Attack surface management
Your attack surface is everything an attacker can target. Every server, every open port, every web application, every API endpoint, every employee email, every third-party integration. The larger your attack surface, the more opportunities attackers have to find a way in.
Most companies don't know their full attack surface. Forgotten servers, test environments left online, shadow IT, acquired company assets, third-party integrations — these create blind spots. Attackers look for exactly these blind spots because they're often less protected.
Attack Surface Management (ASM) is the practice of continuously discovering, cataloging, and reducing your exposure. This chapter covers what attack surfaces are, how to discover yours, and which tools help you see what attackers see.
Why this matters for small companies
Small companies often think their attack surface is small. It's not. A typical 50-person company might have:
- 5-10 public-facing web applications
- 20-50 subdomains (many forgotten)
- Cloud resources across 2-3 providers
- SaaS integrations with dozens of vendors
- Remote employees with personal devices
- Third-party contractors with system access
You can't protect what you don't know exists. That test server from 2021 with default credentials? The staging environment with production database copy? The marketing landing page on a different hosting provider? These are often the entry points attackers find first.
Attackers automate discovery. Tools like Shodan, Censys, and custom scripts continuously scan the entire internet. Your misconfigured asset will be found, cataloged, and probed — usually within hours of going online. Research from Palo Alto Networks found that 80% of security exposures are unknown to the organizations they affect.
Small teams lack visibility. Without dedicated security staff, nobody is tracking what's exposed. Developers spin up resources, marketing launches campaigns on new platforms, and IT loses track of what exists where.
What is an attack surface?
An attack surface is the sum of all points where an attacker could try to enter or extract data from your environment. Think of it like all the doors, windows, and possible entry points to a building — except in digital terms.
Types of attack surfaces
| Type | What it includes | Examples |
|---|---|---|
| Network | All network-accessible assets | Open ports, exposed services, VPNs, firewalls |
| Application | Web apps, APIs, mobile apps | Login pages, APIs, admin panels, file uploads |
| Cloud | Cloud resources and configurations | S3 buckets, EC2 instances, IAM misconfigurations |
| Human | People and their access | Phishing targets, social engineering, credentials |
| Physical | Physical access points | Server rooms, USB ports, badge access |
| Supply chain | Third-party dependencies | SaaS vendors, open-source libraries, contractors |
For IT and server security, we focus primarily on network, application, and cloud attack surfaces — these are what attackers can reach remotely.
External vs internal attack surface
External attack surface: Everything visible from the internet. This is what attackers see without any prior access. Includes public IPs, domains, exposed services.
Internal attack surface: What's visible once inside your network. Assumes attacker has initial foothold (compromised employee laptop, phishing success, etc.). Includes internal services, databases, file shares.
Most Attack Surface Management focuses on external surfaces — reducing what attackers can see from the outside. But internal surface matters for limiting damage after initial breach.
Components of a server/IT attack surface
For a typical small company IT environment:
Network layer
Internet-facing assets to track:
- Web servers (80, 443)
- API servers (443, 8080)
- VPN endpoints (443, 1194, 500)
- SSH bastions (22)
- Mail servers (25, 587, 993)
- DNS servers (53)
- Database ports if exposed (3306, 5432, 27017)
- Remote desktop (3389)
- Admin panels (
/admin,/wp-admin,/phpmyadmin)
Every open port is a potential entry point. Each service running behind those ports might have vulnerabilities.
DNS and domain layer
Your domains and subdomains reveal a lot:
company.com
├── www.company.com → Production website
├── app.company.com → Main application
├── api.company.com → API server
├── staging.company.com → Staging (often less secured)
├── dev.company.com → Development (sometimes exposed)
├── mail.company.com → Email server
├── vpn.company.com → VPN endpoint
├── jenkins.company.com → CI/CD (valuable target)
├── grafana.company.com → Monitoring (exposes architecture)
├── old.company.com → Legacy app (forgotten, vulnerable)
└── test-12345.company.com → Test server (default creds?)
Subdomain enumeration is one of the first steps attackers take. Old, forgotten subdomains are often the weakest links.
