Home Topics Attack surface management What is attack surface management?
Explore IBM's attack surface management solution Subscribe to Security Topic Updates
Illustration with collage of pictograms of clouds, mobile phone, fingerprint and check mark.
What is attack surface management?

Attack surface management (ASM) is the continuous discovery, analysis, prioritization, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface.

Unlike other cybersecurity disciplines, ASM is conducted entirely from a hacker’s perspective, rather than the perspective of the defender. It identifies targets and assesses risks based on the opportunities they present to a malicious attacker.

ASM relies on many of the same methods and resources that hackers use. Many ASM tasks and technologies are devised and performed by ‘ethical hackers’ who are familiar with cybercriminals’ behaviors and skilled at duplicating their actions.

External attack surface management (EASM), a relatively new ASM technology, is sometimes used interchangeably with ASM. However, EASM focuses specifically on the vulnerabilities and risks presented by an organization’s external or internet-facing IT assets—sometimes referred to as an organization’s digital attack surface.

ASM also addresses vulnerabilities in an organization’s physical and social engineering attack surfaces, such as malicious insiders or inadequate end-user training against phishing scams.

Cost of a Data Breach

Get insights to better manage the risk of a data breach with the latest Cost of a Data Breach report.

Related content

Register for the X-Force Threat Intelligence Index

Why organizations are turning to attack surface management

Increased cloud adoption, digital transformation and remote work expansion in recent years made the average company’s digital footprint and attack surface larger, more distributed and more dynamic, with new assets that connect to the company network daily.

Traditional asset discovery, risk assessment and vulnerability management processes, which were developed when corporate networks were more stable and centralized, can‘t keep up with the speed at which new vulnerabilities and attack vectors arise in today's networks. Penetration testing, for example, can test for suspected vulnerabilities in known assets, but it can’t help security teams identify new cyber risks and vulnerabilities that arise daily.

But ASM‘s continuous workflow and hacker’s perspective enable security teams and security operations centers (SOCs) to establish a proactive security posture in the face of a constantly growing and morphing attack surface. ASM solutions provide real-time visibility into vulnerabilities and attack vectors as they emerge.

They can draw on information from traditional risk assessment and vulnerability management tools and processes for greater context when analyzing and prioritizing vulnerabilities. And they can integrate with threat detection and response technologies—including security information and event management (SIEM), endpoint detection and response (EDR) or extended detection and response (XDR)—to improve threat mitigation and accelerate threat response enterprise-wide.

How ASM works

ASM consists of four core processes: Asset discovery, classification and prioritization, remediation and monitoring. Again, because the size and shape of the digital attack surface changes constantly, the processes are carried out continuously, and ASM solutions automate these processes whenever possible. The goal is to arm security teams  with complete and current inventory of exposed assets and to accelerate response to the vulnerabilities and threats that present the greatest risk to the organization.

Asset discovery

Asset discovery automatically and continuously scans for and identifies internet-facing hardware, software and cloud assets that could act as entry points for a hacker or cybercriminal trying to attack an organization. These assets can include:

  • Known assets – all IT infrastructure and resources that the organization is aware of and actively managing—routers, servers, company-issued or privately-owned devices (PCs, laptops, mobile devices), IoT devices, user directories, applications deployed on premises and in the cloud, web sites and proprietary databases.

  • Unknown assets – ‘uninventoried’ assets that use network resources without the IT or security team’s knowledge. Shadow IT—hardware or software that is deployed on the network without official administrative approval and/or oversight—is the most common type of unknown asset. Examples of shadow IT include personal web sites, cloud applications and unmanaged mobile devices that use the organization's network. Orphaned IT—old software, web sites and devices no longer in use that have not been properly retired—are another common type of unknown asset.

  • Third-part or vendor assets – assets that the organization doesn’t own, but are part of the organization's IT infrastructure or digital supply chain. These include software-as-a-service (SaaS) applications, APIs, public cloud assets, or third-party services used within the organization’s web site.

  • Subsidiary assets – any known, unknown or third-party assets that belong to networks of an organization’s subsidiary companies. Following a merger or acquisition, these assets may not immediately come to the attention of the IT and security teams of the parent organization.

  • Malicious or rogue assets – assets that threat actors create or steal to target the company. This can include a phishing web site impersonating a company’s brand, or sensitive data stolen as part of a data breach being shared on the dark web.

Classification, analysis and prioritization

Once assets are identified, they are classified, analyzed for vulnerabilities and prioritized by ‘attackability‘—essentially an objective measure of how likely hackers are to target them.

Assets are inventoried by identity, IP address, ownership and connections to the other assets in the IT infrastructure. They’re analyzed for the exposures they might have, the causes of those exposures (e.g., misconfigurations, coding errors, missing patches) and the kinds of attacks that hackers may carry out through these exposures (e.g., stealing sensitive data, spreading ransomware or other malware). 

Next, the vulnerabilities are prioritized for remediation. Prioritization is a risk assessment exercise: Typically, each vulnerability is given security rating or risk score based on

  • Information gathered during classification and analysis.

  • Data from threat intelligence feeds (proprietary and open source), security rating services, the dark web and other sources regarding how visible vulnerabilities are to hackers, how easy they are to exploit, how they’ve been exploited, etc.

  • Results of the organization’s own vulnerability management and security risk assessment activities. One such activity, called red teaming, is essentially penetration testing from the hacker’s point of view (and often conducted by in-house or third-party ethical hackers). Instead of testing known or suspected vulnerabilities, red teamers test all assets a hacker might try to exploit.


Typically, vulnerabilities are remediated in order of priority. This can involve:

  • Applying appropriate security controls to the asset in question—e.g., applying software or operating system patches, debugging application code, implementing stronger data encryption.

  • Bringing previously unknown assets under control—setting security standards for previously unmanaged IT, securely retiring orphaned IT, eliminating rogue assets, integrating subsidiary assets into the organization’s cybersecurity strategy, policies and workflows.

Remediation can also involve broader, cross-asset measures for addressing vulnerabilities, such as implementing least-privileged access or multi-factor authentication (MFA).


Because security risks in the organization's attack surface change any time new assets are deployed or existing assets are deployed in new ways, both the inventoried assets of the network and the network itself are continuously monitored and scanned for vulnerabilities. Continuous monitoring enables ASM to detect and assess new vulnerabilities and attack vectors in real time, and alert security teams to any new vulnerabilities that need immediate attention.

Related solutions
Vulnerability management services

Adopt a vulnerability management program that identifies, prioritizes and manages the remediation of flaws that might expose your most-critical assets.

Explore vulnerability management services
Resources What is an attack surface?

An organization’s attack surface is the sum of its cybersecurity vulnerabilities.

What are insider threats?

Insider threats occur when users with authorized access to a company's assets compromise those assets deliberately or accidentally.

What is zero trust?

A zero trust approach requires that all users, whether outside or already inside the network, be authenticated, authorized and continuously validated in order to gain and maintain access to applications and data.

What is malware?

Malware is software code written to damage or destroy computers or networks, or to provide unauthorized access to computers, networks or data.

What is cloud security?

A guide to securing your cloud computing environment and workloads.

What is data security?

Data security is the practice of protecting digital information from theft, corruption or unauthorized access throughout its lifecycle.

Take the next step

IBM cybersecurity services deliver advisory, integration and managed security services and offensive and defensive capabilities. We combine a global team of experts with proprietary and partner technology to co-create tailored security programs that manage risk.

Explore cybersecurity services