Threat trends · 3 min read · June 30, 2026

What is the attack surface in cybersecurity?


Every system a company puts online creates a way in. Email servers, web applications, cloud workloads, employee laptops, third-party integrations, and the people who use them all give an attacker something to aim at. The attack surface in cybersecurity is the sum of those entry points: every place where someone could try to get in, cause damage, or take data out.

The most widely cited definition comes from the National Institute of Standards and Technology (NIST): the set of points on the boundary of a system or environment where an attacker can try to enter, affect, or extract data. The Open Worldwide Application Security Project (OWASP) frames it more plainly as all the points where an attacker could get into a system, and where they could get data out. The larger and less understood your attack surface, the more opportunities an attacker has.

The cost of getting this wrong is measurable: IBM's 2025 Cost of a Data Breach Report put the global average breach at $4.44 million, and the United States average at a record $10.22 million. Most of those breaches did not begin with an exotic technique. They began at a forgotten asset, an exposed service, or a credential that should never have been reachable. Understanding your attack surface is the first step to controlling it.

Attack surface versus attack vector

It helps to separate two terms that often get used interchangeably. The attack surface is the whole collection of possible entry points. An attack vector is a single one of those points, the specific path an attacker takes to get in. A phishing email is an attack vector. An unpatched virtual private network (VPN) appliance is an attack vector. The attack surface is every vector added together.

The distinction matters because it changes how you defend. You cannot eliminate the attack surface entirely, since any useful system has to be reachable by someone. What you can do is reduce the number of vectors, close the ones that serve no purpose, and watch the ones that remain. Reducing attack vectors is how you shrink the attack surface in cybersecurity to something a team can actually defend.

The three main types of attack surface

Security teams usually divide the attack surface into three categories. The digital attack surface covers everything reachable over a network: web applications, application programming interfaces (APIs), open ports, cloud storage, domains, certificates, and the servers behind them. This is the largest and fastest-changing category for most enterprises, and it is where external attackers spend most of their time.

The physical attack surface covers hardware and the access to it: laptops, servers, universal serial bus (USB) ports, office endpoints, and any device an attacker could touch or steal. A misplaced laptop or an unattended workstation can be as useful to an attacker as an exposed server.

The third category is the human attack surface, sometimes called the social engineering surface. It covers the people in an organization and the ways they can be manipulated through phishing, pretexting, or stolen credentials. This category is consistently one of the most exploited, because it does not require breaking any technology. It only requires convincing a person.


Why your attack surface keeps expanding

For most organizations, the attack surface is constantly changing. It grows every time a team spins up a cloud instance, connects a new vendor, or ships a new application. Three forces in particular have pushed it outward.

The first is the move to cloud and remote work, which has multiplied the number of internet-facing systems an organization runs. Verizon's 2025 Data Breach Investigations Report found that the exploitation of internet-facing edge devices and VPNs grew nearly eightfold in a single year, from 3% to 22% of vulnerability-based breaches. These are the systems that sit at the edge of the network, exposed by design, and they have become a favorite target.

The second is third-party and supply chain exposure. The same report found that the share of breaches involving a third party doubled to 30%. Your attack surface now includes assets you do not own and cannot patch, reached through vendors, contractors, and integrated software.

The third is shadow IT, and increasingly shadow AI: tools and services adopted without security oversight. Every unsanctioned tool adds exposures that no one is watching, which is exactly the kind of gap attackers look for.

How attackers map your attack surface

Defenders tend to think of their attack surface as a list of their assets, but that presupposes that they know about every asset. Attackers do not work from that list. They start from the outside with no inventory, scanning the open internet for anything connected to your organization, then probing what they find for weaknesses. The assets you have forgotten are often the ones they find first.

This is why an internal asset inventory is rarely enough on its own. The systems that cause breaches are often the ones missing from it: a staging server left running, a subdomain pointing at a decommissioned service, or an acquired company's infrastructure that was never folded into the security program. Seeing your environment the way an attacker sees it, from the outside in, is the most reliable way to find these exposures first. Our breakdown of continuous threat exposure management from the hacker's perspective goes deeper on why that shift matters.
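The reconciliation described above, as an added example that is not part of the original article or of any Hadrian tooling: it takes the names an outside observer could collect (passive DNS, certificate-transparency logs, subdomain brute-forcing) and compares them with what the internal inventory knows, then flags subdomains whose CNAME target no longer resolves. The inventory, the external records and the set of resolvable targets are all constructed sample data under reserved example domains; a real run would replace the static set with DNS lookups.

```python
"""Reconcile an outside-in view of an organisation's hostnames with its
internal asset inventory, and flag subdomains whose CNAME target no longer
resolves. All inputs are constructed sample data, not output of a real tool.
"""

# Constructed: hostnames the internal inventory knows about.
INVENTORY = {
    "www.example.com",
    "api.example.com",
    "vpn.example.com",
}

# Constructed: names an external observer could collect. Each entry is
# (name, record type, value); trailing dots and mixed case mimic raw output.
EXTERNAL_RECORDS = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("API.example.com", "A", "203.0.113.11"),
    ("vpn.example.com", "A", "203.0.113.12"),
    ("staging.example.com", "A", "203.0.113.40"),          # forgotten staging box
    ("legacy-shop.example.com", "CNAME", "shop-old.storage.example.net."),
    ("*.dev.example.com", "A", "203.0.113.50"),            # wildcard seen in CT logs
    ("acquired-co.example.com", "CNAME", "www.acquired-co.example.org."),
]

# Constructed: CNAME targets that still resolve. In practice this is a DNS
# query; a static set keeps the example runnable offline.
RESOLVABLE_TARGETS = {"www.acquired-co.example.org"}


def normalize(name: str) -> str:
    """Lower-case a DNS name, drop the trailing dot and any wildcard label.

    A wildcard does not prove the bare name exists, but it does reveal a zone
    worth probing, so the base name is kept as something to look at.
    """
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def find_unknown_assets(records, inventory):
    """Return externally observed names that the internal inventory lacks."""
    known = {normalize(n) for n in inventory}
    seen = {normalize(name) for name, _, _ in records}
    return sorted(seen - known)


def find_dangling_cnames(records, resolvable):
    """Return (name, target) pairs whose CNAME target no longer resolves.

    A dangling CNAME is an exposure, not proof of compromise: if the target's
    namespace can be claimed by anyone (a retired cloud hostname, say), the
    subdomain can be taken over. Confirm by checking whether the target is
    actually claimable before treating it as critical.
    """
    resolvable = {normalize(t) for t in resolvable}
    dangling = []
    for name, rtype, value in records:
        if rtype.upper() == "CNAME" and normalize(value) not in resolvable:
            dangling.append((normalize(name), normalize(value)))
    return dangling


def report(records=EXTERNAL_RECORDS, inventory=INVENTORY,
           resolvable=RESOLVABLE_TARGETS):
    """Bundle both checks so the result can be consumed programmatically."""
    return {
        "unknown_assets": find_unknown_assets(records, inventory),
        "dangling_cnames": find_dangling_cnames(records, resolvable),
    }


if __name__ == "__main__":
    for key, items in report().items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Every name in `unknown_assets` is a candidate for the "forgotten asset" the text describes; the point of the comparison is that the inventory can only ever shrink that list, never produce it.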

How to reduce and manage your attack surface

You cannot defend what you have not found, so the first task is building a complete, current picture of every internet-facing asset, including the ones no one remembers deploying. This is the core of attack surface management (ASM), and for externally exposed assets specifically, external attack surface management (EASM).

From there, the work follows a clear pattern: inventory what you have, prioritize the exposures that genuinely put the business at risk, close the ones that serve no purpose, and monitor what remains, because the attack surface changes constantly. Periodic scans miss the asset that appeared last Tuesday, which is the reasoning behind Continuous Attack Surface Management, an approach that treats discovery and testing as an ongoing practice rather than a quarterly event.
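The monitor step above, as an added example that is not part of the original article or of Hadrian's platform: two constructed scan snapshots of the external footprint are diffed to surface what appeared or changed since the last look, and each newly reachable service is ranked. The port list, the snapshot shape (`{host: {port: service}}`) and the two-tier ranking are assumptions made for the example, not a published prioritization scheme.

```python
"""Diff two external scan snapshots to catch what changed since the last
scan, then rank the new exposures. Snapshots are constructed sample data in
the shape {host: {port: service}}, not output of a real scanner.
"""

# Assumed list of ports that rarely have a legitimate reason to be reachable
# from the internet: exposing one is the kind of vector you close, not watch.
NO_PURPOSE_ON_INTERNET = {
    445: "SMB",
    3389: "RDP",
    3306: "MySQL",
    5432: "PostgreSQL",
    6379: "Redis",
    9200: "Elasticsearch",
}

# Constructed: last week's scan.
PREVIOUS = {
    "www.example.com": {443: "https"},
    "api.example.com": {443: "https"},
    "vpn.example.com": {443: "https", 4443: "ssl-vpn"},
}

# Constructed: today's scan. A staging host appeared, the VPN box now exposes
# RDP and dropped its secondary listener, and a database port opened on the
# API host.
CURRENT = {
    "www.example.com": {443: "https"},
    "api.example.com": {443: "https", 5432: "postgresql"},
    "vpn.example.com": {443: "https", 3389: "ms-wbt-server"},
    "staging.example.com": {80: "http", 22: "ssh"},
}


def diff_snapshots(previous, current):
    """Return hosts and (host, port) pairs that appeared or disappeared."""
    prev_hosts, cur_hosts = set(previous), set(current)
    opened, closed = [], []
    for host in cur_hosts | prev_hosts:
        before = set(previous.get(host, {}))
        after = set(current.get(host, {}))
        opened += [(host, p) for p in after - before]
        closed += [(host, p) for p in before - after]
    return {
        "new_hosts": sorted(cur_hosts - prev_hosts),
        "gone_hosts": sorted(prev_hosts - cur_hosts),
        "opened": sorted(opened),
        "closed": sorted(closed),
    }


def prioritize(opened, current):
    """Rank newly reachable services: 'close' for ports with no business
    purpose on the internet, 'review' for everything else. Ranking by port
    says what deserves attention first; it does not say what is exploitable,
    which is a separate validation step."""
    ranked = []
    for host, port in opened:
        service = current[host][port]
        tier = "close" if port in NO_PURPOSE_ON_INTERNET else "review"
        ranked.append((tier, host, port, service))
    # 'close' sorts before 'review', so the urgent items come first.
    return sorted(ranked)


def run(previous=PREVIOUS, current=CURRENT):
    """Diff the snapshots and attach the ranked list of new exposures."""
    changes = diff_snapshots(previous, current)
    changes["ranked"] = prioritize(changes["opened"], current)
    return changes


if __name__ == "__main__":
    for key, items in run().items():
        print(f"{key}: {items}")
```

Run on a schedule, the `opened` list is the answer to "what appeared since last Tuesday", and the `closed` list is the evidence that a remediation actually took effect.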

The strongest programs go one step further and confirm which exposures are actually reachable and exploitable, rather than treating every finding as equally urgent. Hadrian's approach uses agentic AI to run real attacker techniques against an organization's external attack surface, so teams spend their time on the exposures that matter rather than triaging noise. If you are formalizing this work, our guide to understanding attack surface management and why it matters is a practical place to start.
