What is attack surface management?

Attack surface management (ASM) is the practice of knowing which assets make up your external footprint, applying threat intelligence to that knowledge, and then proactively hardening your perimeter in response to emerging risks.

It differs from existing techniques such as penetration testing, vulnerability scanning, and bug bounties because it is not a specificactivity designed to solve an individual problem. Rather, ASM is about co-ordinating people, processes, and technology. The ultimate goal of ASM is to prevent an attacker from discovering things about your attack surface that you do not already know. 

Why isn't vulnerability scanning enough? 

There are tools that can be used to remediate problems on an attack surface. Each has its own unique role in an attack surface management program, but none is a silver bullet:

  • Vulnerability Scanners are often the best way to discover weaknesses across large numbers of known assets, but do not always provide what is needed to discover unknown assets (including information assets such as leaked credentials or business documentation). Moreover, they often have a high signal- to- noise ratio, which means they require a lot of work from your team.
  • Penetration tests remain the gold standard for deep point-in-time testing of critical assets, and are a necessary part of all ASM programs. The problem is that, new vulnerabilities emerge between tests, and there is often no way for an organization to know whether their assets are affected.  You need a way of finding out how your assets are most likely to be exploited by attackers right now in the real world.
  • Bug bounties are currently used by many organizations to discover the unknown unknowns on their attack surface, and can be particularly effective at uncovering some classes of vulnerability, for example cross-site scripting (XSS). However, bounty hunters tend to be motivated to find vulnerabilities that will pay them the most, rather than the vulnerabilities that are actually likely to be exploited by an attacker. The work of triage still falls to your existing security analysts, or must be outsourced at a cost. 

These tools can help you reduce vulnerabilities, but without integration into a larger program of work, none can enable you to proactively direct your response to emerging threats.

What activities are involved in managing an attack surface?

Good attack surface management almost always makes use of sophisticated tools and techniques. SaaS solutions can help with the technical work that supports good management, but as ASM is a complex practice, it cannot just be bought as a software solution.

Owen Evans, the director of F-Secure’s ASM program, highlights three major areas of activity  that make up most attack surface management programs:

  1. Knowing your perimeter. To do this well you need to combine the power of automated seed discovery with creative human-led OSINT. This will allow you to discover assets that don’t appear in any of your inventories, for example, long forgotten subdomains, or credentials leaked on the personal GitHub of a developer.
  2. Prioritizing your remediations. Again, tooling can be invaluable here, but the tooling needs to be overseen by a trained attacker. There’s no point mapping your vulnerabilities to an abstract framework. Prioritization is about understanding what assets look like to an attacker who is keen to exploit the latest vulnerabilities.
  3. Understanding new threat intelligenceFewer than 2% of vulnerabilities actually get exploited in the wild. Anticipating which vulnerabilities create which level of risk involves hard judgments and a deep understanding of the threat landscape. 

Who needs attack surface management?

Building an in-house ASM capability can be a significant undertaking, and we’d therefore recommend it for organizations facing particular challenges. These include:

  • When an organization suspects – but cannot verify – that it has a large shadow IT estate.
  • When mergers and acquisitions result in IT estates that are so complicated that nobody knows what they contain
  • When a holding company with a large portfolio needs visibility over its entire extended attack surface
  • When an organization is spending huge amounts on penetration testing or bug bounties, but no longer feels that it is getting a good return on its investment.

ASM is for any organization struggling with the identify function of the NIST framework. ASM is about identifying what you have, knowing how it is weak, and understanding why that matters in a wider context. Done well, ASM can be the foundation on which the rest of your security posture sits. As Microsoft’s John Lambert memorably puts it, ‘the advantage of the attacker lies in the difference between what you have and what you manage.’

Reading time: 3 min


  • February, 2022
Nicholas Evans, Research Analyst