Why attack surface management: you can't defend what you can't see
You cannot defend what you do not know you have. Every company exposes more than it thinks: forgotten subdomains, test services online, legacy VPNs and portals, shadow IT assets, credentials in public repositories. Attack surface management continuously maps this exposed surface with an attacker's eye, because that is exactly where reconnaissance starts before an attack. What is invisible to you is already visible to whoever studies you.
The thesis
An attacker’s first move is not the attack: it is reconnaissance. They look for what you expose without knowing it, because it is the easiest way in. Attack surface management flips the advantage: it looks at your company from the outside, the way they do, and shows you the open doors before someone else finds them.
The cost of not seeing it
The exposed surface grows on its own: a test environment published and forgotten, a subdomain from an old campaign, a legacy VPN never decommissioned, a key leaked into a repository. These are assets no one guards because no one knows they exist, and they are often the real entry point. The internal inventory does not see them; the attacker does.
What ASM provides
Continuous mapping of the internet-facing surface from the adversary’s point of view: discovery of unknown assets, exposures prioritised by risk, monitoring of change over time. It is intelligence applied to prevention, fuelled by the same research that attributes actors (such as Nebula Broker).
When it really matters (and when less is enough)
It becomes essential with multiple clouds, rapid growth, mergers and acquisitions, a supplier ecosystem: all factors that inflate the exposed surface. If instead you manage few assets, all accounted for and with no scattered cloud, the return is lower and the priority may sit on basic hardening. Honestly: ASM is for those who have grown faster than their own map.
Internal inventory vs attack surface management
| | Internal inventory | Attack Surface Management |
|---|---|---|
| Point of view | What you know you have | What the attacker sees |
| Shadow IT / legacy | Often missing | Discovered and mapped |
| Update | Periodic, static | Continuous |
| Outcome | List of known assets | Real exposures to close, prioritised |
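The three differences the table draws (point of view, shadow IT, change over time) reduce to a few set operations once both sides are expressed as asset lists. The script below is an added illustration, not Fortgale's tooling or a description of how their service works: it reconciles an internal inventory against the hosts an external discovery run reports, diffs two discovery snapshots to surface change, and ranks the exposures with simple additive rules. All hostnames, certificate dates, tags and weights are constructed for the example.

```python
"""Reconcile an internal asset inventory with externally discovered assets,
track change between two discovery snapshots, and rank the exposures.
Added example; every host, date and weight below is constructed, not real data."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Asset:
    """One internet-facing asset as an external discovery run would report it."""
    host: str
    service: str                          # e.g. "https", "vpn", "ssh"
    cert_expiry: Optional[date] = None    # None when the service has no TLS certificate
    tags: FrozenSet[str] = frozenset()    # hints inferred from naming or banners, e.g. {"test", "legacy"}


# --- Constructed sample data (hypothetical hosts under example.com) ----------
INVENTORY: Set[str] = {"www.example.com", "mail.example.com", "vpn.example.com"}

SNAPSHOT_T0: List[Asset] = [
    Asset("www.example.com", "https", date(2026, 6, 1)),
    Asset("vpn.example.com", "vpn", date(2025, 1, 1), frozenset({"legacy"})),
    Asset("staging-2019.example.com", "https", date(2024, 3, 1), frozenset({"test"})),
]
SNAPSHOT_T1: List[Asset] = SNAPSHOT_T0 + [
    Asset("promo-summer.example.com", "https", date(2027, 1, 1)),  # appeared since T0
]
TODAY = date(2025, 6, 1)


def unknown_assets(inventory: Set[str], discovered: Iterable[Asset]) -> Set[str]:
    """Hosts visible from the outside that the internal inventory does not list."""
    return {a.host for a in discovered} - inventory


def diff_snapshots(prev: Iterable[Asset], curr: Iterable[Asset]) -> Tuple[Set[str], Set[str]]:
    """Change over time: (hosts that appeared, hosts that disappeared)."""
    before = {a.host for a in prev}
    after = {a.host for a in curr}
    return after - before, before - after


def score_asset(asset: Asset, inventory: Set[str], today: date) -> Tuple[int, List[str]]:
    """Additive risk score plus the reasons behind it. Weights are illustrative only."""
    score, reasons = 0, []
    if asset.host not in inventory:
        score += 3
        reasons.append("not in internal inventory (shadow IT or forgotten)")
    if asset.cert_expiry is not None and asset.cert_expiry < today:
        score += 2
        reasons.append("expired certificate")
    if "test" in asset.tags:
        score += 2
        reasons.append("test environment exposed")
    if "legacy" in asset.tags:
        score += 2
        reasons.append("legacy service still reachable")
    if asset.service == "vpn":
        score += 1
        reasons.append("remote-access service")
    return score, reasons


def prioritise(discovered: Iterable[Asset], inventory: Set[str], today: date
               ) -> List[Tuple[int, str, List[str]]]:
    """Rank discovered assets highest-risk first; ties broken by hostname."""
    ranked = []
    for asset in discovered:
        score, reasons = score_asset(asset, inventory, today)
        ranked.append((score, asset.host, reasons))
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return ranked


if __name__ == "__main__":
    print("Unknown to inventory:", sorted(unknown_assets(INVENTORY, SNAPSHOT_T1)))
    appeared, gone = diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)
    print("Appeared since last run:", sorted(appeared), "| Gone:", sorted(gone))
    for score, host, reasons in prioritise(SNAPSHOT_T1, INVENTORY, TODAY):
        print(f"{score:>2}  {host:<28} {'; '.join(reasons) or 'no findings'}")
```

The point of the example is the direction of the comparison: the inventory is never the source of truth for the perimeter, the discovery snapshot is, and the inventory is only consulted to explain why a host was unguarded. In practice the discovery list would come from DNS, certificate-transparency and cloud-provider sources rather than a hard-coded list, and the weights would be tuned to the organisation's own risk appetite.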
By mapping the infrastructure of the actor Nebula Broker (later confirmed by Mandiant as UNC4990) and the 800 domains of the Kali365 platform, the Fortgale team developed the method to think like the adversary: the same eye that, turned towards you, maps the exposed surface before an attacker does.
Frequently asked questions
What does attack surface management typically find?
Forgotten subdomains and services, exposed test environments, legacy portals and VPNs, expired certificates, open ports, unaccounted shadow IT assets, credentials or keys leaked into public repositories. The doors no one guards because no one knew they were open.
How is it different from a vulnerability scan?
A vulnerability scan looks for flaws on known assets; ASM first discovers the assets, including those you did not know you had. They are complementary: ASM defines the real perimeter, and the scan verifies it.
Why does 'the attacker's eye' matter?
Because the attacker does not attack your IT org chart; they attack what they find exposed. Mapping the surface from the outside, as they do, reveals the blind spots an internal inventory misses.
When is it less of a priority?
With a minimal, well-governed surface (few assets, all accounted for, no scattered cloud) the return is lower. But as soon as there are multiple clouds, mergers, suppliers and rapid growth, the exposed surface grows fast and ASM becomes essential.
From theory to a real operation.
What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Attack Surface Management.
Related resources: What is CTI · The role of CTI in defence · What is MDR
A technical conversation, not a funnel.
Leave your details: an analyst calls you back within one business day. European SOC, same time zone, proprietary intelligence on the actors active across the EU.