What is an attack surface?

An organization’s attack surface is the sum of vulnerabilities, pathways, or methods—sometimes called attack vectors—that hackers can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack.

As organizations increasingly adopt cloud services and hybrid (on-premises/work-from-home) work models, their networks and associated attack surfaces are becoming larger and more complex by the day. According to Randori's State of Attack Surface Management 2022, 67% of organizations have seen their attack surfaces grow in size over the past two years. 

Security experts divide the attack surface into three sub-surfaces: the digital attack surface, the physical attack surface, and the social engineering attack surface.


Digital attack surface

The digital attack surface potentially exposes the organization’s cloud and on-premises infrastructure to any hacker with an internet connection. Common attack vectors in an organization’s digital attack surface include:

  • Weak passwords: Passwords that are easy to guess, or easy to crack by brute force, increase the risk that cybercriminals compromise user accounts to access the network, steal sensitive information, spread malware, and otherwise damage infrastructure. According to IBM's Cost of a Data Breach Report 2025, compromised credentials are involved in 10% of breaches.

  • Misconfiguration: Improperly configured network ports, channels, wireless access points, firewalls, or protocols serve as entry points for hackers. Man-in-the-middle attacks, for example, take advantage of weak or missing encryption on communication channels to intercept, and potentially alter, traffic between systems.

  • Software, OS, and firmware vulnerabilities: Hackers and cybercriminals can take advantage of coding or implementation errors in third-party apps, OSs, and other software or firmware to infiltrate networks, gain access to user directories, or plant malware. For example, in 2021, cybercriminals exploited a flaw in Kaseya's VSA (Virtual System Administrator) remote-management platform to distribute ransomware, disguised as a software update, to Kaseya's customers.

  • Internet-facing assets: Web applications, web servers, and other resources that face the public internet are exposed to attack by anyone. For example, an application programming interface (API) that passes unvalidated input into database queries can be exploited through injection attacks to make it improperly divulge, alter, or even destroy sensitive information in the associated database.

  • Shared databases and directories: Hackers can exploit databases and directories that are shared between systems and devices to gain unauthorized access to sensitive resources or to launch ransomware attacks. In 2016, the Virlock ransomware was observed spreading by infecting files in collaborative, synchronized folders accessed by multiple devices.

  • Outdated or obsolete devices, data, or applications: Failure to consistently apply updates and patches creates security risks. One notable example is the WannaCry ransomware, which spread in May 2017 by exploiting a Microsoft Windows SMBv1 vulnerability (MS17-010) for which Microsoft had released a patch two months earlier. Similarly, when obsolete endpoints, data sets, user accounts, and apps are not uninstalled, deleted, or discarded, they become unmonitored vulnerabilities that cybercriminals can easily exploit.

  • Shadow IT: Shadow IT is software, hardware, or devices (free or popular apps, portable storage devices, an unsecured personal mobile device) that employees use without the IT department's knowledge or approval. Because it is not monitored by IT or security teams, shadow IT can introduce serious vulnerabilities that hackers can exploit.
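As an added example (not code from this page or from IBM), the injection pattern described under internet-facing assets, shown in Python against an in-memory SQLite table. The table, its rows, the handler names and the payload are all constructed for illustration; the point is that the same untrusted value returns every row from the string-built query and nothing from the parameterized one.

```python
import sqlite3

# Constructed sample data standing in for an internet-facing API's backing
# store (example data, not from the page).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database with a small customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the SQL by string formatting: the classic injectable pattern.
    Whatever the caller sends becomes part of the statement."""
    query = f"SELECT id, username, email FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the untrusted value is bound as a parameter, so the
    database engine treats it as data, never as SQL."""
    return conn.execute(
        "SELECT id, username, email FROM customers WHERE username = ?",
        (username,),
    ).fetchall()


# A typical tautology payload: closes the string literal, appends OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both handlers with the same payload and return their results."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)      # returns every row
    safe = lookup_parameterized(conn, PAYLOAD)     # no username literally matches
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"vulnerable handler returned {len(leaked)} rows for payload {PAYLOAD!r}")
    print(f"parameterized handler returned {len(safe)} rows")
```

SQLite's Python binding refuses to run more than one statement per `execute()` call, so the destructive variant (a stacked `DROP TABLE`) does not work here; with drivers that allow stacked statements, the same string-built query lets an attacker delete data rather than merely read it. Parameterization closes both paths.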


Physical attack surface

The physical attack surface exposes assets and information typically accessible only to users with authorized access to the organization’s physical office or endpoint devices (servers, computers, laptops, mobile devices, IoT devices, or operational hardware).

  • Malicious insiders: Disgruntled or bribed employees, or other users with malicious intent, may use their access privileges to steal sensitive data, disable devices, plant malware, or worse.

  • Device theft: Criminals may steal endpoint devices or gain access to them by breaking into an organization's premises. Once in possession of the hardware, hackers can access the data and processes stored on these devices. They might also use the device's identity and permissions to access other network resources. Endpoints used by remote workers, employees' personal devices, and improperly discarded devices are typical targets of theft.

  • Baiting: Baiting is an attack in which hackers leave malware-infected USB drives in public places, hoping to trick users into plugging the devices into their computers and unintentionally installing the malware.

Social engineering attack surface

Social engineering manipulates people into making mistakes that compromise their personal or organizational assets or security, for example by:

  • sharing information that they shouldn’t share
  • downloading software that they shouldn’t download
  • visiting websites that they shouldn’t visit
  • sending money to criminals

Because it exploits human weaknesses rather than technical or digital system vulnerabilities, social engineering is sometimes called ‘human hacking’.

An organization's social engineering attack surface essentially amounts to the number of authorized users who are unprepared for or otherwise vulnerable to social engineering attacks.

Phishing is the best-known and most prevalent social engineering attack vector. According to IBM's Cost of a Data Breach 2025 report, phishing is the leading cause of data breaches.

In a phishing attack, scammers send emails, text messages, or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people, or taking some other damaging action. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—a popular retailer, a government organization, or sometimes even an individual the recipient knows personally.

Attack surface management

Attack surface management (ASM) refers to processes and technologies that take a hacker’s view and approach to an organization’s attack surface—discovering and continuously monitoring the assets and vulnerabilities that hackers see and attempt to exploit when targeting the organization. ASM typically involves:

Continuous discovery, inventory, and monitoring of potentially vulnerable assets. Any ASM initiative begins with a complete and continuously updated inventory of an organization's internet-facing IT assets, including on-premises and cloud assets. Taking a hacker's approach ensures discovery not only of known assets but also of shadow IT applications or devices; assets that were abandoned but never deleted or deactivated (orphaned IT); assets planted by hackers or malware (rogue IT); and, more generally, any asset that a hacker or cyberthreat could exploit.

Once discovered, assets are monitored continuously, in real time, for changes that raise their risk as a potential attack vector.

Attack surface analysis, risk assessment and prioritization. ASM technologies score assets according to their vulnerabilities and the security risk they pose, and prioritize them for threat response or remediation.
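As an added example (not code from this page or from any ASM product), the discovery, change-monitoring and prioritization steps above, condensed into one Python script. The CMDB records, the two external scan snapshots, the risky-port list and the scoring weights are all constructed assumptions for illustration; a real deployment would feed in the organization's inventory and the output of an external scanner instead. The script classifies each externally visible host as known, shadow or orphaned, flags what changed between scans, and ranks hosts by a simple additive risk score.

```python
# Constructed inputs (example data, not from the page).
# CMDB: what the organization believes it owns. status "retired" means the
# asset was supposed to be decommissioned.
CMDB = {
    "www.example.com":     {"owner": "web-team", "status": "active"},
    "api.example.com":     {"owner": "platform", "status": "active"},
    "old-vpn.example.com": {"owner": "netops",   "status": "retired"},
}

# External scans: what an attacker actually sees. Two snapshots, so changes
# between scans can be flagged. max_cvss is the worst known vulnerability
# score on the host; eol_software marks unsupported software versions.
PREVIOUS_SCAN = {
    "www.example.com":     {"ports": {443},     "eol_software": False, "max_cvss": 0.0},
    "api.example.com":     {"ports": {443},     "eol_software": False, "max_cvss": 5.3},
    "old-vpn.example.com": {"ports": {443},     "eol_software": True,  "max_cvss": 9.8},
}
CURRENT_SCAN = {
    "www.example.com":           {"ports": {443},      "eol_software": False, "max_cvss": 0.0},
    "api.example.com":           {"ports": {443, 22},  "eol_software": False, "max_cvss": 5.3},
    "old-vpn.example.com":       {"ports": {443},      "eol_software": True,  "max_cvss": 9.8},
    "dev-dashboard.example.com": {"ports": {80, 8080}, "eol_software": False, "max_cvss": 0.0},
}

# Remote-access and management services that should rarely face the internet
# (assumed heuristic for this example).
RISKY_PORTS = {21, 22, 23, 3389, 5900}


def classify(host):
    """Discovery step: compare what is visible externally with the inventory."""
    record = CMDB.get(host)
    if record is None:
        return "shadow"       # reachable from the internet, unknown to inventory
    if record["status"] == "retired":
        return "orphaned"     # supposed to be gone, still reachable
    return "known"


def changes(previous, current):
    """Monitoring step: hosts whose exposure grew between scans, i.e. new
    hosts and newly opened ports on existing ones."""
    out = {}
    for host, now in current.items():
        before = previous.get(host)
        if before is None:
            out[host] = {"new_host": True, "new_ports": set(now["ports"])}
        else:
            new_ports = now["ports"] - before["ports"]
            if new_ports:
                out[host] = {"new_host": False, "new_ports": new_ports}
    return out


def score(host, obs, delta):
    """Prioritization step: additive risk score. The weights are assumptions
    chosen for illustration, not a published scoring scheme."""
    s = obs["max_cvss"]                                   # worst known vuln
    s += 3.0 if obs["eol_software"] else 0.0              # unsupported software
    s += 2.0 * len(obs["ports"] & RISKY_PORTS)            # exposed admin services
    s += 4.0 if classify(host) in ("shadow", "orphaned") else 0.0  # nobody is watching it
    s += 1.0 if delta and delta.get("new_ports") else 0.0  # exposure grew since last scan
    return round(s, 1)


def prioritize(previous, current):
    """Return (host, classification, score, change) tuples, riskiest first."""
    delta = changes(previous, current)
    rows = [
        (host, classify(host), score(host, obs, delta.get(host)), delta.get(host))
        for host, obs in current.items()
    ]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    for host, kind, risk, delta in prioritize(PREVIOUS_SCAN, CURRENT_SCAN):
        print(f"{risk:5.1f}  {kind:<9} {host:<28} {delta or ''}")
```

With the constructed data the retired VPN gateway ranks first (critical vulnerability, unsupported software, and nobody owns it any more), the API host second because an SSH port appeared since the last scan, and the unknown developer dashboard third purely for being shadow IT. The weights are deliberately crude; the structure (inventory reconciliation, scan-to-scan diff, then scoring) is what an ASM pipeline automates.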

Attack surface reduction and remediation. Security teams can apply their findings from attack surface analysis and red teaming to take various short-term actions to reduce the attack surface. These might include enforcing stronger passwords, deactivating applications and endpoint devices no longer in use, applying application and OS patches, training users to recognize phishing scams, instituting biometric access controls for office entry, or revising security controls and policies around software downloads and removable media.

Organizations might also take more structural or longer-term security measures to reduce their attack surface, either as part of or independent of an attack surface management initiative. For example, implementing two-factor authentication (2FA) or multifactor authentication can reduce or eliminate potential vulnerabilities that are associated with weak passwords or poor password hygiene.

On a broader scale, a zero trust security approach can significantly reduce an organization's attack surface. A zero trust approach requires that all users, whether outside or already inside the network, be authenticated, authorized, and continuously validated to gain and maintain access to applications and data. Zero trust principles and technologies (continuous validation, least-privileged access, continuous monitoring, network microsegmentation) can reduce or eliminate many attack vectors and provide valuable data for ongoing attack surface analysis.
