Your company's attack surface is everything a hacker can see and touch from the internet: your website, your APIs, your cloud infrastructure, every subdomain your engineering team has ever spun up, every third-party integration that has an external endpoint. Most companies have no idea how large that surface actually is - and attackers know it.
Attack surface monitoring (ASM) is the practice of continuously discovering, inventorying, and scanning those internet-facing assets for vulnerabilities, misconfigurations, and exposures. This guide explains what it is, how it works, and why it matters for companies that can't afford to find out about a breach the hard way.
What Is an Attack Surface?
Your attack surface is the sum of all points where an unauthorized user could attempt to enter or extract data from your environment. It includes every asset that is reachable from the internet, whether you know about it or not.
A typical Series B SaaS company's attack surface includes:
- The main product domain and all its subdomains (often 50–200 once you start counting)
- APIs - public, partner-facing, and internal ones accidentally exposed
- Admin panels, staging environments, and developer tools left accessible
- Cloud storage buckets, object stores, and data lakes with overly permissive policies
- Third-party SaaS integrations that expose webhooks or OAuth endpoints
- SSL certificates that reveal previously unknown assets through certificate transparency logs
- Employee-registered domains that share your company name
The uncomfortable truth: Every time an engineer spins up a new service, every time a vendor integration goes live, every time a staging environment gets deployed to test something "just for a day," your attack surface grows. Most of it never gets tracked in a spreadsheet, let alone scanned for vulnerabilities.
What Is Attack Surface Monitoring?
Attack surface monitoring is a continuous security process that automatically discovers all of your internet-facing assets and checks them for vulnerabilities, misconfigurations, and exposures - on an ongoing basis.
The key word is continuous. Traditional vulnerability scanning is point-in-time: you run a scan today, get a report, and that report is already stale by the time your team finishes reviewing it. ASM runs constantly. When a new subdomain appears, it gets discovered and scanned. When a new CVE drops for software you're running, ASM flags the exposure. When a certificate expires or a misconfiguration is introduced in a deploy, ASM catches it.
ASM is also sometimes called External Attack Surface Management (EASM), because it focuses specifically on the external perimeter: the assets visible and reachable from the public internet.
How Attack Surface Monitoring Works
A modern ASM platform runs through a multi-phase process, typically on a continuous or scheduled cadence:
Asset Discovery
Starting from your known seed assets (primary domains, IP ranges, organization name), the platform enumerates your full external footprint. This includes passive techniques like certificate transparency log analysis, DNS record mining, and OSINT, combined with active techniques like subdomain brute-forcing, port scanning, and web crawling.
Asset Fingerprinting
Each discovered asset gets profiled: what software is running, what version, what ports are open, what headers are exposed, what technologies are in use. This fingerprint is the foundation for vulnerability matching - you can't find a Rails vulnerability on an asset if you don't know it's running Rails.
Vulnerability and Misconfiguration Scanning
With the asset inventory established, the platform runs security checks against each asset: known CVEs for detected software versions, security header analysis, SSL/TLS configuration issues, open redirect testing, exposed sensitive files, default credentials, and dozens of other checks mapped to OWASP and MITRE frameworks.
Finding Enrichment and Prioritization
Raw scan results get enriched with context: severity ratings, attack scenarios, business impact assessments, and remediation guidance. Modern ASM platforms use AI to generate specific, actionable remediation steps rather than generic CVE descriptions. Findings are prioritized so your team knows what to fix first.
Continuous Monitoring and Alerting
The process repeats on a continuous basis. New assets trigger immediate scanning. Changes to existing assets (new software versions, configuration changes) update the risk profile. Alerts notify your team when new critical findings appear, so you're not waiting for a monthly report to learn about a high-severity exposure.
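The discovery and monitoring phases above, as an added example (not Lorikeet's code): passive discovery from certificate-transparency records is normalised into an in-scope host set, then diffed against the last known inventory so new assets can be alerted on and queued for scanning. The CT records are constructed sample data in the shape of crt.sh's JSON output, and example.com is the assumed seed domain.

```python
"""Added example (not Lorikeet's code): passive asset discovery from
certificate-transparency records, plus the inventory diff that drives the
continuous-monitoring loop. CT_RECORDS is constructed sample data in the shape
of crt.sh's JSON output (only name_value is used); example.com is the assumed seed."""
import re
from typing import Dict, Iterable, List, Set

SEED_DOMAINS = {"example.com"}  # assumed root domains handed to the platform
# Constructed CT entries: SANs arrive newline-separated in name_value.
CT_RECORDS: List[Dict[str, str]] = [
    {"name_value": "example.com\nwww.example.com"},
    {"name_value": "*.example.com"},                     # wildcard names no host
    {"name_value": "staging-api.example.com\nAPI.Example.com."},
    {"name_value": "grafana.internal.example.com"},
    {"name_value": "example.com.evil-lookalike.net"},    # out of scope
    {"name_value": "examplecom.org"},                    # out of scope
]
LABEL = r"[a-z0-9]([a-z0-9-]*[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})+$")

def in_scope(host: str, seeds: Iterable[str]) -> bool:
    """A host is in scope when it equals a seed domain or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in seeds)

def discover_hosts(records: Iterable[Dict[str, str]], seeds: Set[str] = SEED_DOMAINS) -> Set[str]:
    """Normalise CT SAN entries into a set of concrete, in-scope hostnames."""
    hosts: Set[str] = set()
    for rec in records:
        for name in rec["name_value"].split("\n"):
            host = name.strip().lower().rstrip(".")      # case and trailing dot
            if host.startswith("*."):
                continue                                  # wildcard certs name no host
            if HOSTNAME_RE.match(host) and in_scope(host, seeds):
                hosts.add(host)
    return hosts

def inventory_diff(known: Set[str], discovered: Set[str]) -> Dict[str, Set[str]]:
    """Monitoring step: 'new' hosts are alerted and queued for scanning; 'gone'
    hosts were decommissioned or moved and should be reviewed, not silently dropped."""
    return {"new": discovered - known, "gone": known - discovered}

if __name__ == "__main__":
    known_inventory = {"example.com", "www.example.com", "api.example.com"}
    for host in sorted(inventory_diff(known_inventory, discover_hosts(CT_RECORDS))["new"]):
        print(f"NEW ASSET, queue for fingerprinting and scanning: {host}")
```

A real platform feeds the same host set through DNS mining, active enumeration and fingerprinting; the scope filter matters because CT logs also surface lookalike domains that merely contain your name.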
What Does Attack Surface Monitoring Cover?
A comprehensive ASM platform covers the full range of internet-facing assets and security checks:
| Coverage area | What is checked |
|---|---|
| Domains & Subdomains | Full enumeration of all subdomains, including shadow IT and forgotten assets |
| IP Addresses & Ports | Open port discovery and service fingerprinting across all IP ranges |
| APIs & Web Applications | Exposed API endpoints, admin panels, developer tools, and web app security checks |
| SSL/TLS Certificates | Certificate expiry, weak cipher suites, misconfigurations, and transparency log monitoring |
| Cloud Infrastructure | Publicly accessible storage buckets, misconfigured cloud services, and exposed metadata endpoints |
| Security Headers & Config | Missing or misconfigured HTTP security headers, CSP, HSTS, and CORS policies |
| Known CVEs | Vulnerabilities in detected software versions matched against current CVE databases |
| Exposed Services | Databases, admin interfaces, developer tools, and internal services accidentally exposed to the internet |
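The security-header check referred to in the scanning phase and in the Security Headers & Config row, as an added example (not Lorikeet's code): it grades one asset's HTTP response headers for missing or weak HSTS, CSP, CORS, framing and content-type protections. The two header sets are constructed sample responses; in a real scan they would come from an HTTPS request to the fingerprinted asset.

```python
"""Added example (not Lorikeet's code): the HTTP security-header analysis an ASM
scanner applies to each fingerprinted web asset. WEAK and HARDENED are constructed
sample responses; in a real scan they come from an HTTPS request."""
import re
from typing import Dict, List, Optional

def csp_directive(csp: str, name: str) -> Optional[List[str]]:
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for missing or weak HSTS, CSP, CORS, framing and sniffing headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        findings.append("HIGH: Strict-Transport-Security missing")
    elif not max_age or int(max_age.group(1)) < 31536000:
        findings.append("MEDIUM: HSTS max-age shorter than one year")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("MEDIUM: Content-Security-Policy missing")
    else:
        # script-src falls back to default-src when it is not set explicitly
        scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src") or []
        if "'unsafe-inline'" in scripts:
            findings.append("MEDIUM: CSP permits inline scripts ('unsafe-inline')")
    if h.get("access-control-allow-origin") == "*":
        creds = h.get("access-control-allow-credentials", "").lower() == "true"
        findings.append("MEDIUM: CORS wildcard origin with credentials" if creds
                        else "INFO: CORS allows any origin")
    if "x-frame-options" not in h and csp_directive(csp, "frame-ancestors") is None:
        findings.append("LOW: no X-Frame-Options or CSP frame-ancestors (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("LOW: X-Content-Type-Options: nosniff missing")
    if re.search(r"\d", h.get("server", "")):
        findings.append(f"INFO: Server header discloses a version: {h['server']}")
    return findings

# Constructed sample responses: a typical default deployment and a hardened one.
WEAK = {"Server": "nginx/1.18.0", "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true"}
HARDENED = {"Server": "nginx", "X-Content-Type-Options": "nosniff",
            "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
```

The WEAK response yields six findings and HARDENED none; the severity prefixes are the kind of context that lets an engineering team order remediation without a security analyst translating the output.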
Attack Surface Monitoring vs. Penetration Testing
The most common question we hear: we already do annual penetration tests - do we need ASM too? The answer is yes, and here's why they're fundamentally different tools solving different problems.
| Dimension | Penetration Testing | Attack Surface Monitoring |
|---|---|---|
| Frequency | Annual or semi-annual | Continuous (daily/weekly scans) |
| Scope | Defined, agreed-upon scope | Everything internet-facing (including unknown assets) |
| Methodology | Manual, human-driven exploitation | Automated discovery and scanning |
| Depth | Deep - chained attacks, business logic, complex exploits | Broad - covers all assets but less depth per finding |
| New asset coverage | None - assets deployed after the test aren't covered | Immediate - new assets discovered and scanned automatically |
| Output | Detailed written report with exploitation evidence | Live dashboard with real-time findings and alerts |
| Best for | Proving exploitability, compliance requirements | Ongoing visibility, catching misconfigurations as they happen |
Penetration testing answers "how deep can an attacker get?" Attack surface monitoring answers "what can an attacker see right now?" Both questions matter. The companies that get breached are often the ones that have a clean pentest report from eight months ago but deployed a misconfigured staging environment last week.
Why Attack Surface Monitoring Matters for Growing Companies
Large enterprises have always had attack surface management challenges. What's changed is that growing companies now face the same complexity at much earlier stages, thanks to cloud infrastructure, microservices architectures, and rapid deployment cycles.
Your infrastructure grows faster than your security team
A 40-person engineering team deploying multiple times a day creates new attack surface constantly. Every new service, every new environment, every new third-party integration is a potential entry point. No security team can keep up manually. ASM is the automated layer that tracks what's actually deployed and exposed.
Attackers are automated too
Modern threat actors use automated scanners to continuously probe the internet for exposed services, unpatched software, and misconfigured assets. They find your forgotten staging environment before your team does. ASM gives you the same automated visibility the attackers have - so you can fix exposures before they get found and exploited.
Compliance increasingly requires it
SOC 2 Type II auditors want evidence of continuous monitoring. PCI DSS v4 requires continuous vulnerability monitoring of internet-facing systems. Frameworks like ISO 27001 and NIST CSF include asset management and continuous monitoring as core controls. ASM provides the evidence and the reality behind those controls.
Shadow IT is real
Developers spin up services, marketing builds landing pages, sales deploys tools, and none of it goes through a formal security review process. ASM discovers these assets through the same techniques an attacker would use - certificate transparency logs, DNS enumeration, IP range scanning - so you know what's out there regardless of whether it was formally tracked.
What to Look for in an ASM Platform
Not all attack surface monitoring tools are created equal. Here's what matters when evaluating options:
- Discovery breadth. Does it use multiple enumeration techniques (passive DNS, certificate transparency, active brute-forcing) or just a single method? Narrow discovery means a narrower view of your actual attack surface.
- Continuous vs. scheduled. How frequently are scans run? Near-real-time discovery of new assets matters more than a weekly batch job when engineers are deploying daily.
- Finding quality. Raw CVE dumps are not actionable. Look for platforms that provide context: attack scenarios, severity ratings with business impact, and specific remediation steps your engineering team can act on without a security analyst translating the output.
- False positive rate. High false positive rates destroy team trust in the platform. Understanding how a vendor filters and validates findings matters as much as discovery coverage.
- Integration with remediation workflows. Findings need to get to the people who can fix them. Look for integrations with your existing ticketing systems, or platforms that make it easy to assign and track remediation.
- Pricing transparency. Enterprise ASM platforms often require a sales call to get pricing. If your company is Series A or B, you need to know costs upfront - published pricing is a good sign that the vendor is actually built for your stage.
How Lorikeet ASM Works
Lorikeet ASM is purpose-built for growing companies that need enterprise-grade attack surface visibility without enterprise complexity or pricing.
The platform runs a three-phase scan process:
- Phase 1 - Subdomain enumeration: Passive and active discovery combines DNS brute-forcing, certificate transparency log analysis, and OSINT to map your full external footprint starting from your root domains.
- Phase 2 - Security checks: Every discovered asset gets scanned for open ports, service fingerprinting, SSL/TLS issues, security header analysis, exposed sensitive paths, known CVEs, and dozens of additional security checks mapped to OWASP ASVS, WSTG, and MITRE CWE/CAPEC.
- Phase 3 - AI enrichment: Each finding is enriched by AI with attack scenarios, business impact context, severity ratings, and specific remediation guidance - turning raw scan data into actionable intelligence your engineering team can act on immediately.
All findings land in a real-time dashboard. New scans run on a continuous basis. When new subdomains appear or new vulnerabilities are found, your team is alerted immediately - not in next month's report.
Integrated with pentesting: When ASM finds a vulnerability that warrants deeper investigation, our penetration testing team can validate and exploit it to prove business impact. This seamless handoff from automated monitoring to manual verification is something you can't get from a standalone ASM tool.
Getting Started with Attack Surface Monitoring
The barrier to getting started with ASM is lower than most security teams assume. You don't need to have a perfect asset inventory first - that's the point of ASM. You need:
- Your root domains. Start with the domains you know about. A good ASM platform discovers everything else from there.
- Stakeholder buy-in to act on findings. ASM creates value only if the engineering team has a process to triage and remediate findings. Getting that commitment upfront matters more than the tool itself.
- A realistic timeline expectation. The first scan will surface findings that have been sitting in your environment for months or years. Plan for a remediation sprint after your first full scan cycle.
The companies that benefit most from ASM are the ones that start before an incident forces them to. Once you have continuous visibility into your external attack surface, you stop being reactive and start being ahead of the problem.
See your attack surface in 30 minutes
Book a demo and we'll run a live scan on your domain. You'll see exactly what an attacker sees - subdomains, exposed services, vulnerabilities, and misconfigurations - before you commit to anything.