demonstrate security posture for compliance
- You have experienced a security incident involving an unknown or forgotten asset
How SurfaceScan helps
SurfaceScan is a purpose-built external attack surface management platform. It handles the entire ASM lifecycle: discovering your subdomains, IPs, and cloud assets; inventorying everything found; continuously scanning for vulnerabilities, misconfigurations, exposed ports, TLS issues, DNS problems, and email authentication gaps; and providing prioritised findings with remediation guidance. The dashboard gives you a real-time view of your security posture, trend reporting shows improvement over time, and exportable reports satisfy the evidence requirements for ISO 27001 and NIS2 audits.
Related articles
ISO 27001 Vulnerability Scanning Requirements: What Auditors Expect
Learn which ISO 27001 controls require vulnerability scanning, what evidence auditors want to see, and how to build a compliant vulnerability management process.
NIS2 Compliance: Vulnerability Management and Attack Surface Monitoring
The NIS2 directive requires organisations to manage cybersecurity risks including vulnerability scanning. Learn who it applies to, what it requires, and how to comply.