Ask any IT team how many internet-facing assets their company has, and they will give you a number. Run an attack surface management scan, and you will get a different, larger number. The gap between what organizations think is exposed and what is actually exposed is where breaches happen.
This is not a theoretical problem. Forgotten subdomains running outdated software, staging environments with production database connections, APIs that were supposed to be internal-only, cloud storage buckets with public access -- these are the assets that attackers find and exploit while your security team focuses on protecting the front door.
What Attack Surface Management Actually Does
Attack surface management is the continuous process of discovering, inventorying, classifying, and monitoring all externally facing assets associated with your organization. The emphasis is on "continuous" and "all." Traditional asset management relies on teams to register what they deploy, so it can only ever be as complete as that registration. ASM works in the opposite direction: it starts from the outside, the way an attacker does, and discovers everything connected to your organization, regardless of whether anyone documented it.
The ASM Process
- Discovery. Starting from your known domains, IP ranges, and cloud accounts, ASM tools enumerate subdomains, resolve DNS records, scan IP ranges, identify web applications, detect open ports and services, and map relationships between assets. This process discovers assets that no one on your team may know exist
- Inventory and classification. Each discovered asset is cataloged with metadata: technology stack, open ports, SSL certificate status, web application frameworks, hosting provider, and association with your organization. Assets are classified by type (web application, API endpoint, mail server, etc.) and business criticality
- Vulnerability assessment. Discovered assets are scanned for known vulnerabilities, misconfigurations, expired certificates, exposed sensitive data, and other security issues. This is not the same as a penetration test -- it is automated reconnaissance that identifies the low-hanging fruit attackers look for first
- Continuous monitoring. The discovery and assessment cycle runs continuously, detecting new assets as they appear, identifying changes to existing assets, and alerting when new vulnerabilities affect your infrastructure. This catches the staging server that an engineer spun up on Friday and forgot about by Monday
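To make the four steps concrete, here is an added example that models one ASM cycle in Python. It is not Lorikeet's tooling or code from this page, and every hostname, IP address, certificate SAN, port list and "known inventory" entry is constructed for the example (a real tool would pull them from DNS, certificate-transparency logs and a port scanner). It enumerates names under a seed domain from DNS and CT data, follows CNAME chains, classifies each live host by its open ports, reports what is missing from the registered inventory (the same gap comparison the initial-assessment section describes later), and diffs the result against the previous run to show what continuous monitoring would alert on.

```python
"""One ASM cycle over constructed data: discover -> classify -> inventory
gap -> diff against the previous run. All names, IPs and ports are made up."""
from dataclasses import dataclass
from typing import Optional

# Outside view of the DNS zone: name -> (record type, value). Constructed.
DNS = {
    "www.example.com":     ("A", "203.0.113.10"),
    "api.example.com":     ("A", "203.0.113.11"),
    "staging.example.com": ("A", "203.0.113.12"),
    "blog.example.com":    ("CNAME", "corp-blog.github.io"),
    "jenkins.example.com": ("A", "203.0.113.13"),
    "mail.example.com":    ("A", "203.0.113.14"),
    "corp-blog.github.io": ("A", "203.0.113.99"),  # live CNAME target
}
# Subject alternative names seen in CT logs. CT surfaces names a wordlist
# would miss, including ones whose DNS record has since been deleted.
CT_SANS = [
    ["www.example.com", "api.example.com"],
    ["old-demo.example.com"],  # cert issued, DNS record since removed
    ["staging.example.com", "jenkins.example.com"],
]
# Port-scan results: host -> open TCP ports. Constructed.
PORTS = {
    "www.example.com": {443}, "api.example.com": {443},
    "staging.example.com": {80, 5432}, "blog.example.com": {80, 443},
    "jenkins.example.com": {8080}, "mail.example.com": {25, 587},
}
# What the CMDB says exists (assumption): three of the six live hosts.
KNOWN_INVENTORY = {"www.example.com", "api.example.com", "mail.example.com"}
SERVICE_KINDS = [  # (port group, classification); a host may match several
    ({25, 465, 587, 993}, "mail server"),
    ({3306, 5432, 27017, 6379}, "database"),
    ({8080, 8443, 9000}, "admin/CI panel"),
    ({80, 443}, "web application"),
]


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    ports: frozenset
    kind: str


def resolve(name: str, dns=DNS, depth: int = 0) -> Optional[str]:
    """Follow a CNAME chain to an A record; None if it dead-ends."""
    rec = dns.get(name)
    if rec is None or depth > 5:
        return None
    rtype, value = rec
    return value if rtype == "A" else resolve(value, dns, depth + 1)


def classify(host: str, ports: frozenset) -> str:
    """Rough asset type from open ports, with an 'api' label for API hosts."""
    kinds = [kind for group, kind in SERVICE_KINDS if ports & group]
    if host.split(".")[0] == "api" and "web application" in kinds:
        kinds[kinds.index("web application")] = "API endpoint"
    return "+".join(kinds) or "unknown"


def discover(seed_domains, dns=DNS, ct=CT_SANS, ports=PORTS) -> set:
    """Collect every name under the seed domains from DNS and CT and keep
    the ones that still resolve (dead names are a separate finding)."""
    names = set(dns) | {n for sans in ct for n in sans}
    in_scope = {n for n in names
                if any(n == d or n.endswith("." + d) for d in seed_domains)}
    assets = set()
    for name in sorted(in_scope):
        ip = resolve(name, dns)
        if ip is None:
            continue
        open_ports = frozenset(ports.get(name, ()))
        assets.add(Asset(name, ip, open_ports, classify(name, open_ports)))
    return assets


def inventory_gap(discovered: set, known: set) -> set:
    """Assets reachable from the internet that nobody registered."""
    return {a for a in discovered if a.host not in known}


def diff_snapshots(previous: set, current: set):
    """Continuous monitoring: hosts that appeared, vanished or changed."""
    prev = {a.host: a for a in previous}
    curr = {a.host: a for a in current}
    new = sorted(curr.keys() - prev.keys())
    gone = sorted(prev.keys() - curr.keys())
    changed = sorted(h for h in prev.keys() & curr.keys() if prev[h] != curr[h])
    return new, gone, changed


def run_cycle(previous: Optional[set] = None):
    found = discover(["example.com"])
    return found, inventory_gap(found, KNOWN_INVENTORY), diff_snapshots(previous or set(), found)


if __name__ == "__main__":
    found, gap, (new, gone, changed) = run_cycle()
    for a in sorted(found, key=lambda a: a.host):
        flag = "UNKNOWN" if a in gap else "known"
        print(f"{a.host:22} {a.ip:14} {str(sorted(a.ports)):14} {a.kind:26} {flag}")
    print(f"new={new} gone={gone} changed={changed}")
```

Run as a script it prints six live hosts, three of which (staging, blog, jenkins) are absent from the registered inventory; old-demo.example.com appears only in CT and no longer resolves, which is the kind of name a later dangling-record check would pick up. Feeding the previous run's asset set into `run_cycle` turns the same code into the monitoring step: a new host, or a host whose open ports changed since Friday, shows up in the diff.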
Why Traditional Asset Inventories Fail
Most organizations maintain some form of asset inventory -- a spreadsheet, a CMDB, an entry in their cloud console. The problem is that these inventories are only as complete as the humans maintaining them, and humans are inconsistent about documentation.
The Sources of Unknown Assets
- Shadow IT. Marketing provisions a landing page on a new subdomain. Engineering spins up a demo environment. Sales deploys a third-party tool that creates DNS records under your domain. None of these go through the formal provisioning process
- Forgotten infrastructure. A staging environment created for a feature that shipped six months ago. A legacy application that was "decommissioned" but the server is still running. An old API version that was replaced but never taken offline
- Acquisitions. When companies acquire other companies, they inherit their entire digital footprint. Legacy domains, old infrastructure, unknown cloud accounts -- all of it becomes part of your attack surface, often without complete documentation
- Third-party integrations. SaaS tools, CDN endpoints, embedded widgets, and API gateways that create external touchpoints associated with your brand or infrastructure
- Cloud sprawl. Multi-cloud environments with resources deployed across AWS, GCP, and Azure accounts, sometimes by teams that manage their own cloud subscriptions outside central IT governance
The discovery gap: Research consistently shows that organizations underestimate their external attack surface by 30-40%. For a company that believes it has 200 internet-facing assets, ASM typically discovers 260-280. Those 60-80 unknown assets are, by definition, outside every patching, monitoring, and access-control process the organization runs, which is exactly what makes them attractive entry points.
What ASM Typically Finds
After running thousands of ASM scans across organizations of varying sizes and industries, certain patterns emerge consistently. Here are the most common categories of findings.
| Finding Category | Frequency | Risk Level |
|---|---|---|
| Forgotten subdomains | Found in 85%+ of scans | High -- often running outdated software |
| Exposed admin panels | Found in 60%+ of scans | Critical -- direct path to compromise |
| Expired TLS certificates | Found in 70%+ of scans | Medium -- trains users to click through browser warnings, and usually marks a host nobody maintains |
| Exposed development environments | Found in 45%+ of scans | Critical -- often have weaker controls |
| Dangling DNS records | Found in 50%+ of scans | High -- subdomain takeover risk |
| Exposed API endpoints | Found in 55%+ of scans | High -- often lack authentication |
| Open database ports | Found in 20%+ of scans | Critical -- direct data access |
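Four of the rows above (dangling DNS records, expired certificates, open database ports, exposed development environments) can be turned into mechanical checks once discovery has produced a host list. The following is an added example, not code from this page or from Lorikeet, run over constructed DNS answers, HTTP response bodies, port lists and certificate dates. The provider suffixes and "unclaimed" page text used for takeover detection are illustrative assumptions, and the reference time is fixed so the output is reproducible. It shows the two signals that make a CNAME dangling: the target no longer resolves at all, or it resolves to a shared hosting provider that answers with its "nobody owns this name" page.

```python
"""Assessment rules over discovered assets: dangling DNS, expired TLS
certificates, exposed database ports, non-production hostnames. DNS answers,
HTTP bodies, ports and certificate dates are constructed for the example."""
from datetime import datetime, timezone

DNS = {  # outside view: name -> (type, value); an absent name is NXDOMAIN
    "www.example.com":      ("A", "203.0.113.10"),
    "blog.example.com":     ("CNAME", "old-blog.github.io"),
    "old-blog.github.io":   ("A", "185.199.108.153"),  # provider still answers
    "shop.example.com":     ("CNAME", "shop-prod.azurewebsites.net"),
    # shop-prod.azurewebsites.net: no record, the App Service was deleted
    "db-stage.example.com": ("A", "203.0.113.12"),
}
HTTP_BODY = {  # first bytes of the HTTPS response body, constructed
    "www.example.com": "<title>Example Corp</title>",
    "blog.example.com": "There isn't a GitHub Pages site here.",
}
PORTS = {
    "www.example.com": {443}, "blog.example.com": {443},
    "shop.example.com": set(), "db-stage.example.com": {22, 5432},
}
CERT_NOT_AFTER = {"www.example.com": "2026-01-15", "blog.example.com": "2024-03-01"}
EXTERNAL_HOSTS = [h for h in DNS if h.endswith(".example.com")]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so results are reproducible

# Provider suffix -> error-page text meaning the name is unclaimed there.
# None: the provider answers NXDOMAIN for deleted names. Illustrative values.
TAKEOVER_FINGERPRINTS = {"github.io": "There isn't a GitHub Pages site here",
                         "azurewebsites.net": None}
DB_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
SEVERITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def resolve_chain(name, dns=DNS):
    """Follow CNAMEs; return (final name, ip), ip None if the chain dead-ends."""
    seen = set()
    while name in dns and name not in seen:
        seen.add(name)
        rtype, value = dns[name]
        if rtype == "A":
            return name, value
        name = value
    return name, None


def check_dangling(host, dns=DNS, bodies=HTTP_BODY):
    """A CNAME is dangling when its target no longer serves this host: the
    target does not resolve, or a shared provider returns its 'unclaimed'
    page. Either way, whoever registers the target publishes under the host."""
    rtype, target = dns.get(host, (None, None))
    if rtype != "CNAME":
        return None
    final, ip = resolve_chain(host, dns)
    provider = next((p for p in TAKEOVER_FINGERPRINTS if final.endswith("." + p)), None)
    if ip is None:
        detail = f"CNAME -> {target} does not resolve"
        if provider:
            return host, "high", detail + f"; name may be claimable at {provider}"
        return host, "medium", detail
    fingerprint = TAKEOVER_FINGERPRINTS.get(provider)
    if fingerprint and fingerprint in bodies.get(host, ""):
        return host, "high", f"CNAME -> {target} serves the {provider} unclaimed page (takeover)"
    return None


def check_cert(host, now=NOW, certs=CERT_NOT_AFTER):
    """Expired leaf certificate, or one expiring within 30 days."""
    exp = certs.get(host)
    if exp is None:
        return None
    not_after = datetime.fromisoformat(exp).replace(tzinfo=timezone.utc)
    if not_after < now:
        return host, "medium", f"TLS certificate expired {exp}"
    if (not_after - now).days < 30:
        return host, "low", f"TLS certificate expires {exp}"
    return None


def check_db_ports(host, ports=PORTS):
    hits = [f"{p}/{DB_PORTS[p]}" for p in sorted(ports.get(host, ())) if p in DB_PORTS]
    return (host, "critical", "database port open to the internet: " + ", ".join(hits)) if hits else None


def check_environment(host):
    label = host.split(".")[0]
    hit = any(t in label for t in ("stage", "staging", "dev", "test", "uat"))
    return (host, "high", "non-production environment exposed") if hit else None


def assess(hosts=EXTERNAL_HOSTS, now=NOW):
    """Run every rule over every host; worst findings first."""
    findings = [f for h in hosts
                for f in (check_dangling(h), check_cert(h, now), check_db_ports(h), check_environment(h))
                if f]
    return sorted(findings, key=lambda f: (SEVERITY[f[1]], f[0]))


if __name__ == "__main__":
    for host, sev, detail in assess():
        print(f"{sev:8} {host:22} {detail}")
```

On the constructed data this yields one critical (PostgreSQL reachable on db-stage), three highs (the GitHub Pages takeover on blog, the unresolvable Azure target behind shop, and the staging host itself) and one medium (blog's certificate expired in 2024). Note the two dangling cases need different evidence: a DNS lookup alone finds the Azure case, while the GitHub case only shows up once you fetch the page, which is why an ASM tool has to look at both layers.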
Real-World Discovery Examples
A SaaS company with 150 employees believed they had 47 internet-facing assets. An ASM scan discovered 83. The additional assets included a forgotten WordPress blog on a subdomain running a three-year-old PHP version, a Jenkins server accessible from the internet with default credentials, four staging environments with database connections to production replicas, and a decommissioned marketing microsite still serving pages with an outdated JavaScript framework containing known XSS vulnerabilities.
None of these appeared in the company's asset inventory. All of them represented viable attack paths.
ASM and Compliance: A Natural Fit
Attack surface management directly supports multiple compliance framework requirements, making it valuable beyond pure security posture improvement.
SOC 2
SOC 2 CC3.2 requires organizations to identify and assess risks, including risks from external threats. CC6.1 requires logical access security over all information assets. ASM provides evidence that you have identified all external assets and are monitoring them for security issues, directly supporting these control requirements.
PCI DSS
PCI DSS Requirement 11 (11.3 in v4.0) requires regular internal and external vulnerability scanning of all in-scope systems. ASM ensures your vulnerability scanning program covers all assets that are actually in scope, not just the ones you know about. It also supports Requirement 2 (secure configurations, including not using vendor-supplied defaults) by identifying systems with default configurations.
ISO 27001
ISO 27001:2022 Annex A 5.9 requires an inventory of information and other associated assets. Annex A 8.8 requires management of technical vulnerabilities. ASM provides the asset discovery foundation that makes both controls effective rather than aspirational, since you cannot manage vulnerabilities on assets that are missing from the inventory.
Cloud Security
For organizations operating in multi-cloud environments, ASM provides visibility that no single cloud provider's native tools can offer. A cloud security assessment identifies misconfigurations within your cloud accounts, while ASM identifies what those cloud resources look like from the outside.
How ASM Integrates with Penetration Testing
ASM and penetration testing serve complementary purposes. ASM provides breadth -- continuous visibility across your entire external attack surface. Penetration testing provides depth -- expert-driven exploitation of specific systems to identify vulnerabilities that automated scanning cannot detect.
The Combined Approach
- ASM discovers the full scope. Before a penetration test, ASM identifies all assets that should be in scope, preventing the common problem of testing only known systems while unknown assets remain vulnerable
- Pentest findings inform ASM monitoring. When a penetration test identifies a vulnerability class (e.g., misconfigured CORS policies), ASM monitoring rules can be updated to detect similar issues across all assets continuously
- ASM validates remediation. After a penetration test, ASM continuously monitors remediated findings to ensure they do not regress. A patched vulnerability that reappears after a deployment is caught immediately rather than waiting for the next annual pentest
- ASM provides ongoing coverage between tests. Annual penetration tests are snapshots. ASM provides the continuous monitoring between those snapshots, catching new exposures as they emerge
Lorikeet Security's Offensive Security Bundle at $37,500 per year includes both ASM and penetration testing: two web application pentests, one network penetration test, one API assessment, quarterly vulnerability scanning, and continuous attack surface management through the client portal. This combination ensures you have both the breadth of continuous monitoring and the depth of expert-driven testing.
Choosing an ASM Solution
The ASM market ranges from enterprise platforms costing $100K+ per year to lightweight monitoring tools for smaller organizations. The right choice depends on your organization's size, complexity, and security maturity.
| Factor | Entry-Level ASM | Professional ASM | Enterprise ASM |
|---|---|---|---|
| Typical cost | $30 - $100/mo | $200 - $500/mo | $50K - $200K+/yr |
| Best for | Startups, small teams | Mid-market companies | Large enterprises |
| Discovery depth | Subdomain + port scanning | Full reconnaissance | Full recon + dark web |
| Reporting | Basic alerts | Executive reports | Custom dashboards |
| Integration | Email/webhook alerts | SIEM, ticketing, Slack | Full API, custom workflows |
Lorikeet Security offers ASM at two tiers designed for organizations that want real security value without enterprise pricing:
- ASM Personal at $29.99 per month -- continuous asset discovery, vulnerability scanning, and alerting. Ideal for startups and small companies that need external visibility without complexity. This is the most accessible entry point for organizations that have never had attack surface visibility before
- ASM Professional at $299 per month -- everything in Personal plus executive-level reporting, integrations with your existing security tooling, and a dedicated account manager. Designed for growing companies that need ASM data flowing into their broader security operations
Both tiers are included in the Offensive Security Bundle and the Full Stack Bundle, so organizations that purchase those packages get ASM as part of their comprehensive security program.
Getting Started: Your First ASM Assessment
You do not need to deploy a full ASM platform to understand your attack surface. A one-time assessment can reveal the scope of your exposure and inform decisions about ongoing monitoring.
What to Expect from an Initial Assessment
- Complete enumeration of subdomains, IP addresses, and web applications associated with your domains
- Identification of open ports, running services, and technology stacks across all discovered assets
- SSL/TLS certificate inventory including expiration dates and configuration issues
- Detection of exposed development, staging, and administrative interfaces
- Dangling DNS record identification (subdomain takeover risks)
- Comparison of discovered assets against your known asset inventory to identify the gap
This initial assessment typically takes one to two weeks and provides the baseline that continuous monitoring builds upon. For many organizations, the initial assessment alone justifies the investment by identifying critical exposures that would otherwise remain invisible until an attacker finds them.
Discover Your Real Attack Surface
Start with ASM Personal at $29.99 per month for continuous asset discovery and vulnerability monitoring, or talk to us about a comprehensive attack surface assessment.