In depth
The two flavours of ASM are external attack surface management (EASM) and cyber asset attack surface management (CAASM). EASM works the way an attacker does: it starts from a small seed (the corporate root domain, an IP allocation) and pivots through DNS records, certificate-transparency logs, passive DNS, WHOIS history, GitHub repositories, cloud-asset reverse lookups and ASN data to build an outside-in inventory. Tools such as Censys, Shodan, RiskIQ (now Microsoft Defender EASM), Detectify, ProjectDiscovery's Chaos and the open-source amass/subfinder/httpx pipeline are the standard kit. CAASM works inside-out: it ingests asset feeds from the CMDB, cloud-provider APIs, EDR rosters, identity providers and DNS, then deduplicates and reconciles them into a view of what should be there.
The output is not a static spreadsheet. A useful ASM platform alerts on diffs: a new subdomain appearing, a previously hardened S3 bucket becoming public, a development server exposing port 22 to 0.0.0.0/0, a leaked credential surfacing on a paste site. Those alerts then feed into the same incident-response pipeline as SIEM alerts.
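The diff-alerting step described above, as an added example rather than any ASM product's code: two constructed inventory snapshots are compared and an alert is raised for each of the changes the paragraph lists (new subdomain, bucket turned public, port newly open to 0.0.0.0/0). The Asset structure, the attribute names and the example.com hostnames are assumptions.

```python
"""Attack-surface snapshot diff: constructed example, not an ASM product's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    kind: str          # "subdomain", "bucket" or "host" (assumed taxonomy)
    name: str
    attrs: tuple = ()  # sorted (key, value) pairs so the record stays hashable


def _index(snapshot):
    """Map (kind, name) -> attribute dict for quick lookup."""
    return {(a.kind, a.name): dict(a.attrs) for a in snapshot}


def diff_alerts(previous, current):
    """Return alert strings for security-relevant changes between two scans."""
    old, new = _index(previous), _index(current)
    alerts = []
    for (kind, name), attrs in new.items():
        before = old.get((kind, name))
        if before is None:
            alerts.append(f"NEW {kind}: {name}")
            before = {}
        # a bucket that was private at the last scan and is now public
        if kind == "bucket" and attrs.get("public") and not before.get("public"):
            alerts.append(f"BUCKET_PUBLIC: {name}")
        # a host that newly exposes a port to the whole internet
        newly_open = set(attrs.get("open_to_world", ())) - set(before.get("open_to_world", ()))
        for port in sorted(newly_open):
            alerts.append(f"PORT_EXPOSED: {name} tcp/{port} to 0.0.0.0/0")
    for kind, name in old.keys() - new.keys():
        alerts.append(f"GONE {kind}: {name}")  # vanished assets deserve a look too
    return alerts


# Constructed snapshots; example.com stands in for a real root domain.
PREVIOUS = [
    Asset("subdomain", "www.example.com"),
    Asset("bucket", "example-backups", (("public", False),)),
    Asset("host", "dev-01.example.com", (("open_to_world", (443,)),)),
]
CURRENT = [
    Asset("subdomain", "www.example.com"),
    Asset("subdomain", "staging-old.example.com"),  # new: nobody remembers it
    Asset("bucket", "example-backups", (("public", True),)),
    Asset("host", "dev-01.example.com", (("open_to_world", (443, 22)),)),
]
```

Running `diff_alerts(PREVIOUS, CURRENT)` yields three alerts, each of which would be routed to the same queue as a SIEM detection.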
ASM has become a board-level conversation since the EU NIS2 Directive (enforceable from October 2024) and the SEC's 2023 cyber disclosure rule explicitly require organisations to know what their attack surface is before they can defend it. See VAPT services for assessment of the assets ASM discovers, and supply chain attacks 2026 for the third-party angle.