
ASM Explained — Attack Surface Management / EASM, CAASM, DRPS

⏱ approx. 24 min · 2026-05-11

ASM (Attack Surface Management) is the security discipline of continuously discovering every entry point an attacker can see into your organization, taking inventory, prioritizing, and shutting them down. It became a distinct market around 2018-2020 once cloud, SaaS, M&A, shadow IT, and remote work normalized the situation of "organizations no longer knowing what assets they own". This article walks through the three sub-disciplines under the ASM umbrella — EASM / CAASM / DRPS — the discovery techniques, the operational lifecycle, canonical incidents, the major vendors, and the recurring pitfalls in the field.

01

What "attack surface" actually means #

The attack surface is "the set of every point at which an attacker can attempt some operation against the organization (every entry point)". NIST defines it as the set of paths an attacker can use to enter a system or extract data from it. In practice, it gets organized along three axes:

| Axis | Class | Examples |
|---|---|---|
| Visibility | External | Web / API / VPN / mail gateway / public S3 |
| Visibility | Internal | AD / business servers / endpoints / printers / IoT |
| Awareness | Known | Assets in CMDB / inventory |
| Awareness | Unknown | Shadow IT / old project leftovers / M&A subsidiaries |
| Medium | Digital / Physical / Human | Servers, buildings, employees |
▸ The cell ASM cares most about is "External × Unknown × Digital"

Assets that attackers can see from the Internet but the organization didn't even know it owned. Most large incidents — Capital One (2019), MOVEit (2023), Snowflake (2024) — originate in this cell.

The point that "attack surface isn't measured by size" matters too. One forgotten admin console can be more fatal than ten thousand servers. The essence of ASM isn't volume; it's terrain awareness — knowing what sits where, and what is visible from outside.

02

Why it emerged as a separate discipline #

The reason ASM detached from "a subset of vulnerability management" into a discipline of its own traces to the fact that, from the late 2010s into the 2020s, the structure of enterprise attack surface itself changed fundamentally.

  • Cloud and SaaS explosion — In the on-prem era, "the company's IP range" was synonymous with "the attack surface." Today, AWS / Azure / GCP accounts are scattered across hundreds, and SaaS tenants (Salesforce / Workday / Slack / Snowflake) get signed up by marketing without IT involvement. The very concept of "our IP range" no longer holds.
  • M&A — At large companies, 30–50% of the attack surface belongs to acquired subsidiaries. Marriott's 500-million-record breach (2018) originated in the Starwood reservation system, which was already compromised at the time of acquisition.
  • Shadow IT — Business units open AWS accounts without CISO approval, stand up PoCs, and walk away. Old subdomains live on after the original owner has left, kept alive only because someone's still renewing the registration.
  • Remote work — Since COVID-19, internal servers got published via VPN and home equipment became part of the work environment. The premise of perimeter defense collapsed.
  • The attacker economy — Initial Access Brokers (IABs) sell "footholds inside organizations" as a commodity in a mature marketplace. Shodan data shows that the median time from a newly-public IP to its first scan is under 30 minutes.
▸ The industry slogan: You can't protect what you don't know exists

ASM was born from the working assumption that "no organization can completely inventory its own attack surface anymore." It gives up on the dream of a perfect inventory and pivots to continuously looking from outside, the way the attacker does, and detecting the deltas.

03

EASM / CAASM / DRPS — three sub-disciplines #

ASM is not a single field. Three closely-related markets sit side by side under the ASM umbrella.

| | EASM | CAASM | DRPS |
|---|---|---|---|
| Full name | External ASM | Cyber Asset ASM | Digital Risk Protection Services |
| Vantage point | Observe from outside (the Internet) | Aggregate APIs from internal + external | External threats surrounding the org |
| Main input | Company name / one seed domain | AWS / AD / EDR / SaaS APIs | Dark web / social / leak forums |
| Main output | List of unknown public assets | Unified asset inventory | Leaked credentials / impersonation |
| Strengths | No agents needed; works right after an M&A | Visualizes coverage gaps | Detects threats even on non-owned assets |
| Representative vendors | Cortex Xpanse / Defender EASM / Censys ASM / Mandiant | Axonius / JupiterOne / runZero | Recorded Future / ZeroFox / Flashpoint |
  • EASM means "viewing the company's footprint from outside" — it scans the Internet the way an attacker would, and its main objective is discovering unknown public assets
  • CAASM means "unifying the data you already have" — it ingests existing tools' APIs and builds a single inventory; cross-cutting queries like "endpoints without EDR" become possible
  • DRPS means "watching external threats that touch the organization" — it covers things the org doesn't own but that affect it: phishing domains, leaked credentials, social impersonation
▸ The roll-up into CTEM

Since 2024, there has been growing momentum to reposition all of ASM under Gartner's CTEM (Continuous Threat Exposure Management) framework. The approach unifies discover → prioritize → validate (= pentest) → mobilize (= respond) into a single cycle.
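The CAASM cross-cutting query mentioned above ("endpoints without EDR") is just a join across inventories that already exist. The following is an added illustration, not code from the article or from any CAASM vendor: it joins three constructed exports (an AD computer list, an EDR agent list, a cloud instance list) on a normalized hostname and asks two questions an ASM team actually cares about, which managed hosts lack a live EDR agent, and which Internet-facing cloud instances are in no inventory at all. The export field names, hostnames and IPs are assumptions; a stale agent (no check-in for more than a week) is deliberately treated as no coverage.

```python
"""CAASM-style coverage-gap query over constructed inventory exports.

Added example, not from the article. The three export shapes below are
assumptions standing in for what AD, EDR and cloud-provider APIs return.
"""

# Constructed AD export (hypothetical hosts); disabled objects are ignored.
AD_COMPUTERS = [
    {"dNSHostName": "WEB-01.corp.example.com", "enabled": True},
    {"dNSHostName": "web-02.corp.example.com", "enabled": True},
    {"dNSHostName": "OLD-PRINT.corp.example.com", "enabled": False},
    {"dNSHostName": "fin-db-01.corp.example.com", "enabled": True},
]

# Constructed EDR export; last_seen_days comes from the agent heartbeat.
EDR_AGENTS = [
    {"hostname": "web-01", "last_seen_days": 0},
    {"hostname": "fin-db-01", "last_seen_days": 1},
    {"hostname": "poc-box", "last_seen_days": 45},  # installed once, long stale
]

# Constructed cloud export (documentation-range IPs).
CLOUD_INSTANCES = [
    {"name": "web-02", "public_ip": "198.51.100.10"},
    {"name": "poc-box", "public_ip": "198.51.100.11"},
    {"name": "staging-2019", "public_ip": "198.51.100.12"},  # never registered anywhere
    {"name": "batch-worker", "public_ip": None},
]

STALE_AGENT_DAYS = 7  # assumed threshold: older than this counts as uncovered


def normalize(name: str) -> str:
    """Short hostname, lower-cased: the join key shared by all three sources."""
    return name.split(".")[0].lower()


def build_inventory() -> dict[str, set[str]]:
    """Map each host to the set of sources/tags that know about it."""
    inv: dict[str, set[str]] = {}
    for c in AD_COMPUTERS:
        if c["enabled"]:
            inv.setdefault(normalize(c["dNSHostName"]), set()).add("ad")
    for a in EDR_AGENTS:
        if a["last_seen_days"] <= STALE_AGENT_DAYS:
            inv.setdefault(normalize(a["hostname"]), set()).add("edr")
    for i in CLOUD_INSTANCES:
        tags = {"cloud"}
        if i["public_ip"]:
            tags.add("public")
        inv.setdefault(normalize(i["name"]), set()).update(tags)
    return inv


def endpoints_without_edr(inv: dict[str, set[str]]) -> list[str]:
    """Known hosts (AD or cloud) with no live EDR agent."""
    return sorted(h for h, tags in inv.items()
                  if ("ad" in tags or "cloud" in tags) and "edr" not in tags)


def public_and_unmanaged(inv: dict[str, set[str]]) -> list[str]:
    """Internet-facing instances that neither AD nor EDR has ever seen:
    the 'External x Unknown' cell the article describes."""
    return sorted(h for h, tags in inv.items()
                  if "public" in tags and "ad" not in tags and "edr" not in tags)


if __name__ == "__main__":
    inventory = build_inventory()
    print("no EDR:", endpoints_without_edr(inventory))
    print("public and unmanaged:", public_and_unmanaged(inventory))
```

The join key is the weak point of any CAASM: naming drift between sources (FQDN vs. short name, case, cloud tags vs. AD names) is what the connectors of commercial products spend most of their effort on, and the single `normalize` here is the minimum you need before any "without EDR" query means anything.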

04

Discovery techniques — from one seed, an avalanche #

How does EASM go from "one seed domain" to mapping a whole company's attack surface? It is the attacker's recon workflow, scaled and automated — chaining multiple data sources together by pivoting.

1. Find related domains
WHOIS / RDAP registrants, contact emails, and historical registration records (DomainTools, WhoisXML, SecurityTrails) expand example.com into example.co.jp / example-corp.com / domains of acquired companies.
2. Enumerate subdomains
Certificate Transparency logs (crt.sh) / passive DNS / DNS brute force / Subfinder / Amass / VirusTotal surface dev.example.com / staging-2019.example.com / vpn-test.example.com.
3. Resolve to IPs / ASN and sweep neighbors
DNS resolution → IP → ASN via BGP / RIR → scan other IPs in the same ASN. In the cloud era, ASN-pivoting precision drops (thousands of orgs share an AWS /16).
4. Port and service scanning
Query Shodan / Censys's continuous scan data, or run masscan + ZGrab in-house. Outputs are open ports / banners / TLS certificates / SSH key fingerprints.
5. Reinforce attribution
favicon hash / JARM / certificate SANs / HTML template similarity give a confidence score for "is this really the same organization's asset". ASM precision is decided here.

The result is an asset map containing thousands to tens of thousands of items — most of them "old admin consoles / dev environments / pre-acquisition residue / shadow IT cloud accounts the org didn't realize it owned".

Attribution signals commonly used #

  • favicon hash (MurmurHash3) — sites returning the same favicon image are likely from the same in-house template
  • JARM (TLS fingerprint) — same TLS stack settings → likely on the same infrastructure
  • Certificate SANs — domains listed in a single wildcard certificate (high confidence)
  • HTML template similarity — sites sharing a common in-house base HTML
  • WHOIS / RDAP contacts — reverse lookup on contact email / organization name (often anonymized by WHOIS privacy)
  • Shared DNS NS — sites pointing to the same authoritative DNS servers
▸ The de facto scanning infrastructure of the industry is owned by Shodan / Censys

EASM vendors do their own scanning, but many EASM tools call the Censys / Shodan / SecurityTrails / DomainTools APIs underneath.
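Step 5 of the discovery chain and the signal list above both come down to one routine: take a candidate asset, check which attribution signals it shares with the organisation's known profile, and turn that into a confidence score that decides whether it is auto-accepted or sent for manual review. The block below is an added example, not code from the article or from any EASM product. It implements MurmurHash3 (x86, 32-bit) in pure Python and computes the favicon hash the way the widely documented Shodan recipe does (the hash over the base64 text with line breaks every 76 characters, which is what `base64.encodebytes` emits), then scores three constructed candidates. The weights, the thresholds, the `.invalid` hostnames and the `jarm-constructed-*` strings are all assumptions made for the illustration.

```python
"""Attribution scoring for EASM candidates. Added example, not from the article.

Signal weights and verdict thresholds are assumptions; only the favicon hash
recipe (MurmurHash3 over base64-with-newlines) follows the documented
Shodan convention.
"""
import base64


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int (mmh3.hash convention)."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h = seed & mask
    n = len(data)
    end = n - (n % 4)
    for i in range(0, end, 4):                       # 4-byte body blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[end:]
    if tail:                                         # 1-3 trailing bytes
        k = int.from_bytes(tail, "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= n                                           # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hash(favicon: bytes) -> int:
    """Shodan-style favicon hash: MurmurHash3 of the base64 text, 76-char lines."""
    return murmurhash3_32(base64.encodebytes(favicon))


def san_matches(sans, owned_domains) -> bool:
    """True if any certificate SAN falls under a domain the org owns."""
    for san in sans:
        host = san.lstrip("*.").lower()
        if any(host == d or host.endswith("." + d) for d in owned_domains):
            return True
    return False


# Assumed weights: certificate SANs are near-proof, a shared TLS fingerprint
# on its own is weak (every tenant of one CDN shares it).
WEIGHTS = {"san_overlap": 40, "favicon": 25, "shared_ns": 20,
           "whois_contact": 15, "jarm": 10}


def attribution_score(candidate: dict, profile: dict) -> tuple[int, list[str]]:
    hits = []
    if san_matches(candidate["cert_sans"], profile["owned_domains"]):
        hits.append("san_overlap")
    if candidate["favicon_hash"] in profile["favicon_hashes"]:
        hits.append("favicon")
    if set(candidate["ns"]) & profile["ns"]:
        hits.append("shared_ns")
    if candidate.get("whois_contact") in profile["whois_contacts"]:
        hits.append("whois_contact")
    if candidate["jarm"] in profile["jarms"]:
        hits.append("jarm")
    return sum(WEIGHTS[h] for h in hits), hits


def verdict(score: int) -> str:
    """Assumed thresholds: auto-accept, send to a human, or drop."""
    return "attributed" if score >= 50 else "manual-review" if score >= 20 else "reject"


# Constructed favicon bytes (not real images) and a constructed org profile.
ORG_FAVICON = b"\x89PNG\r\n\x1a\n" + bytes(range(64))
OTHER_FAVICON = b"\x89PNG\r\n\x1a\n" + bytes(reversed(range(64)))
PROFILE = {
    "owned_domains": {"example.com", "example.co.jp"},
    "favicon_hashes": {favicon_hash(ORG_FAVICON)},
    "ns": {"ns1.example.com", "ns2.example.com"},
    "whois_contacts": {"hostmaster@example.com"},
    "jarms": {"jarm-constructed-A"},
}
CANDIDATES = {
    # wildcard cert + in-house favicon + own NS: clearly ours
    "dev-portal": {"cert_sans": ["*.example.com"], "favicon_hash": favicon_hash(ORG_FAVICON),
                   "ns": ["ns1.example.com"], "whois_contact": "REDACTED FOR PRIVACY",
                   "jarm": "jarm-constructed-A"},
    # only the favicon matches (a product default shared by unrelated installs)
    "forked-app": {"cert_sans": ["app.other-org.invalid"], "favicon_hash": favicon_hash(ORG_FAVICON),
                   "ns": ["ns1.other-org.invalid"], "jarm": "jarm-constructed-B"},
    # same TLS stack only: another tenant on the same CDN / cloud IP
    "shared-tenant": {"cert_sans": ["*.tenant.invalid"], "favicon_hash": favicon_hash(OTHER_FAVICON),
                      "ns": ["ns1.tenant.invalid"], "jarm": "jarm-constructed-A"},
}


def score_all() -> dict[str, tuple[int, str]]:
    return {name: (s, verdict(s)) for name, (s, _) in
            ((n, attribution_score(c, PROFILE)) for n, c in CANDIDATES.items())}


if __name__ == "__main__":
    for name, (score, result) in score_all().items():
        print(f"{name:14s} {score:3d} {result}")
```

The "shared-tenant" case is the attribution false positive from the pitfalls section: on shared cloud and CDN infrastructure a matching JARM is expected, not evidence, so it must never reach the auto-accept threshold on its own.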

05

The ASM lifecycle #

The operational cycle that makes ASM actually function has 5+1 stages: Discover → Inventory → Classify → Prioritize → Remediate → continuous. The single most common reason ASM deployments fail is "stopping at Discover" — a list of findings handed to the CISO is worth nothing if nobody knows what to do with it.

| Stage | Content | Typical failure |
|---|---|---|
| ① Discover | Expand from seeds to assets | Buy a vendor and call it done |
| ② Inventory | Register into CMDB / unified inventory (CAASM territory) | EASM and CMDB never sync |
| ③ Classify | Identify the owning business unit / department / person | "Nobody knows whose asset this is" |
| ④ Prioritize | Sort by vulnerability + exposure + business criticality + KEV | Sorting on CVSS alone and ignoring KEV |
| ⑤ Remediate | Open tickets to the owner → fix → verify | Tickets stall and never close |
| ⑥ Continuous | Loop the observation cycle, assuming new assets keep appearing | Scan once and forget |
▸ "Assets with no clear owner" is the biggest wall

Owners retire, departments dissolve, M&A reshapes the org — and assets remain that "belong to the company but no one knows whose responsibility they are." The dilemma is paralysing: shut it down and get yelled at for breaking the business; leave it alone and get breached.

Make the KEV catalog a top priority condition #

The modern standard is to make KEV (CISA Known Exploited Vulnerabilities) a top-tier priority criterion. "Vulnerabilities attackers are actually exploiting" take precedence regardless of CVSS score. CISA BOD 22-01 (2021) requires US federal agencies to patch KEV-listed vulnerabilities by deadline. Increasingly, the private sector treats KEV as the SLA basis as well.
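To make the prioritization stage concrete, here is an added example (not code from the article, and not any vendor's scoring model) that ranks the same set of findings two ways: by CVSS alone, and by KEV membership first, Internet exposure second, business criticality third, with CVSS only as the tie-breaker. The CVE identifiers are constructed placeholders of the form `CVE-0000-000x`, the KEV set is a constructed stand-in for the CISA catalog feed, and the 1..3 criticality scale and the P1/P2/P3 buckets are assumptions.

```python
"""Ranking ASM findings by KEV + exposure + business criticality.

Added example, not from the article. CVE IDs are constructed placeholders,
the KEV set is a constructed stand-in for the CISA catalog, and the
criticality scale and SLA buckets are assumptions.
"""
from dataclasses import dataclass

# Constructed KEV subset; a real deployment loads CISA's published JSON feed.
KEV = {"CVE-0000-0002"}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    internet_exposed: bool   # known from the EASM (outside-in) view
    criticality: int         # 1 = low .. 3 = crown jewel (assumed scale)


# Constructed findings on hypothetical assets.
SAMPLE = [
    Finding("hr-intranet", "CVE-0000-0001", 9.8, False, 2),
    Finding("vpn-gw", "CVE-0000-0002", 7.5, True, 3),
    Finding("marketing-site", "CVE-0000-0003", 8.8, True, 1),
    Finding("build-server", "CVE-0000-0002", 7.5, False, 2),
]


def cvss_only(findings):
    """The naive ordering the article warns about: highest CVSS first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def exposure_key(f: Finding):
    """KEV membership dominates, then Internet exposure, then business
    criticality; CVSS is only the final tie-breaker."""
    return (f.cve in KEV, f.internet_exposed, f.criticality, f.cvss)


def prioritize(findings):
    return sorted(findings, key=exposure_key, reverse=True)


def sla_bucket(f: Finding) -> str:
    """Assumed remediation buckets: P1 = exploited in the wild AND reachable."""
    if f.cve in KEV and f.internet_exposed:
        return "P1"
    if f.cve in KEV or (f.internet_exposed and f.cvss >= 7.0):
        return "P2"
    return "P3"


def high_count(findings) -> int:
    """How many findings a plain 'CVSS >= 7' filter would label High."""
    return sum(1 for f in findings if f.cvss >= 7.0)


if __name__ == "__main__":
    print("CVSS-only order:", [f.asset for f in cvss_only(SAMPLE)])
    for f in prioritize(SAMPLE):
        print(sla_bucket(f), f.asset, f.cve, f.cvss)
    print("findings a CVSS filter calls High:", high_count(SAMPLE))
```

The CVSS-only ordering puts the internal `hr-intranet` finding first and labels every one of the four findings High, which is the "everything is High" backlog in miniature; the exposure-aware ordering surfaces the single KEV-listed, Internet-facing VPN gateway as the only P1.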

06

Relationship to the attacker's view — ASM ≒ defender-side recon #

The techniques ASM uses are essentially identical to the attacker's reconnaissance phase. MITRE ATT&CK TA0043 (Reconnaissance) sub-techniques — Gather Victim Network Information / Search Open Websites / Search Open Technical Databases — describe exactly what an EASM does.

| | Attacker recon | EASM (defender) |
|---|---|---|
| Tooling | Shodan / Censys / amass / subfinder / WHOIS | Shodan / Censys / amass / subfinder / WHOIS |
| Goal | Find weak spots to break in | Find weak spots to close them yourself |
| Continuity | At target selection (one-shot) | 24/7 continuous |
| Scope | The target only | Your own org only |
▸ Bug bounty hunters are an external ASM team

More and more companies put scopes like "the entire ASM range" on HackerOne / Bugcrowd, so vulnerabilities hunters find on previously-unknown assets fill the gaps in the org's own ASM. The pattern is: defenders buy an ASM vendor, then additionally hire hunters.

Difference vs. pentest: pentest "drills deep into a given scope," whereas ASM "decides what the scope is." ASM's output becomes the next pentest's input, filling the very real gap of "wait, what's our scope again?" that most companies cannot answer.

07

Canonical incidents — where ASM would have helped #

| Year | Incident | Lesson from an ASM perspective |
|---|---|---|
| 2017 | Equifax (140 M records) | Internet-facing Apache Struts portal unpatched (CVE-2017-5638). Public asset inventory and vuln management never synced |
| 2019 | Capital One (100 M records) | AWS WAF misconfiguration enabled SSRF → S3 credentials leaked. The "AWS resources visible from outside" inventory wasn't working |
| 2020 | SolarWinds Orion | The attack surface was every customer running SolarWinds. Made the industry recognise that "third-party products are also attack surface" |
| 2021 | ProxyLogon / ProxyShell | About 250,000 Internet-facing Exchange servers worldwide, all enumerable via Shodan. ASM could have prioritised patching |
| 2021 | Colonial Pipeline | Initial access was via an old, unused-but-alive VPN account — a "forgotten authentication endpoint" |
| 2023 | MOVEit Transfer (Cl0p) | A 0-day in the Internet-facing MOVEit file-transfer server. About 2,500 instances visible on Shodan; ASM vendors notified customers the day disclosure hit |
| 2023 | Citrix Bleed (CVE-2023-4966) | Citrix NetScaler / ADC publicly-exposed assets. LockBit exploited widely; Boeing / ICBC were among the casualties |
| 2024 | Snowflake customer breaches (UNC5537) | Snowflake tenants without MFA — 167+ companies (AT&T / Ticketmaster / Santander). SaaS tenants are ASM scope too |
| 2024 | Fortinet / Ivanti / ScreenConnect repeat waves | Repeated zero-days in public-facing VPN / remote-management tools. Comprehensive inventory of edge devices became a core ASM task |
▸ The common pattern

The starting point is "the org didn't realize this asset was public / there's no owner of the patch / SaaS is assumed to be out of scope." The instant a new hole opens in the attack surface, the attacker's automated scanners find it — it's a race for speed of awareness. Today, attackers and defenders watch the same Shodan data at the same pace.

08

Major vendors and OSS #

The ASM market is growing rapidly, with EASM becoming a standalone category in the Gartner Magic Quadrant starting in 2022.

Commercial #

  • EASM — Cortex Xpanse (Palo Alto) / Defender EASM (Microsoft, formerly RiskIQ) / CrowdStrike Falcon Surface / Censys ASM / Mandiant ASM / Tenable / Qualys CSAM / IONIX
  • CAASM — Axonius (400+ connectors) / JupiterOne / runZero / Sevco / Lansweeper / Panaseer
  • DRPS — Recorded Future / ZeroFox / Flashpoint / Cyberint / Intel 471

OSS (also used routinely in bug bounty / pentests) #

| Tool | Purpose |
|---|---|
| Amass (OWASP) | Subdomain enumeration + ASN pivoting + passive DNS aggregation |
| subfinder (ProjectDiscovery) | The go-to subdomain enumerator (passive only) |
| dnsx / httpx / naabu / katana | Resolution, HTTP probing, port scanning, crawling |
| nuclei | Vulnerability template matching against discovered assets (rich KEV templates) |
| aquatone / httpx-toolkit | Mass screenshotting |
| gau / waybackurls | Pull historical URLs from the Wayback Machine |
| trufflehog / gitleaks | Surface leaked credentials on GitHub |
| shodan / censys CLI | API clients for the scanning infrastructure |

A minimal OSS ASM pipeline (the same one bug bounty uses):

```shell
# from seed → public assets → KEV vulnerabilities, end to end
$ echo "example.com" | subfinder -silent | dnsx -silent | httpx -silent -title -tech-detect | nuclei -t cves/

# Shodan view of your own org
$ shodan search "org:\"Example Corp\""

# Censys — discover related domains via certificates
$ censys search "names: *.example.com"
```
▸ EASM-equivalent capability is achievable in pure OSS

With Shodan + amass + nuclei, "our public assets plus the KEV vulnerabilities sitting on them" can be observed at no cost. What commercial vendors add is continuous execution + dashboards + attribution precision + ticketing integration; the technical core is available in OSS.

09

Pitfalls and limits #

  • Attribution false positives — something tagged as "yours" turns out to belong to a different organization (e.g. a different tenant on the same AWS IP). Reviewing EASM low-confidence findings by hand has to be part of the workflow
  • Ticket backlog — large volumes of vulnerability tickets pile up because the owner is unknown. The "decide-the-owner workflow" must be in place before deploying ASM
  • The "everything is High" problem — sorting on CVSS alone produces thousands of Highs. Ranking has to be executable along three axes: KEV + exposure + business criticality
  • SaaS often falls out of scope — the Snowflake incident's missing-MFA pattern slipped through exactly this gap. Integrating SaaS APIs via CAASM is the modern answer
  • Ephemeral cloud assets — containers, serverless, spot instances vanish in hours. They have to be combined with CSPM / CNAPP
  • M&A subsidiaries are blind spots — subsidiaries not yet integrated into the parent AD are hard to bring into ASM scope. To avoid repeating the Marriott / Starwood failure, "add the seed at acquisition time" needs to be a process
  • The gap between "discover" and "pentest" — knowing something is there doesn't tell you if you can actually break in. CTEM's inclusion of "validation after discovery" in the cycle exists exactly to close this gap
  • Detection noise and SOC fatigue — DRPS phishing-domain alerts can run into the hundreds per day. Automated takedown requests and noise filtering need to be in place from day one

10

Summary #

  • ASM is a field built backwards from the assumption "no organization can fully inventory its own attack surface." It crystallized as an independent market in 2018-2020
  • EASM (view from outside) / CAASM (aggregate internal + external APIs) / DRPS (the threat landscape around the organization) are the three sub-disciplines under the ASM umbrella
  • From 2024 onward, the trend is to fold them all under the CTEM framework — unifying discover → prioritize → validate → mobilize
  • Technically it's the same toolset as attacker recon (CT / passive DNS / Shodan / Censys / favicon hash / JARM), used "before they do"
  • What commercial vendors add is continuity + attribution precision + ticketing + dashboards. The core capability is achievable in pure OSS
  • Whether ASM works depends on "what happens after discovery." Equifax / Capital One / ProxyLogon / MOVEit / Snowflake all share the property that some step in the cycle was broken