Attack surface management (ASM) is the discipline of continuously discovering, inventorying, and monitoring every digital asset an organization exposes to the internet, including the ones its own IT team does not know about. The problem is tangible: GitGuardian's State of Secrets Sprawl 2026 report detected 28.65 million new hardcoded secrets in public GitHub commits during 2025, a 34% year-on-year increase and the largest single-year jump on record. Every leaked credential is an open door in an attack surface that almost nobody is watching.
For years, perimeter security assumed the perimeter was known and stable: a handful of servers, an IP range, and little else. That premise is broken today. The perimeter has shattered into dozens of cloud providers, hundreds of subdomains, SaaS integrations, public APIs, code repositories, and assets that outlive forgotten migrations. This article explains what the attack surface is, why it grows out of control, how ASM and EASM work, how they differ from classic vulnerability scanning and from CTEM, and why all of this connects directly to OSINT reconnaissance and offensive penetration testing.
What the attack surface is
The attack surface is the set of all points through which an attacker could try to enter your systems or extract data. It is not a single thing: it consists of digital assets (domains, subdomains, IP addresses, open ports, exposed services, web applications, APIs, storage buckets, certificates), physical assets (devices, endpoints, network hardware), and the human factor (employees susceptible to social engineering, reused credentials, information leaked on social media).
When we talk about ASM and EASM we focus mainly on the digital surface and, more specifically, on the part that faces the internet. That is the portion an adversary sees without needing to be inside your network, and therefore the first thing they explore.
The external attack surface: what the attacker sees
The external attack surface is everything a threat actor can discover from the outside, with no credentials or prior access. A forgotten web server, an exposed admin panel, a subdomain from a testing environment, an unauthenticated API endpoint, or an access key accidentally published in a repository. It is exactly the same map an attacker draws during the reconnaissance phase, which is why the offensive perspective is so valuable for managing it.
Why the attack surface grows out of control
The attack surface does not grow linearly but explosively, and for reasons that rarely stem from a conscious bad decision. These are the main causes.
Cloud and continuous deployment
Any development team can spin up infrastructure in minutes with a credit card and an AWS, Azure, or GCP account. Ephemeral instances, serverless functions, containers, load balancers, and buckets appear and disappear at a pace no manual inventory can follow. A misconfigured S3 bucket or an exposed Lambda function widens the surface without anyone recording it. We cover this in detail in our guide to cloud penetration testing on AWS, Azure, and GCP.
Shadow IT
Shadow IT (technology acquired or deployed without security team approval) is one of the biggest sources of hidden exposure. According to various industry studies, around 57% of SMBs have shadow IT assets operating outside IT control, and the share of employees who create or modify technology unknown to their department is projected to reach 75% by 2027. Every SaaS tool contracted by a department, every undocumented integration, is an asset nobody audits.
Forgotten assets and orphaned subdomains
Half-finished migrations, cancelled projects, marketing campaigns with their own domains, staging environments that were never shut down. These assets keep running with unpatched software and no owner. Orphaned subdomains (DNS records pointing to decommissioned services) enable subdomain takeover attacks, where an attacker claims the pointed resource and serves malicious content under your brand.
Exposed credentials and secrets
API keys, tokens, passwords, and configuration files leaked in public repositories, pastes, or third-party breaches widen the surface silently. As the 28.65 million secrets detected in 2025 show, this vector keeps growing. According to the IBM X-Force Threat Intelligence Index, vulnerability exploitation was the leading cause of security incidents at around 40%, and, separately, exploitation of public-facing applications grew 44% year on year.
What ASM is and how it works
ASM is the continuous process of discovering, classifying, prioritizing, and monitoring all of those assets. Unlike a static inventory, it runs in a permanent loop because the surface changes every day. Its core phases are as follows.
Continuous asset discovery
The starting point is enumerating everything that exists, beginning with a seed (a domain, a company name) and expanding outward: subdomains, IPs, ASNs, TLS certificates, technologies, services, and related assets. Here the techniques overlap with those of offensive reconnaissance. Subdomain enumeration, certificate transparency log analysis, and metadata crawling are the same tools an attacker would use. In fact, much of the discovery relies on open-source intelligence or OSINT, on finding exposed devices with Shodan, and on Google dorking for reconnaissance.
Inventory and contextualization
Discovery alone is not enough: you have to understand what each asset is, who manages it, what data it handles, and how critical it is to the business. An exposed billing panel is not worth the same as a corporate blog. Relationship-mapping tools like Maltego help visualize how domains, IPs, people, and organizations connect within the surface.
Risk-based prioritization
Not every finding deserves the same urgency. ASM prioritizes based on real exposure (accessibility from the internet, existence of public exploits, data sensitivity, presence of valid credentials) and not just an isolated CVSS score. The goal is to answer the question that truly matters: of everything I have exposed, what would an adversary attack first.
