
Attack surface management is straightforward in concept. The self-explanatory term boils down to flagging and safeguarding the entry points where threat actors could potentially attack an enterprise’s IT infrastructure.

That’s where the simplicity ends. Attack surface management (ASM) calls on enterprises to continuously scan and identify possible exposures, recommend remediation steps and monitor an organization’s IT environment for emerging threats. The goal is to discover IT assets wherever they exist and provide cybersecurity professionals visibility into potential vulnerabilities. Those vulnerabilities could stem from physical IT assets within a business, digital assets exposed to the internet, third-party vendors’ infrastructures and extended supply chains.

The task is difficult, but there’s a vital payoff: Ongoing surveillance of the IT environment helps chief information security officers (CISOs) and other cybersecurity professionals shrink the attack surface, address security gaps and prevent attacks.

The data explosion stemming from AI adoption makes ASM systems necessary, said Rinki Sethi, chief security and strategy officer at cloud security platform provider Upwind. “You are looking at so much information,” she explained. “[Determining] what’s important to be remediated or resolved needs some type of technology. There is no human way.” Sethi joined Upwind in June 2025, previously holding CISO roles at Twitter and Bill, a financial operations platform company.


Importance of attack surface management

ASM has become increasingly important in recent years. The acceleration of digital transformation and remote work during the COVID-19 pandemic significantly increased attack surfaces. The same can be said for the expanding use of cloud and edge computing. More recently, the surge in AI use has created new vulnerabilities regarding large language models (LLMs) and the data used to train them.

The expanding scope and complexity of IT require a comprehensive overview of assets — and increases the need for attack surface management as a cybersecurity practice.

Another consideration is an evolving roster of threats seeking to exploit vulnerabilities across sprawling IT estates. Ransomware as a service, nation-state threat actors targeting critical infrastructure, phishing attacks, malicious insiders and the prospect of quantum computers breaking today's public-key cryptography (driving the migration to post-quantum cryptography) are just a few of the concerns for enterprises. ASM’s continuous monitoring puts cybersecurity managers on a more proactive footing, helping them address vulnerabilities and prepare for the next onslaught.

“ASM is good at showing you what the attacker would see at first glance about your organization,” said Pete Shoard, an analyst at Gartner. “It provides an attacker’s eye view of the outside of your organization or the digital assets your organization has.”

Graphic summarizing common attack vectors.
Large language models and their training data have expanded the attack surface.

Comparing attack surface vs. threat surface vs. vulnerability management

The terms attack surface and threat surface are often used interchangeably. In some industry sectors, attack surface nomenclature appears to have wider recognition. For example, NIST, a U.S. federal government agency that provides cybersecurity guidelines widely used in the public and private sectors, publishes a definition for attack surface but not threat surface. NIST’s glossary definitions are drawn from documents such as NIST SP 800-53 Rev. 5, its catalog of security and privacy controls for information systems and organizations.

Some cybersecurity vendors, however, distinguish between attack surface and threat surface. Palo Alto Networks, for instance, defines attack surface as including “all possible vulnerabilities within an organization, whether actively exploited or not.” The vendor describes threat surface as focusing “specifically on the vulnerabilities currently targeted by cybercriminals.”

ASM and vulnerability management, meanwhile, are interrelated fields with the same general objective of reducing attack surfaces and improving an organization’s security posture. Attack surface management takes a broader view: The practice looks for potential weaknesses in a dynamic threat landscape, while vulnerability management tends to focus on known vulnerabilities. But the two approaches can work together to cover immediate risks while averting anticipated problems.

Types and components of an attack surface

An organization’s attack surface is the complete list of all points where a security exploit might occur. Types of attack surfaces include the following.

Digital attack surface. This area revolves around software vulnerabilities and network-connected entry points. Components include the following:

  • Application programming interfaces.
  • Cloud-based infrastructure.
  • Internet-facing assets.
  • Misconfigured software.
  • SaaS applications.
  • Shadow IT/shadow AI.
  • Web applications.

Physical attack surface. This category spans hardware vulnerabilities and physical access points. Components include the following:

  • Desktops, laptops and other endpoints.
  • Enterprise storage systems.
  • Operational technology and IoT systems.
  • Removable media.
  • Servers.
  • Server rooms.

Human/social engineering attack surface. This area involves attacks that exploit human behavior and social engineering practices to access systems and data. Components include the following:

  • Business email compromise.
  • Deepfakes.
  • Phishing/spear phishing.
  • Smishing.
  • Vishing.

Third-party attack surface. This area comprises an enterprise’s suppliers, vendor partners and other entities that provide technology products or services, and extends to those entities’ own upstream suppliers in the broader supply chain. Components include the following:

  • Cloud provider vulnerabilities.
  • Software dependencies.
  • Supply chain vulnerabilities.
  • Vendor-managed assets.
  • Vendors’ regulatory compliance status.

Attack surface types and components often overlap. Phishing, for example, can be viewed as both a digital and a human attack surface.

Graphic summarizing attack surface management evaluation criteria.
Cybersecurity leaders have several ASM evaluation factors to consider.

Challenges for attack surface management

Enterprises and their cybersecurity leaders must consider the following factors when devising ASM strategies.

Vast and complex IT resources

Perhaps the top challenge of ASM is that there’s so much surface to manage. The enterprise IT footprint continues to grow, as does its intricacy.

Given the heterogeneity and complexity of today’s technology, businesses face a difficult oversight task, said Nidhi Rastogi, assistant professor in the Department of Software Engineering at Golisano College of Computing and Information Sciences at the Rochester Institute of Technology. “Not everybody has the core knowledge or expertise in integrating these different environments together,” she said.

Evolving attack vectors

Businesses face attack vectors, from cloud misconfigurations to zero-day vulnerabilities, that are “growing in variety and volume,” according to a May 2025 report on attack surface management by KuppingerCole Analysts.

Traditional reactive cybersecurity methods can’t effectively deal with the expanding set of sophisticated attack vectors. “Although reactive cybersecurity measures are still common,” the report noted, “they leave significant gaps because they only respond after damage has occurred.”

The rise of AI in the enterprise


IT environments incorporating the latest LLMs have much more to monitor, Rastogi said. “The attack surface is getting expanded because of AI playing such a pivotal role,” she explained. “And when you say AI, it means both the models, as well as the data, which is training these large models [and] GPUs powering these language models.”

Leon Bian, vice president of product development, data security solutions, at Capital One Software, also noted AI’s introduction of rapidly evolving attack surfaces. He cited models, APIs, data pipelines and training environment as potential entry points. “Threats can include prompt injection, model inversion, data poisoning and unauthorized access to sensitive training data,” Bian said.

Capital One Software is the enterprise software business of financial services company Capital One.

The need to extend ASM

AI systems might handle highly sensitive logic and data, but many of their components operate outside the traditional scope of attack surface management, according to Bian. This challenge requires businesses to extend ASM to cover AI assets, he said, noting that tasks include tracking where models are deployed and securing the APIs that expose them.

“Securing AI systems,” he said, “must become a core part of any modern ASM strategy — and better yet, any cybersecurity program.”

Addressing ASM’s ‘last mile’

“The deployment of an attack surface management product is not the difficult part,” Sethi said. “If you sit down with a practitioner, the toughest part is what I call the last mile. You have these tools giving you signals, so you know where you have problems. What does a security practitioner do once they know about an issue?”

The required actions include validating whether a particular signal is indeed an actual issue, determining who owns the problem and tracking its resolution within an organization’s service level agreement, Sethi said, adding that these tasks are highly manual within security teams. “That takes a tremendous amount of time,” she said. “That’s the piece that really needs to be solved.”

Best practices for attack surface management

Enterprises can adopt best practices to address expanding attack surfaces and cyberthreats. CISOs and other cybersecurity managers should consider these five approaches.

1. Select the appropriate ASM approach

Selecting the right ASM approach to implement is a fundamental best practice, Shoard noted. Businesses must understand their most significant concerns and the types of attacks they aim to prevent.

Shadow IT is a common theme in that regard, Shoard said. An enterprise that doesn’t know where all its assets reside also doesn’t know what’s exposed to attackers. In that case, external attack surface management might be the place to start. EASM tools and processes discover internet-facing assets and flag vulnerabilities that threat actors could exploit, according to Gartner.

Shoard said enterprises concerned with insiders or lacking good configuration management database visibility might turn to cyber asset attack surface management (CAASM) offerings, which focus on internal assets and exposures, as well as external issues. Businesses worried about leaked credentials or brand imitation attacks might adopt digital risk protection services, he added. Those tools seek to shield digital assets from data breaches and reputational harm.
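The shadow IT problem Shoard describes is, at bottom, a reconciliation problem: compare what an external scan can see against what the organization thinks it owns. The following added example (not code from Gartner, any ASM vendor or the original article) shows that reconciliation on constructed data. The discovered records, the CMDB entries, the hostnames and the address ranges are all invented for illustration; the RFC 5737 documentation ranges stand in for real public address space. It flags hosts that appear externally but not in inventory, known hosts exposing ports the inventory does not expect, and hosts that resolve to addresses outside the organization's own ranges, which often indicates a forgotten third-party hosting arrangement or a dangling DNS record.

```python
"""Reconcile externally discovered assets against an internal inventory.

Added illustration only. All hosts, addresses, records and CMDB entries
below are constructed, not taken from any real organization or ASM product.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample of what an external attack surface scan might return:
# certificate transparency log entries, DNS answers and port-scan results,
# expressed in a made-up JSON shape. One host can appear several times.
DISCOVERED = json.loads("""[
  {"host": "www.example.test", "ip": "203.0.113.10", "ports": [443], "source": "dns"},
  {"host": "www.example.test", "ip": "203.0.113.10", "ports": [80], "source": "scan"},
  {"host": "api.example.test", "ip": "203.0.113.11", "ports": [443], "source": "ct-log"},
  {"host": "api.example.test", "ip": "203.0.113.11", "ports": [22], "source": "scan"},
  {"host": "old-staging.example.test", "ip": "203.0.113.50", "ports": [22, 8080], "source": "ct-log"},
  {"host": "jenkins.example.test", "ip": "198.51.100.7", "ports": [8080], "source": "dns"}
]""")

# Constructed sample of the CMDB's view of internet-facing assets.
CMDB = {
    "www.example.test": {"owner": "web-platform", "expected_ports": {80, 443}},
    "api.example.test": {"owner": "api-team", "expected_ports": {443}},
}

# Constructed list of address ranges the organization knows it controls.
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def merge_records(discovered):
    """Collapse per-source records into a single view per hostname."""
    merged = defaultdict(lambda: {"ips": set(), "ports": set(), "sources": set()})
    for rec in discovered:
        entry = merged[rec["host"].lower().rstrip(".")]
        entry["ips"].add(rec["ip"])
        entry["ports"].update(rec["ports"])
        entry["sources"].add(rec["source"])
    return merged


def reconcile(discovered, cmdb, owned_ranges):
    """Return a list of findings describing gaps between scan and inventory."""
    findings = []
    for host, info in sorted(merge_records(discovered).items()):
        known = cmdb.get(host)
        if known is None:
            # Seen from the outside but unknown to the inventory: shadow IT candidate.
            findings.append({"host": host, "kind": "unknown_asset",
                             "detail": ",".join(sorted(info["sources"]))})
        else:
            # Known host, but exposing a service the inventory does not expect.
            for port in sorted(info["ports"] - known["expected_ports"]):
                findings.append({"host": host, "kind": "unexpected_port", "detail": str(port)})
        for ip in sorted(info["ips"]):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in owned_ranges):
                # Name under our domain resolves to space we do not own.
                findings.append({"host": host, "kind": "ip_outside_owned_ranges", "detail": ip})
    return findings


if __name__ == "__main__":
    for f in reconcile(DISCOVERED, CMDB, OWNED_RANGES):
        print(f"{f['kind']:<24} {f['host']:<28} {f['detail']}")
```

In practice the discovered side would come from the EASM tool's export or API and the inventory side from the CMDB; the reconciliation logic stays the same. The point of merging per host first is that a single name often shows up from several sources, and an "unknown asset" is only meaningful once all of them have been combined.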

2. Keep ‘tool sprawl’ in check

ASM technology comes in various flavors, and adjacent technologies also contribute to protecting the attack surface. Organizations should seek ASM offerings that don’t contribute to tool sprawl or technical debt, said Mir Kashifuddin, partner in PwC’s data risk and privacy practice.

Indeed, recent research suggests businesses have started to focus their cybersecurity spending on ASM and related technologies. The “2025 State of Cybersecurity Report,” published in June by consultancy Wipro, noted that enterprises are “consolidating their budgets and allocating funds toward sectors within attack surface management.” Sectors include CAASM, exposure management, continuous threat exposure management, penetration testing as a service and other ASM offerings.

Simplification is emerging as a strategic imperative, said Vinodh Kumar Allam, a practice partner in Wipro’s cybersecurity and risk services. Consolidating tools and platforms, along with unified asset management and threat detection strategies, improves monitoring and centralizes control, he added.

Diagram providing tips on reducing attack surfaces.
Identifying assets and remediating entry points helps shrink attack surfaces.

3. Keep ASM’s scope in check

ASM offerings can potentially gather enormous amounts of data, which Shoard said can create more problems than it solves. Businesses should focus their use of ASM technology. “One of the core best practices is to be very directional,” Shoard advised. “Don’t go looking for problems you don’t have the resources or the desire to fix.”

4. Replace outmoded security models

With attack surfaces expanding, old ways of threat modeling might not suffice. “We used to have attack trees,” Rastogi said, referring to hierarchical diagrams used to show ways an attacker might compromise an IT asset. “I don’t think that would apply today because of the attack surface getting expanded.”

Instead, Rastogi suggested NIST’s AI Risk Management Framework, which provides an approach similar to attack trees and a way to understand complex attack vectors and attack surfaces. “I think this is the first place where we can start looking at how to manage this kind of environment,” she said.

5. Recognize the limits of ASM

Attack surface management tools are highly assumptive and will identify a problem based on, for example, the version number of the software they discover, Shoard said. But the technology doesn’t necessarily validate such findings.

“Don’t trust anything ASM tells you in isolation,” he cautioned. “You can’t just blankly accept the findings.” Instead, enterprises should consider ASM as a valuable starting point for identifying which potential exposures require deeper scans and assessing whether a genuine security gap exists, he noted.
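Shoard's caution about version-based findings and Sethi's "last mile" (validating a signal, finding the owner and tracking the SLA) fit together in one workflow. The following added example, which is not code from any ASM product, Gartner, Upwind or the original article, shows that workflow on constructed data. The product name examplehttpd, the advisory identifier EXAMPLE-ADV-1, the fixed version, the hosts, the banners, the inventory and the SLA table are all invented for illustration. The validation rule it applies is a real-world one: a banner whose version string carries a distribution package revision (for example a Debian-style "-3+deb12u2" suffix) may already contain a backported fix without the upstream version changing, so a version comparison alone is not proof of exposure and the finding is marked as needing validation rather than being filed as confirmed.

```python
"""Triage version-based ASM findings before filing tickets.

Added illustration only. The product, advisory, banners, hosts, owners and
SLA policy below are constructed and do not describe any real software.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed advisory rule: versions of the product below FIXED are affected.
ADVISORY = {"id": "EXAMPLE-ADV-1", "product": "examplehttpd", "fixed": (2, 4, 0), "severity": "high"}

# Constructed inventory of asset owners. host-d is deliberately missing.
INVENTORY = {
    "host-a.example.test": "web-platform",
    "host-b.example.test": "web-platform",
    "host-c.example.test": "api-team",
}

# Constructed SLA policy: days allowed to remediate, by severity.
SLA_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": 90}

# Constructed raw ASM output: the service banner observed on each host.
BANNERS = {
    "host-a.example.test": "examplehttpd/2.2.9",
    "host-b.example.test": "examplehttpd/2.3.1 (Debian 2.3.1-3+deb12u2)",
    "host-c.example.test": "examplehttpd/2.4.1",
    "host-d.example.test": "examplehttpd/2.0.0",
    "host-e.example.test": "otherd/1.0",
}

# Fixed reference time so SLA due dates are reproducible.
EXAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)/(?P<version>\d+(?:\.\d+)*)(?P<rest>.*)$")
# A distro package revision such as "2.3.1-3+deb12u2" in the banner hints that
# the vendor may have backported fixes without bumping the upstream version.
BACKPORT_HINT_RE = re.compile(r"\d+(?:\.\d+)*-\d+(?:\+[a-z]+\d+u\d+)?")


def parse_banner(banner):
    """Return (product, version tuple, backport_hint) or None if unparseable."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    version = tuple(int(x) for x in m.group("version").split("."))
    return m.group("product"), version, bool(BACKPORT_HINT_RE.search(m.group("rest")))


def assess(host, banner, advisory):
    """Turn a banner into a finding, or None if the advisory does not apply."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    product, version, backport_hint = parsed
    if product != advisory["product"] or version >= advisory["fixed"]:
        return None
    # The version comparison is the assumptive part: a backported fix would
    # leave the banner unchanged, so such hosts need hands-on validation.
    status = "needs_validation" if backport_hint else "likely_affected"
    return {"host": host, "advisory": advisory["id"],
            "version": ".".join(map(str, version)), "status": status}


def triage(banners, advisory, inventory, sla_days, now):
    """Attach owner and SLA due date to each finding; this is the 'last mile'."""
    tickets = []
    for host, banner in sorted(banners.items()):
        finding = assess(host, banner, advisory)
        if finding is None:
            continue
        owner = inventory.get(host)
        finding["owner"] = owner or "unassigned"
        finding["owner_known"] = owner is not None
        due = now + timedelta(days=sla_days[advisory["severity"]])
        finding["due"] = due.date().isoformat()
        tickets.append(finding)
    return tickets


if __name__ == "__main__":
    for t in triage(BANNERS, ADVISORY, INVENTORY, SLA_DAYS, EXAMPLE_NOW):
        print(f"{t['host']:<22} {t['version']:<6} {t['status']:<17} owner={t['owner']:<13} due={t['due']}")
```

Two of the outcomes are the ones Sethi and Shoard each describe: host-b is held back as unvalidated instead of being pushed straight into a ticket, and host-d surfaces as a finding with no known owner, which is exactly the manual lookup an analyst would otherwise have to do before the SLA clock can meaningfully start.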

How to choose an attack surface management tool

ASM is a complex field, and cybersecurity leaders must consider several evaluation factors when selecting a tool. Here’s a sampling of criteria:

  • Integration with other cybersecurity tools. Osman Celik, a research analyst at KuppingerCole Analysts, emphasized the importance of integration as an evaluation factor. “It is not realistic to expand ASM to fix all the problems you might have,” he said. “One of the first things customers need to take a look at is if ASM is able to provide connectors to other cybersecurity tools.” He specifically cited integration with security orchestration, automation and response, IT service management or other detection-and-response tools.
  • Links to upstream scanners. Shoard pointed to API integration with an upstream scanner, such as an exposure assessment platform. “You don’t want to pick up all the findings from ASM and manually import them into the next stage of the assessment,” he said.
  • Third-party risk capabilities. Celik said third-party risk management (TPRM) capabilities are becoming increasingly important, although not currently a common practice. “You will have a better view of the partner landscape,” he said, referring to TPRM features. “There is no single company now around doing business by itself.”
  • Incident ticket generation. Customers should look for an ASM tool’s ability to generate a case or incident ticket, Shoard said. Tickets help security organizations record findings and track issue resolutions, he added.
  • Remediation features. Remediating the issues uncovered by an attack surface management tool is an important feature for customers. “Remediation capabilities are central to effective ASM and are consistently cited as a top customer priority,” according to the May 2025 ASM report by KuppingerCole Analysts.
  • Innovation. Technology evaluators should also consider an ASM platform’s commitment to innovation. That could mean judicious use of AI or expanded automation capabilities, among other developments. Sethi sees ASM’s future in AI. AI agents, she noted, have the potential to take on surface management tasks humans handle manually today. Those chores range from filing tickets to remediating issues.

Existing ASM products “will do the scanning, find the issues, but they leave you with everything after that — the hands-on-keyboard part,” Sethi said. “Some of those tools don’t provide enough context on what a developer or DevOps person needs to do to fix these things.”

In this context, an AI agent could pull all the necessary information from sources human security personnel would typically access. A security analyst, for example, might look up an asset owner on the organization’s intranet or visit vendor websites to validate an ASM tool’s suggested fixes.

“You should be able to automate all of that [and] have an agent decide what needs to be done,” Sethi said. A human might still be in the loop and give the tool the okay to file a ticket, assign it to the owner and point to the SLA, she added.

Celik, meanwhile, said he’s seeing early signs of innovation in automated remediation. He said ASM vendors’ remediation capabilities have typically involved providing recommendations, step-by-step guidance on how to mitigate a vulnerability or proactively shut down a threat. A human, however, would need to follow those steps. But now, a handful of vendors pursue automation in this area.

“There are some solutions that are already offering automated remediation without any security team member involved,” Celik said. “Some of them are very promising.”

Innovation helps enterprises prepare for the inevitable changes ahead in cybersecurity. KuppingerCole Analysts includes innovation in its assessments of ASM technology providers. “Those vendors that score higher on innovation,” Celik said, “are more likely to be future proof.”

John Moore is a writer for Informa TechTarget covering the CIO role, economic trends and the IT services industry.