Application layer
Each application expands the attack surface:
| Component | Attack surface elements |
|---|---|
| Authentication | Login forms, password reset, session management |
| File handling | Upload forms, file downloads, path traversal |
| User input | Forms, search, APIs accepting data |
| APIs | Endpoints, authentication, rate limiting |
| Admin interfaces | Admin panels, CMS backends, database tools |
| Third-party integrations | OAuth, webhooks, embedded content |
Cloud layer
Cloud resources create their own attack surface:
| Resource | Exposure risk |
|---|---|
| S3/GCS buckets | Public access, listing enabled |
| EC2/VM metadata | SSRF to 169.254.169.254 |
| IAM credentials | Leaked keys, overly permissive roles |
| Lambda/Cloud Functions | Code execution, secret exposure |
| Container registries | Public images with secrets |
| Kubernetes APIs | Exposed dashboards, API servers |
Attack surface discovery
Before you can reduce your attack surface, you need to know what it is. Discovery involves both passive (non-intrusive) and active (scanning) techniques.
Passive discovery
Gather information without touching target systems:
DNS enumeration:
# Find subdomains using public sources
# subfinder - passive subdomain discovery
subfinder -d company.com -o subdomains.txt
# amass - comprehensive enumeration
amass enum -passive -d company.com -o amass-results.txt
# Check Certificate Transparency logs
curl -s "https://crt.sh/?q=%.company.com&output=json" | jq -r '.[].name_value' | sort -u
WHOIS and DNS records:
# WHOIS information
whois company.com
# All DNS records
dig company.com ANY
# Find all A records for subdomains
cat subdomains.txt | xargs -I {} dig {} A +short
Search engines and public databases:
# Google dorks (search manually)
site:company.com
site:company.com filetype:pdf
site:company.com inurl:admin
# Shodan (requires account)
shodan search "company.com"
shodan search "org:Company Name"
# Censys
censys search "company.com"
Active discovery
Directly probe your infrastructure:
Port scanning:
# Nmap - comprehensive port scan
nmap -sS -sV -p- --open -oA scan-results target.company.com
# Fast scan of common ports
nmap -sS -p 21,22,23,25,53,80,110,143,443,445,3306,3389,5432,8080 company.com
# Masscan - very fast, use carefully
masscan -p1-65535 --rate=10000 -oL results.txt IP_RANGE
Service identification:
# Banner grabbing
nc -v target.company.com 22
nc -v target.company.com 80
# HTTP headers
curl -I https://company.com
# SSL/TLS information
openssl s_client -connect company.com:443 </dev/null | openssl x509 -text
Web application discovery:
# Find directories and files
gobuster dir -u https://company.com -w /usr/share/wordlists/common.txt
# Technology detection
whatweb https://company.com
# Wappalyzer CLI
wappalyzer https://company.com
Attack surface reduction
Discovery is only useful if you act on it. Here's how to shrink your attack surface:
Eliminate unnecessary exposure
| Action | How to implement |
|---|---|
| Close unused ports | Firewall rules, security groups, disable services |
| Remove old applications | Audit and decommission unused apps |
| Delete forgotten subdomains | Remove DNS records for unused hosts |
| Disable unused features | Turn off services you don't need |
| Remove default pages | Delete default Apache/nginx pages |
| Block admin panels from internet | VPN-only access, IP allowlisting |
Minimize what's exposed
# Example: Restrict SSH access to VPN only (AWS Security Group)
aws ec2 authorize-security-group-ingress \
--group-id sg-xxx \
--protocol tcp \
--port 22 \
--source-group sg-vpn-only
# Remove public access to SSH
aws ec2 revoke-security-group-ingress \
--group-id sg-xxx \
--protocol tcp \
--port 22 \
--cidr 0.0.0.0/0
Harden what remains
For services that must be public:
- Use Web Application Firewall (WAF)
- Enable rate limiting
- Implement strong authentication
- Keep software updated
- Monitor for anomalies
- Use HTTPS everywhere
- Disable unnecessary HTTP methods
- Set security headers
Network segmentation
Limit blast radius if something is compromised:
Traffic flows through four tiers, each isolated from the others:
- Internet → WAF / CDN — all public traffic passes through a web application firewall or CDN before reaching your infrastructure
- DMZ (public) — web servers, API gateway, load balancer; exposed to the internet but isolated from internal systems
- Application tier — app servers and background workers; reachable only from the DMZ, not from the internet directly
- Data tier — databases, cache, storage; reachable only from the application tier
Each tier can only communicate with adjacent tiers. Database servers can't be reached from the internet.
