Attack Surface Management

Understanding and Reducing Your Exposure to Threats


What is Attack Surface?

The attack surface is the sum of all points where an unauthorized user (attacker) can try to enter or extract data from an environment. The larger your attack surface, the more opportunities attackers have.

External Attack Surface

Assets exposed to the internet that attackers can discover and target from anywhere in the world.

  • Public websites
  • APIs & web services
  • Email servers
  • VPN gateways
  • Cloud services
  • DNS records
  • SSL certificates
  • Public IPs

Internal Attack Surface

Assets accessible from within the network, exploitable after initial compromise or by insiders.

  • Workstations
  • Servers
  • Databases
  • Network devices
  • Printers/IoT
  • User accounts
  • Applications
  • File shares

Why SOC Analysts Care About Attack Surface

  • Every exposed asset is a potential entry point for attackers
  • Unknown assets can't be monitored or defended
  • Reducing attack surface reduces alert volume and risk
  • ASM findings inform threat hunting and prioritization

Attack Surface Components

Component        | Description                                     | Risk Factor
-----------------|-------------------------------------------------|------------
Open Ports       | Network services listening for connections      | High
Web Applications | HTTP/HTTPS endpoints with user input            | Critical
User Accounts    | Authentication endpoints and credentials        | High
Third-Party Code | Libraries, APIs, and supply chain dependencies  | Medium
Physical Access  | Building entry, USB ports, console access       | Low

Attack Surface Management (ASM)

ASM is the continuous process of discovering, classifying, prioritizing, and monitoring assets that are exposed to attackers.

  1. Discover
  2. Classify
  3. Prioritize
  4. Remediate
  5. Monitor

The ASM lifecycle is continuous — after monitoring, new assets trigger re-discovery.

ASM Tools & Techniques

Discovery

  • Port scanning (Nmap)
  • DNS enumeration
  • Certificate transparency
  • Shodan/Censys

Classification

  • Service fingerprinting
  • Technology detection
  • Owner identification
  • Business criticality

Prioritization

  • Vulnerability scoring
  • Exploit availability
  • Data sensitivity
  • Exposure level


Sample Asset Inventory

This is what an ASM inventory might look like. Note the risk ratings and status.

Asset            | Type              | Exposure | Risk     | Status
-----------------|-------------------|----------|----------|----------
www.company.com  | Web Server        | External | Medium   | Monitored
mail.company.com | Email Server      | External | High     | Hardened
dev.company.com  | Dev Server        | External | Critical | Exposed
vpn.company.com  | VPN Gateway       | External | High     | Monitored
10.0.0.50 (DC01) | Domain Controller | Internal | Critical | Hardened

Red Flags in Asset Inventory

  • dev.company.com is externally exposed — dev servers often have weak security
  • Any asset with "Exposed" status needs immediate attention
  • Critical risk + External exposure = Priority 1 for hardening
  • Unknown or shadow IT assets are the biggest risk
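
The red flags above applied to the sample inventory, as an added example (not part of the original course material): it reconciles discovery output against the inventory and puts flagged assets first. The discovery list, the host files.company.com, and the ordering of unflagged assets by risk rating are assumptions made for illustration.

```python
from typing import NamedTuple

class Asset(NamedTuple):
    name: str
    kind: str
    exposure: str  # "External" or "Internal"
    risk: str      # "Low", "Medium", "High" or "Critical"
    status: str    # "Monitored", "Hardened" or "Exposed"

# Rows copied from the sample inventory table on this page.
INVENTORY = [
    Asset("www.company.com", "Web Server", "External", "Medium", "Monitored"),
    Asset("mail.company.com", "Email Server", "External", "High", "Hardened"),
    Asset("dev.company.com", "Dev Server", "External", "Critical", "Exposed"),
    Asset("vpn.company.com", "VPN Gateway", "External", "High", "Monitored"),
    Asset("10.0.0.50 (DC01)", "Domain Controller", "Internal", "Critical", "Hardened"),
]

# Constructed discovery output; "files.company.com" is a made-up host
# standing in for an asset nobody registered.
DISCOVERED = ["WWW.company.com", "dev.company.com", "vpn.company.com.",
              "files.company.com"]

RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def normalize(host):
    """Lower-case and drop the trailing dot so DNS-style names compare equal."""
    return host.strip().lower().rstrip(".")

def triage(inventory, discovered):
    """Return [(name, flags)] with red-flagged assets first, then by risk."""
    known = {normalize(a.name) for a in inventory}
    rows = []
    for host in sorted({normalize(h) for h in discovered} - known):
        # Red flag: asset seen from outside but missing from the inventory.
        rows.append((0, 0, host, ["unknown asset, not in inventory"]))
    for a in inventory:
        flags = []
        if a.status == "Exposed":
            flags.append("status Exposed")
        if a.risk == "Critical" and a.exposure == "External":
            flags.append("critical risk + external exposure (Priority 1)")
        rows.append((0 if flags else 1, RISK_ORDER[a.risk], a.name, flags))
    rows.sort()
    return [(name, flags) for _, _, name, flags in rows]

if __name__ == "__main__":
    for name, flags in triage(INVENTORY, DISCOVERED):
        print(f"{name:20} {'; '.join(flags) or 'no red flag'}")
```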