Continuous monitoring and remediation
Because the surface mutates constantly, ASM watches for changes: a new open port, an expiring certificate, an appearing subdomain, a leaked credential. Each change generates an alert that feeds the remediation workflow.
EASM: external attack surface management
EASM (External Attack Surface Management) is the specialization of ASM focused exclusively on what faces the internet, adopting the external attacker's perspective. While ASM in the broad sense may include internal assets with context and agents, EASM works from the outside in, with no prior knowledge or privileged access. It discovers what an adversary would discover.
This difference matters because EASM finds precisely what the security team did not know existed. It does not start from a CMDB (configuration management database) or a list of approved assets, but from public data. That is why it uncovers shadow IT, forgotten subdomains, and subsidiary assets the official inventory never recorded.
The market reflects this urgency: attack surface management will grow from around $1.54 billion in 2025 to roughly $2.03 billion in 2026, with a compound annual growth rate above 31%.
ASM versus traditional vulnerability scanning
ASM is often confused with vulnerability scanning, but they solve distinct and complementary problems.
Classic vulnerability scanning answers the question "what flaws do the assets I already know about have." It starts from a defined target list and looks for CVEs, misconfigurations, and vulnerable versions on those assets. Its major limitation is that it cannot assess what is not on the list. If a forgotten subdomain is not in scope, the scanner never even looks at it.
ASM answers a prior question: "what assets do I really have exposed, including the ones I did not know existed." It discovers first and evaluates second. In practice, ASM feeds vulnerability scanning by expanding its scope, and scanning provides technical depth on each discovered asset. Both fit into a mature vulnerability management program and into internal and external infrastructure audits.
ASM versus CTEM
CTEM (Continuous Threat Exposure Management) is a framework defined by Gartner that encompasses ASM within a broader five-stage process: scoping, discovery, prioritization, validation, and mobilization.
The relationship is one of content to container. ASM and EASM mainly cover the scoping and discovery stages: they identify what is exposed. CTEM adds validation (confirming through offensive techniques whether the exposure is actually exploitable) and mobilization (activating remediation processes across the whole organization). Gartner forecasts that organizations prioritizing their investments with a continuous threat exposure management (CTEM) program will suffer two-thirds fewer breaches by 2026. In other words: ASM tells you where you are exposed and CTEM closes the loop until it demonstrates and reduces real risk.
Why it matters to businesses: the offensive perspective
This is where offensive security delivers value that no automated platform fully matches. At Secra we attack like an adversary to map your real exposure. An EASM engine lists assets and probable vulnerabilities, but an offensive team confirms which of those assets are genuinely exploitable, chains findings that look harmless in isolation, and demonstrates the business impact of an intrusion.
OSINT reconnaissance is the first phase of any penetration testing or red team exercise, and it matches EASM discovery point for point. The difference is that we do not stop at the inventory: we use that map to try to break in, as a real attacker would. That offensive validation is what turns a list of assets into a faithful picture of risk.
This approach also connects with other emerging surface-expansion risks, such as non-human identities and secrets management, where every token and service credential adds exposure, or Shadow AI, which introduces assets and data flows no traditional inventory accounts for.
Frequently asked questions
What is the difference between ASM and EASM
ASM (Attack Surface Management) is the general discipline of discovering, inventorying, and monitoring all of an organization's digital assets, including some internal ones with context. EASM (External Attack Surface Management) is its specialization in what faces the internet, adopting the external attacker's view with no prior access. EASM excels at detecting unknown assets: shadow IT, orphaned subdomains, and subsidiary assets.
Does ASM replace penetration testing
No. ASM discovers and prioritizes exposure continuously, but it does not prove that an asset is exploitable or chain vulnerabilities to measure real impact. Penetration testing and red teaming validate ASM findings offensively. They are complementary: ASM widens the scope and pentesting provides the depth and the proof of risk.
How often should asset discovery run
Continuously. The attack surface changes daily due to cloud deployments, new SaaS tools, and temporary assets. A quarterly inventory becomes obsolete almost immediately. The value of ASM lies precisely in permanent discovery and alerting on every change, not in point-in-time snapshots.
Which assets typically fall outside the official inventory
The most dangerous ones are usually those nobody recorded: forgotten test subdomains, misconfigured storage buckets, exposed admin panels, unauthenticated APIs, old campaign domains, assets from acquired companies, and credentials leaked in public repositories. EASM is designed precisely to surface this invisible part of the attack surface.
Map your real exposure with Secra
You cannot protect what you do not know you have exposed. At Secra we combine the continuous discovery of EASM with the offensive validation of penetration testing and red teaming: we do not just list your assets, we attack like an adversary would to prove what is genuinely exploitable and what impact it would have. Contact our team and get a faithful picture of your external attack surface before someone else maps it.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