Attack surface management tools
Free / open-source tools
Discovery and enumeration
| Tool | Purpose | Installation | Link |
|---|---|---|---|
| Subfinder | Subdomain discovery | go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest | github.com/projectdiscovery/subfinder |
| Amass | Comprehensive enumeration | go install github.com/owasp-amass/amass/v4/...@master | github.com/owasp-amass/amass |
| httpx | HTTP probing | go install github.com/projectdiscovery/httpx/cmd/httpx@latest | github.com/projectdiscovery/httpx |
| dnsx | DNS toolkit | go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest | github.com/projectdiscovery/dnsx |
| Nmap | Port scanning | apt install nmap / brew install nmap | nmap.org |
| Masscan | Fast port scanning | apt install masscan | github.com/robertdavidgraham/masscan |
| Rustscan | Fast port scanning | cargo install rustscan | github.com/RustScan/RustScan |
Vulnerability scanning
| Tool | Purpose | Installation | Link |
|---|---|---|---|
| Nuclei | Template-based vulnerability scanner | go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest | github.com/projectdiscovery/nuclei |
| Nikto | Web server scanner | apt install nikto | github.com/sullo/nikto |
| OWASP ZAP | Web app security scanner | Download from website | zaproxy.org |
| OpenVAS | Full vulnerability scanner | Docker image available | openvas.org |
| Trivy | Container and IaC scanning | brew install trivy | trivy.dev |
| testssl.sh | SSL/TLS configuration testing | git clone https://github.com/drwetter/testssl.sh | testssl.sh |
Intelligence and reconnaissance
| Tool | Purpose | Access | Link |
|---|---|---|---|
| Shodan | Internet-wide scanning data | Free tier available | shodan.io |
| Censys | Internet asset search | Free tier available | censys.io |
| SecurityTrails | DNS history, subdomains | Free tier available | securitytrails.com |
| BuiltWith | Technology detection | Free tier available | builtwith.com |
| crt.sh | Certificate Transparency | Free | crt.sh |
| Have I Been Pwned | Breach data | Free API | haveibeenpwned.com |
Commercial / Enterprise tools
For organizations needing continuous monitoring and managed solutions:
| Tool | Category | Pricing | Best for |
|---|---|---|---|
| Detectify | External ASM, DAST | From $275/month | Web app security, continuous monitoring |
| Intruder | Vulnerability scanning | From $108/month | Small teams, easy setup |
| UpGuard | Vendor risk, ASM | Quote-based | Third-party risk management |
| Qualys CSAM | Cloud security, ASM | Quote-based | Enterprise, multi-cloud |
| Tenable.io | Vulnerability management | Quote-based | Comprehensive vuln mgmt |
| CrowdStrike Falcon Surface | External ASM | Quote-based | Enterprise, threat intel integration |
| Microsoft Defender EASM | External ASM | Quote-based | Azure-heavy environments |
| Palo Alto Cortex Xpanse | Enterprise ASM | Quote-based | Large enterprises |
| Mandiant Attack Surface Management | Threat-informed ASM | Quote-based | Threat intelligence focus |
All-in-one platforms (with free tiers)
| Platform | Free tier includes | Paid features | Link |
|---|---|---|---|
| ProjectDiscovery Cloud | Subfinder, httpx, nuclei cloud | Team features, continuous monitoring | cloud.projectdiscovery.io |
| Shodan | Limited searches | Continuous monitoring, API access | shodan.io |
| Snyk | Open source scanning | Container, IaC, code scanning | snyk.io |
| Intruder | 1 application | More apps, continuous scanning | intruder.io |
Tool selection guide
For a small company starting with ASM:
| Budget | Recommended stack |
|---|---|
| $0 | Subfinder + httpx + Nuclei + Nmap + Shodan (free tier) |
| $100-300/month | Above + Intruder or Detectify for continuous monitoring |
| $500+/month | Enterprise ASM platform (Tenable, Qualys, Microsoft EASM) |
Practical attack surface audit
Here's a step-by-step process to audit your attack surface:
Step 1: Asset inventory
Start with what you know:
## Known assets inventory
### Domains
- company.com (primary)
- company.io (redirect)
- companyapp.com (product)
### Cloud accounts
- AWS: account-id-1 (production)
- AWS: account-id-2 (staging)
- GCP: project-name
### IP ranges
- AWS: dynamic (check Security Groups)
- Office: 203.0.113.0/24
### Third-party services
- GitHub
- Slack
- Jira
- Salesforce
- etc.
