Vol. 1 · Ed. 2026
CyberGlossary
Entry № 085

Attack Surface

Reviewed by: cybersecurity entrepreneur & security researcher

What is Attack Surface?

Attack Surface: Sum of all points where an attacker can attempt to enter, extract data from, or manipulate a system, including networks, software, identities, supply chain, and people.


An organization's attack surface is the complete set of exposed entry points: internet-facing assets, third-party SaaS, APIs, endpoints, mobile apps, network protocols, source-code repositories, IoT/OT devices, cloud control planes, identities, and human channels susceptible to social engineering. It is dynamic, growing with each new feature, vendor, and configuration change. Analysts often divide it into the digital surface (software and exposed services), the physical surface (devices and media), and the social surface (people targeted by phishing).

The MOVEit Transfer campaign of 2023 is a textbook illustration. A single SQL-injection flaw, CVE-2023-34362, sat in an internet-facing file-transfer appliance; Shodan showed roughly 2,500 exposed MOVEit instances at disclosure, and the Cl0p ransomware group exploited them as a zero-day to breach hundreds of organizations through one forgotten edge of their surface. The lesson is that unmanaged or "shadow IT" assets — a dev S3 bucket, an abandoned VPN appliance, a stale subdomain vulnerable to takeover — are exactly where attackers look first.

Attack surface management (ASM) and external attack surface management (EASM) tools continuously discover assets, fingerprint them, and prioritise exposures. Reduction relies on hardening, decommissioning legacy services, minimising privileges, segmenting networks, patching internet-facing software fast, and removing unused dependencies and accounts.

flowchart TD
  O[Organization] --> D[Digital surface<br/>internet assets, APIs, SaaS, cloud]
  O --> P[Physical surface<br/>endpoints, IoT/OT, media]
  O --> S[Social surface<br/>employees, phishing targets]
  D --> EASM[EASM continuous discovery<br/>+ fingerprinting]
  EASM --> X{Exposure found?}
  X -->|Yes: e.g. unpatched MOVEit| R[Patch / decommission /<br/>segment / least privilege]
  X -->|No| M[Keep monitoring]
  R --> M

Examples

  1. A forgotten dev S3 bucket and a CI/CD admin SaaS each appear in an EASM scan as new exposed assets.

  2. Disabling an unused VPN appliance reduces the network attack surface.
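The EASM workflow described above (discover, fingerprint, prioritise, reduce) and both examples, as an added illustration that is not part of the glossary entry or any vendor's tool: a toy triage script over a constructed asset inventory. It diffs a previous scan against the current one to surface newly exposed assets (a dev S3 bucket and a CI/CD admin console), scores each asset with illustrative weights (unowned, missing from the CMDB, admin ports exposed, unpatched CVE), and shows how decommissioning an unused VPN appliance shrinks the exposed-port count. All hostnames, bucket names, scores and the `unpatched_cves` field are assumptions; in practice the CVE data would come from a vulnerability feed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One externally discovered asset. All values used below are constructed sample data."""
    host: str                      # hostname or bucket name
    kind: str                      # "web", "api", "vpn", "s3", "saas"
    ports: tuple = ()              # TCP ports reachable from the internet
    software: str = ""             # product fingerprinted from banners/headers
    owner: str = ""                # "" = nobody claims it (shadow-IT candidate)
    in_cmdb: bool = True           # present in the internal asset inventory?
    unpatched_cves: tuple = ()     # hypothetical: filled by a vulnerability feed


ADMIN_PORTS = {22, 3389, 5900}     # remote-administration services that should not face the internet

# Hosts known from the previous scan; "example.com" names are constructed placeholders.
PREVIOUS_SCAN = {"www.example.com", "vpn-old.example.com", "transfer.example.com"}

CURRENT_SCAN = [
    Asset("www.example.com", "web", (443,), "nginx", owner="web-team"),
    # Abandoned VPN appliance: still answering, nobody owns it, missing from the CMDB.
    Asset("vpn-old.example.com", "vpn", (443, 500), "legacy SSL-VPN", owner="", in_cmdb=False),
    # Internet-facing file-transfer appliance carrying the MOVEit flaw cited in the entry.
    Asset("transfer.example.com", "web", (443,), "MOVEit Transfer", owner="finance",
          unpatched_cves=("CVE-2023-34362",)),
    # Two assets absent from the previous scan: a dev S3 bucket and a CI/CD admin SaaS.
    Asset("dev-uploads-bucket", "s3", (), "S3 public bucket", owner="", in_cmdb=False),
    Asset("ci-admin.example.com", "saas", (443,), "CI/CD admin console", owner="", in_cmdb=False),
]


def new_exposures(previous_hosts, current):
    """Discovery step: assets seen now that were absent from the last scan."""
    return [a for a in current if a.host not in previous_hosts]


def exposure_score(asset):
    """Additive prioritisation; the weights are illustrative, not a standard."""
    score = 0
    score += 3 if not asset.owner else 0          # unowned -> likely shadow IT
    score += 2 if not asset.in_cmdb else 0        # unmanaged -> nobody patches it
    score += 2 if ADMIN_PORTS & set(asset.ports) else 0
    score += 6 * len(asset.unpatched_cves)        # known exploitable flaw on the edge
    return score


def prioritise(assets):
    """Highest score first; ties broken by hostname for stable output."""
    return sorted(((exposure_score(a), a.host) for a in assets),
                  key=lambda t: (-t[0], t[1]))


def exposed_port_count(assets):
    """A crude size metric for the network attack surface."""
    return sum(len(a.ports) for a in assets)


def decommission(assets, host):
    """Reduction step: removing a service removes its entry points."""
    return [a for a in assets if a.host != host]


if __name__ == "__main__":
    for a in new_exposures(PREVIOUS_SCAN, CURRENT_SCAN):
        print("NEW exposed asset:", a.host, f"({a.kind})")
    for score, host in prioritise(CURRENT_SCAN):
        print(f"{score:2d}  {host}")
    before = exposed_port_count(CURRENT_SCAN)
    after = exposed_port_count(decommission(CURRENT_SCAN, "vpn-old.example.com"))
    print(f"exposed ports: {before} -> {after} after decommissioning the unused VPN")
```

Run it as a script and the unpatched MOVEit host sorts to the top, the three unowned assets follow, and the owned, patched web server scores zero; the two assets missing from the earlier scan are reported as new exposures and the VPN removal drops the exposed-port count from 5 to 3. A real EASM pipeline replaces the hard-coded lists with scan output and a vulnerability feed, but the shape of the logic is the same.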

Frequently asked questions

What is Attack Surface?

Sum of all points where an attacker can attempt to enter, extract data from, or manipulate a system, including networks, software, identities, supply chain, and people. It belongs to the Compliance & Frameworks category of cybersecurity.

What does Attack Surface mean?

Sum of all points where an attacker can attempt to enter, extract data from, or manipulate a system, including networks, software, identities, supply chain, and people.

How do you defend against Attack Surface?

Defences for Attack Surface typically combine technical controls and operational practices, as detailed in the full definition above.
