You can't protect what you don't know exists. That's the premise behind Attack Surface Management (ASM): the discipline that maps, inventories and continuously monitors every point through which an attacker could get into your organization. In a world of cloud, SaaS, APIs and remote work, this set of points grows and changes every day — and is almost always larger than the security team imagines.

What the attack surface is

The attack surface is the sum of all the entry points an adversary could use to access, compromise or extract data from an organization. It goes far beyond the servers listed in a spreadsheet. It includes domains and subdomains, IP addresses, exposed ports and services, digital certificates, web applications, APIs, code repositories, cloud assets, SaaS applications, user accounts and even corporate credentials leaked in third-party incidents.

The surface has a digital dimension (everything connected to the network), a human dimension (people susceptible to phishing and social engineering) and a physical dimension. When we talk about ASM, the focus is mainly on the digital surface — because it's the one that grows the most, changes the fastest and can be mapped in an automated, continuous way.

What Attack Surface Management is

ASM is the continuous practice of discovering, inventorying, classifying, prioritizing and monitoring the attack surface, always from the attacker's perspective. The essential difference from a traditional audit is continuity: the attack surface isn't a photograph, it's a film. A subdomain created today for a marketing campaign, a cloud bucket accidentally left open, a SaaS tool contracted by a business unit last week — all of it enters the surface without passing through security. ASM exists to see these assets the moment they appear.

Gartner consolidated ASM as a category starting in 2021/2022, describing its pillars and incorporating it into the broader concept of CTEM (Continuous Threat Exposure Management). CISA, the U.S. cybersecurity agency, offers external attack surface mapping services to support organizations, and NIST treats attack surface reduction as a security engineering principle in publications such as SP 800-160.

The types of ASM

Under the ASM umbrella there are complementary approaches, each answering a different question.

EASM — External Attack Surface Management

EASM looks from the outside in. With no agents and no internal access, it maps everything exposed to the internet from the same vantage point as an attacker: domains and subdomains, IPs, open services, certificates, applications and publicly accessible APIs. It's EASM that usually reveals most of the shadow IT — unknown and orphaned assets no one knew were online. Because it requires no installation, it's the best starting point for any organization, of any size.

CAASM — Cyber Asset Attack Surface Management

CAASM looks from the inside. Instead of discovering the unknown, it reconciles the known: it integrates via API with the tools the company already uses — EDR, CMDB, cloud platforms, IAM, vulnerability scanners — and aggregates everything into a unified, queryable inventory. CAASM answers questions like "which machines don't have endpoint protection?" or "which critical assets have no owner?" Together, EASM and CAASM provide the complete picture: what the attacker sees and what the company has.

Shadow IT and unknown assets

Shadow IT is, in practice, the heart of the problem ASM solves. Forgotten subdomains, exposed test environments, SaaS tools contracted outside IT's control and reused credentials make up the part of the surface that most often becomes an entry point — precisely because no one was watching it.

Why the perimeter died

For decades, security was organized around a perimeter: a firewall separated the trusted "inside" from the hostile "outside." That model stopped making sense. The public cloud distributes assets across multiple accounts and regions. SaaS puts corporate data in third-party systems that IT doesn't always know about. Remote work takes endpoints outside any controlled network. APIs and microservices expose functionality directly on the internet.

The result is that the attack surface no longer has a sharp edge and has become fragmented, dynamic and largely invisible to traditional methods. ASM is the answer to this reality: since there's no longer a wall to defend, the focus shifts to knowing, in real time, everything that's exposed.

The ASM cycle

A mature ASM program operates as a continuous cycle, not as a project with a beginning and an end.

  1. Discover — starting from little information (a domain name, a company name), automatically enumerate all related assets, including those the organization is unaware of.
  2. Inventory — consolidate the findings into a single, living inventory, assigning owner, criticality and context to each asset.
  3. Prioritize — cross-reference exposure, exploitability and business value to highlight what represents real risk.
  4. Reduce — decommission what shouldn't exist, fix configurations, close services and rotate credentials.
  5. Monitor — watch continuously to detect changes and new assets as soon as they appear.

Exposure map: asset, risk and action

Asset / exposure typeMain riskRecommended action
Orphaned / forgotten subdomainsSubdomain takeover, abandoned and vulnerable sitesInventory, validate ownership and remove unused DNS records
Exposed ports and services (RDP, SSH, databases)Direct access, brute force, service exploitationClose what's unnecessary, restrict by VPN/IP, require MFA
Expired or misconfigured TLS certificatesInterception, loss of trust, downtimeInventory certificates, automate renewal and monitor validity
Public APIs without documentation/governanceData leakage, abuse, shadow APIsDiscover, catalog, authenticate and apply usage limits
Open cloud buckets and storageMassive exposure of sensitive dataReview permissions, block public access by default
Leaked corporate credentials and emailsAccount takeover, initial access via password reuseForce password change, enable MFA, monitor continuously
Ungoverned SaaS / shadow ITData out of control, no visibility or protectionDiscover, approve or discontinue, integrate into governance

ASM, CTEM, vulnerability management and OSINT

ASM is often confused with vulnerability management, but they tackle different problems. Vulnerability management starts from a list of known assets and looks for flaws in them; ASM solves the prior step — discovering which assets exist, especially those on no list at all. There's no point in scanning 80% of the estate well if 20% was never even mapped.

CTEM is the program that stitches everything together: it defines scope, uses ASM to discover and inventory, applies prioritization and validation, and closes the loop with mobilization and remediation. ASM is therefore one of the central engines of a well-implemented CTEM.

OSINT (open-source intelligence) is the fuel for the external discovery phase. Public certificate databases, DNS records, internet scan data and leaked credential dumps feed both EASM and prioritization. When ASM identifies that credentials for a corporate domain have appeared in a leak, that immediately raises the priority of that asset. All of this integrates into threat management as a whole.

How to reduce the attack surface

Visibility is the first step, but the ultimate goal is to reduce the surface. Some established practices:

  • Decommission orphaned assets, exposed test environments and ownerless subdomains.
  • Apply the principle of least privilege and close ports and services that don't need to be accessible.
  • Block public access by default on cloud storage and review configurations regularly.
  • Catalog and authenticate all APIs, eliminating shadow APIs.
  • Enforce MFA and rotate credentials exposed in leaks.
  • Govern SaaS: approve, integrate or discontinue shadow IT.
  • Treat surface reduction as a continuous practice, not a one-off effort.

How Decripte helps

Decripte is a B2B cybersecurity company serving organizations from 1 to over 100,000 employees, with the same technical depth at any size. Our Threat Management puts ASM into practice from the first contact: the free version already maps your external exposure — domains and subdomains, corporate emails and leaked credentials — to show, in minutes and with nothing to install, part of the attack surface an attacker can already see.

From there, the paid plans evolve into continuous discovery, consolidated inventory (EASM and CAASM), risk-based prioritization and permanent monitoring, integrated into a CTEM program. If you still don't know the real size of your attack surface, it's time to find out before someone else finds out for you. Start free or explore our plans.