Step 2: Subdomain enumeration
# Run multiple tools and combine results
subfinder -d company.com -silent >> all_subs.txt
amass enum -passive -d company.com >> all_subs.txt
curl -s "https://crt.sh/?q=%.company.com&output=json" | jq -r '.[].name_value' >> all_subs.txt
# Deduplicate
sort -u all_subs.txt > subdomains.txt
# Check which are alive
cat subdomains.txt | httpx -silent -o alive_subs.txt
Step 3: Port scanning
# Get IPs for alive subdomains
cat alive_subs.txt | dnsx -silent -a -resp-only > ips.txt
# Scan common ports
nmap -sS -sV -p 21,22,23,25,53,80,110,143,443,445,993,995,3306,3389,5432,8080,8443 \
-iL ips.txt -oA nmap_results
Step 4: Service identification
# Probe HTTP services
cat alive_subs.txt | httpx -tech-detect -status-code -title -o http_info.txt
# Check for interesting paths
cat alive_subs.txt | while read url; do
echo "Checking $url"
gobuster dir -u "$url" -w common.txt -q -o "gobuster_$(echo $url | tr '/:' '_').txt"
done
Step 5: Vulnerability scanning
# Run Nuclei with common templates
nuclei -l alive_subs.txt -t cves/ -t exposures/ -t misconfiguration/ -o vulnerabilities.txt
# Check SSL/TLS configuration
cat alive_subs.txt | while read url; do
testssl.sh --quiet "$url"
done
Step 6: Document and prioritize
## Attack Surface Audit Results
### Critical findings
1. `dev.company.com` - SSH exposed to internet, outdated OpenSSH
2. `jenkins.company.com` - No authentication required
3. `api.company.com` - GraphQL introspection enabled
### High findings
1. `staging.company.com` - Uses production database
2. `old.company.com` - Running EOL PHP version
3. Multiple services without HTTPS redirect
### Medium findings
1. Missing security headers on several apps
2. TLS 1.0/1.1 still enabled
3. Default error pages expose technology versions
### Remediation priorities
| Finding | Owner | Deadline | Status |
|---------|-------|----------|--------|
| Jenkins auth | DevOps | 24 hours | In progress |
| SSH exposure | DevOps | 24 hours | Open |
| Staging DB | Dev | 1 week | Open |
Continuous monitoring
A one-time audit isn't enough. Your attack surface changes constantly:
- New subdomains created
- Cloud resources provisioned
- Services accidentally exposed
- Certificates expire
- New vulnerabilities discovered
Automated monitoring setup
Weekly subdomain scan (GitHub Actions):
name: Attack Surface Monitor
on:
schedule:
- cron: '0 8 * * 1' # Every Monday at 8 AM
workflow_dispatch:
jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Install tools
run: |
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
- name: Subdomain enumeration
run: subfinder -d company.com -o subdomains.txt
- name: Probe alive hosts
run: cat subdomains.txt | httpx -silent -o alive.txt
- name: Compare with baseline
run: |
# Download previous baseline
# Compare and alert on new subdomains
comm -23 alive.txt baseline.txt > new_hosts.txt
if [ -s new_hosts.txt ]; then
echo "New hosts discovered:"
cat new_hosts.txt
# Send alert (Slack, email, etc.)
fi
- name: Vulnerability scan new hosts
run: |
if [ -s new_hosts.txt ]; then
nuclei -l new_hosts.txt -t cves/ -t exposures/ -severity high,critical
fi
- name: Update baseline
run: cp alive.txt baseline.txt
# Commit and push baseline
Shodan monitoring:
# Create Shodan alert for your organization
shodan alert create "Company Assets" "net:YOUR_IP_RANGE"
# Or monitor specific queries
shodan alert create "Open MongoDB" "org:CompanyName mongodb"
Alert on changes
Set up notifications for:
- New subdomains appearing
- New open ports detected
- SSL certificates expiring
- New vulnerabilities matching your stack
- Credentials appearing in breach dumps
Common mistakes to avoid
Running scans without authorization. Even against your own infrastructure, coordinate with IT. Aggressive scanning can trigger alerts, get your IP blocked, or cause service issues.
One-time audits only. Attack surface changes constantly. A scan from 6 months ago doesn't reflect current reality. Automate regular scanning.
Focusing only on primary domain. Check acquired company domains, old product domains, and domains used for marketing campaigns. Attackers check them all.
