Threat trends | 4 min read | July 2, 2026

Attack surface management: how it works and where it fits


Most security teams can list the assets they own. Far fewer can list the ones they have forgotten: the staging server still running, the subdomain pointing at a retired service, or the cloud bucket a developer spun up last quarter. Attack surface management exists to close that gap, and for most enterprises the gap is wide. Research from Enterprise Strategy Group found that 69% of organizations had suffered at least one cyberattack that began through an unknown or unmanaged internet-facing asset.

You cannot defend an asset you do not know exists. That single constraint defines the requirements of attack surface management, because it forces teams to start not from their own records but from the attacker's point of view: the open internet, scanned from the outside, with no inventory to rely on.

What is attack surface management?

Attack surface management (ASM) is the practice of discovering, inventorying, and assessing every asset that contributes to an organization's exposure, then reducing that exposure over time. Forrester defines it as an ongoing process of finding, inventorying, and assessing the exposures across an organization's entire IT estate. It covers internet-facing servers, web applications, application programming interfaces (APIs), cloud workloads, domains, certificates, and the third-party connections that extend the surface beyond assets a company directly controls.

It helps to separate two terms. The attack surface is the sum of all the points where an attacker could try to get in or take data out. ASM is the work of keeping that surface known, understood, and as small as it can reasonably be.

Why ASM matters now

Three shifts have moved ASM from a nice-to-have to a priority. Cloud adoption and remote work multiplied the number of internet-facing systems an organization runs. Mergers and acquisitions fold in infrastructure no one has fully mapped. And reliance on outside vendors means part of the surface now sits with third parties. Verizon's 2025 Data Breach Investigations Report found that the share of breaches involving a third party doubled to 30%, so a growing share of exposure now lives in systems a company does not own.

The surface is not only larger, it is also faster-moving. Assets appear and disappear in hours as teams deploy and decommission cloud resources, so a point-in-time audit is out of date almost as soon as it is finished. This is why periodic approaches struggle: they describe the surface as it was, not as it is.

The attack surface management process

Most ASM programs follow the same logical sequence, whether or not they use these exact labels.

It begins with discovery. The goal is to find every asset connected to the organization, including the ones missing from any inventory, by scanning the open internet and attributing what is found back to the business. This outside-in view is what separates ASM from asset management that works only from internal records.

Discovery feeds inventory and context. Each asset is cataloged with the detail that makes it actionable: what it is, who owns it, what it connects to, and how exposed it is. Without that context, a list of assets is only a longer list of things to worry about.

Next comes prioritization. No team can fix everything at once, so exposures are ranked by the risk they actually carry, weighing how reachable and exploitable an asset is alongside its importance to the business. A high-severity flaw on an isolated system can matter less than a moderate one on a public-facing application.

The step many programs skip is validation: confirming which exposures an attacker could genuinely use, rather than treating every finding as equally urgent. Validation turns a backlog of theoretical issues into a short list of real ones. The cycle then repeats through monitoring, because the surface changes constantly and discovery has to keep pace.
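As an added example that is not Hadrian's code and not part of the original article, the following Python sketch runs the four steps above over constructed sample data: it reconciles an outside-in scan against an internal inventory, flags the forgotten staging server and the subdomain pointing at a retired service, scores each exposure by reachability times business importance, and hands only exposures with a concrete finding to validation. All hosts, ports, CNAME targets, importance ratings and weights are assumptions.

```python
# Added example (not Hadrian's code): reconcile outside-in discovery with the
# internal inventory, then rank. All data and weights are constructed assumptions.
from dataclasses import dataclass, field

# Constructed: what internal asset records say exists (importance 1-3).
INVENTORY = {
    "www.example.com": {"owner": "web-team", "importance": 3},
    "api.example.com": {"owner": "platform", "importance": 3},
}

# Constructed: what an outside-in scan found and attributed to the organization.
# "target_resolves" records whether a CNAME target still answers.
DISCOVERED = [
    {"host": "www.example.com", "ports": [443], "cname": None, "target_resolves": True},
    {"host": "api.example.com", "ports": [443], "cname": None, "target_resolves": True},
    {"host": "staging.example.com", "ports": [22, 8080], "cname": None, "target_resolves": True},
    {"host": "blog.example.com", "ports": [], "cname": "old-blog.hosting.invalid", "target_resolves": False},
]

MANAGEMENT_PORTS = {22, 3389, 8080}                # assumption: admin/dev services
WEIGHT = {"shadow": 2, "dangling": 3, "ports": 2}  # assumption: reachability weights

@dataclass
class Exposure:
    host: str
    known: bool
    findings: list = field(default_factory=list)
    score: int = 0

def assess(discovered, inventory):
    """Discovery -> inventory context -> prioritization, ranked by score."""
    results = []
    for asset in discovered:
        host = asset["host"]
        exp = Exposure(host, known=host in inventory)
        if not exp.known:
            exp.findings.append("shadow")    # on no internal list
        if asset["cname"] and not asset["target_resolves"]:
            exp.findings.append("dangling")  # subdomain points at a retired service
        if MANAGEMENT_PORTS & set(asset["ports"]):
            exp.findings.append("ports")     # admin/dev port reachable from the internet
        # Unknown assets default to importance 2 until an owner is found (assumption).
        importance = inventory.get(host, {}).get("importance", 2)
        exp.score = sum(WEIGHT[f] for f in exp.findings) * importance
        results.append(exp)
    return sorted(results, key=lambda e: e.score, reverse=True)

def validation_queue(results):
    """Only exposures with a concrete finding go on to attacker-style validation."""
    return [e.host for e in results if e.score > 0]
```

The two tracked, well-configured hosts score zero and never reach validation; the two assets the inventory did not know about rank first.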


Attack surface management vs vulnerability management

It is easy to confuse attack surface management with vulnerability management, but they answer different questions. Vulnerability management starts from a known list of assets and asks which carry software flaws that need patching. ASM starts a step earlier and asks a harder question: what do we actually have exposed, including the assets no one put on the list?

The two are complementary: vulnerability management is essential for the systems you already track, but it has nothing to say about the forgotten subdomain or the shadow cloud account, because those never enter its inventory. ASM exists to close that blind spot, which is one reason it has become a foundation for broader exposure management programs.

Where ASM fits: EASM, CAASM, and CTEM

ASM is an umbrella, and a few related terms describe its parts. External attack surface management (EASM) focuses on internet-facing assets, the outside-in view an attacker would have. Cyber asset attack surface management (CAASM) works from the inside, aggregating asset data from existing tools through their APIs to build a single internal inventory. Used together, they cover the external and internal halves of the same surface.

All of this sits inside a larger idea Gartner introduced in 2022: continuous threat exposure management (CTEM), a program that runs discovery, prioritization, validation, and remediation as a repeating cycle. Gartner predicted that organizations prioritizing security investments around a CTEM program would be three times less likely to suffer a breach by 2026. ASM supplies the discovery and visibility the rest of that cycle depends on. Our breakdown of continuous threat exposure management from the hacker's perspective explains how the attacker's view shapes each stage, and how external attack surface management moves teams beyond discovery and into action.

Building a modern ASM program

A modern ASM program is defined less by the size of its asset list than by how quickly it turns discovery into action. Three traits separate the programs that reduce risk from the ones that just generate reports. They discover on an ongoing basis rather than on a schedule, so new exposures surface in hours, not quarters. They prioritize by real-world attackability, so teams focus on exposures an attacker could actually reach. And they confirm findings through real attacker techniques, so the list that reaches engineers is short and true.

This is the logic behind Continuous Attack Surface Management, which treats discovery and testing as a standing capability rather than a periodic exercise. Hadrian's approach uses agentic AI to run real attacker techniques against an organization's external attack surface, separating the exposures that matter from the noise that does not. If you are weighing how to put a program like this in place, our guide to choosing the right attack surface management solution walks through the criteria that matter.
