You cannot protect what you do not know about. This has been a security truism for decades, and it has never been more relevant. The average enterprise attack surface has expanded dramatically through cloud services, SaaS applications, APIs, remote work infrastructure, M&A acquisitions, shadow IT, and third-party integrations, creating a sprawling digital footprint that traditional asset inventories cannot track.
Attack Surface Management (ASM) emerged to solve this problem: continuously discovering, inventorying, classifying, and monitoring all assets that an adversary could target. In 2026, Gartner’s Continuous Threat Exposure Management (CTEM) framework has elevated ASM from a point solution to a strategic program that integrates asset discovery with vulnerability management, threat intelligence, and validation.
This guide covers the different flavors of ASM, practical implementation guidance, and how to build a program that actually reduces your organization’s exposure.
Defining the Terminology
The ASM market is cluttered with overlapping acronyms. Here is what they mean and how they differ.
EASM (External Attack Surface Management)
EASM focuses on discovering and monitoring assets visible from the internet, taking the attacker’s perspective.
It discovers public-facing IP addresses, domains, subdomains, web applications, cloud resources, exposed services, SSL certificates, and DNS records. It works through automated reconnaissance using the same techniques an attacker would use: DNS enumeration, port scanning, certificate transparency logs, web crawling, WHOIS data, and passive DNS. Key vendors include Censys, CyCognito, Detectify, Mandiant Attack Surface Management, Palo Alto Cortex Xpanse, and Microsoft Defender EASM. The limitation is that it only sees externally exposed assets. Internal assets, cloud misconfigurations, and SaaS sprawl may be invisible.
CAASM (Cyber Asset Attack Surface Management)
CAASM aggregates asset data from internal sources to build a comprehensive inventory across all environments.
It discovers all assets including endpoints, servers, cloud instances, containers, network devices, SaaS accounts, IoT devices, OT systems, users, and identities. It works by integrating with existing tools (EDR, CMDB, cloud APIs, vulnerability scanners, IAM, MDM) and correlating data to create a unified asset inventory. Key vendors include JupiterOne, Axonius, Sevco Security, runZero, and Noetic Cyber. The limitation is that it is only as complete as the data sources it integrates with. If a system is not managed by any tool, CAASM may not see it either.
ASM (Attack Surface Management)
ASM is the umbrella term that encompasses both EASM and CAASM capabilities. A comprehensive ASM program combines outside-in discovery (EASM) with inside-out inventory (CAASM) to provide complete visibility.
CTEM (Continuous Threat Exposure Management)
Gartner’s CTEM framework goes beyond asset discovery to define a five-phase program for managing organizational exposure:
| Phase | Description |
|---|---|
| Scoping | Define the attack surface boundaries and business context. What assets and exposures matter most? |
| Discovery | Find all assets, vulnerabilities, misconfigurations, and exposures within the defined scope |
| Prioritization | Rank exposures by business impact, exploit availability, and threat intelligence context |
| Validation | Test whether exposures are actually exploitable through penetration testing, BAS, or red team exercises |
| Mobilization | Drive remediation through integration with vulnerability management, ITSM, and DevOps workflows |
CTEM is not a product category but a programmatic framework. Implementing CTEM requires orchestrating capabilities from ASM, vulnerability management, threat intelligence, and security validation tools.
Asset Discovery Techniques
External Discovery
Passive discovery (no direct interaction with target systems) includes DNS enumeration (zone transfers, brute-force subdomain discovery, passive DNS databases), certificate transparency (CT) logs (every publicly issued SSL certificate is logged, and CT monitoring reveals all domains and subdomains with certificates), WHOIS and registrar data (to identify domains registered to your organization), search engines (Google dorking, Shodan, Censys, and BinaryEdge index internet-facing services), code repositories (GitHub, GitLab, and Bitbucket may contain references to internal infrastructure, API keys, or domain names), and cloud storage enumeration (discovering exposed S3 buckets, Azure blobs, and GCS buckets by brute-forcing common naming patterns).
Active discovery (directly interacts with target systems) includes port scanning (to identify open ports and running services on known IP ranges), web crawling (to discover web applications, APIs, and login pages), service fingerprinting (to identify software versions and technologies in use), and cloud resource enumeration (using CSP APIs to inventory cloud assets across all accounts and regions).
Internal Discovery
Agent-based discovery deploys agents on endpoints and servers to report asset information (EDR agents, CMDB agents, MDM profiles). This is the most reliable method but requires management overhead.
Agentless scanning uses network scanning tools (runZero, Nmap, Rumble) to discover devices on the network without installing agents. It is effective for finding unmanaged devices but requires network access to every segment being scanned.
API integration pulls asset data from existing tools including cloud provider APIs, Active Directory, Entra ID, Okta, VMware, container orchestrators (Kubernetes), vulnerability scanners, and EDR platforms.
Network traffic analysis passively monitors network traffic to reveal devices communicating on the network, even if they are not in any inventory.
Resolving the Unified Inventory
The biggest challenge in ASM is not discovery but correlation. The same asset appears in multiple data sources with different identifiers. Your CMDB knows it as “PROD-WEB-01”. Your EDR knows it by its agent ID. Your cloud provider knows it as instance “i-0abc123def456”. Your vulnerability scanner knows it by IP address. Your EASM tool knows it by its public hostname.
A CAASM platform resolves these identifiers into a single asset record, giving you one authoritative view of each asset with data enriched from all sources. Without this correlation, you end up with fragmented, contradictory inventories.
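As an added illustration (not code from this guide or from any CAASM vendor), the correlation step can be modelled as union-find over shared identifiers: any two records that agree on one identifier belong to the same asset. The records, field names and the set of join keys below are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records, one per source, each using that tool's own identifier.
SOURCE_RECORDS = [
    {"source": "cmdb", "hostname": "PROD-WEB-01", "owner": "payments-team"},
    {"source": "edr", "agent_id": "agt-7f3a", "hostname": "prod-web-01", "ip": "10.20.1.15"},
    {"source": "cloud", "instance_id": "i-0abc123def456", "ip": "10.20.1.15",
     "public_ip": "203.0.113.10"},
    {"source": "vuln_scanner", "ip": "10.20.1.15", "critical_cves": 2},
    {"source": "easm", "public_hostname": "www.example.com", "public_ip": "203.0.113.10"},
    {"source": "easm", "public_hostname": "old-portal.example.com", "public_ip": "203.0.113.99"},
]
# Fields treated as join keys (an assumption); values are lower-cased so that
# "PROD-WEB-01" from the CMDB and "prod-web-01" from the EDR agent match.
JOIN_KEYS = ("hostname", "ip", "public_ip", "instance_id", "agent_id")

def _identifiers(rec):
    for k in JOIN_KEYS:
        if rec.get(k):
            yield f"{k}:{str(rec[k]).lower()}"

def correlate(records):
    """Union-find: records sharing any identifier collapse into one asset record."""
    parent = list(range(len(records)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    first_seen = {}
    for idx, rec in enumerate(records):
        for ident in _identifiers(rec):
            owner = first_seen.setdefault(ident, idx)
            if owner != idx:                   # identifier already seen: merge the groups
                parent[find(idx)] = find(owner)
    groups = defaultdict(list)
    for idx, rec in enumerate(records):
        groups[find(idx)].append(rec)
    assets = []
    for members in groups.values():
        merged = {"sources": sorted({m["source"] for m in members})}
        for m in members:                      # first source to supply a field wins
            for k, v in m.items():
                if k != "source":
                    merged.setdefault(k, v)
        assets.append(merged)
    return assets

def unmanaged(assets):
    """Assets known only to EASM: no internal source tracks them (shadow IT candidates)."""
    return [a for a in assets if a["sources"] == ["easm"]]
```

Running `correlate(SOURCE_RECORDS)` folds the five records for PROD-WEB-01 into one asset enriched from all sources, and `unmanaged()` surfaces the EASM-only host that no internal inventory knows about.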
Risk Prioritization
Not all exposures are equal. A critical vulnerability on an internet-facing production server handling payment data is categorically different from the same vulnerability on an internal development workstation. Effective ASM requires risk-based prioritization.
Prioritization Factors
| Factor | Description | Data Source |
|---|---|---|
| Asset criticality | Business importance of the asset (revenue-generating, customer-facing, stores sensitive data) | CMDB, business owner input |
| Exposure | Is the asset internet-facing, internal-only, or air-gapped? | EASM, network segmentation data |
| Vulnerability severity | CVSS score, EPSS score (probability of exploitation) | Vulnerability scanner |
| Exploit availability | Is there a public exploit? Is it in CISA KEV? | Threat intelligence |
| Compensating controls | Is the vulnerability mitigated by WAF, EDR, network segmentation, or other controls? | Security tool inventory |
| Business context | Regulatory requirements, data classification, contractual obligations | GRC platform |
Prioritization Framework
Combine these factors into a risk score.
Critical (remediate within 48 hours): Internet-facing asset + CVSS 9.0+ + exploit available + no compensating controls.
High (remediate within 7 days): Internet-facing asset + CVSS 7.0-8.9, or internal asset + CVSS 9.0+ + exploit available.
Medium (remediate within 30 days): Internal asset + CVSS 7.0-8.9, or internet-facing asset + CVSS 4.0-6.9.
Low (remediate within 90 days): Internal asset + CVSS under 7.0 + no exploit available.
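The four tiers above expressed as code, as an added example that is not part of the original guide. The framework leaves a few combinations undefined (internet-facing below CVSS 4.0, internal 9.0+ without a known exploit, internal below 7.0 with a known exploit); the mapping chosen for those is an assumption flagged in the comments, and the sample findings are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Exposure:
    asset: str
    internet_facing: bool
    cvss: float
    exploit_available: bool       # public exploit exists or the CVE is in CISA KEV
    compensating_controls: bool   # WAF, EDR or segmentation already mitigates this finding

# Remediation windows from the framework above (48 hours, 7, 30 and 90 days).
SLA_DAYS = {"Critical": 2, "High": 7, "Medium": 30, "Low": 90}
URGENCY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def tier(e: Exposure) -> str:
    """Apply the tiering rules top-down; the first matching rule wins."""
    if e.internet_facing:
        if e.cvss >= 9.0 and e.exploit_available and not e.compensating_controls:
            return "Critical"
        if e.cvss >= 7.0:        # 9.0+ with a control or no known exploit lands here
            return "High"
        if e.cvss >= 4.0:
            return "Medium"
        return "Low"             # assumption: no rule given for internet-facing below 4.0
    if e.cvss >= 9.0 and e.exploit_available:
        return "High"
    if e.cvss >= 7.0:            # assumption: internal 9.0+ without a known exploit lands here
        return "Medium"
    if e.exploit_available:
        return "Medium"          # assumption: a known exploit lifts a sub-7.0 internal finding
    return "Low"

def prioritize(exposures, today_iso: str):
    """Rank by tier, then CVSS descending, and attach the SLA due date (ISO string)."""
    start = date.fromisoformat(today_iso)
    ranked = sorted(exposures, key=lambda e: (URGENCY[tier(e)], -e.cvss))
    return [(e.asset, tier(e), (start + timedelta(days=SLA_DAYS[tier(e)])).isoformat())
            for e in ranked]

# Constructed findings: the same CVSS 9.8 vulnerability in three different contexts,
# plus two lower-severity ones.
SAMPLE = [
    Exposure("payments-web", True, 9.8, True, False),
    Exposure("dev-workstation-17", False, 9.8, True, False),
    Exposure("payments-web-behind-waf", True, 9.8, True, True),
    Exposure("intranet-wiki", False, 6.5, False, False),
    Exposure("marketing-microsite", True, 5.3, False, False),
]
```

`prioritize(SAMPLE, "2026-03-02")` puts the exposed, unmitigated payments server alone in the Critical tier with a two-day due date, while the identical CVE on the development workstation and on the WAF-fronted server both drop to High.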
Integrating with Vulnerability Management
ASM and vulnerability management (VM) are complementary programs. ASM discovers assets that the VM program does not know about (and therefore is not scanning). VM identifies specific vulnerabilities on known assets. Together, they ensure that all assets are discovered, scanned, and remediated.
The integration workflow starts when ASM discovers new assets. New assets are automatically enrolled in vulnerability scanning. Vulnerability findings are enriched with ASM context (exposure, criticality, business owner). Prioritized findings are routed to remediation workflows. Remediation status is tracked and reported through both programs.
Shadow IT Detection
Shadow IT, meaning systems and services deployed without IT or security team knowledge, represents one of the largest sources of unmanaged attack surface.
Common Shadow IT Sources
SaaS applications appear when departments sign up for SaaS tools using corporate email without going through procurement or security review. Cloud accounts emerge when developers create personal cloud accounts or use corporate credit cards to spin up cloud resources outside the managed environment. Marketing and campaign infrastructure includes microsites, landing pages, and campaign tools deployed on domains not tracked by IT. M&A acquisitions bring their own infrastructure, which may not be integrated into the parent company’s security program for months. Developer tools include CI/CD pipelines, code repositories, package registries, and test environments created outside official channels.
Detection Methods
SaaS discovery uses CASB logs, OAuth token analysis, or SaaS management platforms (Productiv, Zylo, Grip Security) to identify SaaS applications in use across the organization.
DNS monitoring watches DNS queries from corporate networks to identify domains associated with unauthorized services.
Expense report analysis reveals SaaS subscriptions on corporate credit cards and expense reports. Work with finance to identify technology-related charges.
Cloud account discovery uses cloud provider organization features (AWS Organizations, Azure Management Groups, GCP Resource Manager) to detect unmanaged accounts. For accounts outside the organization, monitor for resources associated with corporate domains or IP ranges.
EASM external discovery often finds shadow IT assets by discovering subdomains, web applications, and cloud resources that are not in any internal inventory.
M&A Due Diligence Use Case
Mergers and acquisitions are a high-stakes use case for ASM. When acquiring a company, you inherit their entire attack surface including vulnerabilities, misconfigurations, and shadow IT.
Pre-Acquisition Assessment
Before the deal closes, conduct an external attack surface assessment of the target. Start with domain enumeration to discover all domains and subdomains associated with the target company. Service discovery identifies internet-facing services, web applications, and APIs. Vulnerability assessment identifies known vulnerabilities in exposed services (using non-intrusive scanning only since you do not own these systems yet). Certificate analysis reviews SSL certificate health, expiration, and configuration. Data exposure checks for leaked credentials, exposed code repositories, and misconfigured cloud storage. Reputation check reviews the target’s IP addresses and domains against threat intelligence feeds.
This assessment reveals the security debt you are inheriting and can inform deal negotiations, integration timelines, and security investment planning.
Post-Acquisition Integration
After the deal closes, deploy EASM monitoring on the acquired company’s infrastructure immediately. Integrate the acquired company’s cloud accounts into your organization structure. Conduct internal discovery to build a complete asset inventory. Prioritize and remediate critical vulnerabilities identified during due diligence. Migrate the acquired company’s assets to your security stack (EDR, vulnerability scanning, SIEM, IAM). Establish ongoing monitoring parity with your existing infrastructure.
The typical M&A integration timeline for security is 6-18 months. During this period, the acquired company’s infrastructure represents elevated risk and should receive enhanced monitoring.
Measuring Attack Surface Reduction
Key Metrics
| Metric | Description | Target |
|---|---|---|
| Total external assets | Count of internet-facing assets discovered | Track trend, should stabilize or decrease over time |
| Unmanaged assets | Assets discovered by ASM that are not in the CMDB or covered by security tools | 0 is the goal; track time-to-management |
| Mean time to inventory | Time between asset creation and appearance in the asset inventory | Under 24 hours for cloud resources |
| Mean time to secure | Time between asset discovery and deployment of baseline security controls | Under 72 hours |
| Critical exposure count | Number of internet-facing assets with critical vulnerabilities and no compensating controls | Trending to zero |
| Shadow IT services | Number of unauthorized SaaS applications or cloud resources | Trending down |
| Attack surface score | Composite score reflecting overall exposure (provided by EASM vendors) | Improving quarter over quarter |
Reporting to Leadership
Executives care about risk reduction, not asset counts. Frame ASM metrics in business terms. For example: “We reduced our internet-facing critical exposures from 47 to 12 this quarter, a 74% reduction in the highest-risk attack surface.” Or: “We discovered and secured 23 previously unknown cloud resources, including 3 that contained customer data.” Or: “Our mean time to secure new assets improved from 14 days to 3 days, reducing the window of exposure by 79%.”
Getting Started
Phase 1: External Visibility (Weeks 1-4)
Deploy an EASM tool to discover your external attack surface. Review initial findings and triage critical exposures. Identify assets not present in your existing inventory. Establish a process for routing new discoveries to asset owners.
Phase 2: Internal Inventory (Months 2-3)
Deploy a CAASM platform or build integrations between your existing tools. Connect cloud provider APIs, EDR, CMDB, vulnerability scanner, and IAM systems. Correlate data to build a unified asset inventory. Identify gaps showing assets that appear in one source but not others.
Phase 3: Prioritization and Remediation (Months 4-6)
Implement risk-based prioritization using asset criticality, exposure, and threat intelligence. Integrate ASM findings with your vulnerability management remediation workflow. Establish SLAs for securing newly discovered assets. Deploy shadow IT detection capabilities.
Phase 4: Continuous Management (Ongoing)
Run EASM discovery continuously (not just periodic scans). Monitor for new assets, configuration changes, and emerging exposures. Incorporate ASM metrics into security program reporting. Align the program with CTEM principles: scope, discover, prioritize, validate, mobilize. Conduct regular validation (BAS, pen testing) to confirm that remediated exposures are actually fixed.