The attack surface is not static: it changes every time a service is deployed, a supplier is onboarded, a port is opened or an employee is granted access to resources.
What is the attack surface
An organisation's attack surface is the sum of all points — technological, human and procedural — through which an attacker could attempt to gain access, extract data or cause harm. It includes internet-facing servers, web applications and APIs, user accounts, endpoints, cloud services, Shadow IT, the supply chain and any other element reachable from outside or exploitable from within.
Why it matters
In a business context, the attack surface matters because it defines how many opportunities an adversary has to find a weakness. As an organisation grows — more cloud services, more SaaS applications, more suppliers, more remote workers — the surface expands. The critical issue is not just knowing it exists, but having real visibility into it and managing it continuously. An uncontrolled attack surface means forgotten assets, unsupervised open ports, credentials exposed in public repositories, unmonitored domains and overly permissive cloud configurations. Each of those points can become the entry vector for an incident. Reducing and governing the attack surface is one of the foundations of any mature security strategy.
Key points
- It includes external components (what an attacker sees from the internet) and internal ones (what someone with network access could exploit).
- Sound management starts with an up-to-date asset inventory, continuous monitoring and prioritisation of whatever reduces the most risk with the least effort.
- The human attack surface — employees susceptible to phishing, social engineering or configuration errors — is just as relevant as the technological one.
Example of attack surface management in a company
A mid-sized company with 300 employees runs Microsoft 365, three SaaS applications, a corporate website with a contact form, a mail server, a VPN for remote access and several development subdomains that were set up for testing and never decommissioned. An attack-surface discovery exercise reveals that two of those subdomains have expired certificates and expose services with known vulnerabilities. Additionally, an S3 bucket configured as public contains internal documentation. None of these assets appeared in the official inventory. With that visibility, the security team can prioritise remediation, decommission what is no longer needed and establish a process to vet any new asset before it is exposed.
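The reconciliation step from this scenario (comparing discovery results against the official inventory and ranking what to fix first) as an added Python example; it is not code from the original page, and the host names, bucket name, dates and scoring weights are constructed for illustration:

```python
from datetime import date

# Constructed sample data: the official asset inventory and the output of a
# discovery exercise. All names, dates and counts are invented for this example.
INVENTORY = {"www.example.com", "mail.example.com", "vpn.example.com"}

DISCOVERED = [
    {"asset": "www.example.com", "kind": "host", "cert_expiry": date(2025, 9, 1), "known_vulns": 0},
    {"asset": "mail.example.com", "kind": "host", "cert_expiry": date(2025, 6, 1), "known_vulns": 0},
    {"asset": "vpn.example.com", "kind": "host", "cert_expiry": date(2025, 5, 15), "known_vulns": 0},
    {"asset": "dev1.example.com", "kind": "host", "cert_expiry": date(2023, 1, 1), "known_vulns": 2},
    {"asset": "dev2.example.com", "kind": "host", "cert_expiry": date(2022, 11, 3), "known_vulns": 1},
    {"asset": "internal-docs-bucket", "kind": "bucket", "public": True},
]


def reconcile(inventory, discovered, today):
    """Flag discovered assets that are unknown, expired, vulnerable or public,
    and return them ordered by an illustrative risk score (highest first)."""
    findings = []
    for a in discovered:
        reasons, score = [], 0
        # Anything not in the inventory is unmanaged: nobody is patching or watching it.
        if a["asset"] not in inventory:
            reasons.append("not in inventory")
            score += 3
        if a["kind"] == "host":
            if a["cert_expiry"] < today:
                reasons.append("expired certificate")
                score += 1
            if a["known_vulns"]:
                reasons.append(f"{a['known_vulns']} known vulnerabilities")
                score += 2 * a["known_vulns"]
        elif a["kind"] == "bucket" and a.get("public"):
            reasons.append("publicly readable bucket")
            score += 4
        if reasons:
            findings.append({"asset": a["asset"], "score": score, "reasons": reasons})
    # Highest score first so the remediation queue is already prioritised.
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in reconcile(INVENTORY, DISCOVERED, date(2024, 1, 1)):
        print(f"{f['score']:>2}  {f['asset']:<22} {', '.join(f['reasons'])}")
```

Running it lists the two forgotten development hosts and the public bucket as the only findings, already ordered for remediation, while the three inventoried, healthy assets produce nothing.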
Common mistakes
- Believing the attack surface is limited to the corporate website and the perimeter firewall. SaaS applications, third-party integrations, personal accounts with corporate access and forgotten development environments are also part of it.
- Running an asset inventory once a year and assuming it remains valid. The surface changes every week in most organisations.
- Focusing only on the external surface and forgetting that an attacker with initial access can pivot internally by exploiting weak segmentation, over-privileged accounts or internal services with no authentication.
Frequently asked questions
What does a company's attack surface include?
It includes every point reachable by an attacker: servers, web applications, APIs, endpoints, user accounts, cloud services, IoT devices, Shadow IT, suppliers with access and any asset exposed directly or indirectly.
How can the attack surface be reduced?
With an up-to-date asset inventory, decommissioning of unused assets, configuration hardening, network segmentation, least-privilege access control and continuous monitoring of exposure changes.
How often should the attack surface be reviewed?
Continuously, or at least monthly. Any change in infrastructure, applications, suppliers or personnel can expand the surface without the security team knowing.