Key Points
Attack surfaces are growing faster than security teams can keep up with them – to stay ahead, you need to know what’s exposed and where attackers are most likely to strike.
With cloud adoption dramatically increasing the ease of exposing new systems and services to the internet, prioritizing threats and managing your attack surface from an attacker’s perspective has never been more important.
In this guide, we look at why attack surfaces are growing and how to monitor and manage them properly with tools like Intruder. Let’s dive in.
What is your attack surface?
First, it’s important to understand what we mean when we talk about an attack surface. An attack surface is the sum of your digital assets that are ‘reachable’ by an attacker – whether they are secure or vulnerable, known or unknown, in active use or not.
You can also have both internal and external attack surfaces - imagine for example a malicious email attachment landing in a colleague’s inbox, vs a new FTP server being put online.
Your external attack surface changes continuously over time, and includes digital assets that are on-premises, in the cloud, in subsidiary networks, and in third-party environments. In short, your attack surface is anything that a hacker can attack.
What is attack surface management?
Attack surface management (ASM) is the process of discovering these assets and services and reducing or minimizing their exposure, so that attackers cannot exploit them.
Exposure can mean two things. The first is current vulnerabilities: missing patches or misconfigurations that weaken the security of a service or asset. The second is exposure to future vulnerabilities, or to determined attackers who don’t need a vulnerability at all.
Take for example an admin interface like cPanel, or a firewall administration page – these may be secure against all known current attacks today, but a vulnerability could easily be discovered in the software tomorrow – in which case it would immediately become a significant risk. So while traditional vulnerability management processes would say “wait until a vulnerability is detected and then remediate it”, attack surface management would say “get that firewall admin panel off the internet before it becomes a problem!”.
That’s not to mention that having a firewall admin panel exposed to the internet opens it up to other attacks, regardless of a vulnerability being discovered. For example, if an attacker discovers some admin credentials elsewhere, they could potentially reuse those credentials against this admin interface, and this is often how attackers expand their access across networks. Equally, they may just try a sustained “low and slow” password guessing exercise which goes under the radar but eventually yields results.
To highlight this point in particular, ransomware gangs were reported in 2024 to be targeting VMware vSphere environments exposed to the internet. By exploiting a vulnerability in these servers, they gained access and encrypted the virtual hard disks of critical infrastructure to demand huge ransoms. Over two thousand vSphere environments were reported to still be exposed.
So for multiple reasons, reducing your attack surface today makes you harder to attack tomorrow.
The need for attack surface management
The challenges of asset management
So, if a significant part of attack surface management is reducing exposure to possible future vulnerabilities by removing unnecessary services and assets from the internet, the first step is to know what you have.
Often considered the poor relation of vulnerability management, asset management has traditionally been a labor intensive, time-consuming task for IT teams. Even when they had control of the hardware assets within their organization and network perimeter, it was still fraught with problems. If just one asset was missed from the asset inventory, it could evade the entire vulnerability management process and, depending on the sensitivity of the asset, could have far reaching implications for the business. This was the case in the Deloitte breach in 2016, where an overlooked administrator account was exploited, exposing sensitive client data.
When companies expand through mergers and acquisitions, they also often take over systems they’re not even aware of – take the example of telco TalkTalk, which was breached in 2015, with up to 4 million unencrypted records reportedly stolen from a system it didn’t even know existed.
For more information, we have an article on vulnerability management vs attack surface management.
The shift to cloud
Today, it’s even more complicated. Businesses are migrating to cloud platforms like Google Cloud, Microsoft Azure, and AWS, which allow development teams to move and scale quickly when needed. But this puts a lot of the responsibility for security directly into the hands of the development teams – shifting away from traditional, centralized IT teams with change control processes.
While this is great for speed of development, it creates a visibility gap, and so cyber security teams need ways to keep up with the pace.
A modern solution
Attack surface management is, if anything, the recognition that asset management and vulnerability management must go hand-in-hand – but companies need tools to make this work effectively.
A good example: an Intruder customer once told us we had a bug in our cloud connectors – the integrations that show which cloud systems are internet-exposed. We were showing an IP address he didn’t think he owned. When we investigated, the connector was working fine: the IP address belonged to a resource in an AWS region he didn’t know was in use, somewhat out of sight in the AWS console.
This shows how attack surface management can be as much about visibility as vulnerability management.
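The check behind that story is simple to automate: ask AWS which regions are enabled for the account, then walk every one of them for EC2 instances and Elastic IPs that carry a public address, rather than only the region the console happens to be pointed at. The script below is an added example written for this guide, not Intruder’s connector code. It talks to the real `boto3` EC2 API when given `real_client`; the `FakeEc2` class and its two regions of sample data are constructed stand-ins so the example runs offline, and the set of regions you “expect” to use is an assumption you would replace with your own.

```python
"""Find public IPs in every enabled AWS region, and flag the regions you didn't expect.

Added example for the attack surface discussion above; not Intruder's code.
Covers EC2 instances and Elastic IPs only (load balancers, RDS public endpoints
and so on are separate APIs).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class PublicIp:
    region: str
    address: str
    resource: str   # instance id or EIP allocation id
    source: str     # "ec2-instance" or "elastic-ip"


def list_regions(ec2) -> list[str]:
    # describe_regions (without AllRegions=True) returns the regions enabled for
    # this account, which is exactly the set an attacker could find resources in.
    return sorted(r["RegionName"] for r in ec2.describe_regions()["Regions"])


def public_ips_in_region(ec2, region: str) -> list[PublicIp]:
    found: list[PublicIp] = []
    kwargs: dict = {}
    while True:  # manual pagination so a fake client only needs one page
        page = ec2.describe_instances(**kwargs)
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                if inst.get("PublicIpAddress"):
                    found.append(PublicIp(region, inst["PublicIpAddress"],
                                          inst["InstanceId"], "ec2-instance"))
        if not page.get("NextToken"):
            break
        kwargs = {"NextToken": page["NextToken"]}
    # EIPs not attached to an instance: unused allocations that can be attached
    # later, or addresses on ENIs such as load balancers. Instance-attached EIPs
    # already appear above as the instance's PublicIpAddress.
    for addr in ec2.describe_addresses()["Addresses"]:
        if "InstanceId" not in addr:
            found.append(PublicIp(region, addr["PublicIp"],
                                  addr.get("AllocationId", "?"), "elastic-ip"))
    return found


def inventory_public_ips(make_client: Callable[[str], object],
                         home_region: str = "us-east-1") -> list[PublicIp]:
    """Walk every enabled region; make_client(region) returns an EC2 client for it."""
    results: list[PublicIp] = []
    for region in list_regions(make_client(home_region)):
        results.extend(public_ips_in_region(make_client(region), region))
    return results


def unexpected_regions(ips: Iterable[PublicIp], expected: set[str]) -> dict[str, list[PublicIp]]:
    """Group the public IPs that live outside the regions the team believes it uses."""
    out: dict[str, list[PublicIp]] = {}
    for ip in ips:
        if ip.region not in expected:
            out.setdefault(ip.region, []).append(ip)
    return out


def real_client(region: str):
    import boto3  # imported lazily so the example still runs offline with FakeEc2
    return boto3.client("ec2", region_name=region)


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client: two regions, one of them forgotten."""
    REGIONS = ["eu-west-2", "ap-southeast-1"]
    DATA = {
        "eu-west-2": {"instances": [("i-0aaa", "18.130.0.10"), ("i-0bbb", None)], "eips": []},
        "ap-southeast-1": {"instances": [("i-0ccc", "13.250.0.7")], "eips": [("eipalloc-1", "52.77.0.9")]},
    }

    def __init__(self, region: str):
        self.region = region

    def describe_regions(self):
        return {"Regions": [{"RegionName": r} for r in self.REGIONS]}

    def describe_instances(self, **kwargs):
        insts = [{"InstanceId": i, **({"PublicIpAddress": ip} if ip else {})}
                 for i, ip in self.DATA[self.region]["instances"]]
        return {"Reservations": [{"Instances": insts}]}

    def describe_addresses(self):
        return {"Addresses": [{"AllocationId": a, "PublicIp": ip}
                              for a, ip in self.DATA[self.region]["eips"]]}


if __name__ == "__main__":
    found = inventory_public_ips(FakeEc2)   # swap in real_client to run against your account
    for region, ips in unexpected_regions(found, {"eu-west-2"}).items():
        for ip in ips:
            print(f"{region}: {ip.address} ({ip.source} {ip.resource})")
```

Run against the sample data, the two addresses in ap-southeast-1 surface as exposures in a region nobody thought was in use. Against a real account, feed the output to your scanner as targets; that is the visibility gap the connector story is about.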
Where does the attack surface stop?
If you use a SaaS tool like HubSpot, they will hold a lot of your sensitive customer data, but you wouldn’t expect to scan them for vulnerabilities – this is where a third-party risk platform comes in. You would expect HubSpot to have many cyber security safeguards in place – and you would assess them against these.
Where the lines become blurred is with external agencies. Maybe you use a design agency to create a website, but you don’t have a long-term management contract in place. What if that website stays live until a vulnerability is discovered and it gets breached?
In these instances, third party and supplier risk management software and insurance help to protect businesses from issues such as data breaches or noncompliance.
6 ways to secure your attack surface with Intruder
By now, we’ve seen why attack surface management is so essential. The next step is turning these insights into concrete, effective actions. Building an ASM strategy means going beyond known assets to find your unknowns, adapting to a constantly changing threat landscape, and focusing on the risks that will have the greatest impact on your business.
Here are six ways Intruder helps you put this into action:
1. Discover unknown assets
Intruder continuously monitors for assets that are easy to lose track of but can create exploitable gaps in your attack surface, such as subdomains, related domains, APIs, and login pages. Learn more about Intruder’s attack surface discovery methods.
2. Search for exposed ports and services
Use Intruder’s Attack Surface View (shown below) to find what’s exposed to the internet. With a quick search, you can check your perimeter for the ports and services that should – and, more importantly, shouldn’t – be accessible from the internet.
3. Find exposures (that others miss)
Intruder provides greater coverage than other ASM solutions by customizing the output of multiple scanning engines. Check for over a thousand attack surface specific issues, including exposed admin panels, publicly-facing databases, misconfigurations, and more. You can learn more about how we use multiple scanners here.
4. Scan your attack surface whenever it changes
Intruder continuously monitors your attack surface for changes and initiates scans when new services are detected. By integrating Intruder with your cloud accounts, you can automatically detect and scan new services to reduce blind spots and ensure all exposed cloud assets are covered within your vulnerability management program.
5. Stay ahead of emerging threats
When a new critical vulnerability is discovered, Intruder proactively initiates scans to help secure your attack surface as the threat landscape evolves. With Rapid Response, our security team checks your systems for the latest actively exploited issues faster than automated scanner updates can, alerting you immediately if your organization is at risk.
6. Prioritize the issues that matter most
Intruder helps you focus on the vulnerabilities that pose the greatest risk to your business. For example, you can view the likelihood of your vulnerabilities being exploited within the next 30 days and filter by “known” and “very likely” to generate an actionable list of the most significant risks to address.
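Steps 2, 4 and 6 above describe one loop: compare what the perimeter exposes today with what it exposed last time, judge each exposed service against what the host is supposed to offer, and put the dangerous new ones at the top. The script below is an added example for this guide, not Intruder’s scanning or prioritization logic. The `host port/proto service` snapshot format, the two sample scans and the allowlist are all constructed, and the `DISALLOWED` and `ADMIN_HINTS` service labels are illustrative assumptions you would tune to your own environment.

```python
"""Diff two perimeter scans and triage what the allowlist does not explain.

Added example, not Intruder's code. Snapshot format and policy lists are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    proto: str
    service: str


@dataclass(frozen=True)
class Finding:
    exposure: Exposure
    reason: str
    new: bool   # appeared since the previous snapshot


# Illustrative policy (assumption): services that should almost never face the internet,
# and service-label fragments that mark a management interface of the kind the guide warns about.
DISALLOWED = {"mysql", "postgres", "mssql", "redis", "mongodb", "rdp", "smb", "vnc", "winrm", "telnet", "ftp"}
ADMIN_HINTS = ("cpanel", "vsphere", "esxi", "admin")
RANK = {"disallowed-service": 0, "admin-interface": 1, "unexpected": 2}


def parse_snapshot(text: str) -> set[Exposure]:
    """Parse 'host port/proto service' lines (constructed export format) into a set."""
    found: set[Exposure] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # tolerate trailing comments
        if not line:
            continue
        host, port_proto, service = line.split()
        port, proto = port_proto.split("/")
        found.add(Exposure(host, int(port), proto, service.lower()))
    return found


def diff_snapshots(previous: set[Exposure], current: set[Exposure]) -> dict[str, set[Exposure]]:
    """What appeared and what disappeared between two scans of the perimeter."""
    return {"new": current - previous, "removed": previous - current}


def classify(exp: Exposure, allowlist: dict[str, set[tuple[int, str]]]) -> str | None:
    """None if the host is expected to offer this port; otherwise why it is a finding."""
    if (exp.port, exp.proto) in allowlist.get(exp.host, set()):
        return None
    if exp.service in DISALLOWED:
        return "disallowed-service"
    if any(hint in exp.service for hint in ADMIN_HINTS):
        return "admin-interface"
    return "unexpected"


def triage(previous: set[Exposure], current: set[Exposure],
           allowlist: dict[str, set[tuple[int, str]]]) -> list[Finding]:
    """Most dangerous class first; within a class, newly appeared exposures before long-standing ones."""
    new = diff_snapshots(previous, current)["new"]
    findings = [Finding(exp, reason, exp in new)
                for exp in current if (reason := classify(exp, allowlist))]
    findings.sort(key=lambda f: (RANK[f.reason], not f.new, f.exposure.host, f.exposure.port))
    return findings


# Constructed sample scans of a small perimeter.
YESTERDAY = """
www.example.com   443/tcp  https
www.example.com    80/tcp  http
mail.example.com   25/tcp  smtp
vpn.example.com   443/tcp  https
web2.example.com 2083/tcp  cpanel       # hosting control panel, exposed for months
old.example.com    21/tcp  ftp
"""
TODAY = """
www.example.com   443/tcp  https
www.example.com    80/tcp  http
mail.example.com   25/tcp  smtp
vpn.example.com   443/tcp  https
vpn.example.com  4443/tcp  admin-https  # firewall management UI, newly reachable
web2.example.com 2083/tcp  cpanel
db1.example.com  3306/tcp  mysql        # database opened to the world
build.example.com  22/tcp  ssh
"""
# What each host is supposed to expose (constructed). Anything else is a finding.
ALLOWLIST = {
    "www.example.com": {(443, "tcp"), (80, "tcp")},
    "mail.example.com": {(25, "tcp")},
    "vpn.example.com": {(443, "tcp")},
}

if __name__ == "__main__":
    prev, cur = parse_snapshot(YESTERDAY), parse_snapshot(TODAY)
    for f in triage(prev, cur, ALLOWLIST):
        e = f.exposure
        print(f"[{f.reason:18}] {'NEW' if f.new else 'old'} {e.host}:{e.port}/{e.proto} ({e.service})")
    for gone in diff_snapshots(prev, cur)["removed"]:
        print(f"[removed           ] {gone.host}:{gone.port}/{gone.proto} ({gone.service})")
```

On the sample data the ordering is the point: the newly opened MySQL port comes first, the newly reachable firewall admin UI next, the cPanel interface that has been exposed for months after it (still a finding, but not a change), and the unexplained SSH port last. The removed FTP server is worth printing too, so the inventory can be updated rather than leaving a ghost entry. Replace `parse_snapshot` with whatever your scanner exports and the loop becomes a change-triggered check rather than a scheduled one.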
Get started with attack surface management
Intruder's EASM platform solves one of the most fundamental problems in cybersecurity: the need to understand how attackers see your organization, where they are likely to break in, and how you can identify, prioritize and eliminate risk. Book some time with our team to find out how Intruder can help protect your attack surface.