Attack Surface Management · Fortgale CTI
CTI · capability 06 · Attack Surface Management

What your CMDB doesn't see.

External Attack Surface Management: outside-in discovery of the external attack surface as an attacker sees it. Internet-facing assets, exploitable vulnerabilities, shadow IT, unintegrated M&A, cloud misconfiguration, credential leaks. Detected exposures are prioritised with threat intelligence (CISA KEV, EPSS, active actors) — not a list of theoretical CVEs, but a list of concrete risks.

24h · Full rescan
4-6h · Critical asset rescan
< 15 min · Critical alert SLA
Standards · frameworks
NIST CSF
CISA KEV
EPSS
MITRE ATT&CK
Discipline · sources
Certificate Transparency
Passive DNS
OSINT
Internet scanning
The problem

VM scans what it knows. The attacker finds the rest.

Traditional vulnerability management is inside-out: it scans what the CMDB knows. But the attacker does not start from the CMDB · they start from Shodan, Censys, certificate transparency, OSINT. EASM closes the gap · outside-in discovery, like the attacker.

01

Stale CMDBs · shadow IT

Most organisations have 20-40% of internet-facing assets that the CMDB does not know about. Shadow IT, M&A, external developers, marketing.

02

CVE lists without priority

Thousands of CVEs per year · only a few are actively exploited. Without correlation to KEV, EPSS and active actors, the team patches everywhere or nowhere.

03

Cloud & secret leaks invisible

Public S3 buckets, secrets in GitHub, environment variables on debug endpoints · off the radar of traditional VM, but fully visible to the attacker.

The distinction that changes everything

VM inside-out vs EASM outside-in.

Same discipline (vulnerability), opposite perspective. EASM complements traditional VM · it does not replace it.

Traditional VM · inside-out
  • Scans what the CMDB knows
  • Requires agents or credentials
  • Maps the declared inventory
  • Priority: raw CVSS score
  • Frequency: weekly or monthly
Necessary, not sufficient
Fortgale EASM · outside-in
  • Discovery without CMDB · finds shadow IT
  • No agent, no credentials, no integration
  • Maps the real inventory (CMDB + everything else)
  • Priority: CISA KEV + EPSS + active actors
  • Frequency: full rescan 24h, critical 4-6h
Complementary · actor-aware
The method · 4 steps

From OSINT to priority rule.

Four documented phases · from outside-in discovery to a priority rule calibrated on the actors active against your sector.

  1. Mapping the perimeter as the attacker sees it

    Outside-in discovery

    Fully outside-in discovery: no agent, no credentials, no internal access. Sources: certificate transparency logs (CT), passive DNS, internet-wide scanning, ASN profiling, OSINT, registrar feeds.

    CT log · Passive DNS · Internet scan · ASN profiling
  2. From asset to banner

    Enumeration and fingerprinting

    For each detected asset: enumeration of ports, services, banners, software versioning, TLS certificates, HTTP headers, redirect chains. Precise identification of the technology stack (Apache vs Nginx, IIS, Tomcat, application server, framework).

    Port scan · Banner grab · TLS fingerprint · Stack ID
  3. From generic CVE to CVE that hits you

    Prioritisation with CTI

    Detected vulnerabilities are correlated with CISA KEV (Known Exploited Vulnerabilities), EPSS score, and the active actors tracked by Fortgale CTI. Only what is genuinely exploited against your sector rises in priority.

    CISA KEV · EPSS score · Actor correlation · Sector match
  4. From one-shot scan to continuous surveillance

    Continuous monitoring & delta alerting

    Full rescan every 24 hours. Critical assets (VPN, Citrix, MOVEit, Fortinet) every 4-6 hours. Real-time alerts on deltas: new exposed assets, expiring certificates, changed banner versions, new KEV affecting your stack.

    24h rescan · Critical 4-6h · Delta alert · Stack-aware KEV
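The delta-alerting step, as an added worked example written for this page (it is not Fortgale's code): two constructed inventory snapshots from consecutive rescans are diffed to produce the alert kinds the step lists (new exposed asset, expiring certificate, changed banner version, new KEV entry affecting the stack), plus newly opened ports. Host names, product labels, build strings and the CVE id are placeholders. The KEV entry is a simplified model that folds an affected-version set into the entry; the real CISA catalogue lists vendor, product and CVE only, and version matching would come from a separate vulnerability database.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    host: str
    product: str                        # fingerprinted stack, e.g. "citrix-netscaler"
    version: str                        # banner / build string as observed
    cert_not_after: date | None = None  # TLS certificate expiry, if any
    ports: frozenset[int] = frozenset()


def kev_hits(asset: Asset, kev_entries: list[dict]) -> list[str]:
    """CVE ids of KEV entries whose product and affected-version set match the asset.
    (Simplified model: real KEV entries carry no versions, see lead-in.)"""
    return [k["cve"] for k in kev_entries
            if k["product"] == asset.product and asset.version in k["affected"]]


def compute_deltas(previous: list[Asset], current: list[Asset],
                   kev_previous: list[dict], kev_current: list[dict],
                   today: date, cert_window_days: int = 14) -> list[tuple[str, str, str]]:
    """Compare two rescans and return (kind, host, detail) alerts.
    Kinds: new_asset, asset_gone, version_changed, new_ports, cert_expiring, new_kev."""
    prev = {a.host: a for a in previous}
    cur = {a.host: a for a in current}
    alerts: list[tuple[str, str, str]] = []

    # Inventory deltas: hosts that appeared or disappeared between rescans.
    for host in sorted(cur.keys() - prev.keys()):
        alerts.append(("new_asset", host, f"{cur[host].product} {cur[host].version}"))
    for host in sorted(prev.keys() - cur.keys()):
        alerts.append(("asset_gone", host, f"last seen as {prev[host].product}"))

    # Hosts present in both: banner/version changes and newly opened ports.
    for host in sorted(cur.keys() & prev.keys()):
        before, after = prev[host], cur[host]
        if before.version != after.version:
            alerts.append(("version_changed", host, f"{before.version} -> {after.version}"))
        opened = after.ports - before.ports
        if opened:
            alerts.append(("new_ports", host, ",".join(str(p) for p in sorted(opened))))

    # Certificates expiring inside the warning window (14 days is an assumption).
    window = timedelta(days=cert_window_days)
    for a in current:
        if a.cert_not_after is not None and a.cert_not_after - today <= window:
            alerts.append(("cert_expiring", a.host, a.cert_not_after.isoformat()))

    # Stack-aware KEV: only entries added since the last rescan, only if they hit us.
    already_known = {k["cve"] for k in kev_previous}
    for entry in kev_current:
        if entry["cve"] in already_known:
            continue
        for a in current:
            if kev_hits(a, [entry]):
                alerts.append(("new_kev", a.host, entry["cve"]))
    return alerts


# Constructed sample snapshots (placeholder hosts, builds and CVE id).
TODAY = date(2025, 3, 20)
PREVIOUS = [
    Asset("vpn.example.com", "citrix-netscaler", "build-A", date(2025, 3, 30), frozenset({443})),
    Asset("mft.example.com", "moveit-transfer", "build-X", date(2025, 9, 1), frozenset({443})),
    Asset("old.example.com", "apache-httpd", "2.4", None, frozenset({80})),
]
CURRENT = [
    Asset("vpn.example.com", "citrix-netscaler", "build-A", date(2025, 3, 30), frozenset({443, 8443})),
    Asset("mft.example.com", "moveit-transfer", "build-Y", date(2025, 9, 1), frozenset({443})),
    Asset("dev.example.com", "jenkins", "build-J", None, frozenset({8080})),
]
KEV_PREVIOUS: list[dict] = []
KEV_CURRENT = [{"cve": "CVE-0000-0004", "product": "citrix-netscaler", "affected": {"build-A"}}]

if __name__ == "__main__":
    for kind, host, detail in compute_deltas(PREVIOUS, CURRENT, KEV_PREVIOUS, KEV_CURRENT, TODAY):
        print(f"{kind:16} {host:18} {detail}")
```

Running the sample yields six alerts: the new Jenkins host, the vanished Apache host, the MOVEit build change, port 8443 newly open on the VPN, the VPN certificate expiring in ten days, and the new KEV entry that matches the VPN's build. Re-running with identical snapshots produces only the certificate warning, which is the property a delta alerter needs: silence when nothing changed.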
Discovery categories

Five exposure categories · complete coverage.

The five families of exposure that Fortgale EASM maps continuously · each with dedicated methodology and sources.

Category 01

Asset Discovery

Domain · subdomain · IP · ASN · certificates

Discovery of every internet-facing asset of the organisation: domains and subdomains (root + acquisitions + brand), IP ranges (ASN-owned + cloud-hosted), certificates, API endpoints. Most organisations discover 20-40% of assets they did not know they had.

  • Certificate Transparency: continuous monitoring of CT logs for certificates issued on owned domains · finds undeclared subdomains before they go live.
  • Passive DNS: historical database of DNS resolutions · makes it possible to find decommissioned but still responsive subdomains.
  • ASN profiling: mapping of owned or used ASNs · identifies cloud-hosted (AWS, Azure, GCP) and on-prem assets.
  • Brand & acquisition tracking: domains purchased post-M&A, brand-protection domains, owned typosquatting domains.
  • API & GraphQL endpoints: discovery of exposed API endpoints, GraphQL introspection enabled, exposed OpenAPI/Swagger.
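The Certificate Transparency source above, as an added worked example (written for this page, not Fortgale's tooling): constructed CT log records are reduced to host names, filtered to the organisation's owned root domains, and reconciled against the declared inventory to list the subdomains the CMDB does not know about. The sample entries, the owned roots and the declared list are all constructed; in practice the records would come from a CT log endpoint or aggregator. The code handles the details that trip up naive matching: wildcard certificates, mixed case, trailing dots, and lookalike domains that merely end in the same letters.

```python
from __future__ import annotations

# Root domains the organisation owns (root brand plus an acquisition). Constructed.
OWNED_ROOTS = {"example.com", "acquired-brand.net"}


def normalise(name: str) -> str:
    """Lower-case, drop a trailing dot, and strip a wildcard label ("*.foo" -> "foo")."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def belongs_to(name: str, roots: set[str]) -> bool:
    """True only for the root itself or a real subdomain of it; "notexample.com"
    must not match "example.com", hence the explicit dot in the suffix test."""
    return any(name == root or name.endswith("." + root) for root in roots)


def names_from_ct(entries: list[dict], roots: set[str]) -> set[str]:
    """Collect every owned host name seen in a batch of CT records.
    Each record is modelled as {"cn": ..., "sans": [...]} (subject CN plus SAN list)."""
    found: set[str] = set()
    for entry in entries:
        for raw in [entry.get("cn", "")] + entry.get("sans", []):
            name = normalise(raw)
            if name and belongs_to(name, roots):
                found.add(name)
    return found


def undeclared(found: set[str], declared: set[str]) -> list[str]:
    """Names observed in CT that the declared inventory (CMDB export) does not contain."""
    return sorted(found - {normalise(d) for d in declared})


# Constructed CT records: a normal cert, a wildcard on a staging zone, an
# acquisition's portal, a lookalike domain, and a badly-cased CN with no SANs.
CT_SAMPLE = [
    {"cn": "www.example.com", "sans": ["www.example.com", "example.com"]},
    {"cn": "*.staging.example.com", "sans": ["*.staging.example.com", "staging.example.com"]},
    {"cn": "portal.acquired-brand.net", "sans": ["portal.acquired-brand.net"]},
    {"cn": "notexample.com", "sans": ["notexample.com"]},   # lookalike, not owned
    {"cn": "API.Example.COM.", "sans": []},
]
# What the CMDB declares (constructed).
DECLARED = {"www.example.com", "example.com"}

if __name__ == "__main__":
    seen = names_from_ct(CT_SAMPLE, OWNED_ROOTS)
    for host in undeclared(seen, DECLARED):
        print("undeclared:", host)
```

On the sample the reconciliation surfaces three hosts the inventory lacks: the API host, the staging zone behind a wildcard certificate, and the acquisition's portal. The lookalike domain is correctly ignored here; it belongs to the brand and typosquatting tracking described under the same category, not to asset discovery.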
Category 02

Vulnerability Intelligence

CISA KEV · EPSS · in-the-wild exploitation

Vulnerabilities alone are not a priority. Priority comes from correlation with real exploitation: active ransomware groups, mass exploitation campaigns, actors targeting your sector.

  • CISA KEV catalog: tracking of the CISA catalogue of actively exploited vulnerabilities · immediate alert if a CVE from your stack appears.
  • EPSS score: Exploit Prediction Scoring System · probability of exploitation within the next 30 days · combined with CVSS for composite scoring.
  • Mass exploitation campaigns: tracking of mass exploitation campaigns (Cl0p MOVEit, Akira Cisco ASA, Black Basta Citrix) · alert if you are a potential target.
  • 0-day & N-day for sale: listings of exploits for sale on marketplaces · correlation with CVEs in your stack.
  • Patch lag tracking: for publicly visible assets, detection when the patch is lagging behind release · pressure point for remediation.
Category 03

Shadow IT & M&A discovery

Assets not in CMDB · post-acquisition · former employees

Shadow IT is the most dangerous asset: nobody knows it, nobody monitors it, nobody updates it. Automatic discovery via brand keywords, executive names, IP correlation.

  • M&A inheritance: assets from acquired companies not yet integrated into the main perimeter · often with obsolete stack and no monitoring.
  • Former employees / developers: assets hosted in personal tenants (AWS, Heroku, Vercel, Netlify) during development · often forgotten after the employee leaves.
  • Marketing & vendor-controlled: microsites, landing pages, marketing campaigns published outside the main IT perimeter.
  • Test / staging exposed: test or staging environments accidentally published to the internet (often without authentication).
  • Brand acquisitions: domains purchased for brand protection · often unmaintained · vector for typosquatting.
Category 04

Cloud Misconfiguration

S3 · Azure Blob · GCS · Kubernetes · Docker · CI/CD

Cloud misconfigurations are today one of the leading causes of data breach. Discovery of public buckets, exposed API servers, container registries, secrets in public repositories.

  • S3 / Azure Blob / GCS: public buckets owned by the client or managed by suppliers · content sampling to estimate sensitivity (PII, code, backups).
  • Kubernetes API exposed: kube-apiserver, etcd, kubelet publicly accessible · one of the most exploited vectors 2024-2026.
  • Docker registry & Helm: exposed container registries · allow image pulls · often with credentials in environment variables.
  • Exposed CI/CD pipelines: Jenkins, GitLab CI, GitHub Actions runners publicly accessible · often with access to code and secrets.
  • Cloudflare worker · Vercel · Netlify: public serverless deployments · often with secrets in environment, API keys in client-side code.
Category 05

Credential & Secret leak

GitHub · Pastebin · infostealer · environment leak

Secrets (API keys, passwords, certificates, .env) end up in public repositories, paste sites, infostealer dumps. Continuous discovery to identify leaks before exploitation.

  • GitHub / GitLab leaks: continuous scanning of public repos for secrets traceable to the client (API keys, AWS credentials, .env, private keys).
  • Paste sites & gists: Pastebin, GhostBin, Gist, RentryCo · monitoring for code or credential leaks.
  • Infostealer dump correlation: correlation with infostealer logs indexed in dark web monitoring (capability 05) for exposed corporate credentials.
  • Environment variable leak: detection of endpoints that inadvertently expose environment variables (e.g., /env, /debug, /actuator).
  • Mobile app reverse-engineering: analysis of the company's mobile apps · extraction of API keys, private endpoints, certificate pinning bypass.
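The repository and paste-site scanning described in this category, as an added worked example (written for this page; not Fortgale's scanner): a small secret detector run over a constructed `.env` file of the kind that gets committed by mistake. Two rules match well-known public formats (the AKIA prefix of AWS access key ids and the PEM private-key header); a third flags assignments to credential-named keys; a fourth flags long, high-entropy values under any key name. The credential-name list, the entropy threshold and the placeholder patterns are our assumptions, and every value in the sample is constructed. Findings are redacted so that the report does not itself become a second leak.

```python
from __future__ import annotations
import math
import re
from collections import Counter

# Rules matched against each whole line. The AKIA prefix format of AWS access
# key ids and the PEM private-key header are public, documented formats.
LINE_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]
# KEY=VALUE lines (.env / shell style) with an optional trailing comment.
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*(?:#.*)?$")
# Key names that denote credentials (our list, an assumption).
CRED_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|SIGNING_KEY|API_KEY")
# Values that are templates rather than secrets: ${VAR} or <fill me in>.
PLACEHOLDER = re.compile(r"^(?:\$\{[^}]*\}|<[^>]*>)$")
ENTROPY_MIN_LEN, ENTROPY_THRESHOLD = 20, 4.0   # assumptions; tune per corpus


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4.7 for uniform base62, well under 3 for English words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix so an analyst can match the finding without re-exposing it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, rule, redacted_evidence) findings over a blob of text."""
    findings: list[tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in LINE_RULES:
            m = pattern.search(line)
            if m:
                findings.append((line_no, rule, redact(m.group(0))))
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("\"'")
        if PLACEHOLDER.match(value):
            continue                                   # template, not a leaked value
        if CRED_NAME.search(key):
            findings.append((line_no, "credential-assignment", f"{key}={redact(value)}"))
        elif len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append((line_no, "high-entropy-value", f"{key}={redact(value)}"))
    return findings


# Constructed .env committed by mistake; none of these values is a real secret.
SAMPLE = """\
# constructed sample, not real credentials
APP_ENV=production
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB
AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}   # injected by CI, placeholder
DB_PASSWORD="hunter2"
API_TOKEN=<set in CI>
CACHE_SALT=q8Z2mN7vR4tY1wE6uI9oP0aS3dF5gH7j
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexample
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_no, rule, evidence in scan(SAMPLE):
        print(f"line {line_no:2}  {rule:22}  {evidence}")
```

The sample produces four findings (the access key id on line 3, the database password on line 5, the high-entropy salt on line 7, the private key header on line 8) and correctly skips the two placeholder assignments. It also shows the limit of entropy-based detection: `hunter2` is caught only because its key name says password, so the name rule and the entropy rule are complementary rather than redundant.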
Among the most tracked

Seven exposures that make the difference.

An excerpt of the exposures most relevant to real-world 2024-2026 risk · each correlated with the actor groups that exploit them.

VPN/Edge exposed · 2024-2026 · top

Citrix NetScaler exposed

CVE-2023-3519 · CVE-2024-8534 · CVE chains
Type: Edge device · VPN/load balancer
Coverage: Banner version · build · admin panel · session injection

Top intrusion vector 2024-2026. Continuous tracking of exposed Citrix NetScaler/ADC versions · alerts on versions vulnerable to CVEs actively exploited by Black Basta, LockBit, RansomHub. Admin panel exposed = critical.

KEV-listed · Top exploit 2024-26 · Mass exploitation · Pre-ransomware
Risk · Critical
VPN/Edge · 2023-active · KEV

Ivanti Connect Secure

CVE-2023-46805 · CVE-2024-21887 · CVE-2024-22024
Type: Edge device · SSL VPN
Coverage: Version detection · auth bypass · template injection

The 2024 mass exploitation produced victims across every sector. Tracking of vulnerable versions, build IDs, admin panel configuration.

KEV-listed · Mass exploited · APT + cybercrime
Risk · Critical
VPN · 2024-active · KEV

Fortinet FortiOS exposed

CVE-2024-21762 · CVE-2024-23113 · CVE chains
Type: Firewall · SSL VPN
Coverage: Build · admin panel · vulnerable CVE chain

CVE chains actively exploited by Akira, Black Basta and APT groups. Tracking of exposed FortiOS/FortiGate with vulnerable versions or public admin configurations.

KEV-listed · VPN exploitation · Akira target
Risk · Critical
File transfer · 2023-active

MOVEit Transfer exposed

Cl0p mass exploitation pattern · CVE-2023-34362
Type: File transfer · SQL injection
Coverage: Version detection · admin path · public URL

Vector of the Cl0p 2023 mass exploitation · hit hundreds of organisations. Tracking of MOVEit Transfer instances still exposed publicly.

Cl0p target · SQL injection · Mass exploited
Risk · High
Cloud misconfig · ongoing

Public S3 / Azure Blob

AWS S3 / Azure Blob / GCS storage
Type: Cloud storage misconfiguration
Coverage: Bucket discovery · public access · content sampling

Continuous tracking of publicly accessible cloud buckets owned by the client or managed by suppliers. Content sampling (no download) to estimate sensitivity.

Cloud · Data exposure · Supplier risk
Risk · High
CMS · 2024-active

WordPress vulnerable plugin

WordPress + plugin (Elementor, WPBakery, Yoast, …)
Type: CMS · plugin chain exploitation
Coverage: Plugin version · vulnerable known CVE · admin path

Continuous tracking of WordPress sites owned or controlled by the client (marketing, brand sites). Vulnerable plugins are often vectors for defacement, SEO poisoning, malvertising.

WordPress · Plugin chain · Defacement risk
Risk · Medium
Hypervisor · 2024-active

VMware vCenter / ESXi

CVE-2024-38812 · CVE-2024-37085 · auth bypass
Type: Hypervisor · management plane exposed
Coverage: Version detection · auth bypass paths

Publicly exposed hypervisors are a privileged ransomware vector (LockBit, RansomHub, Akira each have dedicated ESXi encryptors). Real-time tracking.

ESXi encryptor · Critical exposure · Pre-ransomware
Risk · Critical
Severity · methodology

Calculated priorities · not raw CVSS.

Every exposure receives a severity calculated as a function of CVSS · KEV-listed · EPSS · active actors · asset criticality. Not a number from 0 to 10, but a patching priority decision.

Critical

Immediate patching

CVE in CISA KEV actively exploited by groups targeting your sector · on a critical exposed asset (VPN, Citrix, hypervisor, file transfer). Immediate alert.

High

Webhook alert

KEV-listed CVE but not yet observed against your sector · OR critical asset exposed with weak configuration · OR EPSS score > 50%. Webhook alert.

Medium

Weekly digest

Published CVE but not KEV-listed · low EPSS score · non-critical asset · low-impact exposure. Included in the weekly digest.

Info

Dashboard only

Discovery of a new asset · non-critical change (e.g., new marketing subdomain) · informational only. Available in the dashboard, does not generate alerts.
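The priority rule described under "Prioritisation with CTI" in the method and spelled out tier by tier in this severity methodology, as one added worked example (written for this page; it is not Fortgale's scoring code). It encodes the four tiers exactly as stated above: Critical when a KEV-listed CVE is exploited by an actor active against the client's sector and sits on a critical exposed asset; High when it is KEV-listed but not yet seen against the sector, or a critical asset carries a weak configuration, or EPSS exceeds 50%; Medium for everything else with a CVE; Info for discovery events. CVSS only breaks ties in the queue. The asset-class labels, the sector actor list, the constructed exposures and the placeholder CVE ids are assumptions; the sample mirrors the FAQ scenario of a CVSS 9.8 Citrix CVE with no observed exploitation ranking below a lower-CVSS Fortinet CVE exploited by ransomware groups.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Asset classes the page names as critical exposed assets (VPN, Citrix,
# hypervisor, file transfer). The labels themselves are ours.
CRITICAL_ASSET_CLASSES = {"vpn", "edge", "hypervisor", "file-transfer"}

# Queue order: best tier first (Info last is an assumption).
TIER_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Info": 3}


@dataclass
class Exposure:
    asset: str
    asset_class: str
    cve: str | None = None               # None for pure discovery / change events
    cvss: float = 0.0
    kev_listed: bool = False             # present in the CISA KEV catalogue
    epss: float = 0.0                    # EPSS probability, 0..1
    actors: set[str] = field(default_factory=set)   # groups observed exploiting the CVE
    weak_config: bool = False            # e.g. admin panel reachable from the internet


def is_critical_asset(e: Exposure) -> bool:
    return e.asset_class in CRITICAL_ASSET_CLASSES


def actor_sector_match(e: Exposure, sector_actors: set[str]) -> bool:
    """True if an actor exploiting this CVE is also active against the client's sector."""
    return bool(e.actors & sector_actors)


def priority(e: Exposure, sector_actors: set[str]) -> tuple[str, str]:
    """Map an exposure to (tier, delivery channel) following the page's four rules.
    CVSS is deliberately not a deciding input here; it only orders the queue."""
    if e.cve is None:
        return "Info", "dashboard"
    if e.kev_listed and actor_sector_match(e, sector_actors) and is_critical_asset(e):
        return "Critical", "immediate alert"
    if e.kev_listed or (is_critical_asset(e) and e.weak_config) or e.epss > 0.5:
        return "High", "webhook"
    return "Medium", "weekly digest"


def rank(exposures: list[Exposure], sector_actors: set[str]) -> list[tuple[str, str, str]]:
    """Remediation queue as (asset, cve, tier): by tier, then EPSS, then CVSS."""
    scored = [(e, priority(e, sector_actors)[0]) for e in exposures]
    scored.sort(key=lambda pair: (TIER_RANK[pair[1]], -pair[0].epss, -pair[0].cvss))
    return [(e.asset, e.cve or "-", tier) for e, tier in scored]


# Constructed sample (placeholder hosts and CVE ids). Actors active against the
# client's sector would come from the CTI feed; here they are hard-coded.
SECTOR_ACTORS = {"Akira", "Black Basta", "RansomHub"}
SAMPLE = [
    # CVSS 9.8, not in KEV, low EPSS, no known actors: headline score, little real risk
    Exposure("vpn.example.com", "edge", cve="CVE-0000-0001", cvss=9.8, epss=0.04),
    # Lower CVSS but KEV-listed and exploited by a group active against the sector
    Exposure("fw.example.com", "vpn", cve="CVE-0000-0002", cvss=7.5, kev_listed=True,
             epss=0.62, actors={"Akira"}),
    # Non-critical CMS host, but EPSS says exploitation is likely
    Exposure("cms.example.com", "cms", cve="CVE-0000-0003", cvss=6.1, epss=0.71),
    # Newly discovered marketing subdomain: informational
    Exposure("promo.example.com", "web"),
]

if __name__ == "__main__":
    for asset, cve, tier in rank(SAMPLE, SECTOR_ACTORS):
        print(f"{tier:9} {asset:18} {cve}")
```

The queue comes out as Fortinet (Critical), CMS (High), Citrix (Medium), marketing subdomain (Info), which is the inversion of a raw-CVSS ordering that the methodology argues for. Two boundary cases worth noting: a KEV-listed CVE exploited only by actors not active against the sector lands in High, and a critical asset with a weak configuration reaches High with no CVE exploitation evidence at all.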

The output

How EASM is delivered.

Four channels by role: dashboard for the CISO, webhook alerts for the SOC, weekly report for management, manual validation for critical cases.

01

EASM dashboard

Web console with real-time view of every detected asset, exposure, prioritised CVE, delta over the last 24h. Filtering by criticality, category, business unit.

02

Critical alert webhook

Immediate push for Critical exposures (new KEV affecting your stack, critical asset exposed, secret leak) via webhook, email, SMS. SLA < 15 minutes.

03

Weekly risk report

Weekly email report for the CISO: asset delta, new exposures, new relevant KEV, BU-level summary, prioritised remediation recommendations.

04

Pentest-aided validation

For critical exposures, manual validation by Fortgale analysts (manual exploitability testing, no automated exploitation) · patching support.

Technical honesty

When not to activate EASM.

If the external surface is minimal · no public IPv4, no SaaS, no distributed cloud, no frequent M&A, no external developers · traditional internal VM covers most of the risk. EASM is justified when there are unintegrated perimeters.

EASM becomes critical when: distributed cloud (multi-cloud, multi-tenant, multi-region), frequent M&A, broad supplier ecosystem, ungoverned shadow IT, visible brand (e-commerce, B2C applications), sector targeted by mass exploitation campaigns (manufacturing, finance, healthcare).

Not sure? Let's talk. If you don't need it, the Fortgale team will tell you.

For the board

Three slides · the real surface.

EASM produces data the CISO can take to the board to justify investments and remediation priorities · in business language.

01 · The surface

How many internet-facing assets you actually have (vs how many in the CMDB) · how much shadow IT has been uncovered · how many M&A assets remain unintegrated.

02 · The exposure

How many actively-exploited CVEs affect you · how many critical assets are publicly exposed · how many secrets have leaked in the last 12 months.

03 · The remediation

How many incidents avoided thanks to pre-warning · how many assets removed/protected · estimated cost avoided vs cost of the service.

The «3 board slides» pack is included in the premium EASM deliverables · available on-demand.

FAQ

Frequently asked questions on EASM.

What is EASM and how does it differ from traditional Vulnerability Management?

EASM (External Attack Surface Management) is outside-in discovery: it uncovers the organisation's external attack surface as an attacker would see it, with no need for agents or internal integrations. Traditional VM is inside-out: it scans what the CMDB already knows. EASM finds what the CMDB does not know (shadow IT, post-M&A assets, external developers, former-employee assets).

How does Fortgale integrate threat intelligence into EASM?

Detected vulnerabilities are correlated with CISA KEV (Known Exploited Vulnerabilities), EPSS score, and the active actors tracked by Fortgale CTI. Example: a "critical" Citrix NetScaler CVE with CVSS 9.8 but no observed exploitation has lower priority than a "high" Fortinet CVE actively exploited by ransomware groups.

Does EASM discover cloud assets (S3, Azure, GCP)?

Yes. Discovery of public S3 buckets, exposed Azure Blob Storage and GCP Storage, public Kubernetes API servers, Docker registries, secrets in public repositories (GitHub, GitLab), unauthenticated SaaS API endpoints. Coverage also extends to Cloudflare worker, Vercel and Netlify deployments.

Is any client-side integration required?

No. EASM is fully outside-in: it operates from public sources (certificate transparency, passive DNS, internet scan, OSINT) with no agent, no credentials, no access to internal systems. Typical onboarding: root domain, list of known subdomains, list of IP ranges, list of names and brands. Fortgale finds the rest.

How often is the surface rescanned?

Full discovery: 24 hours. Critical assets (e.g., VPN, Citrix, MOVEit): every 4-6 hours. Real-time alerts on significant deltas: new exposed assets, expiring certificates, changed banner versions, new actively-exploited CVEs affecting the client's stack.

When does it NOT make sense to activate EASM?

If the external surface is minimal (no public IPv4, no SaaS, no cloud, no e-commerce, no exposed executives), traditional internal VM is sufficient. If instead you have distributed cloud, frequent M&A, a broad supplier ecosystem, ungoverned shadow IT · EASM produces immediate value within 1-2 weeks.

Start with ASM

What are you exposing today that you don't know about?

Request a free 30-day assessment · full scan of the external surface, KEV-aware prioritisation, report with the real exposures detected. No commitment.

Response time: < 1 business day.