Your attack surface is almost certainly larger than you think. A forgotten staging subdomain, a misconfigured S3 bucket that was never taken down, a third-party SaaS tool your developers spun up six months ago — each one is a potential entry point. And attackers are not waiting for you to find them first.
Attack surface management (ASM) is the discipline that answers a deceptively simple question: what does your organization look like from the outside? This guide explains what ASM is, why it has become critical for modern security teams, what good tooling should cover, and how to get started regardless of your team size.
What Is Attack Surface Management?
Attack surface management is the continuous process of discovering, inventorying, assessing, prioritizing, and remediating the assets and exposures that an attacker could target. The goal is not a one-time audit — it is an ongoing, automated program that keeps pace with the rate at which infrastructure actually changes.
External vs. Internal Attack Surface
The external attack surface is everything reachable from the public internet: domain names, IP ranges, web applications, APIs, cloud storage endpoints, email infrastructure, and any service listening on an open port. This is the primary focus of ASM tooling because it is what attackers see before they have any foothold inside your network.
The internal attack surface covers assets behind the perimeter — workstations, internal services, Active Directory, lateral movement paths. Internal ASM overlaps with vulnerability management and endpoint security. Most organizations start with external ASM because it is directly accessible to any threat actor with an internet connection and a port scanner.
A complete ASM program eventually covers both, but controlling what is visible from the outside is the highest-leverage starting point.
Why ASM Matters Now
Cloud Adoption Is Expanding the Perimeter
A traditional perimeter had a defined edge: a firewall, a DMZ, a handful of public IP addresses. That model no longer reflects reality. Cloud deployments spin up new infrastructure in minutes. Development teams create ephemeral environments that sometimes outlive their intended lifespan by months or years. Each new resource is a potential exposure, and most organizations have no automated process to detect it.
Shadow IT and Forgotten Assets
Security teams rarely have a complete, accurate inventory of what their organization actually runs. Developers register subdomains, marketing teams stand up landing pages, acquired companies bring entire IP ranges into scope. Assets get created and then forgotten. Forgotten assets do not get patched. Attackers have long understood that the path of least resistance is not the hardened production environment — it is the staging server running an outdated version of a web framework that nobody has touched in two years.
NIS2 and DORA Compliance Requirements
Regulatory frameworks are increasingly explicit about asset visibility. The EU's NIS2 Directive requires organizations to implement risk management measures that include identifying and managing ICT assets. DORA (Digital Operational Resilience Act), which applies to financial entities operating in the EU, mandates continuous monitoring of ICT risks and explicit controls over third-party dependencies. Neither framework accepts "we did not know that asset existed" as a valid defense. A documented, continuous ASM program is foundational evidence of compliance.
Attackers Scan Faster Than Defenders
Shodan indexes new services within hours of them coming online. Threat actors running automated scanners can identify a newly exposed service — a misconfigured database, an unauthenticated admin panel, a server running a freshly disclosed CVE — faster than most security teams run their next scheduled scan. The asymmetry is stark: defenders historically ran quarterly or monthly assessments, while attackers scan continuously. ASM closes that gap by matching the attacker's cadence.
The Five Pillars of ASM
1. Discovery
Discovery is the process of finding everything that belongs to your organization before an attacker does. This goes well beyond a list of IP addresses your IT department maintains.
Effective discovery uses multiple techniques in parallel:
- Subdomain enumeration: Systematically identifying subdomains associated with your root domains using brute-force wordlists, permutation algorithms, and DNS zone transfer attempts.
- Certificate Transparency logs: Every publicly trusted TLS certificate is logged to CT logs (crt.sh being the most widely used). Querying these logs reveals subdomains and services that may never appear in internal documentation.
- Passive DNS: Historical DNS resolution data surfaces assets that were once live but may have been decommissioned without proper cleanup — or that are actively resolving to infrastructure you do not control.
- BGP and ASN data: Mapping your Autonomous System Numbers reveals IP ranges associated with your organization, including ranges from acquisitions.
- WHOIS and reverse WHOIS: Identifying domain registrations tied to your organization's legal name, email addresses, or nameservers.
Discovery is never a completed task. It runs continuously because your infrastructure changes continuously.
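As an added example (not code from the original article or from DFIR Lab), the following Python parses Certificate Transparency data in the shape crt.sh returns for `?q=%.example.com&output=json` and splits the in-scope hostnames into those with a currently valid certificate and those seen only on expired certificates, which are candidates for the forgotten assets the section describes. The sample records are constructed for illustration, and `DEMO_NOW` is a fixed clock so the result is reproducible.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of crt.sh's JSON output (output=json).
# These records are made up for this example; they are not real log entries.
SAMPLE_CRTSH_JSON = r"""[
  {"id": 1, "common_name": "example.com", "name_value": "www.example.com\nexample.com",
   "not_before": "2024-01-01T00:00:00", "not_after": "2030-01-01T00:00:00"},
  {"id": 2, "common_name": "*.staging.example.com", "name_value": "*.staging.example.com",
   "not_before": "2024-06-01T00:00:00", "not_after": "2030-06-01T00:00:00"},
  {"id": 3, "common_name": "Old-Portal.example.com", "name_value": "Old-Portal.example.com",
   "not_before": "2020-05-01T00:00:00", "not_after": "2021-05-01T00:00:00"},
  {"id": 4, "common_name": "api.example.com", "name_value": "api.example.com\nwww.example.com",
   "not_before": "2021-01-01T00:00:00", "not_after": "2022-01-01T00:00:00"},
  {"id": 5, "common_name": "example.com.lookalike.net", "name_value": "example.com.lookalike.net",
   "not_before": "2024-01-01T00:00:00", "not_after": "2030-01-01T00:00:00"}
]"""

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def hostnames_from_record(record):
    """Return the normalized hostnames on one certificate record.

    crt.sh lists every SAN in name_value, newline-separated. A wildcard is
    reduced to its base label, so '*.staging.example.com' yields
    'staging.example.com', which is the name worth resolving.
    """
    names = set()
    for raw in record.get("name_value", "").split("\n"):
        name = raw.strip().lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]
        if name:
            names.add(name)
    return names


def in_scope(name, root):
    """True if name is the root domain or a subdomain of it (label-exact match)."""
    return name == root or name.endswith("." + root)


def parse_not_after(value):
    # crt.sh timestamps carry no zone designator; they are UTC.
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def extract_subdomains(crtsh_json, root, now=None):
    """Return (current, stale): in-scope hostnames with at least one unexpired
    certificate, and hostnames seen only on expired certificates."""
    now = now or datetime.now(timezone.utc)
    has_valid_cert = set()
    seen = set()
    for record in json.loads(crtsh_json):
        expired = parse_not_after(record["not_after"]) < now
        for name in hostnames_from_record(record):
            if not in_scope(name, root):
                continue  # lookalike or unrelated domain sharing a certificate
            seen.add(name)
            if not expired:
                has_valid_cert.add(name)
    return sorted(has_valid_cert), sorted(seen - has_valid_cert)


if __name__ == "__main__":
    current, stale = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com", now=DEMO_NOW)
    print("valid certificate :", current)
    print("expired cert only :", stale)
```

The "stale" list is the interesting output for discovery: a hostname whose only certificates have expired either was decommissioned (check that its DNS records were removed too) or is still live with an expired certificate, and both cases belong in the inventory with an owner.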
2. Inventory
Discovery produces a raw list of assets. Inventory transforms that list into a structured, actionable dataset. Each asset needs classification (what type of asset is it?), ownership mapping (which team or business unit owns it?), and context (is it production, staging, or decommissioned?).
Without ownership data, remediation stalls. If a vulnerability is found on a subdomain and nobody knows which team is responsible for it, the finding sits in a queue indefinitely. Good inventory practices tie each asset to a named owner and establish a clear process for contested or unclaimed assets.
3. Assessment
Assessment is the technical analysis of each discovered asset to identify vulnerabilities, misconfigurations, and security weaknesses. This includes:
- Vulnerability scanning: Matching exposed services and software versions against known CVE databases.
- SSL/TLS certificate analysis: Checking for expired certificates, weak cipher suites, protocol downgrades (SSLv3, TLS 1.0/1.1), certificate chain issues, and hostname mismatches.
- DNS security: Evaluating SPF, DKIM, and DMARC records for email security posture; checking for subdomain takeover vulnerabilities; verifying DNSSEC configuration.
- Open port analysis: Identifying services exposed on non-standard ports, services that should not be internet-facing, and banners that reveal version information.
- WHOIS lookup: Identifying domain expiration dates, registrar data, and registration anomalies that could indicate risk.
Assessment should correlate data across multiple sources. A single scanner has blind spots. Combining results from passive intelligence sources (Shodan, SecurityTrails, OTX) with active scanning (direct SSL grading, DNS queries) produces a more complete picture than either approach alone.
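As an added example of the DNS security checks listed above (not code from the article or from DFIR Lab), this Python evaluates an SPF and a DMARC TXT record and returns severity-ranked findings: a permissive `all` qualifier, the RFC 7208 limit of 10 DNS-lookup terms, a monitoring-only DMARC policy, partial `pct`, and missing aggregate reporting. The records are constructed sample values; in practice they would come from a DNS query of the domain and of `_dmarc.<domain>`.

```python
# RFC 7208 caps the number of DNS-lookup-causing SPF terms at 10.
SPF_LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample records for the demonstration.
WEAK_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
OVERLIMIT_SPF = "v=spf1 " + " ".join(f"include:s{i}.example.net" for i in range(11)) + " -all"


def assess_spf(record):
    """Return (severity, message) findings for one SPF record (None = no record)."""
    if not record:
        return [("high", "no SPF record: any host can send as this domain")]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return [("high", "TXT record is not a valid SPF record (missing v=spf1)")]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier, body = ("+", term)
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        # mechanism name precedes any ':' argument or '/' CIDR length
        mechanism = body.split(":", 1)[0].split("/", 1)[0].lower()
        if mechanism in LOOKUP_MECHANISMS or body.lower().startswith("redirect="):
            lookups += 1
        if mechanism == "ptr":
            findings.append(("low", "ptr mechanism is deprecated and costly for receivers"))
        if mechanism == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append(("medium", "no 'all' mechanism: unlisted senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(("high", "+all authorizes every host on the internet to send as this domain"))
    elif all_qualifier == "?":
        findings.append(("medium", "?all is neutral; receivers will not reject spoofed mail"))
    elif all_qualifier == "~":
        findings.append(("low", "~all soft-fails spoofed mail; -all is stricter"))
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(("high", f"{lookups} DNS lookups exceed the RFC 7208 limit of 10; "
                                 "receivers return permerror and SPF is effectively off"))
    return findings


def assess_dmarc(record):
    """Return (severity, message) findings for one DMARC record (None = no record)."""
    if not record:
        return [("high", "no DMARC record: SPF/DKIM failures are neither enforced nor reported")]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return [("high", "TXT record at _dmarc is not a valid DMARC record")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("high", f"missing or unknown DMARC policy p={policy!r}"))
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100 and policy in ("quarantine", "reject"):
        findings.append(("low", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(("low", "no rua tag: no aggregate reports, so spoofing attempts go unseen"))
    return findings


def assess_email_posture(spf_record, dmarc_record):
    """Combine SPF and DMARC findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [("SPF", sev, msg) for sev, msg in assess_spf(spf_record)]
    findings += [("DMARC", sev, msg) for sev, msg in assess_dmarc(dmarc_record)]
    return sorted(findings, key=lambda f: order[f[1]])


if __name__ == "__main__":
    for source, sev, msg in assess_email_posture(WEAK_SPF, WEAK_DMARC):
        print(f"[{sev:6}] {source}: {msg}")
```

The lookup-count check matters more than it looks: a domain that keeps adding `include:` terms for new SaaS senders can silently cross the limit, at which point receivers treat the record as a permanent error and the domain loses SPF protection without any visible change in the DNS zone.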
4. Prioritization
A typical external ASM run against a mid-size organization will surface dozens or hundreds of findings. Security teams cannot remediate everything simultaneously, and not all findings carry equal risk. Prioritization uses risk scoring to determine what to fix first.
Effective prioritization takes into account:
- Severity of the vulnerability or misconfiguration (CVSS score, exploit availability)
- Asset criticality (is this a production authentication endpoint or an internal test tool?)
- Exposure (is the finding directly internet-accessible or behind an additional layer?)
- Business context (does this asset handle sensitive data or process payments?)
A risk score that combines these factors — rather than sorting purely by CVSS — gives security teams a defensible, business-aligned remediation queue.
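To make the four factors concrete, here is an added Python example (not the Exposure Scanner's scoring model, and not code from the article) that combines CVSS, exploit availability, exposure, asset tier and business context into a 0 to 100 score and sorts a constructed set of findings by it. The weights and the sample findings are assumptions chosen to show the effect the paragraph describes: a critical-CVSS bug on a test tool behind authentication ranks below a lower-CVSS, exploitable bug on an internet-facing production login endpoint.

```python
from dataclasses import dataclass

# Illustrative weights; tune them to your environment.
EXPOSURE_WEIGHT = {"internet": 1.0, "authenticated": 0.5, "internal": 0.25}
TIER_WEIGHT = {"production": 1.0, "staging": 0.6, "test": 0.3}
EXPLOIT_MULTIPLIER = 1.25  # public exploit or observed in-the-wild use


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss: float                   # 0.0 - 10.0 base score
    exploit_available: bool
    exposure: str                 # key of EXPOSURE_WEIGHT
    tier: str                     # key of TIER_WEIGHT
    handles_sensitive_data: bool  # payments, credentials, PII


def risk_score(f):
    """0-100 score: severity x exposure x criticality, severity capped at 1.0."""
    severity = (f.cvss / 10.0) * (EXPLOIT_MULTIPLIER if f.exploit_available else 1.0)
    severity = min(1.0, severity)
    exposure = EXPOSURE_WEIGHT[f.exposure]
    # sensitive data makes an asset top-tier regardless of its environment label
    criticality = 1.0 if f.handles_sensitive_data else TIER_WEIGHT[f.tier]
    return int(round(100 * severity * exposure * criticality))


def prioritize(findings):
    """Remediation queue, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("test-tool.example.com", "RCE in web framework", 9.8, False, "authenticated", "test", False),
    Finding("login.example.com", "authentication bypass", 7.5, True, "internet", "production", True),
    Finding("staging.example.com", "TLS 1.0 enabled", 5.3, False, "internet", "staging", False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):3d}  CVSS {f.cvss:<4} {f.asset:<24} {f.title}")
```

Sorting the same list by CVSS alone would put the test tool first; the combined score puts the login endpoint first, the staging TLS issue second, and the test tool last, which is the order a security team can defend to the business.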
5. Remediation
Remediation closes the loop: patching vulnerable software, decommissioning assets that serve no current purpose, fixing misconfigurations, rotating exposed credentials, and hardening SSL/TLS configurations. Good ASM programs treat remediation as a workflow, not an afterthought — with tracked tickets, SLA targets by severity, and verification that fixes are confirmed effective.
Decommissioning deserves particular attention. Many organizations patch active assets diligently but leave retired infrastructure running. A decommissioned asset that nobody monitors is not a low-risk asset — it is an unmonitored one.
What ASM Tools Should Check
A capable ASM tool should cover the following at minimum:
| Category | What to Check |
|---|---|
| Subdomains | CT log enumeration, passive DNS, brute-force discovery |
| Open Ports | TCP/UDP port scan, service fingerprinting, unexpected exposures |
| SSL/TLS | Certificate validity, expiry, cipher suites, protocol versions, chain trust |
| DNS Records | SPF, DKIM, DMARC, DNSSEC, subdomain takeover indicators |
| WHOIS | Registrar data, expiry dates, registrant information |
| CVEs | Known vulnerabilities matched to exposed software and services |
| IP Reputation | Threat intelligence feeds, blacklist status, hosting provider context |
| Email Security | MX records, DMARC policy enforcement, SPF alignment |
The DFIR Lab Exposure Scanner aggregates data across 11 providers — Shodan, Criminal IP, Netlas, SSL Labs, crt.sh, BGPView, WhoisXML, SecurityTrails, OTX, HackerTarget, and IP-API — and synthesizes the results into a single risk score from 0 to 100. Rather than requiring a team to maintain subscriptions and parse output from each provider independently, it normalizes findings into a unified report. The free Domain Lookup tool at dfir-lab.ch/domain-lookup covers DNS, email security, and TLS analysis at no cost.
ASM for Different Team Sizes
Solo Security Engineer
A single-person security function usually cannot afford broad commercial tooling and has limited time for manual research. The highest-leverage approach is a combination of free automated tools and an API for scripted checks.
The DFIR Lab Exposure Scanner is available for free at dfir-lab.ch/exposure-scanner, with 100 free credits per month — enough to run regular checks against a small domain portfolio. For automation, the API at platform.dfir-lab.ch/docs/exposure accepts domain inputs and returns structured JSON results (10 credits per scan), making it straightforward to integrate into a cron job or CI pipeline. The CLI is a one-liner:
dfir-cli exposure scan yourdomain.com
Mid-Size SOC Team
A team with dedicated analysts needs continuous monitoring rather than on-demand scans. The goal is to be alerted when new assets appear or when the risk score of an existing asset changes — not to manually initiate scans. The Professional plan (250 scans/month at $79/mo) supports scheduled scanning across a domain portfolio and provides the volume needed to monitor subdomains individually rather than just root domains.
Integrating scan results into a SIEM or ticketing system via the API closes the loop between detection and remediation tracking.
MSSP
Managed Security Service Providers need multi-client isolation, scalable scan capacity, and the ability to generate per-client reports. API-based access with programmatic domain management makes it possible to run ASM as a structured service offering rather than a manual engagement. The Exposure Scanner's multi-provider aggregation means MSSPs deliver comprehensive coverage without maintaining separate tool subscriptions for each underlying data source.
Getting Started with ASM
Step 1: Know Your Domains
Before running any tool, build a list of every domain and root domain your organization owns. This includes:
- Primary domains
- Country-code TLDs and regional variants
- Domains from acquired companies
- Domains registered by subsidiaries or affiliated entities
WHOIS reverse lookups on your organization's name and historical registrant email addresses often surface domains that are not in any internal inventory. This step alone frequently produces surprises.
Step 2: Run Your First Scan
Run the DFIR Lab Exposure Scanner against your primary domain. Review the risk score and the underlying findings — expired certificates, open ports that should not be exposed, DNS misconfigurations, subdomains appearing in CT logs that your team does not recognize.
The first scan is rarely clean. That is the point. The findings from an initial scan define your remediation backlog and establish a baseline risk score to measure improvement against.
For DNS and email security specifically, the free Domain Lookup tool at dfir-lab.ch/domain-lookup gives you immediate visibility into SPF, DMARC, DKIM, and TLS configuration without requiring any account setup.
Step 3: Set Up Continuous Monitoring
A single scan is a snapshot. The attack surface changes constantly — new subdomains get created, certificates expire, new CVEs are disclosed against software you run. Continuous monitoring means automating scans on a schedule (weekly at minimum, daily for high-risk assets) and alerting on meaningful changes.
Using the API or CLI, schedule scans for each domain in your portfolio. Define thresholds: if a domain's risk score increases by more than 10 points between scans, generate an alert. If a new subdomain appears that was not in the previous scan, flag it for ownership verification before it goes unmonitored.
This is the operational state that ASM programs aim for: not a project that ends, but a continuous capability.
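The thresholds in Step 3 translate directly into a scan-diffing routine. The Python below is an added example (not code from the article or from DFIR Lab) that compares two consecutive scan results and emits alerts for a risk-score jump above 10 points, subdomains that appeared since the last scan, subdomains that disappeared, and new findings. The two scan documents are constructed, and their JSON shape is an assumption for this example rather than the DFIR Lab API's actual response format; adapt the field names to whatever your scanner returns.

```python
import json

SCORE_ALERT_DELTA = 10

# Constructed scan results; the field layout is assumed for this example only.
PREVIOUS_SCAN = json.loads("""{
  "domain": "example.com", "risk_score": 42,
  "subdomains": ["www.example.com", "api.example.com", "old-portal.example.com"],
  "findings": ["expired certificate on old-portal.example.com"]
}""")
CURRENT_SCAN = json.loads("""{
  "domain": "example.com", "risk_score": 61,
  "subdomains": ["www.example.com", "api.example.com", "dev-db.example.com"],
  "findings": ["expired certificate on old-portal.example.com",
               "database port 5432 open on dev-db.example.com"]
}""")


def diff_scans(previous, current, delta=SCORE_ALERT_DELTA):
    """Return (severity, message) alerts describing what changed between two scans."""
    if previous["domain"] != current["domain"]:
        raise ValueError("scans are for different domains")
    alerts = []
    change = current["risk_score"] - previous["risk_score"]
    if change > delta:
        alerts.append(("high", f"risk score rose {previous['risk_score']} -> "
                               f"{current['risk_score']} (+{change})"))
    prev_subs, cur_subs = set(previous["subdomains"]), set(current["subdomains"])
    for sub in sorted(cur_subs - prev_subs):
        # unknown asset: confirm an owner before it drifts out of sight
        alerts.append(("medium", f"new subdomain {sub}: verify ownership and add to inventory"))
    for sub in sorted(prev_subs - cur_subs):
        # gone from the scan is not the same as decommissioned; confirm DNS was cleaned up
        alerts.append(("info", f"subdomain {sub} no longer observed: confirm decommissioning"))
    prev_findings = set(previous["findings"])
    for finding in current["findings"]:
        if finding not in prev_findings:
            alerts.append(("medium", f"new finding: {finding}"))
    return alerts


def worst_severity(alerts):
    """Overall severity for routing: high beats medium beats info; None if nothing changed."""
    order = ["high", "medium", "info"]
    present = {sev for sev, _ in alerts}
    for sev in order:
        if sev in present:
            return sev
    return None


if __name__ == "__main__":
    alerts = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print("overall:", worst_severity(alerts))
    for sev, msg in alerts:
        print(f"[{sev:6}] {msg}")
```

In a scheduled job the previous result is read from storage, the current one is the fresh scan, and the alert list is what gets posted to the SIEM or ticket queue; `worst_severity` is the field a routing rule keys on.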
Run an exposure scan against a domain you own. The DFIR API Playground fires the Exposure Scanner against 11 providers — subdomains, open ports, certificate issues, DNS hygiene, CVE hits — and returns a single scored report. 10 free calls per week, no signup, so you can benchmark your own attack surface before deciding whether continuous monitoring is worth the budget.
Conclusion
Attack surface management is not a product category — it is a security discipline. The tools exist to support a process: discover what you have, assess what is exposed, prioritize by actual risk, and remediate systematically. Organizations that treat ASM as a continuous program rather than a periodic audit consistently reduce the window during which vulnerabilities are exploitable.
The DFIR Lab Exposure Scanner gives security teams of any size a starting point. The free tier at dfir-lab.ch/exposure-scanner requires no setup — enter a domain, get a risk score backed by 11 intelligence providers. For teams ready to move to continuous monitoring, the Professional plan is available at $79/month. Use code LAUNCH50 for 50% off your first paid month.
Your attack surface is already being mapped. The question is whether you are the one doing it.