ASM (Attack Surface Management) #
ASM (Attack Surface Management) is the security discipline aimed at continuously discovering, inventorying, prioritizing, and remediating every entry point — every part of the organization's attack surface — that an attacker can see from outside. The core idea is: understand what your organization looks like from the outside before the attacker does.
ASM only emerged as a distinct discipline and market around 2018-2020. Before that, it was treated as a subset of vulnerability management or IT asset management. What changed is that cloud, SaaS, M&A, shadow IT, and remote work made it normal for organizations to not even know what assets they owned. The slogan that captures the industry consensus is "you can't protect what you don't know exists."
This article frames "what ASM is and why it became a separate discipline," covering: the definition of attack surface, the three sub-categories under ASM (EASM / CAASM / DRPS), the discovery techniques (SVG 1), the territory map of the three sub-categories (SVG 2), the ASM operational lifecycle, canonical incidents, the major vendors, and the recurring failure modes in practice. Unlike the ransomware or trojan articles, the lens here is terrain awareness before compromise, not response after it.
1. What is "attack surface" — definitions and axes #
Attack surface is "the set of all points where an attacker can try to do something to the organization." NIST defines it as "the set of points on the boundary of a system, system element, or environment where an attacker can try to enter, cause an effect on, or extract data from." In practice, the surface gets sliced along three independent axes:
| Axis | Category | Examples |
|---|---|---|
| Visibility | External | Anything reachable from the internet: web apps / APIs / VPN / mail gateways / public S3 |
| Visibility | Internal | Inside the corporate network: AD / business servers / endpoints / printers / IoT |
| Awareness | Known (in CMDB / inventory) | Officially provisioned and operated assets |
| Awareness | Unknown | Shadow IT / leftovers from old projects / M&A subsidiaries / clouds spun up by departments |
| Medium | Digital | Servers / apps / SaaS tenants / code / data |
| Medium | Physical | Data centers / buildings / USB ports / ATMs / signage |
| Medium | Human / Social | Employees and partners: entry points for phishing and social engineering |
ASM focuses heavily on the "External × Unknown × Digital" cell: assets the attacker can see from the internet but the organization doesn't know it owns. Several of the headline breaches of recent years started in or next to that cell: Capital One (2019) in an exposed cloud resource, MOVEit (2023) in an internet-facing transfer server, Snowflake (2024) in SaaS tenants nobody had counted as attack surface.
Risk does not scale with the size of the attack surface. One forgotten admin console is a better target than ten thousand well-managed servers. ASM is fundamentally about terrain awareness (what is where, and what the attacker can see), not asset count.
2. Why ASM became a distinct discipline #
ASM split off from vulnerability management because the structure of the corporate attack surface changed in the late 2010s and into the 2020s.
(1) Cloud and SaaS explosion. In the on-prem era, "the company's IP range" was a workable approximation of the attack surface. Today AWS / Azure / GCP accounts are spread across dozens or hundreds of tenants, and SaaS tenants (Salesforce, Workday, Slack, Notion, Snowflake) are signed up for by marketing teams. The network perimeter has dissolved and "our IP range" no longer even exists as a coherent concept.
(2) M&A. Large enterprises inherit a significant share of their attack surface from acquired subsidiaries. The acquirer cannot inventory the new assets immediately, so a flood of unknown entry points arrives at once. Marriott's 2018 disclosure (initially 500M records, later revised to roughly 383M) was traced to the Starwood reservation system, which had been compromised in 2014, before the 2016 acquisition closed.
(3) Shadow IT. A team opens an AWS account without CISO approval to run a POC and forgets about it. The person who registered a domain leaves, but auto-renew keeps it alive for years under the company name, with DNS records pointing at resources nobody maintains. Over time, assets that no one can clearly own, but that demonstrably operate under the company name, keep accumulating.
(4) Remote work. From COVID-19 (2020) onward, internal servers got published behind VPNs in a hurry, and employees' home equipment became part of the work surface. The physical inside/outside distinction that perimeter defense relied on collapsed.
(5) The attacker economy. Initial Access Brokers (IABs) turned "a working foothold" into a tradable commodity: one group finds and compromises exposed assets, other groups buy the access and run the intrusion. Shodan / Censys give the first group a constantly refreshed map of newly exposed, vulnerable assets, and honeypot measurements routinely show a newly exposed IP receiving its first unsolicited probes within minutes of going live.
The combined effect is that no large organization can claim to have a complete inventory of its own attack surface anymore. ASM is the discipline that takes this as a given and pivots from "achieve perfect inventory" to "keep watching from the outside the way an attacker does, and detect the deltas."
3. EASM / CAASM / DRPS — three sub-disciplines #
ASM is in practice not one market but three closely related markets, sitting under the same umbrella.
SVG 2, reproduced as a table: the three sub-disciplines under ASM, covering the external view (EASM), the unified internal+external inventory (CAASM), and the surrounding threat environment (DRPS).
| | EASM | CAASM | DRPS |
|---|---|---|---|
| Full name | External Attack Surface Management | Cyber Asset Attack Surface Management | Digital Risk Protection Services |
| Input | A seed domain; the rest expands automatically | APIs of AWS / Azure / GCP / AD / EDR / MDM / Okta / GitHub / SaaS | Phishing domains, social media, fake apps, GitHub, leak sites |
| Output | Open ports / certs / CVEs; public cloud storage misconfigs | Coverage gaps ("endpoints without EDR installed") | Brand impersonation detection; RaaS leak-site mentions |
| Strength | Works on M&A targets from day 1 | Makes coverage gaps visible | Sees threats that never touch your own assets |
| Weakness | Attribution false positives | Misses shadow IT | Hard to translate into action |
| Vendors | Defender EASM (Microsoft), Censys ASM, Mandiant ASM, CrowdStrike Falcon Surface | runZero, Sevco, Lansweeper, ServiceNow CMDB (extended) | ZeroFox, Flashpoint, Cyberint, Intel 471 |
The three increasingly overlap; the current trend is to bundle them as one ASM platform, framed under CTEM (Continuous Threat Exposure Management).
One-sentence each:
- EASM — "look at your footprint from the outside." Scans the internet from the attacker's vantage point. Discovering unknown public assets is the primary goal.
- CAASM — "consolidate the data you already have." Pulls from the APIs of every existing security / IT tool and builds a unified inventory. Lets you run cross-cutting queries like "endpoints without EDR installed."
- DRPS — "watch the threats surrounding you." Dark web, phishing domains, impersonation on social, leak sites. Threats that don't necessarily use your own assets but concern your organization.
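The CAASM cross-cutting query above is, mechanically, a join across tool exports that name the same machine differently. The following is an added example written for this article, not code from any CAASM product; the five source exports are constructed, and the short-hostname join key is a simplification (two hosts called `www` in different zones would collide, so real deployments join on several keys such as MAC, serial, cloud instance ID).

```python
"""CAASM-style inventory join: the same asset seen through several tools.

Added example, not from any CAASM product. The source exports below are constructed;
the point is the normalisation step, because AD emits FQDNs, EDR emits short names,
and EASM emits public DNS names, so no naive string comparison lines them up.
"""
from collections import defaultdict

# Constructed exports (one identifier per record; real exports carry many more fields)
SOURCES = {
    "ad":   ["WS-1042.corp.example.com", "WS-1043.corp.example.com",
             "SRV-DB01.corp.example.com", "ws-2000.corp.example.com"],
    "edr":  ["ws-1042", "srv-db01", "LAPTOP-X9"],
    "mdm":  ["WS-1043.corp.example.com", "LAPTOP-X9.corp.example.com"],
    "cmdb": ["srv-db01", "www", "portal"],
    "easm": ["www.example.com", "portal.example.com", "legacy-vpn.example.com"],  # the outside view
}

def normalize(identifier: str) -> str:
    """Case-fold and reduce to the short hostname so FQDN and NetBIOS-style names join."""
    return identifier.strip().lower().split(".")[0]

def build_inventory(sources=SOURCES) -> dict:
    """short-name -> set of sources that know about it."""
    inv = defaultdict(set)
    for source, records in sources.items():
        for rec in records:
            inv[normalize(rec)].add(source)
    return dict(inv)

def seen_in_but_not(inv: dict, present: str, absent: str) -> set:
    """Cross-cutting query: assets known to `present` that `absent` has no record of."""
    return {name for name, srcs in inv.items() if present in srcs and absent not in srcs}

def unknown_externals(inv: dict, internal=("ad", "cmdb", "mdm", "edr")) -> set:
    """The External x Unknown cell: EASM sees it, no internal system of record does."""
    return {name for name, srcs in inv.items() if "easm" in srcs and not srcs.intersection(internal)}

if __name__ == "__main__":
    inv = build_inventory()
    print("endpoints without EDR:", sorted(seen_in_but_not(inv, "ad", "edr")))
    print("EDR agents on machines AD does not know:", sorted(seen_in_but_not(inv, "edr", "ad")))
    print("public assets with no internal record:", sorted(unknown_externals(inv)))
```

The same `seen_in_but_not` call answers the inverse questions too ("EDR agents on machines the domain does not know" is the shadow-IT signal CAASM does catch), and `unknown_externals` is the handoff point where an EASM discovery becomes a CAASM ticket.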
From 2024 onward, Gartner's CTEM (Continuous Threat Exposure Management) framework, introduced in 2022, is increasingly used to put the whole ASM space into one loop: scoping → discovery → prioritization → validation (pen testing, attack simulation) → mobilization (response), run as a single continuous cycle.
4. Discovery techniques — how the surface expands from a seed #
How does an EASM tool, given just one domain (a seed), discover an entire company's attack surface? It automates and scales the attacker's reconnaissance techniques, chaining multiple data sources together through pivoting.
The attribution step (⑤ in SVG 1) is the make-or-break. Reporting another company's asset as yours destroys the credibility of the entire ASM program. What separates EASM vendors is not raw discovery breadth but attribution accuracy.
Common attribution signals:
- Favicon hash (MurmurHash3; Shodan's convention is mmh3 over the base64-encoded favicon): sites returning the same favicon likely share the org's template. Weak on its own, because default framework and appliance favicons (nginx, Jenkins, vendor gateways) match thousands of unrelated hosts
- JARM (active TLS server fingerprint): same TLS stack configuration → possibly the same infrastructure. Weak evidence, because every tenant behind the same CDN or load balancer shares a JARM
- Certificate SAN (Subject Alternative Name): a single certificate whose SAN list spans several domains ties them together with high confidence, and a wildcard entry (*.example.com) claims a whole subdomain tree. Certificate Transparency logs make this searchable without touching the host
- HTML template similarity: sites built on the same internal base HTML
- WHOIS / RDAP contacts: reverse lookup by registrant email or org name (often blocked by WHOIS privacy)
- Shared authoritative DNS: sites using the same NS records. Strong only when the NS are org-operated, not a shared provider such as Route 53 or Cloudflare
Censys, Shodan, SecurityTrails, and DomainTools are the data-layer foundation. EASM vendors run their own scans too, but the de-facto internet-wide scan infrastructure is held by Shodan and Censys, and a number of EASM products license or query their data under the hood.
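How the signals above combine into a confidence tier, and how a certificate match becomes the next pivot, is easier to see in code. This is an added example written for this article, not any EASM vendor's scoring model: the MurmurHash3 implementation reproduces the Shodan favicon-hash convention (mmh3 over `base64.encodebytes` output), but the host records, favicon bytes, `JARM-*` strings, `WEIGHTS` and tier thresholds are constructed or assumed for illustration. It also covers the attribution false positive discussed later in section 9: a host that matches only on JARM (same CDN edge) stays in the "low" tier.

```python
"""Attribution scoring over EASM candidate hosts (added example, not vendor code).

Signals: Shodan-style favicon hash (MurmurHash3 x86_32 over the base64-encoded
favicon), certificate SAN overlap with known org domains, org-operated NS, JARM.
Host records, favicon bytes, JARM strings, WEIGHTS and tiers are constructed/assumed.
"""
import base64
from dataclasses import dataclass
from typing import Optional
MASK = 0xFFFFFFFF

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as the signed 32-bit value Shodan displays."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h, n = seed & MASK, len(data)
    for i in range(0, n - n % 4, 4):            # full 4-byte blocks, little-endian
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & MASK
        k = ((k << 15) | (k >> 17)) & MASK
        k = (k * c2) & MASK
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK
        h = (h * 5 + 0xE6546B64) & MASK
    tail, k = data[n - n % 4:], 0
    for j, b in enumerate(tail):                # 1-3 trailing bytes
        k ^= b << (8 * j)
    if tail:
        k = (k * c1) & MASK
        k = ((k << 15) | (k >> 17)) & MASK
        k = (k * c2) & MASK
        h ^= k
    h ^= n; h ^= h >> 16                        # fmix32 finalisation
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(favicon: bytes) -> int:
    """Shodan convention: hash the base64 text with a newline every 76 chars (encodebytes)."""
    return murmur3_32(base64.encodebytes(favicon))

@dataclass(frozen=True)
class Host:
    name: str
    favicon: Optional[bytes]
    san: tuple            # names on the served certificate
    ns: tuple             # authoritative NS of the host's zone
    jarm: str

@dataclass(frozen=True)
class OrgProfile:
    domains: frozenset    # seed domains confirmed to belong to the org
    favicon_hashes: frozenset
    ns: frozenset         # NS the org runs itself; leave empty when DNS is on a shared provider
    jarm: frozenset

WEIGHTS = {"san": 0.6, "favicon": 0.3, "ns": 0.25, "jarm": 0.1}   # assumed, not a vendor formula

def _under_org(name: str, domains) -> bool:
    bare = name[2:] if name.startswith("*.") else name
    return any(bare == d or bare.endswith("." + d) for d in domains)

def attribute(host: Host, org: OrgProfile):
    """Return (score, tier, evidence). A JARM match alone can never lift a host above 'low'."""
    evidence = []
    if any(_under_org(n, org.domains) for n in host.san):
        evidence.append("san")
    if host.favicon is not None and favicon_hash(host.favicon) in org.favicon_hashes:
        evidence.append("favicon")
    if host.ns and org.ns and set(host.ns) <= org.ns:
        evidence.append("ns")
    if host.jarm in org.jarm:
        evidence.append("jarm")
    score = min(1.0, sum(WEIGHTS[e] for e in evidence))
    tier = "high" if score >= 0.6 else "medium" if score >= 0.3 else "low"
    return round(score, 2), tier, evidence

def pivot_domains(host: Host, org: OrgProfile) -> list:
    """New seeds: other registrable domains on a cert that already names an org domain.
    'Last two labels' stands in for the Public Suffix List, which real code must use."""
    if not any(_under_org(n, org.domains) for n in host.san):
        return []
    found = {".".join(n.lstrip("*.").split(".")[-2:]) for n in host.san}
    return sorted(d for d in found if d not in org.domains)

# Constructed sample data, not real scan results
ORG_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10" + bytes(range(64))
ORG = OrgProfile(frozenset({"example.com"}), frozenset({favicon_hash(ORG_FAVICON)}),
                 frozenset({"ns1.example.com", "ns2.example.com"}), frozenset({"JARM-ORG"}))
CANDIDATES = [
    Host("portal.example.com", ORG_FAVICON, ("portal.example.com", "*.example.com"),
         ("ns1.example.com", "ns2.example.com"), "JARM-ORG"),
    Host("203.0.113.7", ORG_FAVICON, ("acme-payments.net", "pay.example.com"),
         ("ns-1.awsdns-00.com",), "JARM-ORG"),
    Host("othercorp.io", b"\x89PNG-other", ("othercorp.io",),          # same CDN edge: JARM only
         ("ns-1.awsdns-00.com",), "JARM-ORG"),
    Host("partner-shop.example.net", ORG_FAVICON, ("partner-shop.example.net",),  # shared template only
         ("ns-2.awsdns-11.net",), "JARM-OTHER"),
]
```

Running `attribute(h, ORG)` over `CANDIDATES` gives high / high / low / medium: the second host is attributed purely through its certificate, and `pivot_domains` returns `acme-payments.net` from that same certificate as the next seed to expand. The third host is the shared-CDN false positive; with these weights nothing short of a SAN or favicon match moves it, which is the behaviour you want before anyone files a takedown.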
5. The ASM lifecycle — don't stop at "discovery" #
A functioning ASM program runs a Discover → Inventory → Classify → Prioritize → Remediate → Continuous loop. Most ASM rollout failures stop at step ① — a list of discovered assets, with no one able to act on it, sitting in front of the CISO.
| Stage | What happens | Common failure |
|---|---|---|
| ① Discover | Find assets via the seed→expansion process above | Buy the tool, declare victory |
| ② Inventory | Push discovered assets into the CMDB / unified inventory (CAASM's domain) | EASM and CMDB drift out of sync |
| ③ Classify | Determine which business unit / department / person owns each asset | Many assets remain "no known owner" |
| ④ Prioritize | Rank by vulnerability + exposure + business criticality + KEV | Ranking by CVSS alone, ignoring KEV |
| ⑤ Remediate | Open tickets → fix → re-scan to confirm | Tickets pile up unowned, never close |
| ⑥ Continuous | Run the cycle continuously, new assets always appearing | One-time scan, never repeated |
"No known owner" is the single biggest operational obstacle. Owner left the company / department was reorganized / acquisition changed everything — and now there's an asset that's clearly the company's but has no human accountable. Block it and someone's job breaks; leave it and someone gets compromised.
The CISA KEV (Known Exploited Vulnerabilities) catalog is the modern standard for prioritization. A CVE actively exploited in the wild outranks a higher-CVSS CVE that isn't. Under CISA BOD 22-01 (2021), US federal agencies are required to remediate KEV-listed CVEs within stated deadlines. Many private-sector orgs now use KEV as an internal SLA basis.
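The prioritization rule in stage ④, with KEV outranking raw CVSS, as an added example written for this article rather than any vendor's scoring model. `KEV_JSON` follows the field names of the CISA KEV catalog feed (`cveID`, `dueDate`, `knownRansomwareCampaignUse`) but its entries are constructed; the `CVE-0000-*` identifiers are placeholders, and the weights and SLA days are assumed values for an internal policy.

```python
"""Exposure-aware prioritization of ASM findings (added example, not vendor code).

KEV_JSON mimics the field names of CISA's KEV catalog feed with constructed entries;
the findings, weights and SLA days are constructed / assumed. CVE-0000-* IDs are
placeholders, not real identifiers.
"""
import json
from dataclasses import dataclass
from typing import Optional

KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2023-4966",  "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2023-34362", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"}
]}"""

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    exposure: str            # "internet" or "internal"
    criticality: int         # business criticality 1 (low) .. 3 (crown jewel)
    owner: Optional[str]     # None = "no known owner"

def load_kev(text: str) -> dict:
    """Map cveID -> KEV record for O(1) lookup."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}

def priority(f: Finding, kev: dict) -> float:
    """Weighted score in [0, 1]: KEV membership and exposure dominate, CVSS is a tie-breaker."""
    s = 0.2 * f.cvss / 10
    if f.cve in kev:
        s += 0.4
        if kev[f.cve].get("knownRansomwareCampaignUse") == "Known":
            s += 0.1
    if f.exposure == "internet":
        s += 0.2
    s += 0.1 * (f.criticality - 1) / 2
    return round(s, 3)

def sla_days(f: Finding, kev: dict) -> int:
    """Assumed internal SLA: a KEV entry on the edge beats everything else."""
    if f.cve in kev:
        return 7 if f.exposure == "internet" else 14
    if f.exposure == "internet" and f.cvss >= 9.0:
        return 30
    return 90

def rank(findings, kev: dict) -> list:
    """Queue order, highest priority first. Ownerless items stay in the queue and get flagged."""
    return sorted(findings, key=lambda f: priority(f, kev), reverse=True)

def cvss_only_high(findings) -> list:
    """What a CVSS-only policy labels High/Critical (>= 7.0): the 'Everything is High' problem."""
    return [f for f in findings if f.cvss >= 7.0]

FINDINGS = [   # constructed findings
    Finding("vpn-gw.example.com",  "CVE-2023-4966",  9.4, "internet", 3, None),
    Finding("hr.corp.example.com", "CVE-0000-0001",  9.8, "internal", 2, "hr-it"),
    Finding("files.example.com",   "CVE-2023-34362", 9.8, "internet", 3, "it-ops"),
    Finding("www.example.com",     "CVE-0000-0002",  7.5, "internet", 1, "web"),
]

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for f in rank(FINDINGS, kev):
        flag = "  <-- no owner: route to ownership workflow" if f.owner is None else ""
        print(f"{priority(f, kev):.3f}  {sla_days(f, kev):>2}d  {f.asset:22} {f.cve}{flag}")
```

With these inputs the CVSS-only view calls all four findings High, while the ranked queue puts the two KEV entries on internet-facing hosts first (7-day SLA) and pushes the internal CVSS 9.8 to the bottom. The VPN gateway is also ownerless, which is why the queue flags it rather than dropping it: that is the stage ③ problem surfacing inside stage ④.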
6. ASM and attacker recon — same techniques, opposite hats #
The techniques EASM uses are nearly identical to the attacker's Reconnaissance phase. Techniques under MITRE ATT&CK TA0043 Reconnaissance such as T1590 Gather Victim Network Information, T1593 Search Open Websites/Domains, and T1596 Search Open Technical Databases describe exactly what an EASM platform does.
The only differences are who runs it and what they do with the results.
| | Attacker recon | EASM (defender) |
|---|---|---|
| Tools | Shodan / Censys / amass / subfinder / WHOIS | Shodan / Censys / amass / subfinder / WHOIS |
| Goal | Find a weak spot to break in | Find a weak spot to close before they do |
| Cadence | Once, during target selection | 24/7, continuous |
| Scope | The target organization | Own organization |
Relationship to bug bounty / pen testing. Bug bounty hunters function as an external ASM workforce. Many programs scope wildcards or "any asset owned by the company" rather than a fixed asset list, so hunter discoveries directly fill gaps the in-house ASM missed. Mature enterprises run both an ASM vendor and a bug bounty, each covering the other's blind spots.
Versus pen testing. Pen tests dig deep into a given scope; ASM defines the scope. A common-but-embarrassing reality is that organizations request a pen test and cannot answer "what is the scope?" ASM fills exactly that prerequisite.
7. Canonical incidents — where ASM would have helped #
| Year | Incident | ASM lesson |
|---|---|---|
| 2017 | Equifax (~147M records) | Unpatched Apache Struts (CVE-2017-5638) on an internet-facing portal. Asset inventory and vulnerability management weren't in sync |
| 2019 | Capital One (~100M records) | SSRF through a misconfigured WAF on an EC2 instance reached the instance metadata service and returned IAM role credentials, which were then used to read S3 buckets. No discipline of "what AWS resources are visible externally, and what can they reach" |
| 2020 | SolarWinds Orion | Targets were customers running SolarWinds. Drove home that "third-party software is part of your attack surface" |
| 2021 | ProxyLogon / ProxyShell (Exchange) | Hundreds of thousands of internet-facing Exchange servers (~250,000 by contemporary estimates), trivially enumerable on Shodan. With ASM, "our public Exchange servers" would have been the immediate priority list |
| 2021 | Colonial Pipeline | Initial access via a legacy VPN account that was no longer in use but still active, with a leaked password and no MFA. A textbook ASM problem: forgotten authentication endpoints |
| 2023 | MOVEit Transfer (Cl0p) | Zero-day (CVE-2023-34362) in internet-facing MOVEit Transfer. Shodan showed ~2,500 instances, and EASM vendors notified customers "this is your asset" within hours of public disclosure |
| 2023 | Citrix Bleed (CVE-2023-4966) | Exposed Citrix NetScaler ADC / Gateway. LockBit weaponized it widely, hitting Boeing and ICBC, among others |
| 2024 | Snowflake customer breaches (UNC5537) | Snowflake tenants without MFA, accessed with infostealer-harvested credentials; roughly 165 customers notified (AT&T, Ticketmaster, Santander among those reported). SaaS tenants are attack surface too, but few orgs put SaaS into their CMDB |
| 2024 | Fortinet / Ivanti / ScreenConnect zero-days | A run of zero-days in public VPN and remote-management products (FortiOS SSL VPN CVE-2024-21762, Ivanti Connect Secure CVE-2023-46805 / CVE-2024-21887, ConnectWise ScreenConnect CVE-2024-1709). Perimeter devices are the first thing attackers hit, making "complete inventory of edge devices" a core ASM job |
Common pattern: the foothold was an asset that was publicly exposed without the owner realizing it / had no clear patch owner / was a SaaS tenant the org didn't count as "in scope." Once a new hole appears, attackers' automation finds it almost immediately, so the contest is one of detection speed. Shodan and Censys give both sides the same map at the same time.
8. Vendors and tools — commercial and open source #
The ASM market is growing quickly, and Gartner has tracked EASM as a category of its own in its hype cycles and market guides since the early 2020s.
Commercial EASM:
- Cortex Xpanse (Palo Alto Networks; formerly Expanse, founded 2012 as Qadium, acquired 2020) — one of the earliest products, used by the US Department of Defense among others
- Microsoft Defender EASM (formerly RiskIQ, acquired 2021) — integrated with the Microsoft 365 / Defender ecosystem
- CrowdStrike Falcon Surface (formerly Reposify, acquired 2022)
- Censys ASM — built on Censys's own scanning fabric
- Mandiant Advantage Attack Surface Management (Google Cloud)
- Tenable Attack Surface Management — vulnerability-management vendor extending into ASM
- Qualys CyberSecurity Asset Management (CSAM) + EASM
- IONIX (formerly Cyberpion) — strong on supply-chain attack surface
Commercial CAASM:
- Axonius — effectively the CAASM reference vendor (hundreds of connectors)
- JupiterOne — graph-DB representation of asset relationships
- runZero — combines passive collection with agentless active scanning
- Sevco / Lansweeper / Panaseer
Commercial DRPS:
- Recorded Future — broad intelligence + DRPS
- ZeroFox — social-media / brand impersonation
- Flashpoint / Cyberint / Intel 471 — dark-web heavy
OSS (the same tools attackers use) — bread and butter for bug bounty and pen testing:
| Tool | Use |
|---|---|
| Amass (OWASP) | Subdomain enum + ASN pivoting + passive DNS in one |
| subfinder (ProjectDiscovery) | The subdomain enum standard (passive only) |
| assetfinder (TomNomNom) | Simple related-asset discovery |
| dnsx / httpx / naabu / katana (ProjectDiscovery) | Resolve, HTTP probe, port scan, crawl |
| nuclei (ProjectDiscovery) | Vulnerability template matching on discovered assets (extensive KEV template coverage) |
| httpx (-screenshot) / aquatone | Bulk screenshots — visually triage large asset sets |
| gau / waybackurls | Pull historical URLs from the Wayback Machine |
| trufflehog / gitleaks | Find leaked credentials in public repos (DRPS-adjacent) |
| shodan / censys CLI | API clients for the underlying scan fabrics |
You can assemble an EASM-equivalent pipeline entirely from OSS: Shodan + amass + nuclei already gets you "our public assets + the KEV CVEs on them" at almost no license cost. What the commercial vendors add is continuous operation, dashboards, attribution accuracy, and ticketing integration; the technical core is in OSS.
```bash
# Minimal OSS ASM pipeline (also the bug bounty hunter's standard stack):
#   subfinder = passive subdomain enumeration, dnsx = keep only names that resolve,
#   httpx = probe live HTTP(S) services (title + tech stack), nuclei = CVE templates on what is live.
# "-t cves/" is a path inside your nuclei-templates checkout; "-tags cve" (or "-tags kev") works regardless of layout.
# Only point the active stages (httpx, nuclei) at assets you are authorized to test.
echo "example.com" | subfinder -silent | dnsx -silent | httpx -silent -title -tech-detect | nuclei -t cves/

# Shodan for your own org (needs an API key: shodan init <key>)
shodan search "org:\"Example Corp\""

# Find related domains via certificates on Censys (certificate index, not the default hosts index)
censys search "names: *.example.com" --index-type certificates
```
9. Failure modes — avoiding "ASM that stops at discovery" #
The same operational pitfalls show up across ASM deployments:
- Attribution false positives. "This is your asset" turns out to be a different organization sharing the same AWS IP. Closing it down without proof of ownership breaks someone else's service. Always look at the EASM's confidence score and manually review low-confidence attributions.
- Ticket backlog. Vulnerabilities pile up with no identified owner and never close. The owner-assignment workflow must be designed before deploying ASM, not discovered afterward.
- "Everything is High" problem. Ranking by CVSS alone produces thousands of High-severity items. Use KEV + exposure + business criticality as a three-axis prioritization so the queue is actually actionable.
- SaaS routinely excluded. Teams drop SaaS tenants from ASM scope because "they're not on our domain," leaving Snowflake-style MFA gaps. The modern answer is using CAASM to pull SaaS APIs into the same inventory.
- Cloud ephemerality. Containers, serverless, and spot instances live for hours and don't survive an ASM snapshot. ASM has to be paired with CSPM / CNAPP for ephemeral resources.
- M&A subsidiary blind spot. Subsidiaries acquired before AD integration rarely make it into the ASM scope. To avoid the Marriott / Starwood replay, add the seed at deal close, not at integration close.
- The "discovered but not validated" gap. ASM finding "asset X is exposed" doesn't prove "X can be exploited." CTEM (Continuous Threat Exposure Management) explicitly adds a validation step after discovery to close this gap.
- SOC fatigue from noise. DRPS feeds, especially phishing-domain alerts, easily hit hundreds of items per day and overwhelm the SOC. Auto-filing takedowns and filtering obvious noise has to be built into the workflow.
ASM is the discipline built on the premise that no large organization can fully map its own attack surface anymore. Cloud, SaaS, M&A, and shadow IT made unknown assets a structural constant of the 2020s, and ASM emerged in 2018-2020 as the dedicated response.
EASM (the view from outside) / CAASM (API-stitched inside+outside) / DRPS (threats surrounding the org) all live under the ASM umbrella, and from 2024 the CTEM (Continuous Threat Exposure Management) framework folds them into a single scoping→discovery→prioritization→validation→mobilization loop.
Technically, ASM uses exactly the same techniques as attacker recon — Certificate Transparency, passive DNS, Shodan, Censys, favicon hashing, JARM — automated and continuously scaled. Commercial vendors layer continuity, attribution accuracy, ticketing, and dashboards on top, but the core capability is reproducible with OSS.
Whether an ASM program actually works is decided after discovery, not before: assets must get owners, owners must get prioritized queues (with KEV at the top), tickets must close, and re-scans must catch regressions. Equifax, Capital One, ProxyLogon, MOVEit, Snowflake all share one feature — somewhere in that loop the chain was broken.