Glossary · Security testing

What is Attack Surface Management?

Also known as: ASM, External Attack Surface Management, EASM

Attack Surface Management (ASM) is the continuous discovery, inventory, and monitoring of an organization's internet-facing assets that an attacker could target. It takes an outside-in view, mapping every exposed domain, IP, service, and certificate so security teams can find and fix exposures before adversaries reach them.

Key takeaways

  • ASM continuously discovers and monitors internet-facing assets from an attacker's outside-in perspective.
  • Its core purpose is finding unknown or forgotten exposures (shadow IT, stale subdomains, exposed services) before attackers do.
  • ASM is continuous, unlike point-in-time scans, because the external surface changes constantly.
  • Findings feed vulnerability management and provide ongoing evidence for control monitoring.

What does Attack Surface Management actually do?

Attack Surface Management answers a deceptively hard question: what does our organization expose to the public internet right now? Most teams know their primary domains and production hosts, but the real attack surface also includes forgotten subdomains, third-party SaaS, cloud storage buckets, expired certificates, and services spun up outside change control. ASM builds and maintains a live inventory of all of it.

The discipline is outside-in. Rather than starting from an internal asset database, ASM begins with seeds an attacker would start with, such as a domain or company name, and expands outward through DNS, certificate transparency logs, IP ranges, and passive reconnaissance to enumerate everything reachable from the public internet.

  • External-facing domains, subdomains, and DNS records
  • Public IP addresses, open ports, and exposed services
  • TLS/SSL certificates and their expiry or misconfiguration
  • Cloud assets and shadow IT outside official inventory

How ASM works: discovery, attribution, and monitoring

An ASM workflow runs in a loop. First, discovery enumerates assets from public sources. Second, attribution decides which discovered assets actually belong to the organization, filtering out unrelated infrastructure. Third, continuous monitoring re-scans the confirmed surface so new exposures, such as a freshly opened port or an expiring certificate, surface quickly.

Because the external surface changes daily as teams deploy, decommission, and reconfigure, ASM is run continuously rather than as a one-off audit. Detected exposures are typically prioritized by severity and feed directly into remediation and vulnerability management workflows.

External ASM is the outside-in counterpart to internal attack surface management, which maps assets and attack paths once an attacker already has a foothold inside the environment.

How ASM supports compliance evidence

A current, accurate asset inventory is foundational to most security frameworks. ASM produces continuously updated evidence that exposed assets are known and monitored, which supports controls in SOC 2 and PCI DSS.

When ASM findings are wired into continuous control monitoring, an exposed service or expired certificate can fail a control automatically rather than waiting for the next manual audit cycle.

Frequently asked questions

How is ASM different from vulnerability scanning?
Vulnerability scanning checks known assets for known weaknesses. ASM first discovers what assets exist at all, including unknown and shadow IT, then monitors that surface continuously. ASM defines the scope that scanning then assesses.
Why does ASM need to run continuously instead of quarterly?
The external surface changes constantly as teams deploy and decommission infrastructure. A quarterly snapshot misses short-lived exposures and newly opened ports, so continuous monitoring catches changes close to when they happen.
What is the difference between external and internal ASM?
External ASM maps what an attacker sees from the public internet (outside-in). Internal ASM maps internal cloud and identity assets and the attack paths between them once an attacker is already inside (inside-out).

Authoritative sources

← Back to the glossary