Ignoring development and staging. These environments often have weaker security but real data. They're prime targets.
Not acting on findings. A beautiful report means nothing if vulnerabilities stay open. Track remediation, set deadlines, follow up.
Scanning production during peak hours. Schedule heavy scans for off-peak times. Some tools can impact performance.
Real-world examples
Uber subdomain takeover (2019): Security researchers discovered that saostatic.uber.com pointed to an unclaimed S3 bucket. They could have claimed the bucket and served malicious content on a legitimate Uber domain. Source: HackerOne
Microsoft subdomain takeovers (ongoing): Researchers regularly find dangling DNS records pointing to decommissioned Azure resources. Anyone can claim these resources and hijack the subdomain. Source: The Hacker News
Starbucks subdomain takeover (2020): Abandoned subdomain pointing to Azure allowed researchers to take control and demonstrate potential for phishing and cookie theft. Source: Detectify
Panel admin exposure incidents: Countless companies have been breached through exposed admin panels (Jenkins, Grafana, Kibana, phpMyAdmin) found via Shodan. These panels often have default credentials or missing authentication.
Workshop: attack surface audit
Part 1: Discovery
-
List your known domains:
Primary: company.com
Products: app.company.com, api.company.com
Corporate: careers.company.com, blog.company.com
Old: legacy.company.com, v1.company.com -
Run subdomain enumeration:
subfinder -d company.com -o discovered.txt
cat discovered.txt | wc -l
# How many did you NOT know about? -
Check which are alive:
cat discovered.txt | httpx -silent -status-code -title -
Document unknown assets — add them to your inventory
Part 2: Analysis
-
Port scan your public IPs:
nmap -sS -sV -p- your_public_ip -
For each open port, document:
- Is this port supposed to be open?
- Is the service up to date?
- Is authentication required?
-
Check Shodan for your organization:
- Search for your company name
- Search for your IP ranges
- What does Shodan see?
Part 3: Reduction
-
Identify 3 things to eliminate:
- Close unnecessary ports
- Remove forgotten subdomains
- Restrict admin panel access
-
Create remediation plan with deadlines
-
Implement changes and rescan to verify
Artifacts to produce
- Asset inventory document — all known domains, IPs, cloud resources
- Subdomain list — complete enumeration with status
- Attack surface report — findings categorized by severity
- Remediation plan — prioritized fixes with owners and deadlines
- Monitoring automation — scheduled scan workflow
Self-check questions
- What's the difference between external and internal attack surface?
- Name three tools for subdomain enumeration.
- Why are staging environments often security risks?
- What is subdomain takeover and how does it happen?
- How often should you scan your attack surface?
- What's the first thing attackers look for in Shodan?
- How do you reduce attack surface without impacting business operations?
- What information does Certificate Transparency reveal?
How to explain this to leadership
Start with visibility: "We did an audit and discovered we have 47 subdomains, not the 15 we thought. Some are old servers we forgot about."
Quantify the risk: "Attackers use automated tools to find exposed assets. Right now, Shodan shows [X services] we're running. Some shouldn't be visible."
Show concrete findings: "We found an old development server with access to customer data. It was using default credentials. We've secured it."
Propose monitoring: "One audit isn't enough. For $0-$300/month, we can set up continuous monitoring that alerts us when something changes."
Connect to incidents: "Companies get breached through forgotten assets all the time. Uber lost 57 million records through an exposed S3 bucket. We're reducing that risk."
Links and resources
Discovery tools
- ProjectDiscovery tools suite — subfinder, httpx, nuclei, and more
- OWASP Amass — comprehensive enumeration
- Nmap — network scanning
- Shodan — internet-wide scanning database
- Censys — internet asset search
Vulnerability scanning
- Nuclei templates — vulnerability detection templates
- OWASP ZAP — web application scanner
- OpenVAS — full vulnerability scanner
Best practices
- OWASP Attack Surface Analysis
- NIST Cybersecurity Framework — includes asset management
- CIS Controls — inventory and control of assets
Commercial platforms
- Detectify — external ASM
- Intruder — vulnerability scanning
- Microsoft Defender EASM
Conclusion
You can't protect what you don't know about. Attack surface management is the discipline of knowing your exposure before an attacker finds it for you.
Run the scan. Fix the forgotten server. Expire the unused subdomain. The low-hanging fruit is always there.
What's next
Next: building a Security Champions community — scaling security beyond one person by building a network of champions across teams.