Attack Surface Management: Seeing What Attackers See
The assets you forgot are the ones that get you
Almost every breach we help contain starts on an asset the client did not know they owned. A staging environment stood up for a two-week project and never torn down. A marketing microsite spun up by an agency on a subdomain nobody tracks. A management interface that was supposed to be firewalled but got exposed during a migration and never got closed. A cloud storage bucket made public "just for the demo." None of these show up in the asset inventory, so none of them get patched, monitored, or decommissioned. Attackers find them anyway.
This is the core problem attack surface management solves. Your defensive tools protect the systems you know about. An attacker does not start from your inventory — they start from the open internet, enumerate everything that resolves to your organization, and probe the weakest thing they find. The gap between what you think you expose and what you actually expose is where intrusions begin. External attack surface management exists to close that gap by looking at you the way an attacker does: from the outside, continuously, with no insider knowledge.
Shadow IT makes this worse every year. Business units buy SaaS, developers deploy to cloud accounts on a corporate card, and acquisitions bring in whole estates of infrastructure nobody has cataloged. Each of these creates internet-facing assets that never pass through change control. You cannot secure, patch, or even monitor what you have not discovered.
What external ASM actually discovers
Attack surface management is a discovery discipline first and a scanning discipline second. It works outside-in, starting from a few seeds — your primary domains, known IP ranges, brand names — and expanding to find everything connected to them. A mature program surfaces:
- Forgotten subdomains and dangling DNS. Enumeration and certificate transparency logs routinely reveal hundreds of subdomains an organization has no record of. Some point to decommissioned services, creating subdomain takeover risk where an attacker can claim the abandoned resource the DNS record still trusts.
- Exposed services and management interfaces. Open RDP, SSH, database ports, admin consoles, VPN gateways, and remote-access tools reachable from the public internet. These are the first thing ransomware operators look for, and they are frequently exposed by accident.
- Shadow and orphaned cloud assets. Public storage buckets, unmanaged cloud instances, and API endpoints in accounts security never onboarded.
- Leaked secrets and credentials. API keys, tokens, and passwords committed to public code repositories, embedded in mobile apps, or pasted into public services. A single leaked cloud key can hand over an entire environment.
- Expired certificates, weak TLS, and vulnerable software versions on the edge that betray unpatched, unmonitored systems.
Figure: your external footprint is a sprawling mesh, not a tidy list — ASM maps the nodes you never registered before an attacker maps them for you.
The output that matters is not a vulnerability count. It is an accurate, deduplicated inventory of everything you expose, attributed back to a business owner. Discovery is the deliverable; everything else builds on it.
ASM is not vulnerability scanning
These get conflated constantly, and the distinction is worth being precise about because it changes what you buy and what you expect.
A vulnerability scanner takes a known list of assets and checks each one against a database of signatures. It answers the question "what is wrong with the things I already told it to look at." It is essential hygiene, and it belongs in a continuous vulnerability management program. But it is only as complete as the target list you feed it, and the assets most likely to be breached are precisely the ones missing from that list.
Attack surface management answers the prior question: "what do I actually expose?" It assumes your inventory is incomplete and sets out to prove it. The two are complementary, not competing:
- ASM discovers the assets. Scanning assesses them.
- ASM works from the attacker's outside view. Scanning usually works from an authenticated inside view.
- ASM is scoped by your DNS and IP footprint. Scanning is scoped by your asset database.
Run scanning without ASM and you get thorough coverage of an incomplete map. Feed continuously discovered assets into your scanner and the map finally matches the territory.
Prioritize by exploitability, not by volume
A discovery tool that dumps ten thousand findings into a spreadsheet has just moved the problem, not solved it. The value is in ranking, and the ranking has to reflect what an attacker would actually target. We prioritize the external surface along a few axes at once:
- Exposure. Is it reachable from the open internet with no authentication? An unauthenticated, internet-facing service outranks the same flaw sitting behind a VPN.
- Exploitability. Is there a known, weaponized exploit? Enriching findings with the CISA Known Exploited Vulnerabilities catalog and the Exploit Prediction Scoring System separates the handful of issues under active attack from the thousands that are theoretical. Only a small single-digit percentage of published vulnerabilities are ever exploited in the wild — prioritization is how you find them.
- Asset criticality. An exposed marketing page and an exposed identity provider are not the same emergency even at the same severity. Tie each asset to the data and process behind it.
- Ease of takeover. Default credentials, a dangling DNS record, or a leaked admin key is a direct path in, not a maybe. These jump the queue regardless of CVSS.
The result is a short, ordered list of things to fix now — an exposed management console, a leaked key, a takeover-able subdomain — instead of an undifferentiated wall of red. Validation closes the loop: periodic penetration testing confirms whether the paths ASM flagged as exploitable really can be chained into an intrusion, and whether anything you deprioritized was reachable after all.
Continuous, not point-in-time
The single most important property of an attack surface program is that it never stops. Your external footprint changes constantly — a developer publishes a new endpoint on Tuesday, a certificate expires on Friday, an acquisition adds a netblock next quarter, a contractor exposes a port during a maintenance window. A new CVE can go from disclosure to mass internet-wide exploitation within days of a proof of concept.
A point-in-time assessment — the annual external pen test, the quarterly scan — is stale the moment it is delivered. Attackers scan the entire IPv4 internet in hours and re-scan continuously; a service exposed by mistake can be found and hit the same day. If your discovery cadence is measured in months and theirs is measured in hours, they will always reach the new exposure first.
Continuous ASM means:
- Ongoing discovery, so new subdomains, hosts, and cloud assets are catalogued as they appear, not at the next audit.
- Change alerting, so a newly opened port or a freshly exposed admin panel generates a signal your security operations team can act on within hours.
- Continuous re-enrichment, so an asset you rated low last month escalates on its own when a new exploit lands, without a human rescanning anything.
The measure of a working program is not how many assets it found once. It is how fast a new exposure goes from appearing to being closed.
Where to start
If you have never looked at your organization from the outside in, start there — the first discovery run is almost always uncomfortable, and that discomfort is the point. Seed it with your domains and IP ranges, let discovery expand the map, and triage the exposed services, leaked secrets, and takeover-able subdomains at the top of the list before anything else.
intSignal runs attack surface management as a continuous service: outside-in discovery of your real internet-facing footprint, exploitability-based prioritization, change alerting, and a feedback loop into vulnerability management and testing. Talk to our security team and we will show you what an attacker sees before one does.