ASM (Attack Surface Management) is the security discipline of continuously discovering every entry point an attacker can see into your organization, taking inventory, prioritizing, and shutting them down. It became a distinct market around 2018-2020 once cloud, SaaS, M&A, shadow IT, and remote work normalized the situation of "organizations no longer knowing what assets they own". This article walks through the three sub-disciplines under the ASM umbrella — EASM / CAASM / DRPS — the discovery techniques, the operational lifecycle, canonical incidents, the major vendors, and the recurring pitfalls in the field.
What "attack surface" actually means #
The attack surface is "the set of every point at which an attacker can attempt some operation against the organization (every entry point)". NIST defines it as the set of paths an attacker can use to enter a system or extract data from it. In practice, it gets organized along three axes:
| Axis | Class | Examples |
|---|---|---|
| Visibility | External | Web / API / VPN / mail gateway / public S3 |
| Visibility | Internal | AD / business servers / endpoints / printers / IoT |
| Awareness | Known | Assets in CMDB / inventory |
| Awareness | Unknown ★ | Shadow IT / old project leftovers / M&A subsidiaries |
| Medium | Digital / Physical / Human | Servers, buildings, employees |
The ★ cell (External × Unknown) is the dangerous one: assets that attackers can see from the Internet but the organization didn't even know it owned. Most large incidents — Capital One (2019), MOVEit (2023), Snowflake (2024) — originate in this cell.
"You don't measure attack surface by size" matters too. One forgotten admin console can be more fatal than ten thousand servers. The essence of ASM isn't volume; it's terrain awareness — knowing where what sits, and what is visible from outside.
Why it emerged as a separate discipline #
The reason ASM detached from "a subset of vulnerability management" into a discipline of its own traces to the fact that, from the late 2010s into the 2020s, the structure of enterprise attack surface itself changed fundamentally.
- Cloud and SaaS explosion — In the on-prem era, "the company's IP range" was synonymous with "the attack surface." Today, AWS / Azure / GCP accounts are scattered across hundreds, and SaaS tenants (Salesforce / Workday / Slack / Snowflake) get signed up by marketing without IT involvement. The very concept of "our IP range" no longer holds.
- M&A — At large companies, 30–50% of the attack surface belongs to acquired subsidiaries. Marriott's 500-million-record breach (2018) originated in the Starwood reservation system, which was already compromised at the time of acquisition.
- Shadow IT — Business units open AWS accounts without CISO approval, stand up PoCs, and walk away. Old subdomains live on after the original owner has left, kept alive only because someone's still renewing the registration.
- Remote work — Since COVID-19, internal servers got published via VPN and home equipment became part of the work environment. The premise of perimeter defense collapsed.
- The attacker economy — Initial Access Brokers (IABs) sell "footholds inside organizations" as a commodity in a mature marketplace. Shodan data shows that the median time from a newly-public IP to its first scan is under 30 minutes.
ASM was born from the working assumption that "no organization can completely inventory its own attack surface anymore." It gives up on the dream of a perfect inventory and pivots to continuously looking from outside, the way the attacker does, and detecting the deltas.
EASM / CAASM / DRPS — three sub-disciplines #
ASM is not a single field. Three closely-related markets sit side by side under the ASM umbrella.
| | EASM | CAASM | DRPS |
|---|---|---|---|
| Full name | External ASM | Cyber Asset ASM | Digital Risk Protection Services |
| Vantage point | Observe from outside (the Internet) | Aggregate APIs from internal + external | External threats surrounding the org |
| Main input | Company name / one seed domain | AWS / AD / EDR / SaaS APIs | Dark web / social / leak forums |
| Main output | List of unknown public assets | Unified asset inventory | Leaked credentials / impersonation |
| Strengths | No agents needed; works right after an M&A | Visualizes coverage gaps | Detects threats even on non-owned assets |
| Representative vendors | Cortex Xpanse / Defender EASM / Censys ASM / Mandiant | Axonius / JupiterOne / runZero | Recorded Future / ZeroFox / Flashpoint |
- EASM means "viewing the company's footprint from outside" — it scans the Internet the way an attacker would, and its main objective is discovering unknown public assets
- CAASM means "unifying the data you already have" — it ingests existing tools' APIs and builds a single inventory; cross-cutting queries like "endpoints without EDR" become possible
- DRPS means "watching external threats that touch the organization" — it covers things the org doesn't own but that affect it: phishing domains, leaked credentials, social impersonation
Since 2024, there has been growing momentum to reposition all of ASM under Gartner's CTEM (Continuous Threat Exposure Management) framework. The approach unifies discover → prioritize → validate (= pentest) → mobilize (= respond) into a single cycle.
Discovery techniques — from one seed, an avalanche #
How does EASM go from "one seed domain" to mapping a whole company's attack surface? It is the attacker's recon workflow, scaled and automated — chaining multiple data sources together by pivoting.
- Expand the seed into related registered domains: example.com into example.co.jp / example-corp.com / domains of acquired companies
- Enumerate subdomains under each of those: dev.example.com / staging-2019.example.com / vpn-test.example.com
The result is an asset map containing thousands to tens of thousands of items — most of them "old admin consoles / dev environments / pre-acquisition residue / shadow IT cloud accounts the org didn't realize it owned".
Attribution signals commonly used #
- favicon hash (MurmurHash3) — sites returning the same favicon image are likely from the same in-house template
- JARM (TLS fingerprint) — same TLS stack settings → likely on the same infrastructure
- Certificate SANs — domains listed in a single wildcard certificate (high confidence)
- HTML template similarity — sites sharing a common in-house base HTML
- WHOIS / RDAP contacts — reverse lookup on contact email / organization name (often anonymized by WHOIS privacy)
- Shared DNS NS — sites pointing to the same authoritative DNS servers
EASM vendors do their own scanning, but many EASM tools call the Censys / Shodan / SecurityTrails / DomainTools APIs underneath.
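As an added illustration of the first attribution signal above (this is example code written for this article, not a vendor's or the article's own tooling), the block below computes the Shodan-style favicon hash, MurmurHash3 x86_32 over the base64-encoded icon bytes with the result interpreted as a signed 32-bit integer, and clusters hosts that serve the same icon. The hostnames and icon bytes are constructed; `cluster_by_favicon` is a name chosen here.

```python
"""Favicon-hash attribution: cluster discovered hosts by the Shodan-style
favicon hash (MurmurHash3 x86_32 over the base64-encoded icon bytes).
Constructed example; not code from the original article."""
import codecs
from collections import defaultdict


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (reference algorithm), unsigned 32-bit result."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h1 = seed & mask
    n_blocks = len(data) // 4
    for i in range(n_blocks):
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & mask
        h1 = (h1 * 5 + 0xE6546B64) & mask
    tail = data[4 * n_blocks:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
    # finalisation mix
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1


def favicon_hash(icon: bytes) -> int:
    """Shodan-compatible favicon hash: base64 wrapped at 76 columns (the codecs
    'base64' transform), then MurmurHash3 with seed 0 as a signed 32-bit value.
    The result is what goes into an 'http.favicon.hash:' query."""
    encoded = codecs.encode(icon, "base64")  # 76-char lines, trailing newline
    h = murmur3_32(encoded, 0)
    return h - (1 << 32) if h >= (1 << 31) else h


def cluster_by_favicon(hosts: dict) -> dict:
    """Group hostnames by favicon hash. Hosts sharing a hash are *candidates*
    for the same owner; a second signal (cert SAN, WHOIS) should confirm it."""
    groups = defaultdict(list)
    for host, icon in hosts.items():
        groups[favicon_hash(icon)].append(host)
    return {h: sorted(v) for h, v in groups.items()}


# Constructed sample: three hosts, two of which serve the same in-house favicon.
SAMPLE_HOSTS = {
    "www.example.com": b"\x00\x00\x01\x00ICO-corporate-template",
    "staging-2019.example.com": b"\x00\x00\x01\x00ICO-corporate-template",
    "other-tenant.example.net": b"\x00\x00\x01\x00ICO-something-else",
}

if __name__ == "__main__":
    for h, hosts in cluster_by_favicon(SAMPLE_HOSTS).items():
        print(f"http.favicon.hash:{h}  ->  {', '.join(hosts)}")
```

The signed conversion matters: Shodan stores and queries the hash as a signed 32-bit integer, so an unsigned value will silently match nothing. A shared favicon is a weak signal on its own (default icons of common products collide across thousands of unrelated organisations), which is why the clustering output is a candidate list, not an attribution.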
The ASM lifecycle #
The operational cycle that makes ASM actually function has 5+1 stages: Discover → Inventory → Classify → Prioritize → Remediate → continuous. The single most common reason ASM deployments fail is "stopping at Discover" — a list of findings handed to the CISO is worth nothing if nobody knows what to do with it.
| Stage | Content | Typical failure |
|---|---|---|
| ① Discover | Expand from seeds to assets | Buy a vendor and call it done |
| ② Inventory | Register into CMDB / unified inventory (CAASM territory) | EASM and CMDB never sync |
| ③ Classify | Identify the owning business unit / department / person | "Nobody knows whose asset this is" |
| ④ Prioritize | Sort by vulnerability + exposure + business criticality + KEV | Sorting on CVSS alone and ignoring KEV |
| ⑤ Remediate | Open tickets to the owner → fix → verify | Tickets stall and never close |
| ⑥ Continuous | Loop the observation cycle, assuming new assets keep appearing | Scan once and forget |
Owners retire, departments dissolve, M&A reshapes the org — and assets remain that "belong to the company but no one knows whose responsibility they are." The dilemma is paralysing: shut it down and get yelled at for breaking the business; leave it alone and get breached.
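The ⑥ Continuous and ③ Classify stages above, as an added example (written for this article, not code from any ASM product): diff two scan snapshots to find what newly appeared or disappeared, then route new exposures with a registered owner to ticketing and hold the ownerless ones for the owner-assignment workflow. The snapshots, the owner map and the function names are constructed for the example.

```python
"""Continuous-stage delta detection for an ASM inventory: diff two scan
snapshots, flag new/removed exposures, and hold assets with no registered
owner so the 'decide-the-owner' step runs before any ticket is opened.
Constructed example; not code from the original article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str


# Constructed CMDB owner map: hostname -> (business unit, contact). Missing = orphan.
OWNERS = {
    "www.example.com": ("Web", "web-team@example.com"),
    "vpn.example.com": ("IT-Infra", "netops@example.com"),
}

# Constructed snapshots; in practice these are the EASM exports of day N-1 and day N.
PREVIOUS = {
    Exposure("www.example.com", 443, "https"),
    Exposure("vpn.example.com", 443, "https"),
    Exposure("vpn.example.com", 22, "ssh"),
}
CURRENT = {
    Exposure("www.example.com", 443, "https"),
    Exposure("vpn.example.com", 443, "https"),
    Exposure("staging-2019.example.com", 8443, "https"),  # resurfaced dev box, no owner
    Exposure("www.example.com", 8080, "http-proxy"),       # new port on a known host
}


def diff_snapshots(previous, current):
    """Return (new, removed) exposures, each sorted for stable output."""
    def key(e):
        return (e.host, e.port)
    return sorted(current - previous, key=key), sorted(previous - current, key=key)


def triage_new(new_exposures, owners):
    """Split new exposures into 'ticketable' (owner known) and 'orphans' (owner
    unknown). Orphans go to the ownership workflow, not straight into the queue."""
    ticketable, orphans = [], []
    for e in new_exposures:
        (ticketable if e.host in owners else orphans).append(e)
    return ticketable, orphans


def run(previous=PREVIOUS, current=CURRENT, owners=OWNERS):
    """One pass of the continuous loop over two snapshots."""
    new, removed = diff_snapshots(previous, current)
    ticketable, orphans = triage_new(new, owners)
    return {"new": new, "removed": removed, "ticketable": ticketable, "orphans": orphans}


if __name__ == "__main__":
    r = run()
    for e in r["ticketable"]:
        bu, contact = OWNERS[e.host]
        print(f"TICKET  {e.host}:{e.port} ({e.service}) -> {bu} / {contact}")
    for e in r["orphans"]:
        print(f"ORPHAN  {e.host}:{e.port} ({e.service}) -> owner-assignment workflow")
    for e in r["removed"]:
        print(f"GONE    {e.host}:{e.port} ({e.service}) -> verify the decommission was intended")
```

Removed exposures deserve a look too: an SSH port that vanished may be a deliberate cleanup, or a host that migrated to a cloud account the seed list does not cover yet.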
Make the KEV catalog a top priority condition #
The modern standard is to make KEV (CISA Known Exploited Vulnerabilities) a top-tier priority criterion. "Vulnerabilities attackers are actually exploiting" take precedence regardless of CVSS score. CISA BOD 22-01 (2021) requires US federal agencies to patch KEV-listed vulnerabilities by deadline. Increasingly, the private sector treats KEV as the SLA basis as well.
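The KEV-first ranking described above, as an added example (written for this article, not code from CISA or any vendor): findings are sorted by KEV membership, then exposure, then business criticality, with CVSS only as the tie-breaker, and the result is compared with a CVSS-only sort. The KEV set below is a constructed two-entry subset using CVEs mentioned on this page, the findings and the `CVE-EXAMPLE-*` identifiers are invented, and the SLA bands are an assumption for illustration, not BOD 22-01's actual deadlines.

```python
"""Prioritisation that puts KEV ahead of raw CVSS: rank findings by
(in KEV?, exposure, business criticality, CVSS) instead of CVSS alone.
Constructed example; not code from the original article."""
from dataclasses import dataclass

# Constructed KEV subset. In production, load CISA's KEV JSON feed and refresh it daily.
KEV = {"CVE-2017-5638", "CVE-2023-4966"}

EXPOSURE_WEIGHT = {"internet": 3, "partner": 2, "internal": 1}
CRITICALITY_WEIGHT = {"crown-jewel": 3, "business": 2, "dev": 1}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    exposure: str      # internet / partner / internal
    criticality: str   # crown-jewel / business / dev


# Constructed findings; CVE-EXAMPLE-* are placeholders, not real identifiers.
FINDINGS = [
    Finding("dev-box.example.com", "CVE-EXAMPLE-A", 9.8, "internal", "dev"),
    Finding("portal.example.com", "CVE-2017-5638", 10.0, "internet", "crown-jewel"),
    Finding("adc.example.com", "CVE-2023-4966", 7.5, "internet", "business"),
    Finding("hr.example.com", "CVE-EXAMPLE-B", 9.1, "partner", "business"),
    Finding("intranet.example.com", "CVE-EXAMPLE-C", 9.9, "internal", "business"),
]


def rank_key(f: Finding, kev=KEV):
    """Sort key: KEV first, then exposure, then business criticality, CVSS last."""
    return (f.cve in kev, EXPOSURE_WEIGHT[f.exposure], CRITICALITY_WEIGHT[f.criticality], f.cvss)


def prioritise(findings, kev=KEV):
    """KEV + exposure + criticality ranking (highest priority first)."""
    return sorted(findings, key=lambda f: rank_key(f, kev), reverse=True)


def cvss_only(findings):
    """The 'everything is High' baseline: CVSS alone, highest first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def sla_days(f: Finding, kev=KEV) -> int:
    """Assumed SLA bands for illustration only (not BOD 22-01 deadlines):
    KEV on an Internet-facing asset 7 days, other KEV 14, then by CVSS band."""
    if f.cve in kev:
        return 7 if f.exposure == "internet" else 14
    if f.cvss >= 9.0:
        return 30
    if f.cvss >= 7.0:
        return 60
    return 90


if __name__ == "__main__":
    print("CVSS-only order: ", [f.asset for f in cvss_only(FINDINGS)])
    print("KEV-first order:")
    for f in prioritise(FINDINGS):
        tag = "KEV" if f.cve in KEV else "   "
        print(f"  {tag} {f.asset:22} {f.cve:14} cvss={f.cvss:4} sla={sla_days(f)}d")
```

The Citrix-style finding (CVSS 7.5, Internet-facing, in KEV) lands last under a CVSS-only sort and second under the KEV-first sort; that inversion is the whole point of the rule.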
Relationship to the attacker's view — ASM ≒ defender-side recon #
The techniques ASM uses are essentially identical to the attacker's reconnaissance phase. MITRE ATT&CK TA0043 (Reconnaissance) sub-techniques — Gather Victim Network Information / Search Open Websites / Search Open Technical Databases — describe exactly what an EASM does.
| | Attacker recon | EASM (defender) |
|---|---|---|
| Tooling | Shodan / Censys / amass / subfinder / WHOIS | Shodan / Censys / amass / subfinder / WHOIS |
| Goal | Find weak spots to break in | Find weak spots to close them yourself |
| Continuity | At target selection (one-shot) | 24/7 continuous |
| Scope | The target only | Your own org only |
More and more companies put scopes like "the entire ASM range" on HackerOne / Bugcrowd, so vulnerabilities hunters find on previously-unknown assets fill the gaps in the org's own ASM. The pattern is: defenders buy an ASM vendor, then additionally hire hunters.
Difference vs. pentest: pentest "drills deep into a given scope," whereas ASM "decides what the scope is." ASM's output becomes the next pentest's input, filling the very real gap of "wait, what's our scope again?" that most companies cannot answer.
Canonical incidents — where ASM would have helped #
| Year | Incident | Lesson from an ASM perspective |
|---|---|---|
| 2017 | Equifax (140 M records) | Internet-facing Apache Struts portal unpatched (CVE-2017-5638). Public asset inventory and vuln management never synced |
| 2019 | Capital One (100 M records) | AWS WAF misconfiguration enabled SSRF → S3 credentials leaked. The "AWS resources visible from outside" inventory wasn't working |
| 2020 | SolarWinds Orion | The attack surface was every customer running SolarWinds. Made the industry recognise that "third-party products are also attack surface" |
| 2021 | ProxyLogon / ProxyShell | About 250,000 Internet-facing Exchange servers worldwide, all enumerable via Shodan. ASM could have prioritised patching |
| 2021 | Colonial Pipeline | Initial access was via an old, unused-but-alive VPN account — a "forgotten authentication endpoint" |
| 2023 | MOVEit Transfer (Cl0p) | A 0-day in the Internet-facing MOVEit file-transfer server. About 2,500 instances visible on Shodan; ASM vendors notified customers the day disclosure hit |
| 2023 | Citrix Bleed (CVE-2023-4966) | Citrix NetScaler / ADC publicly-exposed assets. LockBit exploited widely; Boeing / ICBC were among the casualties |
| 2024 | Snowflake customer breaches (UNC5537) | Snowflake tenants without MFA — 167+ companies (AT&T / Ticketmaster / Santander). SaaS tenants are ASM scope too |
| 2024 | Fortinet / Ivanti / ScreenConnect repeat waves | Repeated zero-days in public-facing VPN / remote-management tools. Comprehensive inventory of edge devices became a core ASM task |
The starting point is "the org didn't realize this asset was public / there's no owner of the patch / SaaS is assumed to be out of scope." The instant a new hole opens in the attack surface, the attacker's automated scanners find it — it's a race for speed of awareness. Today, attackers and defenders watch the same Shodan data at the same pace.
Major vendors and OSS #
The ASM market is growing rapidly, with EASM becoming a standalone category in the Gartner Magic Quadrant starting in 2022.
Commercial #
- EASM — Cortex Xpanse (Palo Alto) / Defender EASM (Microsoft, formerly RiskIQ) / CrowdStrike Falcon Surface / Censys ASM / Mandiant ASM / Tenable / Qualys CSAM / IONIX
- CAASM — Axonius (400+ connectors) / JupiterOne / runZero / Sevco / Lansweeper / Panaseer
- DRPS — Recorded Future / ZeroFox / Flashpoint / Cyberint / Intel 471
OSS (also used routinely in bug bounty / pentests) #
| Tool | Purpose |
|---|---|
| Amass (OWASP) | Subdomain enumeration + ASN pivoting + passive DNS aggregation |
| subfinder (ProjectDiscovery) | The go-to subdomain enumerator (passive only) |
| dnsx / httpx / naabu / katana | Resolution, HTTP probing, port scanning, crawling |
| nuclei | Vulnerability template matching against discovered assets (rich KEV templates) |
| aquatone / httpx-toolkit | Mass screenshotting |
| gau / waybackurls | Pull historical URLs from the Wayback Machine |
| trufflehog / gitleaks | Surface leaked credentials on GitHub |
| shodan / censys CLI | API clients for the scanning infrastructure |
```bash
# from seed → public assets → KEV vulnerabilities, end to end
$ echo "example.com" | subfinder -silent | dnsx -silent | httpx -silent -title -tech-detect | nuclei -t cves/
# Shodan view of your own org
$ shodan search "org:\"Example Corp\""
# Censys — discover related domains via certificates
$ censys search "names: *.example.com"
```
With Shodan + amass + nuclei, "our public assets plus the KEV vulnerabilities sitting on them" can be observed at no cost. What commercial vendors add is continuous execution + dashboards + attribution precision + ticketing integration; the technical core is available in OSS.
Pitfalls and limits #
- Attribution false positives — something tagged as "yours" turns out to belong to a different organization (e.g. a different tenant on the same AWS IP). Reviewing EASM low-confidence findings by hand has to be part of the workflow
- Ticket backlog — large volumes of vulnerability tickets pile up because the owner is unknown. The "decide-the-owner workflow" must be in place before deploying ASM
- The "everything is High" problem — sorting on CVSS alone produces thousands of Highs. Ranking has to be executable along three axes: KEV + exposure + business criticality
- SaaS often falls out of scope — the Snowflake incident's missing-MFA pattern slipped through exactly this gap. Integrating SaaS APIs via CAASM is the modern answer
- Ephemeral cloud assets — containers, serverless, spot instances vanish in hours. They have to be combined with CSPM / CNAPP
- M&A subsidiaries are blind spots — subsidiaries not yet integrated into the parent AD are hard to bring into ASM scope. To avoid repeating the Marriott / Starwood failure, "add the seed at acquisition time" needs to be a process
- The gap between "discover" and "pentest" — knowing something is there doesn't tell you if you can actually break in. CTEM's inclusion of "validation after discovery" in the cycle exists exactly to close this gap
- Detection noise and SOC fatigue — DRPS phishing-domain alerts can run into the hundreds per day. Automated takedown requests and noise filtering need to be in place from day one
Summary #
- ASM is a field built backwards from the assumption "no organization can fully inventory its own attack surface." It crystallized as an independent market in 2018-2020
- EASM (view from outside) / CAASM (aggregate internal + external APIs) / DRPS (the threat landscape around the organization) are the three sub-disciplines under the ASM umbrella
- From 2024 onward, the trend is to fold them all under the CTEM framework — unifying discover → prioritize → validate → mobilize
- Technically it's the same toolset as attacker recon (CT / passive DNS / Shodan / Censys / favicon hash / JARM), used "before they do"
- What commercial vendors add is continuity + attribution precision + ticketing + dashboards. The core capability is achievable in pure OSS
- Whether ASM works depends on "what happens after discovery." Equifax / Capital One / ProxyLogon / MOVEit / Snowflake all share the property that some step in the cycle was broken