Attack Surface
What is Attack Surface?
Sum of all points where an attacker can attempt to enter, extract data from, or manipulate a system, including networks, software, identities, supply chain, and people.
An organization's attack surface is the complete set of exposed entry points: internet-facing assets, third-party SaaS, APIs, endpoints, mobile apps, network protocols, source-code repositories, IoT/OT devices, cloud control planes, identities, and human channels susceptible to social engineering. It is dynamic, growing with each new feature, vendor, and configuration change. Attack surface management (ASM) and external attack surface management (EASM) tools continuously discover assets, fingerprint them, and prioritise exposures, while internal attack surface reduction relies on hardening, decommissioning legacy services, minimising privileges, segmenting networks, and removing unused dependencies and accounts.
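The discovery, diff and prioritisation loop described above can be shown on a small scale. The following is an added example, not code from the page or from any ASM/EASM product: it compares two constructed asset inventories (last scan versus current scan), flags assets that are new or gone, and ranks the new ones with a simple heuristic exposure score. The asset names, port sets, authentication labels, owners and weights are all assumptions made up for the illustration; a real tool would populate the inventories from DNS, certificate transparency, cloud control-plane APIs, port scans and SaaS discovery.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    kind: str                       # "host", "api", "bucket" or "saas"
    name: str                       # DNS name, bucket URL or SaaS tenant
    ports: frozenset = frozenset()  # TCP ports reachable from the internet
    auth: str = "public"            # "public", "password", "token" or "sso"
    owner: str = ""                 # empty string = nobody has claimed it


def inventory(assets):
    """Key assets by (kind, name) so two scans can be compared."""
    return {(a.kind, a.name): a for a in assets}


# Constructed sample data: what last week's scan knew about.
BASELINE = inventory([
    Asset("host", "www.example.com", frozenset({443}), "public", "web-team"),
    Asset("host", "vpn.example.com", frozenset({443, 1194}), "password", "it-ops"),
    Asset("api", "api.example.com", frozenset({443}), "token", "platform"),
    Asset("saas", "github.com/example-org", auth="sso", owner="platform"),
])

# Constructed sample data: this week's scan. The VPN appliance was
# decommissioned; a dev bucket and a CI/CD admin SaaS tenant showed up.
CURRENT_SCAN = inventory([
    Asset("host", "www.example.com", frozenset({443}), "public", "web-team"),
    Asset("api", "api.example.com", frozenset({443}), "token", "platform"),
    Asset("saas", "github.com/example-org", auth="sso", owner="platform"),
    Asset("bucket", "example-dev-artifacts.s3.amazonaws.com", auth="public"),
    Asset("saas", "ci-admin.example-vendor.io", frozenset({443}), "password"),
])

# Assumed weights; tune to your own risk appetite.
ADMIN_PORTS = frozenset({22, 1194, 3389, 5900})
AUTH_WEIGHT = {"public": 5, "password": 2, "token": 1, "sso": 0}
KIND_WEIGHT = {"bucket": 2, "saas": 2, "host": 1, "api": 1}


def exposure_score(asset):
    """Heuristic prioritisation score; higher means review first."""
    score = KIND_WEIGHT.get(asset.kind, 1)
    score += AUTH_WEIGHT.get(asset.auth, 5)   # unknown auth treated as none
    score += 2 * len(asset.ports & ADMIN_PORTS)  # remote-admin ports exposed
    if not asset.owner:
        score += 3                            # unowned assets rot fastest
    return score


def diff_surface(baseline, current):
    """Return (added, removed) assets between two inventories."""
    added = [current[k] for k in current.keys() - baseline.keys()]
    removed = [baseline[k] for k in baseline.keys() - current.keys()]
    return added, removed


def prioritise(assets):
    """Most exposed first; ties broken deterministically by kind and name."""
    return sorted(assets, key=lambda a: (-exposure_score(a), a.kind, a.name))


def triage_report(baseline, current):
    """Human-readable lines, most urgent new exposure first, then removals."""
    added, removed = diff_surface(baseline, current)
    lines = [f"NEW  score={exposure_score(a):2d} {a.kind:<6} {a.name} "
             f"owner={a.owner or 'UNASSIGNED'}" for a in prioritise(added)]
    lines += [f"GONE score={exposure_score(a):2d} {a.kind:<6} {a.name}"
              for a in prioritise(removed)]
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(BASELINE, CURRENT_SCAN)))
```

Run stand-alone, the report lists the public, unowned dev bucket first, the password-protected CI/CD admin tenant second, and the decommissioned VPN host as a removed asset, which is the surface reduction the second example below describes. The useful property is the diff: the two new assets never appear in any change ticket, so the only way to learn about them is to compare what the internet sees against what the inventory says.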
● Examples
- 01 A forgotten dev S3 bucket and a CI/CD admin SaaS each appear in an EASM scan as new exposed assets.
- 02 Disabling an unused VPN appliance reduces the network attack surface.
● Frequently asked questions
What is Attack Surface?
Sum of all points where an attacker can attempt to enter, extract data from, or manipulate a system, including networks, software, identities, supply chain, and people. It belongs to the Compliance & Frameworks category of cybersecurity.
What does Attack Surface mean?
Sum of all points where an attacker can attempt to enter, extract data from, or manipulate a system, including networks, software, identities, supply chain, and people.
How does Attack Surface work?
An organization's attack surface is the complete set of exposed entry points: internet-facing assets, third-party SaaS, APIs, endpoints, mobile apps, network protocols, source-code repositories, IoT/OT devices, cloud control planes, identities, and human channels susceptible to social engineering. It is dynamic, growing with each new feature, vendor, and configuration change. Attack surface management (ASM) and external attack surface management (EASM) tools continuously discover assets, fingerprint them, and prioritise exposures, while internal attack surface reduction relies on hardening, decommissioning legacy services, minimising privileges, segmenting networks, and removing unused dependencies and accounts.
How do you defend against Attack Surface?
An attack surface is reduced and monitored rather than "defended against". Continuously discover and inventory exposed assets with ASM/EASM tooling so that nothing is reachable that nobody knows about; harden what must stay exposed; decommission legacy services, unused accounts and unused dependencies; minimise privileges; segment networks; and re-check the inventory after every new feature, vendor or configuration change, since each of these can add entry points.
● Related terms
- compliance№ 073
Attack Vector
Specific path or technique an attacker uses to gain unauthorized access to a target, such as phishing, exploit of a CVE, or stolen credentials.
- compliance№ 1151
Threat Vector
Channel or means through which a threat actor can deliver an attack, often used interchangeably with attack vector but with broader, threat-modelling connotation.
- compliance№ 1149
Threat Landscape
Current picture of the threats facing an organization, sector, or region: actors, tactics, malware families, vulnerabilities, and trends over time.
- defense-ops№ 401
External Attack Surface Management (EASM)
Continuous discovery and monitoring of all internet-facing assets that belong to an organization, viewed from an outside-in attacker perspective.
- defense-ops№ 072
Attack Surface Management (ASM)
Continuous discovery, inventory, classification, and monitoring of all assets that expose an organization to potential cyberattack.
- compliance№ 299
Defense in Depth
Security strategy that layers independent controls so that if any single control fails, others continue to prevent, detect, or contain an attack.