Hard2bit
Offensive security and exposure

Attack surface

What is the attack surface

An organisation's attack surface is the sum of all points — technological, human and procedural — through which an attacker could attempt to gain access, extract data or cause harm. It includes internet-facing servers, web applications and APIs, user accounts, endpoints, cloud services, Shadow IT, third-party integrations, the supply chain and any other element reachable from outside or exploitable from within. The larger it gets, the more opportunities an adversary has to find at least one weakness to exploit.

Why it matters

In a business context the attack surface matters because it defines how many opportunities an adversary has to find a weakness. As an organisation grows — more cloud services, more SaaS applications, more suppliers, more remote workers — the surface expands, often faster than the security team can inventory it. The critical issue is not just knowing it exists, but having real visibility into it and managing it continuously, a discipline the industry has formalised under the umbrella of External Attack Surface Management (EASM) and Cyber Asset Attack Surface Management (CAASM). An uncontrolled surface means forgotten assets, unsupervised open ports, credentials exposed in public repositories, unmonitored domains and overly permissive cloud configurations; each of those points can become the entry vector for an incident. Reducing and governing the attack surface is one of the foundations of any mature security strategy and one of the first controls that frameworks like CIS Controls, ISO 27001 and NIS2 expect to see properly managed.

Key points

The attack surface is not static: it changes every time a service is deployed, a supplier is onboarded, a port is opened or an employee is granted access to resources.

It splits into an external surface (what an attacker sees from the internet) and an internal one (what someone with network access or a valid account could exploit).

Sound management starts with an up-to-date asset inventory, continuous monitoring and risk-based prioritisation: what reduces the most exposure with the least effort.

The human attack surface — employees susceptible to phishing, social engineering or configuration errors — is just as relevant as the technological one.

The cloud and SaaS surface grows with almost no friction: any team can sign up for a service or open a bucket; without active governance, what is exposed ends up outrunning the documented inventory.

It appears as a core control in frameworks like CIS Controls, ISO 27001 and NIS2, which require asset inventory, vulnerability management and continuous exposure monitoring.

Example of attack surface management in a company

A mid-sized company with 300 employees runs a cloud productivity suite, three SaaS applications contracted independently by different teams, a corporate website with a contact form, a mail server, a VPN for remote access and several development subdomains spun up for testing that were never decommissioned. An attack-surface discovery exercise reveals that two of those subdomains have expired certificates and expose services with known vulnerabilities; additionally, a cloud storage bucket configured as public contains internal documentation and stale credentials from a forgotten integration. None of these assets appeared in the official inventory.

With that visibility the security team can prioritise remediation by real risk, decommission what is no longer needed, rotate the exposed credentials and establish a process whereby any new asset goes through a technical filter before being exposed. The point is not a static inventory but a continuous cycle of discovery, validation and reduction that turns changes into monitoring rules instead of blind spots.
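As an added illustration of the discovery, validation and reduction cycle just described (example code written for this glossary entry, not Hard2bit's tooling), the following Python reconciles one discovery run against the documented inventory, checks each asset for the exposure conditions from the scenario above (absent from the inventory, expired certificate, public bucket, known-vulnerable components, stale credentials) and ranks the results by the exposure, asset criticality and ease-of-exploitation criteria that the "Common mistakes" section names. Every hostname, bucket name, date and score is constructed, and the weighting is this example's own, not a published standard.

```python
"""Attack-surface reconciliation: discovered assets vs. documented inventory,
validated and ranked by risk. All data below is constructed for the example."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Fixed reference date so the example is deterministic (constructed).
TODAY = date(2025, 1, 15)


@dataclass
class Asset:
    name: str                        # hostname, bucket name or service id
    kind: str                        # "web", "mail", "vpn", "bucket", ...
    criticality: int                 # 1 (low) .. 5 (business critical), set by the owner
    cert_expiry: Optional[date] = None
    public: bool = False             # readable or usable without authentication
    known_vulns: int = 0             # exposed components with known vulnerabilities
    stale_credentials: bool = False  # leaked or forgotten secrets found on it


@dataclass
class Finding:
    score: int
    name: str
    issues: List[str]


# The official inventory: only the assets the security team knows about.
DOCUMENTED: Set[str] = {"www.example.test", "mail.example.test", "vpn.example.test"}

# Output of a discovery run (constructed sample mirroring the scenario above:
# forgotten dev subdomains and a public bucket holding old credentials).
DISCOVERED: List[Asset] = [
    Asset("www.example.test", "web", 3, cert_expiry=date(2025, 11, 30)),
    Asset("mail.example.test", "mail", 4, cert_expiry=date(2025, 8, 1)),
    Asset("vpn.example.test", "vpn", 5, cert_expiry=date(2025, 5, 20)),
    Asset("dev1.example.test", "web", 3, cert_expiry=date(2024, 6, 1), known_vulns=2),
    Asset("dev2.example.test", "web", 2, cert_expiry=date(2024, 9, 10), known_vulns=1),
    Asset("docs-bucket-example", "bucket", 4, public=True, stale_credentials=True),
]


def findings(asset: Asset, inventory: Set[str], today: date = TODAY) -> List[str]:
    """Validation step: which exposure conditions does this asset meet?"""
    issues: List[str] = []
    if asset.name not in inventory:
        issues.append("not in inventory")
    if asset.cert_expiry is not None and asset.cert_expiry < today:
        issues.append("expired certificate")
    if asset.public:
        issues.append("publicly readable")
    if asset.known_vulns:
        issues.append(f"{asset.known_vulns} known-vulnerable component(s)")
    if asset.stale_credentials:
        issues.append("stale credentials exposed")
    return issues


def risk_score(asset: Asset, issues: List[str]) -> int:
    """Exposure x criticality x ease of exploitation. The factors are the three
    prioritisation criteria named on the page; the weights are this example's own."""
    exposure = 2 if (asset.public or "not in inventory" in issues) else 1
    if asset.stale_credentials:
        ease = 3      # a usable secret needs no exploit at all
    elif asset.known_vulns:
        ease = 2
    else:
        ease = 1
    return exposure * asset.criticality * ease


def prioritise(discovered: List[Asset], inventory: Set[str], today: date = TODAY) -> List[Finding]:
    """Discovery -> validation -> ranked remediation list, highest risk first."""
    rows = []
    for asset in discovered:
        issues = findings(asset, inventory, today)
        if issues:
            rows.append(Finding(risk_score(asset, issues), asset.name, issues))
    return sorted(rows, key=lambda r: r.score, reverse=True)


def new_exposures(previous: Set[str], current: Set[str]) -> Set[str]:
    """Assets that appeared since the last run. Each one should go through the
    'technical filter before exposure' process instead of becoming a blind spot."""
    return current - previous


if __name__ == "__main__":
    for f in prioritise(DISCOVERED, DOCUMENTED):
        print(f"{f.score:>3}  {f.name:<22} {', '.join(f.issues)}")
    print("new since last run:", sorted(new_exposures(DOCUMENTED, {a.name for a in DISCOVERED})))
```

Run as a script it prints the public bucket first (score 24), then the two development subdomains, and lists the three assets that were never in the inventory. In practice `DISCOVERED` would be fed from certificate transparency logs, DNS enumeration of owned zones, cloud provider APIs and the SaaS admin consoles, and `new_exposures` would be run against the previous snapshot on every cycle so that each change produces a review task rather than silently widening the surface.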

Common mistakes

  • Believing the attack surface is limited to the corporate website and the perimeter firewall. SaaS applications, third-party integrations, personal accounts with corporate access and forgotten development environments are all part of it.
  • Running an asset inventory once a year and assuming it remains valid. The surface changes every week in most organisations; without continuous discovery the inventory is already out of date the day it is signed off.
  • Focusing only on the external surface and forgetting that an attacker with initial access can pivot internally by exploiting weak segmentation, over-privileged accounts or internal services with no authentication.
  • Treating findings as a generic ticket list instead of prioritising by real risk (exposure, asset criticality, ease of exploitation). Without prioritisation, the team remediates what is easy and leaves what matters for "the next iteration".

Frequently asked questions

What does a company's attack surface include?

It includes every point reachable by an attacker: servers, web applications, APIs, endpoints, user accounts, cloud services, IoT devices, Shadow IT, suppliers with access and any asset exposed directly or indirectly.

How can the attack surface be reduced?

With an up-to-date asset inventory, decommissioning of unused assets, configuration hardening, network segmentation, least-privilege access control and continuous monitoring of exposure changes.

How often should the attack surface be reviewed?

Continuously, or at least monthly. Any change in infrastructure, applications, suppliers or personnel can expand the surface without the security team knowing.